
ClientError: An error occurred (AccessDeniedException) when calling the CreateInferenceComponent operation:

0

ClientError: An error occurred (AccessDeniedException) when calling the CreateInferenceComponent operation: User: arn:aws:sts::x:assumed-role/xx-xx-xx-xx-user-service-role/SageMaker is not authorized to perform: sagemaker:CreateInferenceComponent on resource: arn:aws:sagemaker:us-west-2:x:inference-component/DEMO-1741933531-3bf5-inference-component-1 with an explicit deny in an identity-based policy

We did add

{
    "Effect": "Allow",
    "Action": [
        "sagemaker:CreateInferenceComponent"
    ],
    "Resource": [
        "arn:aws:sagemaker:*:xx:endpoint/*",
        "arn:aws:sagemaker:*:xx:inference-component/*"
    ]
},
2 Answers
0

Hello.

Judging from the error message, an explicit denial has occurred for the IAM role SageMaker due to an IAM policy issue.
Perhaps another IAM policy has the "Deny" action set.
Could you please share all the IAM policies that you have in place?

Also, please check whether any permission boundaries have been set.
https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html

EXPERT
answered 8 months ago
EXPERT
reviewed 7 months ago
0

Hello,

I understand that you are encountering an AccessDeniedException when attempting to create an inference component using Amazon SageMaker, despite adding the necessary permissions to your IAM policy, including the "sagemaker:CreateInferenceComponent" action for the appropriate resources.

The AccessDeniedException with indicates that the user or role attempting to perform the action does not have the necessary permissions. This error is commonly encountered when working with AWS services, including Amazon SageMaker. Here, no identity-based policy means there is no allow or deny to the action specified in the IAM permissions.

To address this issue, please follow these steps:

  • Examine all policies attached to the role "xx-xx-xx-xx-user-service-role", including both managed and inline policies. Look for any explicit "Deny" statements that might be overriding your "Allow" permissions.
  • If you're using AWS Organizations, review any Service Control Policies (SCPs) that might be restricting actions across your organization or specific accounts.
  • Ensure the resource ARNs in your policy match those you're trying to access. Pay attention to the region and account ID.

Regarding the explicit deny:

An explicit deny in an IAM policy is a statement that specifically prohibits an action, regardless of any allow statements that might exist. In IAM, deny statements always take precedence over allow statements. This means that even if you have an allow statement for the CreateInferenceComponent action, an explicit deny for the same action will override it and prevent the operation from being performed. Remember that the explicit deny could be in a policy attached to the user, group, or role, or it could be in a resource-based policy.

If these steps don't resolve the issue, please contact AWS Support for more detailed assistance with your account's permission structure. They can provide insights into any account-specific configurations that might be causing this error. [https://console.aws.amazon.com/support/home#/case/create]

For further information on this, you can refer to the following documents:

[1] Troubleshoot IAM:
https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot.html

[2] Troubleshoot access denied error messages: https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_access-denied.html

[3] CreateInferenceComponent: https://docs.aws.amazon.com/sagemaker/latest/APIReference/API_CreateInferenceComponent.html#API_CreateInferenceComponent_Errors

AWS
SUPPORT ENGINEER
answered 8 months ago
EXPERT
reviewed 7 months ago
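
An added example (not part of the original answers, and not AWS tooling): an offline scan of a role's identity-based policy documents for Deny statements that cover the failing call, which is the review the steps above ask for. The policy names, the account ID 111122223333 and both Deny policies are constructed for illustration; a Deny that carries a Condition is flagged rather than evaluated.

```python
import re

def _glob(pattern, value, ignore_case):
    # IAM wildcards: '*' matches any run of characters, '?' exactly one.
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, value, re.IGNORECASE if ignore_case else 0) is not None

def _as_list(v):
    return [v] if isinstance(v, (str, dict)) else list(v or [])

def _covers(stmt, key, value, ignore_case):
    # Handles Action/Resource and the inverted NotAction/NotResource elements.
    if key in stmt:
        return any(_glob(p, value, ignore_case) for p in _as_list(stmt[key]))
    if "Not" + key in stmt:
        return not any(_glob(p, value, ignore_case) for p in _as_list(stmt["Not" + key]))
    return False

def find_explicit_denies(policies, action, resource):
    """Return (policy, statement id, conditional?) for every Deny covering the call."""
    hits = []
    for name, doc in policies.items():
        for i, s in enumerate(_as_list(doc.get("Statement"))):
            if (s.get("Effect") == "Deny"
                    and _covers(s, "Action", action, True)      # action names ignore case
                    and _covers(s, "Resource", resource, False)):
                hits.append((name, s.get("Sid", f"Statement[{i}]"), "Condition" in s))
    return hits

# Constructed sample data: the account ID and the two Deny policies are made up.
ACTION = "sagemaker:CreateInferenceComponent"
RESOURCE = ("arn:aws:sagemaker:us-west-2:111122223333:"
            "inference-component/DEMO-1741933531-3bf5-inference-component-1")
POLICIES = {
    "added-allow": {"Statement": [{
        "Effect": "Allow", "Action": [ACTION],
        "Resource": ["arn:aws:sagemaker:*:111122223333:endpoint/*",
                     "arn:aws:sagemaker:*:111122223333:inference-component/*"]}]},
    "read-only-guardrail": {"Statement": {
        "Sid": "DenyAllButRead", "Effect": "Deny",
        "NotAction": ["sagemaker:Describe*", "sagemaker:List*"],
        "Resource": "arn:aws:sagemaker:*:*:inference-component/*"}},
    "endpoint-guardrail": {"Statement": [
        {"Effect": "Deny", "Action": "sagemaker:DeleteEndpoint", "Resource": "*"},
        {"Effect": "Deny", "Action": "sagemaker:create*", "Resource": "*",
         "Condition": {"StringNotEquals": {"aws:RequestedRegion": "us-east-1"}}}]},
}

print(find_explicit_denies(POLICIES, ACTION, RESOURCE))
```

The policy documents to feed in can be exported with `aws iam get-role-policy` for inline policies and `aws iam get-policy-version` for managed ones.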
