Skip to content
By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post
About re:Post

Remote Access in SageMaker CodeEditor doesn't work

0

I just found that a new feature "Remote access" (Enable remote access to connect to this space from your local IDE) appeared in SageMaker AI's CodeEditor. I turned on the toggle, started my Space, then tried to click "Open in VS Code" button, and received the following error message:

Remote access denied

Unable to connect because: [User: arn:aws:sts::<redacted>/SageMaker-ExecutionRole-<redacted>/SageMaker is not authorized to perform: sagemaker:StartSession on resource: arn:aws:sagemaker:us-east-1:<redacted>:space/<redacted>/codeeditor-ilya because no identity-based policy allows the sagemaker:StartSession action]

I am logged in through IAM Identity Center.

Any ideas how to solve it?

Topics
Machine Learning & AISecurity, Identity, & ComplianceStorage
Tags
AWS IAM Identity CenterAmazon SageMaker
Language
English
asked 9 months ago534 views
1 Answer
0

The error you're encountering is due to missing permissions required for remote access to SageMaker spaces. When using the "Open in VS Code" button (deep link access), your execution role needs specific permissions to perform the sagemaker:StartSession action.

To resolve this issue, you need to attach the appropriate IAM policy to your identity. Since you're using IAM Identity Center, you'll need to add the necessary permissions to your Permission sets. Here's what you need to do:

  1. Ensure the following policy is attached to your Permission sets managed by IAM Identity Center:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"sagemaker:ListSpaces",
"sagemaker:DescribeSpace",
"sagemaker:UpdateSpace",
"sagemaker:ListApps",
"sagemaker:CreateApp",
"sagemaker:DeleteApp",
"sagemaker:DescribeApp",
"sagemaker:StartSession",
"sagemaker:DescribeDomain",
"sagemaker:AddTags"
],
"Resource": "*"
}
]
}

For production environments, it's recommended to scope down these permissions to specific resources rather than using the wildcard "*".

After updating the permissions, you should be able to use the "Open in VS Code" button successfully. Remember that remote access must be set to "ENABLED" for the space, which you've already done by toggling it on.

Alternatively, you could also connect using the AWS Toolkit for Visual Studio Code or an SSH terminal connection if those methods better suit your workflow.
Sources
Set up remote access - Amazon SageMaker AI
Connect your local Visual Studio Code to SageMaker spaces - Amazon SageMaker AI
SpaceSettings - Amazon SageMaker

answered 9 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Relevant content