
Can't access S3 bucket from Braket Notebook

0

Hello,

I am currently trying out AWS Braket in preparation for a larger research project. As part of my trials I am trying to load data from an S3 bucket I created into a pandas DataFrame. The script I am using for this is the following:

import sagemaker
import boto3
import pandas as pd

sagemaker_session = sagemaker.Session()
role = sagemaker.get_execution_role()

bucket='test'
file_name = 'sine.txt'

file_obj = boto3.client('s3').get_object(Bucket=bucket, Key=file_name)

df = pd.read_csv( file_obj['Body'], delimiter=' ')

Unfortunately, running it in a Braket notebook results in

ClientError: An error occurred (AccessDenied) when calling the GetObject operation: Access Denied

I searched around and found that it should be due to missing IAM roles for Braket. However, according to my Identity and Access Management, the required AWSServiceRoleForAmazonBraket role is already active.

[Screenshot of AWSServiceRoleForAmazonBraket in IAM console]

I have now spent several hours searching, but all potential solutions result in the same (or similar) errors. That is why I am coming here. Can anyone tell me how I can solve this issue?

Thanks and best wishes, Philipp

4 Answers
0
Accepted Answer

Oh, I'm sorry I didn't catch that. You are right, our default role that is created when you launch a new notebook only gives access to S3 buckets that start with "amazon-braket-". Here is the corresponding statement from the AmazonBraketFullAccess Policy (which is attached to our default notebook role).

        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:ListBucket",
                "s3:CreateBucket",
                "s3:PutBucketPublicAccessBlock",
                "s3:PutBucketPolicy"
            ],
            "Resource": "arn:aws:s3:::amazon-braket-*"
        },

So, if your bucket name was amazon-braket-test instead of test it should work. The easiest way is to just use this naming convention throughout.

If you want to use the bucket with name test, you need to customize the Role attached to your notebook (I can't tell in which role you modified the permission above, but since there is a Principal line I suspect it wasn't in the role of your notebook). For instance, you can just add another resource in the above snippet:

        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:ListBucket",
                "s3:CreateBucket",
                "s3:PutBucketPublicAccessBlock",
                "s3:PutBucketPolicy"
            ],
            "Resource": [
                "arn:aws:s3:::amazon-braket-*",
                "arn:aws:s3:::test",
                "arn:aws:s3:::test/*"
            ]
        },
answered a month ago
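
Added example (not part of the original answer, and not AWS's own policy evaluation code): a small offline check of how the Resource patterns in the statement above match bucket ARNs and object ARNs. It assumes a single identity-policy Allow statement with no Deny, Condition or bucket policy involved, and the helper names are hypothetical. s3:ListBucket is checked against the bucket ARN, while s3:GetObject is checked against the object ARN (bucket/key).

```python
import re

# Statement quoted in the answer above (from the AmazonBraketFullAccess policy).
BRAKET_DEFAULT = {
    "Effect": "Allow",
    "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket", "s3:CreateBucket",
               "s3:PutBucketPublicAccessBlock", "s3:PutBucketPolicy"],
    "Resource": "arn:aws:s3:::amazon-braket-*",
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _wildcard_match(pattern, value):
    # IAM wildcards: '*' matches any run of characters (including '/'), '?' exactly one.
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, flags=re.DOTALL) is not None

def statement_allows(statement, action, resource_arn):
    """True if an Allow statement matches both the action and the resource ARN.
    Simplified model (assumption): no Deny, Condition, NotAction or NotResource."""
    if statement.get("Effect") != "Allow":
        return False
    # Action names are case-insensitive; resource ARNs are compared case-sensitively.
    action_ok = any(_wildcard_match(a.lower(), action.lower()) for a in _as_list(statement["Action"]))
    resource_ok = any(_wildcard_match(r, resource_arn) for r in _as_list(statement["Resource"]))
    return action_ok and resource_ok

def with_resources(statement, extra):
    """Copy of the statement with extra Resource patterns appended."""
    return {**statement, "Resource": _as_list(statement["Resource"]) + list(extra)}

def bucket_arn(bucket):
    return f"arn:aws:s3:::{bucket}"

def object_arn(bucket, key):
    return f"arn:aws:s3:::{bucket}/{key}"

if __name__ == "__main__":
    variants = {
        "default": BRAKET_DEFAULT,
        "+ test": with_resources(BRAKET_DEFAULT, ["arn:aws:s3:::test"]),
        "+ test, test/*": with_resources(BRAKET_DEFAULT, ["arn:aws:s3:::test", "arn:aws:s3:::test/*"]),
    }
    requests = [("s3:ListBucket", bucket_arn("test")),
                ("s3:GetObject", object_arn("test", "sine.txt")),
                ("s3:GetObject", object_arn("amazon-braket-test", "sine.txt"))]
    for name, stmt in variants.items():
        for action, arn in requests:
            print(f"{name:16} {action:14} {arn:45} {statement_allows(stmt, action, arn)}")
```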
0

Hi Philipp,

I'm sorry you're running into issues. You need to make sure that your notebook has assumed a Role with Permission to access S3 (a role defines what actions an AWS resource, such as a notebook, can perform on your behalf). The easiest way is to create a new notebook and select "Create a new role" in the Permissions and encryption interface.


That will create a new role that has all required permissions and attach it to the new notebook. It is also possible to change the permissions for an existing notebook, but it's slightly more involved (happy to walk you through it if interested).

For completeness, the AWSServiceRoleForAmazonBraket that you were able to check is unrelated to the issue you are experiencing. This role is what is called a "service-linked role" (SLR), which defines the actions Amazon Braket (and not the notebook) can perform on your behalf. You can read more about it here: https://docs.aws.amazon.com/braket/latest/developerguide/braket-slr.html.

Let us know if this worked, Eric

answered a month ago
0

Hi Eric,

thank you very much for your answer. Unfortunately, I need to tell you that it did not work. I created a new notebook instance, as you described, and ran the same notebook but I get the same error. Is there anything else I can try?

Update - It looks like it depends on the bucket:

I noticed that there is a new bucket in my S3 which was automatically created by Braket when I ran a hybrid job. When I try to load data from this bucket it works (in both the old and the new notebook instance). I already tried to change the permissions of my old bucket to be equal to the ones in the one created by Braket. Specifically, I changed the Bucket policy to

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "braket.amazonaws.com"
            },
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::test",
                "arn:aws:s3:::test/*"
            ]
        }
    ]
}

Unfortunately, this does not seem to have an effect.

answered a month ago
0

Thank you very much, Eric. It now works when I use a bucket named with the convention you suggested.

And just for interest: how would I change the role of the notebook? I think I found it in the IAM, but I can not modify it.

answered a month ago
