- Newest
- Most votes
- Most comments
Oh, I'm sorry I didn't catch that. You are right, our default role that us created when you launch a new notebook only gives access to S3 buckets that start with "amazon-braket-". Here is the corresponding statement from the AmazonBraketFullAccess Policy (which is attached to our default notebook role).
{
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:PutObject",
"s3:ListBucket",
"s3:CreateBucket",
"s3:PutBucketPublicAccessBlock",
"s3:PutBucketPolicy"
],
"Resource": "arn:aws:s3:::amazon-braket-*"
},
So, it your bucket name was amazon-braket-test
instead of test
it should work. The easiest way is to just use this naming convention throughout.
If you want to use the bucket with name test
, you need to customize the Role attached to your notebook (I can't tell in which role you modified the permission above, but since there is a Principal line I suspect it wasn't in the role of your notebook). For instance, you can just add another resource in the above snippet:
{
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:PutObject",
"s3:ListBucket",
"s3:CreateBucket",
"s3:PutBucketPublicAccessBlock",
"s3:PutBucketPolicy"
],
"Resource": [
"arn:aws:s3:::amazon-braket-*",
"arn:aws:s3:::test"
]
},
Hi Philipp,
I'm sorry you're running into issues. You need to make sure that your notebook has assumed a Role with Permission to access S3 (a role defines what actions an AWS resource, such as a notebook, can perform on your behalf). The easiest way is to create a new notebook and select "Create a new role" in the Permissions and encryption interface
That will create a new role that has all required permissions and attach it to the new notebook. It is also possible to change the permissions for an existing notebook, but it's slightly more involved (happy to walk you through it if interested).
For completeness, the AWSServiceRoleForAmazonBraket that you you were able to check is unrelated to the issue you are experiencing. This role is what is called a "service-linked role" (SLR) which defines the actions Amazon Braket (and not the notebook) can perform on your behalf. You can read more about it here https://docs.aws.amazon.com/braket/latest/developerguide/braket-slr.html.
Let us know if this worked, Eric
Hi Eric,
thank you very much for your answer. Unfortunately, I need to tell you that it did not work. I created a new notebook instance, as you described, and ran the same notebook but I get the same error. Is there anything else I can try?
Update - It looks like it depends on the bucket:
I noticed that there is a new bucket in my S3 which was automatically created by the Braket when I ran a hybrid job. When I try to load data from this bucket it works (in both the old and the new notebook instance). I already tried to change the permissions of my old bucket to be equal to the ones in the one created by Braket. Specifically, I changed the Bucket policy to
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "braket.amazonaws.com"
},
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::test",
"arn:aws:s3:::test/*"
]
}
]
}
Unfortunately, this does not seem to have an effect.
Thank you very much, Eric. It now works when I use a bucket named with the convention you suggested.
And just for interest: how would I change the role of the notebook? I think I found it in the IAM, but I can not modify it.
Relevant content
- Accepted Answerasked 2 years ago
- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated a year ago