Permissions issue deploying AWS SageMaker image classification trained with Autopilot.


We have been using the SageMaker Autopilot job for Image Classification (https://docs.aws.amazon.com/sagemaker/latest/dg/autopilot-create-experiment-image-classification.html). We have been able to successfully train a model using this tool; however, we cannot do any deployments to this model because the underlying Docker container has been giving permission issues.

`ClientError: API error (404): pull access denied for 432930124757.dkr.ecr.us-west-1.amazonaws.com/sm-automl-robotorch, repository does not exist or may require 'docker login': denied: User: arn:aws:sts::543327004903:assumed-role/sagemaker_execution_role/SageMaker is not authorized to perform: ecr:BatchGetImage on resource: arn:aws:ecr:us-west-1:432930124757:repository/sm-automl-robotorch because no resource-based policy allows the ecr:BatchGetImage action`

It sounds like this is something on the SageMaker side of things, if anyone can assist.

1 Answer

Hi lemon rubik, it's impossible for me to definitively solve this, but I have a feeling it's based on

`User: arn:aws:sts::543327004903:assumed-role/sagemaker_execution_role/SageMaker is not authorized to perform: ecr:BatchGetImage on resource: arn:aws:ecr:us-west-1:432930124757:repository/sm-automl-robotorch because no resource-based policy allows the ecr:BatchGetImage action`

Specifically

`sagemaker_execution_role/SageMaker is not authorized to perform: ecr:BatchGetImage`

I would advise you to check the SageMaker Execution Role Permissions:

  1. Open the AWS Management Console, navigate to the IAM dashboard, and then find the SageMaker execution role that you're using.
  2. Make sure that the role has permissions to access ECR. You could for example attach the AmazonEC2ContainerRegistryFullAccess policy to the role for full access, although it's better to limit permissions to only what's necessary with a custom policy where you would only grant permission that's needed.

I would also double check the ECR private repository policy - https://docs.aws.amazon.com/AmazonECR/latest/userguide/repository-policies.html

Amazon ECR uses resource-based permissions to control access to repositories. Resource-based permissions let you specify which users or roles have access to a repository and what actions they can perform on it. By default, only the AWS account that created the repository has access to a repository. You can apply a policy document that allows additional permissions to your repository. Check the repository "sm-automl-robotorch" policy to ensure that the SageMaker execution role has permissions to pull images.

If this answer helped, please accept it. If you have any questions, feel free to reply.

Cheers, Dylan

answered 8 months ago
  • Hey, thanks for the comment, although I am not the repository owner for this image, I believe it's managed by the SageMaker team directly, so I think it's a permissions issue on their part.
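
As an added example (not part of the original thread and not AWS's own code), the Python below parses the denial message quoted in the question, flags whether the calling role and the repository sit in different accounts, and builds a pull-only identity policy scoped to that one repository instead of a full-access managed policy. The function names are hypothetical, and the pull action list is assumed to be the usual set ECR needs for an image pull.

```python
import json
import re

# Error text copied from the question above.
ERROR = ("User: arn:aws:sts::543327004903:assumed-role/sagemaker_execution_role/SageMaker "
         "is not authorized to perform: ecr:BatchGetImage on resource: "
         "arn:aws:ecr:us-west-1:432930124757:repository/sm-automl-robotorch "
         "because no resource-based policy allows the ecr:BatchGetImage action")

DENIAL = re.compile(
    r"User: arn:aws:sts::(?P<caller_account>\d{12}):assumed-role/(?P<role>[^/\s]+)/\S+ "
    r"is not authorized to perform: (?P<action>[\w:]+) on resource: "
    r"(?P<resource>arn:aws:ecr:(?P<region>[\w-]+):(?P<repo_account>\d{12}):repository/(?P<repo>\S+))")

# Actions an image pull needs on the repository itself (assumed standard pull set).
PULL_ACTIONS = ["ecr:BatchCheckLayerAvailability", "ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer"]

def parse_denial(message):
    """Split an ECR access-denied message into caller, action and repository."""
    m = DENIAL.search(message)
    if m is None:
        raise ValueError("not an assumed-role ECR denial message")
    info = m.groupdict()
    info["cross_account"] = info["caller_account"] != info["repo_account"]
    return info

def identity_policy(info):
    """Least-privilege identity policy for pulling from the one repository."""
    return {"Version": "2012-10-17", "Statement": [
        # GetAuthorizationToken has no resource-level scoping, so it needs "*".
        {"Effect": "Allow", "Action": "ecr:GetAuthorizationToken", "Resource": "*"},
        {"Effect": "Allow", "Action": PULL_ACTIONS, "Resource": info["resource"]},
    ]}

def diagnose(message):
    """Return parsed fields, human-readable notes and the scoped identity policy."""
    info = parse_denial(message)
    notes = [f"role {info['role']} (account {info['caller_account']}) was denied "
             f"{info['action']} on {info['repo']} (account {info['repo_account']})"]
    if info["cross_account"]:
        notes.append("repository is in another account: its repository policy must also "
                     "allow this role; an identity policy alone is not sufficient")
    return info, notes, identity_policy(info)

if __name__ == "__main__":
    info, notes, policy = diagnose(ERROR)
    print("\n".join(notes))
    print(json.dumps(policy, indent=2))
```
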
