I have a SageMaker notebook instance running in Account-A and I have buckets in Account-B.
Account-B has an IAM role with the following permissions to access S3 buckets, etc.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:ListAllMyBuckets",
                "s3:CreateBucket",
                "s3:ListBucket",
                "s3:PutBucketTagging",
                "s3:GetBucketTagging",
                "s3:PutBucketVersioning",
                "s3:GetBucketLocation"
            ],
            "Resource": "arn:aws:s3:::*",
            "Effect": "Allow",
            "Sid": "allowS3Acccess"
        }
    ]
}
I keep getting Access Denied when I assume the role in Account-B and try to execute list_buckets() operation.
SageMaker can successfully assume the role in Account-B, and I can see the correct response when I perform sts.get_caller_identity.
Also, using the CLI I can assume SageMaker's IAM role and then assume the role in Account-B. When I execute aws s3 ls I can see the list of buckets in Account-B.
Also, things work even when I run from my PyCharm IDE using boto3.
Bottom line, I keep getting an Access Denied error whenever I run an s3:some_operation from SageMaker after assuming the role in Account-B.

Thank you Didier for your reply.
Yes, I had gone through the article before I posted my question. However, the article does not quite fit the problem I am trying to solve. I am trying to list all buckets in another account (Account-B) by assuming the IAM role of that account. Buckets in the other account (B) are dynamically created and don't have any bucket-level permission for a specific IAM role (such as SageMaker's execution role).
I wonder how it all works locally with the CLI and even with Python code from the IDE after assuming the role in Account-B. For instance, assume Sage's IAM role, then assume the cross-account (B) role, then perform the S3 operation in Account-B.
Also, in Account-A, I have set up a VPC, a VPC endpoint for S3, and a security group with outbound rules for destination pl-63a5400a (com.amazonaws.us-east-1.s3). I can access the buckets in the same account (A) where Sage's IAM role lives.
I am also wondering if the VPC endpoint for S3 in Account-B has anything to do with the issue. Currently there is no S3 VPC endpoint set up in Account-B.
Any suggestions?
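An added illustration of the point the thread circles around (this is not code from the question, from Didier's reply, or from AWS): a request that leaves a notebook inside a VPC and reaches S3 through a gateway endpoint must be allowed by the endpoint policy in addition to the assumed role's identity policy, whereas the CLI-from-a-laptop and PyCharm paths never traverse that endpoint. The small evaluator below is a deliberately simplified model of IAM evaluation (no Principal, Condition, SCP, bucket-policy or resource-less actions such as s3:ListAllMyBuckets are modelled); the role policy is the one from the question, while the endpoint policy and the bucket names are constructed, hypothetical values chosen to show how the same role policy yields different outcomes depending on which policies the request path passes through.

```python
import re

# Account-B role policy, as posted in the question.
ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "allowS3Acccess",
        "Effect": "Allow",
        "Action": ["s3:PutObject", "s3:GetObject", "s3:ListAllMyBuckets", "s3:CreateBucket",
                   "s3:ListBucket", "s3:PutBucketTagging", "s3:GetBucketTagging",
                   "s3:PutBucketVersioning", "s3:GetBucketLocation"],
        "Resource": "arn:aws:s3:::*",
    }],
}

# Constructed, hypothetical S3 gateway endpoint policy for Account-A's VPC. The question
# does not show the real one; a policy scoped to the account's own buckets is a common shape.
ENDPOINT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "OnlyAccountABuckets",
        "Effect": "Allow",
        "Principal": "*",   # not evaluated by this simplified model
        "Action": "s3:*",
        "Resource": ["arn:aws:s3:::account-a-bucket", "arn:aws:s3:::account-a-bucket/*"],
    }],
}


def _as_list(value):
    """IAM allows a single string or a list in Action/Resource/Statement; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _matches(pattern, value, ignore_case=False):
    """IAM-style wildcard match: '*' matches any run of characters, '?' exactly one."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def policy_decision(policy, action, resource):
    """Return 'Deny', 'Allow' or None (no statement matched) for a single policy document."""
    decision = None
    for stmt in _as_list(policy["Statement"]):
        # Action names are case-insensitive in IAM; resource ARNs are case-sensitive.
        if not any(_matches(a, action, ignore_case=True) for a in _as_list(stmt.get("Action", []))):
            continue
        if not any(_matches(r, resource) for r in _as_list(stmt.get("Resource", []))):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"          # explicit deny wins immediately
        decision = "Allow"
    return decision


def evaluate(action, resource, policies):
    """Combine every policy the request must pass (identity policy, endpoint policy, ...).

    Simplified IAM logic: an explicit Deny anywhere wins; otherwise each policy in the
    chain must contribute an Allow, and a policy with no matching statement is an
    implicit deny for the whole request.
    """
    decisions = [policy_decision(p, action, resource) for p in policies]
    if "Deny" in decisions:
        return "Deny"
    return "Allow" if all(d == "Allow" for d in decisions) else "Deny"


if __name__ == "__main__":
    bucket_b = "arn:aws:s3:::account-b-bucket"   # constructed bucket name in Account-B
    paths = [
        ("CLI / IDE outside the VPC (role policy only)", [ROLE_POLICY]),
        ("notebook inside the VPC via the S3 gateway endpoint", [ROLE_POLICY, ENDPOINT_POLICY]),
    ]
    for label, chain in paths:
        print(f"{label}: s3:ListBucket on {bucket_b} -> {evaluate('s3:ListBucket', bucket_b, chain)}")
```

Running the block prints Allow for the first path and Deny for the second with these constructed policies; the practical check it suggests is to compare the endpoint policy attached to Account-A's S3 gateway endpoint (and any bucket policy or SCP on the path) against the action and bucket ARN that boto3 is actually sending, since the identity policy on its own already permits the listed actions on arn:aws:s3:::*.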