By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

Sagemaker Studio - create domain error

1

A customer is trying to setup Sagemaker studio. He is following our published instructions to set up using IAM: https://docs.aws.amazon.com/sagemaker/latest/dg/onboard-iam.html

But is getting an error: User: arn:aws:iam:xxxx:user/user1 is not authorized to perform: sagemaker:CreateDomain on resource: arn:aws:sagemaker: us-east-2:xxxx:domain/yyyy

He has admin priviledges on the account and AmazonSageMakerFullAccess. We noticed that the AmazonSageMakerFullAccess policy actually has a limitation. You can perform all sagemaker actions, but not on a resource with arn “arn:aws:sagemaker:::domain/*”. We confirmed there are no other domains in that region with the CLI as you are only allowed one – so that isn’t blocking. And aws sagemaker list-user-profiles returns no user profiles.

Has anyone seen that error before or know the workaround? Should he create a custom policy to enable creating domains or would there be any implications of that? Are there specific permissions he should have so as to onboard using IAM?

Topics
Machine Learning & AI
Tags
Amazon SageMaker
Language
English
AWS
rabinon
asked 4 years ago3079 views
1 Answer
1
Accepted Answer

A user with admin privileges would have access to "iam:CreateServiceLinkedRole" and "sagemaker:CreateDomain" actions, unless SCPs or permissions boundaries are involved. However, for the purpose of onboarding Amazon SageMaker Studio with limited permissions, I would grant the user least privilege by reviewing Control Access to the Amazon SageMaker API by Using Identity-based Policies and Actions, Resources, and Condition Keys for Amazon SageMaker documentation:

{
    "Effect": "Allow",
    "Action": "sagemaker:CreateDomain",
    "Resource": "arn:aws:sagemaker:<REGION>:<ACCOUNT-ID>:domain/*"
}

NOTE: An AWS account is limited to one Domain, per region, see CreateDomain.

{
    "Effect": "Allow",
    "Action": "iam:CreateServiceLinkedRole",
    "Resource": "*",
    "Condition": {
        "StringEquals": {
            "iam:AWSServiceName": "sagemaker.amazonaws.com"
        }
    }
}

Cheers!

AWS
AWS-User-2530299
answered 4 years ago
profile picture
EXPERT
Giovanni Lauria
reviewed 23 days ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content