How do I determine which SageMaker notebook instance made a specific API call when all instances use the same IAM role?
I have multiple Amazon SageMaker notebook instances. They all use the same AWS Identity and Access Management (IAM) role. No matter which notebook instance performed an action, the AWS CloudTrail event for every API operation shows the same PrincipalID (session name). How can I tell which notebook instance performed which API operations?
Short description
When you have multiple SageMaker notebook instances that share the same IAM role, CloudTrail events alone can't tell you which notebook instance performed a specific API operation, because every instance assumes the role under the same session name.
Example:
{
    "eventVersion": "1.05",
    "userIdentity": {
        "type": "AssumedRole",
        "principalId": "AAAAAAAAAAAAAAAAAA:SageMaker",
        "arn": "arn:aws:sts::111122223333:assumed-role/AmazonSageMaker-ExecutionRole/SageMaker",
Resolution
1. Create an IAM execution role for the SageMaker notebook instance, or use an existing execution role. In the following steps, the execution role's Amazon Resource Name (ARN) is arn:aws:iam::111122223333:role/service-role/AmazonSageMaker-ExecutionRole.
2. Attach to the execution role an IAM policy that includes sts:AssumeRole. The sts:AssumeRole action allows the execution role to assume itself under a different session name.
Example:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "arn:aws:iam::111122223333:role/service-role/AmazonSageMaker-ExecutionRole"
        }
    ]
}
3. Create a start-notebook lifecycle configuration script similar to the following example. The example script retrieves the notebook instance name and then uses that name as the role session name.
#!/bin/bash
# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
# Permission is hereby granted, free of charge, to any person obtaining a copy of this
# software and associated documentation files (the "Software"), to deal in the Software
# without restriction, including without limitation the rights to use, copy, modify,
# merge, publish, distribute, sublicense, and/or sell copies of the Software, and to
# permit persons to whom the Software is furnished to do so.
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,
# INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
# PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
# HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
# SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

set -ex

# Obtain the name of the notebook instance from the instance metadata file
nbname=$(jq -r '.ResourceName' /opt/ml/metadata/resource-metadata.json)
echo "Notebook Name = $nbname"

# Use the AWS Command Line Interface (AWS CLI) to obtain the Amazon Resource Name (ARN) of the IAM execution role
nbinfo=$(aws sagemaker describe-notebook-instance --notebook-instance-name "$nbname")
nbrole=$(jq -r '.RoleArn' <<< "$nbinfo")
echo "Notebook Role = $nbrole"

# Obtain the Region of the notebook instance
nbregion=$(aws configure get region)
echo "Notebook Region = $nbregion"

# Write the assume-role provider settings to a new config file; the notebook name becomes the session name
echo "Writing new config file"
cat > /home/ec2-user/.aws/config.new <<EOF1
[default]
region=$nbregion
role_arn = $nbrole
credential_source = Ec2InstanceMetadata
role_session_name = $nbname
sts_regional_endpoints = regional
EOF1

echo "Moving new config to config file"
sudo mv /home/ec2-user/.aws/config.new /home/ec2-user/.aws/config

# Secure the "config" file so that it can't be deleted/updated without root user permissions
sudo chattr +i /home/ec2-user/.aws/config
4. Create a SageMaker notebook instance (for example, test-2) and attach the lifecycle configuration script that you created in the previous step.
5. Create the SageMaker notebook instance with root access turned off. This prevents the ec2-user account from deleting or updating the config file.
6. To identify the notebook instance that performed an API operation, check the CloudTrail event. Under the userIdentity object, principalId and arn show the notebook instance name. For example, the following event details show that the SageMaker notebook instance test-2 made the API call.
{
    "eventVersion": "1.05",
    "userIdentity": {
        "type": "AssumedRole",
        "principalId": "AAAAAAAAAAAAAAAAAAAA:test-2",
        "arn": "arn:aws:sts::111122223333:assumed-role/AmazonSageMaker-ExecutionRole/test-2",
        "accountId": "111122223333",
        "accessKeyId": "AAAAAAAAAAAAAAAAAAAA",
        "sessionContext": {
            "sessionIssuer": {
                "type": "Role",
                "principalId": "AAAAAAAAAAAAAAAAAAAA",
                "arn": "arn:aws:iam::111122223333:role/service-role/AmazonSageMaker-ExecutionRole",
                "accountId": "111122223333",
                "userName": "AmazonSageMaker-ExecutionRole"
            },
            "webIdFederationData": {},
            "attributes": {
                "mfaAuthenticated": "false",
                "creationDate": "2020-09-12T00:45:04Z"
            }
        },
        "invokedBy": "im.amazonaws.com"
    },
    "eventTime": "2020-09-12T00:49:04Z",
    "eventSource": "sagemaker.amazonaws.com",
    "eventName": "CreateEndpoint",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "im.amazonaws.com",
    "userAgent": "im.amazonaws.com",
    "requestParameters": {
        "endpointName": "sagemaker-mxnet-ep",
        "endpointConfigName": "sagemaker-mxnet-epc",
        "tags": []
    },
    "responseElements": {
        "endpointArn": "arn:aws:sagemaker:us-east-1:111122223333:endpoint/sagemaker-mxnet-ep"
    },
    "requestID": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
    "eventID": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
    "eventType": "AwsApiCall",
    "recipientAccountId": "111122223333"
}
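To put the resulting events to use, here is an added Python example (not part of the AWS article) that extracts the session name from userIdentity.principalId, groups API calls per notebook instance, and flags events that still carry the default SageMaker session name, which points to a notebook instance running without the lifecycle configuration. The sample events are constructed for the example.

```python
"""Attribute CloudTrail API events to SageMaker notebook instances via the role session name."""
from collections import defaultdict

# Session name SageMaker uses when no role_session_name override is configured.
DEFAULT_SESSION_NAME = "SageMaker"

# Constructed sample events (not real account data): one from a notebook whose lifecycle
# script set the session name, one still carrying the shared default session name.
SAMPLE_EVENTS = [
    {
        "userIdentity": {
            "type": "AssumedRole",
            "principalId": "AAAAAAAAAAAAAAAAAAAA:test-2",
            "arn": "arn:aws:sts::111122223333:assumed-role/AmazonSageMaker-ExecutionRole/test-2",
        },
        "eventSource": "sagemaker.amazonaws.com",
        "eventName": "CreateEndpoint",
    },
    {
        "userIdentity": {
            "type": "AssumedRole",
            "principalId": "AAAAAAAAAAAAAAAAAAAA:SageMaker",
            "arn": "arn:aws:sts::111122223333:assumed-role/AmazonSageMaker-ExecutionRole/SageMaker",
        },
        "eventSource": "sagemaker.amazonaws.com",
        "eventName": "CreateTrainingJob",
    },
]

def session_name(event):
    """Return the role session name of an AssumedRole event, or None for other identity types."""
    ident = event.get("userIdentity", {})
    if ident.get("type") != "AssumedRole":
        return None
    # principalId is "<role unique ID>:<session name>"; the ARN ends with the same session name.
    _, _, name = ident.get("principalId", "").partition(":")
    return name or None

def attribute_events(events):
    """Group event names by notebook instance. Events that still carry the default
    session name cannot be attributed and are collected under "UNATTRIBUTED"."""
    by_notebook = defaultdict(list)
    for event in events:
        name = session_name(event)
        key = "UNATTRIBUTED" if name in (None, DEFAULT_SESSION_NAME) else name
        by_notebook[key].append(event["eventName"])
    return dict(by_notebook)

if __name__ == "__main__":
    print(attribute_events(SAMPLE_EVENTS))
```

A non-empty "UNATTRIBUTED" bucket is the signal to check which notebook instances are missing the lifecycle configuration or were created with root access enabled.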