IAM Roles for Sagemaker?

VikR · Apr 25, 2019 · Viewed 7.8k times

I'm trying to get AWS SageMaker to call AWS Comprehend. I'm getting this message in SageMaker:

ClientError: An error occurred (AccessDeniedException) when calling the StartTopicsDetectionJob operation: User: arn:aws:sts::545176143103:assumed-role/access-aws-services-from-sagemaker/SageMaker is not authorized to perform: iam:PassRole on resource: arn:aws:iam::545176143103:role/access-aws-services-from-sagemaker

When creating the Jupyter notebook, I used this role:

arn:aws:sagemaker:us-east-2:545176143103:notebook-instance/access-comprehend-from-sagemaker

...with the following policies attached:

[Image: screenshot of the policies attached to the role; contents not recoverable from the page]

I'm using the same IAM role in SageMaker:

 data_access_role_arn = "arn:aws:iam::545176143103:role/access-aws-services-from-sagemaker"

It looks like I'm giving the role all the access it needs. How can I correct this error?

Answer

Nick Walsh · Apr 25, 2019

Based on your error, it looks like there's a permissions issue with the SageMaker notebook trying to change IAM settings from within a notebook that does not explicitly have permission to do so.
You have a few options here to remedy this:

Option 1: Granting the SageMaker notebook permissions to define an IAM role within the notebook during runtime.

From the console, click on Hosted Notebooks along the left navbar, then under Permissions, click the attached IAM role. Here, you can add policies such as IAMFullAccess or IAMReadOnlyAccess. This should solve for the permissions error when you try to attach an IAM role from within the notebook.

Option 2: Explicitly define the permissions you want SageMaker to have in the console.

From the console, click on Hosted Notebooks along the left navbar, then under Permissions, click the attached IAM role. Here, you can directly add policies for resource permissions (such as Comprehend). Without attaching explicit IAM access policies to this role, you wouldn't be able to change permissions during runtime.

Option 3: Both

If you'd like to pre-define access for some resources, but also potentially add other resource permissions during experimentation, you can do both steps 1 and 2 (Add IAM + other resource permissions to the hosted notebook in console, with the ability to change your SageMaker IAM role inline during experimentation).
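The error in the question is specifically about `iam:PassRole`: the notebook's execution role is handing the same role to Comprehend as its data access role, and nothing allows that. A narrower alternative to attaching `IAMFullAccess` is a policy that permits passing exactly that role, and only to Comprehend. The following is an added example, not code from the question or answer; it reuses the account ID and role ARN from the question, and the `pass_role_allowed` function is a deliberately simplified local check, not AWS's policy evaluation engine.

```python
import json

# ARN values taken from the question; everything else here is constructed.
ACCOUNT_ID = "545176143103"
DATA_ACCESS_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/access-aws-services-from-sagemaker"
COMPREHEND_SERVICE = "comprehend.amazonaws.com"

def build_pass_role_policy(role_arn: str, service: str) -> dict:
    """Least-privilege identity policy for the notebook's execution role:
    it may pass exactly one role, and only to the named service.
    The passed role must additionally trust that service in its own
    trust policy (sts:AssumeRole for comprehend.amazonaws.com), or
    Comprehend still cannot use it."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "PassDataAccessRoleToComprehend",
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": role_arn,
            "Condition": {"StringEquals": {"iam:PassedToService": service}},
        }],
    }

def _as_list(value):
    return value if isinstance(value, list) else [value]

def pass_role_allowed(policy: dict, role_arn: str, service: str) -> bool:
    """Simplified local check (not the IAM engine, no Deny handling):
    does some Allow statement cover iam:PassRole on role_arn when the
    role is passed to `service`? Shows what the condition key rules out."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt["Action"])
        if not {"iam:PassRole", "iam:*", "*"} & set(actions):
            continue
        resources = _as_list(stmt["Resource"])
        if role_arn not in resources and "*" not in resources:
            continue
        wanted = stmt.get("Condition", {}).get("StringEquals", {}).get("iam:PassedToService")
        if wanted is not None and service not in _as_list(wanted):
            continue
        return True
    return False

if __name__ == "__main__":
    policy = build_pass_role_policy(DATA_ACCESS_ROLE_ARN, COMPREHEND_SERVICE)
    print(json.dumps(policy, indent=2))  # paste this as an inline policy on the execution role
```

Compared with `IAMFullAccess`, this policy cannot be used from the notebook to create roles, attach policies, or pass the role to any other service.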