IAM Roles for Sagemaker?

2
votes

I'm trying to get AWS SageMaker to call AWS Comprehend. I'm getting this message in SageMaker:

ClientError: An error occurred (AccessDeniedException) when calling the StartTopicsDetectionJob operation: User: arn:aws:sts::545176143103:assumed-role/access-aws-services-from-sagemaker/SageMaker is not authorized to perform: iam:PassRole on resource: arn:aws:iam::545176143103:role/access-aws-services-from-sagemaker

When creating the Jupyter notebook, I used this role:

arn:aws:sagemaker:us-east-2:545176143103:notebook-instance/access-comprehend-from-sagemaker

...with the following policies attached:

enter image description here

I'm using the same IAM role in SageMaker:

 data_access_role_arn = "arn:aws:iam::545176143103:role/access-aws-services-from-sagemaker"

It looks like I'm giving the role all the access it needs. How can I correct this error?

2
amazon-web-servicesamazon-iamamazon-sagemakeramazon-comprehend

2 Answers

5
votes

Based on your error, it looks like there's a permissions issue with the SageMaker notebook trying to change IAM settings from within a notebook that does not explicitly have permission to do so.

You have a few options here to remedy this:

Option 1: Granting the SageMaker notebook permissions to define IAM role within the notebook during runtime.

From the console, click on Hosted Notebooks along the left navbar, then under Permissions, click the attached IAM role. Here, you can add policies such as IAMFullAccess or IAMReadOnlyAccess. This should solve for the permissions error when you try to attach an IAM role from within the notebook.

Option 2: Explicitly define the permissions you want SageMaker to have in the console.

From the console, click on Hosted Notebooks along the left navbar, then under Permissions, click the attached IAM role. Here, you can directly add policies for resource permissions (such as Comprehend). Without attaching explicit IAM access policies to this role, you wouldn't be able to change permissions during runtime.

Option 3: Both

If you'd like to pre-define access for some resources, but also potentially add other resource permissions during experimentation, you can do both steps 1 and 2 (Add IAM + other resource permissions to the hosted notebook in console, with the ability to change your SageMaker IAM role inline during experimentation).

0
votes

You need to add sts full access in order for Sagemaker to have assumed role. User: arn:aws:sts::545176143103:assumed-role

{
"Version": "2012-10-17",
"Statement": [
    {
        "Sid": "VisualEditor0",
        "Effect": "Allow",
        "Action": [
            "sts:DecodeAuthorizationMessage",
            "sts:GetAccessKeyInfo",
            "sts:GetCallerIdentity"
        ],
        "Resource": "*"
    },
    {
        "Sid": "VisualEditor1",
        "Effect": "Allow",
        "Action": "sts:*",
        "Resource": "*"
    }
]

}