SageMaker - What IAM Permission to specify for ECR?

0
votes

Question

Is this the ECR IAM permission required for SageMaker to use the XGBoost of the Amazon SageMaker built-in algorithms in the us-west-1 region?

"Effect": "Allow",
"Action": [
  "ecr:GetAuthorizationToken",
  "ecr:BatchCheckLayerAvailability",
  "ecr:GetDownloadUrlForLayer",
  "ecr:BatchGetImage"
],
"Resource": [
  "arn:aws:ecr:us-west-1:632365934929:repository/632365934929.dkr.ecr.us-west-1.amazonaws.com/xgboost:1"
]

Background

The AWS document Amazon SageMaker Roles tells to specify TrainingImage value of the CreateTrainingJob API.

Scope ecr permissions as follows:
- Scope to the AlgorithmSpecification.TrainingImage value that you specify in a CreateTrainingJob request.
- Scope to the PrimaryContainer.Image value that you specify in a CreateModel request:


"Effect": "Allow",
"Action": [
  "ecr:BatchCheckLayerAvailability",
  "ecr:GetDownloadUrlForLayer",
  "ecr:BatchGetImage"
],
"Resource": [
  "arn:aws:ecr:::repository/my-repo1",
  "arn:aws:ecr:::repository/my-repo2",
  "arn:aws:ecr:::repository/my-repo3"
]

The AWS SageMaker API document TrainingImage tells to specify the algorithm docker image registry path as the value.

TrainingImage

The registry path of the Docker image that contains the training algorithm. For information about docker registry paths for built-in algorithms, see Algorithms Provided by Amazon SageMaker: Common Parameters. Amazon SageMaker supports both registry/repository[:tag] and registry/repository[@digest] image path formats.

The AWS document Common parameters for built-in algorithms indicates the XGBoost registry path is 632365934929.dkr.ecr.us-west-1.amazonaws.com/xgboost:1.


|Algorithm name|Training image and inference image registry path|
|XGBoost | ecr_path/xgboost:tag|

ecr_path (Algorithms: BlazingText, ..., Seq2Seq, and XGBoost (0.72)
| us-west-1 | 632365934929.dkr.ecr.us-west-1.amazonaws.com |

For the Training Image and Inference Image Registry Path column, use the :1 version tag to ensure that you are using a stable version of the algorithm. You can reliably host a model trained using an image with the :1 tag on an inference image that has the :1 tag.

1
amazon-web-servicesamazon-iamamazon-sagemaker

1 Answers

0
votes

As per the note on page https://docs.aws.amazon.com/sagemaker/latest/dg/sagemaker-algo-docker-registry-paths.html

For XGBoost, do not use :latest or :1. Use the specific version you require, such as :0.90-1-cpu-py3, :0.90-2-cpu-py3, :1.0-1-cpu-py3, or :1.2-1.