Mixing
How do I make this IAM role error in aws sagemaker go away?
I suspect this has to more to do with IAM roles than Sagemaker.
I'm following the example here
Specifically, when it makes this call
tf_estimator.fit('s3://bucket/path/to/training/data')
I get this error
ClientError: An error occurred (AccessDenied) when calling the GetRole operation: User: arn:aws:sts::013772784144:assumed-role/AmazonSageMaker-ExecutionRole-20181022T195630/SageMaker is not authorized to perform: iam:GetRole on resource: role SageMakerRole
My notebook instance has an IAM role attached to it.
That role has the AmazonSageMakerFullAccess policy. It also has a custom policy that looks like this
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:PutObject",
"s3:DeleteObject",
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::*"
]
}
]
}
My input files and .py script is in an s3 bucket with the phrase sagemaker in it.
What else am I missing?
amazon-web-services amazon-iam amazon-sagemaker
asked Nov 22 '18 at 2:27
kanekane
1,25011739
add a comment |
I suspect this has to more to do with IAM roles than Sagemaker.
I'm following the example here
Specifically, when it makes this call
tf_estimator.fit('s3://bucket/path/to/training/data')
I get this error
ClientError: An error occurred (AccessDenied) when calling the GetRole operation: User: arn:aws:sts::013772784144:assumed-role/AmazonSageMaker-ExecutionRole-20181022T195630/SageMaker is not authorized to perform: iam:GetRole on resource: role SageMakerRole
My notebook instance has an IAM role attached to it.
That role has the AmazonSageMakerFullAccess policy. It also has a custom policy that looks like this
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:PutObject",
"s3:DeleteObject",
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::*"
]
}
]
}
My input files and .py script is in an s3 bucket with the phrase sagemaker in it.
What else am I missing?
amazon-web-services amazon-iam amazon-sagemaker
asked Nov 22 '18 at 2:27
kanekane
1,25011739
add a comment |
I suspect this has to more to do with IAM roles than Sagemaker.
I'm following the example here
Specifically, when it makes this call
tf_estimator.fit('s3://bucket/path/to/training/data')
I get this error
ClientError: An error occurred (AccessDenied) when calling the GetRole operation: User: arn:aws:sts::013772784144:assumed-role/AmazonSageMaker-ExecutionRole-20181022T195630/SageMaker is not authorized to perform: iam:GetRole on resource: role SageMakerRole
My notebook instance has an IAM role attached to it.
That role has the AmazonSageMakerFullAccess policy. It also has a custom policy that looks like this
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:PutObject",
"s3:DeleteObject",
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::*"
]
}
]
}
My input files and .py script is in an s3 bucket with the phrase sagemaker in it.
What else am I missing?
amazon-web-services amazon-iam amazon-sagemaker
asked Nov 22 '18 at 2:27
kanekane
1,25011739
I suspect this has to more to do with IAM roles than Sagemaker.
I'm following the example here
Specifically, when it makes this call
tf_estimator.fit('s3://bucket/path/to/training/data')
I get this error
ClientError: An error occurred (AccessDenied) when calling the GetRole operation: User: arn:aws:sts::013772784144:assumed-role/AmazonSageMaker-ExecutionRole-20181022T195630/SageMaker is not authorized to perform: iam:GetRole on resource: role SageMakerRole
My notebook instance has an IAM role attached to it.
That role has the AmazonSageMakerFullAccess policy. It also has a custom policy that looks like this
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:PutObject",
"s3:DeleteObject",
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::*"
]
}
]
}
My input files and .py script is in an s3 bucket with the phrase sagemaker in it.
What else am I missing?
amazon-web-services amazon-iam amazon-sagemaker
amazon-web-services amazon-iam amazon-sagemaker
asked Nov 22 '18 at 2:27
kanekane
1,25011739
asked Nov 22 '18 at 2:27
kanekane
1,25011739
asked Nov 22 '18 at 2:27
kanekane
1,25011739
asked Nov 22 '18 at 2:27
kanekane
1,25011739
asked Nov 22 '18 at 2:27
kanekane
1,25011739
1,25011739
add a comment |
add a comment |
2 Answers
2
active
oldest
votes
If you're running the example code on a SageMaker notebook instance, you can use the execution_role which has the AmazonSageMakerFullAccess attached.
from sagemaker import get_execution_role
sagemaker_session = sagemaker.Session()
role = get_execution_role()
And you can pass this role when initializing tf_estimator.
You can check out the example here[1] for using execution_role with S3 on notebook instance.
[1] https://docs.aws.amazon.com/sagemaker/latest/dg/automatic-model-tuning-ex-role.html
answered Nov 23 '18 at 22:08
HanHan
612
That was it! Thank you!
– kane
Nov 27 '18 at 6:07
add a comment |
This is not an issue with S3 Bucket policy but for IAM, The user role that you're choosing has a policy attached that doesn't give it permissions to manage other IAM roles. You'll need to make sure the role you're using can manage (create, read, update) IAM roles.
Hope this helps !
answered Nov 22 '18 at 6:47
Kush VyasKush Vyas
3,1381925
yes, you were onto something. I just didn't know what to do about that until @Han pointed it out
– kane
Nov 27 '18 at 6:08
add a comment |
Your Answer
StackExchange.ifUsing("editor", function () {
StackExchange.using("externalEditor", function () {
StackExchange.using("snippets", function () {
StackExchange.snippets.init();
});
});
}, "code-snippets");
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "1"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53423061%2fhow-do-i-make-this-iam-role-error-in-aws-sagemaker-go-away%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
2 Answers
2
active
oldest
votes
2 Answers
2
active
oldest
votes
active
oldest
votes
active
oldest
votes
If you're running the example code on a SageMaker notebook instance, you can use the execution_role which has the AmazonSageMakerFullAccess attached.
from sagemaker import get_execution_role
sagemaker_session = sagemaker.Session()
role = get_execution_role()
And you can pass this role when initializing tf_estimator.
You can check out the example here[1] for using execution_role with S3 on notebook instance.
[1] https://docs.aws.amazon.com/sagemaker/latest/dg/automatic-model-tuning-ex-role.html
answered Nov 23 '18 at 22:08
HanHan
612
That was it! Thank you!
– kane
Nov 27 '18 at 6:07
add a comment |
If you're running the example code on a SageMaker notebook instance, you can use the execution_role which has the AmazonSageMakerFullAccess attached.
from sagemaker import get_execution_role
sagemaker_session = sagemaker.Session()
role = get_execution_role()
And you can pass this role when initializing tf_estimator.
You can check out the example here[1] for using execution_role with S3 on notebook instance.
[1] https://docs.aws.amazon.com/sagemaker/latest/dg/automatic-model-tuning-ex-role.html
answered Nov 23 '18 at 22:08
HanHan
612
That was it! Thank you!
– kane
Nov 27 '18 at 6:07
add a comment |
If you're running the example code on a SageMaker notebook instance, you can use the execution_role which has the AmazonSageMakerFullAccess attached.
from sagemaker import get_execution_role
sagemaker_session = sagemaker.Session()
role = get_execution_role()
And you can pass this role when initializing tf_estimator.
You can check out the example here[1] for using execution_role with S3 on notebook instance.
[1] https://docs.aws.amazon.com/sagemaker/latest/dg/automatic-model-tuning-ex-role.html
answered Nov 23 '18 at 22:08
HanHan
612
If you're running the example code on a SageMaker notebook instance, you can use the execution_role which has the AmazonSageMakerFullAccess attached.
from sagemaker import get_execution_role
sagemaker_session = sagemaker.Session()
role = get_execution_role()
And you can pass this role when initializing tf_estimator.
You can check out the example here[1] for using execution_role with S3 on notebook instance.
[1] https://docs.aws.amazon.com/sagemaker/latest/dg/automatic-model-tuning-ex-role.html
answered Nov 23 '18 at 22:08
HanHan
612
answered Nov 23 '18 at 22:08
HanHan
612
answered Nov 23 '18 at 22:08
HanHan
612
answered Nov 23 '18 at 22:08
HanHan
612
612
That was it! Thank you!
– kane
Nov 27 '18 at 6:07
add a comment |
That was it! Thank you!
– kane
Nov 27 '18 at 6:07
That was it! Thank you!
– kane
Nov 27 '18 at 6:07
That was it! Thank you!
– kane
Nov 27 '18 at 6:07
add a comment |
This is not an issue with S3 Bucket policy but for IAM, The user role that you're choosing has a policy attached that doesn't give it permissions to manage other IAM roles. You'll need to make sure the role you're using can manage (create, read, update) IAM roles.
Hope this helps !
answered Nov 22 '18 at 6:47
Kush VyasKush Vyas
3,1381925
yes, you were onto something. I just didn't know what to do about that until @Han pointed it out
– kane
Nov 27 '18 at 6:08
add a comment |
This is not an issue with S3 Bucket policy but for IAM, The user role that you're choosing has a policy attached that doesn't give it permissions to manage other IAM roles. You'll need to make sure the role you're using can manage (create, read, update) IAM roles.
Hope this helps !
answered Nov 22 '18 at 6:47
Kush VyasKush Vyas
3,1381925
yes, you were onto something. I just didn't know what to do about that until @Han pointed it out
– kane
Nov 27 '18 at 6:08
add a comment |
This is not an issue with S3 Bucket policy but for IAM, The user role that you're choosing has a policy attached that doesn't give it permissions to manage other IAM roles. You'll need to make sure the role you're using can manage (create, read, update) IAM roles.
Hope this helps !
answered Nov 22 '18 at 6:47
Kush VyasKush Vyas
3,1381925
This is not an issue with S3 Bucket policy but for IAM, The user role that you're choosing has a policy attached that doesn't give it permissions to manage other IAM roles. You'll need to make sure the role you're using can manage (create, read, update) IAM roles.
Hope this helps !
answered Nov 22 '18 at 6:47
Kush VyasKush Vyas
3,1381925
answered Nov 22 '18 at 6:47
Kush VyasKush Vyas
3,1381925
answered Nov 22 '18 at 6:47
Kush VyasKush Vyas
3,1381925
answered Nov 22 '18 at 6:47
Kush VyasKush Vyas
3,1381925
3,1381925
yes, you were onto something. I just didn't know what to do about that until @Han pointed it out
– kane
Nov 27 '18 at 6:08
add a comment |
yes, you were onto something. I just didn't know what to do about that until @Han pointed it out
– kane
Nov 27 '18 at 6:08
yes, you were onto something. I just didn't know what to do about that until @Han pointed it out
– kane
Nov 27 '18 at 6:08
yes, you were onto something. I just didn't know what to do about that until @Han pointed it out
– kane
Nov 27 '18 at 6:08
add a comment |
Thanks for contributing an answer to Stack Overflow!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53423061%2fhow-do-i-make-this-iam-role-error-in-aws-sagemaker-go-away%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
