4

When I get to the Notebook Instance in SageMaker and create a model in the linear_learner_mnist example, I get an error even when I have the role with the AmazonSageMakerFullAccess and AssumeRole policies attached. When I add the AdministratorAccess policy to the role, all works fine. What am I missing here?

role exists and attached

Resources:
  SageMakerExecutionRole:
    Condition: RoleArnEmpty
    Type: "AWS::IAM::Role"
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Effect: "Allow"
            Principal:
              Service:
                - "sagemaker.amazonaws.com"
            Action:
              - sts:AssumeRole
      ManagedPolicyArns:
        - "arn:aws:iam::aws:policy/AmazonSageMakerFullAccess"
      Path: "/service-role/"
      Policies:
        Fn::If:
        - S3BucketNotEmpty
        -
          - PolicyName: SageMakerS3BucketAccess
            PolicyDocument:
              Version: '2012-10-17'
              Statement:
                - Effect: Allow
                  Action:
                    - s3:*
                  Resource:
                    - !Sub 'arn:aws:s3:::${SageMakerS3Bucket}'
                    - !Sub 'arn:aws:s3:::${SageMakerS3Bucket}/*'
        - Ref: AWS::NoValue

ClientError: An error occurred (ValidationException) when calling the CreateTrainingJob operation: Could not assume role arn:aws:iam::XXX:role/sagemaker-stack-SageMakerExecutionRole-1JT7AT4OPUK9R. Please ensure that the role exists and allows principal 'sagemaker.amazonaws.com' to assume the role.

2 Answers

6

I'm surprised that everything works normally when you add the AdministratorAccess policy. The error and how to correct it are documented at https://docs.aws.amazon.com/sagemaker/latest/dg/sagemaker-roles.html.

An Amazon SageMaker user can grant these permissions with an IAM role (referred to as an execution role). The user passes the role when making these API calls: CreateNotebookInstance, CreateHyperParameterTuningJob, CreateTrainingJob, and CreateModel.

You attach the following trust policy to the IAM role which grants Amazon SageMaker principal permissions to assume the role, and is the same for all of the execution roles:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "sagemaker.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

In the Identity and Access Management (IAM) Console, I added the statement section above to the trust policy under the trust relationships section of my role, and it fixed this error for me.

1 Comment

This still doesn't work at times.

1

I tried to create an IAM role based on the CloudFormation template you provided and got a role with ARN - arn:aws:iam::xxx:role/service-role/test-iam-SageMakerExecutionRole-187YIQM7UMMXF.

I think the issue is the role ARN you set when creating the training job is not correct. You probably need to add "/service-role" before the role name.
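
An added example (not part of either answer, and not AWS code) that checks both causes raised above for the "Could not assume role" error: a trust policy that does not name `sagemaker.amazonaws.com`, and a role ARN passed without the role's `Path`. The account id and role name are constructed; the function names are hypothetical.

```python
SAGEMAKER = "sagemaker.amazonaws.com"

# Trust policy quoted in the first answer.
PAGE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "sagemaker.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
}

def as_list(value):
    """IAM JSON accepts either one value or a list in these fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def trust_allows_service(trust_policy, service=SAGEMAKER):
    """True if an Allow statement lets `service` call sts:AssumeRole.
    Condition blocks and Deny statements are not evaluated here."""
    for stmt in as_list(trust_policy.get("Statement")):
        actions = [a.lower() for a in as_list(stmt.get("Action"))]
        principal = stmt.get("Principal")
        services = as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if stmt.get("Effect") == "Allow" and "sts:assumerole" in actions and service in services:
            return True
    return False

def expected_role_arn(account_id, path, role_name, partition="aws"):
    """IAM places the role's Path between 'role' and the role name."""
    inner = path.strip("/")
    return f"arn:{partition}:iam::{account_id}:role/{inner + '/' if inner else ''}{role_name}"

def diagnose(passed_arn, account_id, path, role_name, trust_policy):
    """List the reasons the passed role ARN could fail to be assumed."""
    problems = []
    actual = expected_role_arn(account_id, path, role_name)
    if passed_arn != actual:
        problems.append(f"ARN mismatch: passed {passed_arn}, role is {actual}")
    if not trust_allows_service(trust_policy):
        problems.append(f"trust policy does not allow {SAGEMAKER} to assume the role")
    return problems

if __name__ == "__main__":
    # Constructed account id and role name; Path is the template's "/service-role/".
    name = "example-SageMakerExecutionRole"
    bad_arn = f"arn:aws:iam::111122223333:role/{name}"
    for line in diagnose(bad_arn, "111122223333", "/service-role/", name, PAGE_TRUST_POLICY):
        print(line)
```
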
