AccessDeniedException on sagemaker:CreateDomain in AWS SageMaker Studio, despite having SageMakerFullAccess


I am trying to use the AWS SageMaker Studio > Get Started > Quick Start, as an IAM user with the AmazonSageMakerFullAccess policy attached, but I am getting the following error:

User: arn:aws:iam::<user-id>:user/<username> is not authorized to perform: sagemaker:CreateDomain on resource: arn:aws:sagemaker:us-west-1:<user-id>:domain/d-<domain-id>

I looked up some documentation on the CreateDomain command, and it looks like it involves EFS storage and VPC configuration, so I have also added the FullAccess policies for these services to my IAM user, but am still getting the same error.

I also tried adding a custom policy as shown here: https://docs.aws.amazon.com/sagemaker/latest/dg/sagemaker-roles.html#sagemaker-roles-createdomain-perms which also seemed to have no effect.

What am I doing wrong here?


0

To me, you are not doing anything wrong. If you look at the part for domain-related actions in the "full access" policy:

    {
        "Effect": "Allow",
        "Action": [
            "sagemaker:CreatePresignedDomainUrl",
            "sagemaker:DescribeDomain",
            "sagemaker:ListDomains",
            "sagemaker:DescribeUserProfile",
            "sagemaker:ListUserProfiles",
            "sagemaker:DescribeSpace",
            "sagemaker:ListSpaces",
            "sagemaker:*App",
            "sagemaker:ListApps"
        ],
        "Resource": "*"
    }

There is no CreateDomain and you need to add the action yourself. Also missing are actions like CreateUserProfile -- I realized that after wasting a lot of time on error messages. I didn't find any predefined policy that allows these actions. You can create inline policies to allow these actions.

(I don't know what "full access" means for people at AWS, but it does not make any sense to me based on my experience -- especially when it is not easy to find all the permissions required beforehand)

0

The AmazonSageMakerFullAccess policy gives the user access to perform actions such as starting training jobs and deploying endpoints, along with limited access to other services such as ECR, Glue, etc. This is generally attached to a SageMaker notebook instance or Studio.

The user creating the SageMaker domain needs sagemaker:CreateDomain permission, i.e., to your IAM user, add:

        {
            "Sid": "AllowCreateDomain",
            "Effect": "Allow",
            "Action": "sagemaker:CreateDomain",
            "Resource": "*"
        }

I work at AWS and my opinions are my own.
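A quick way to see why the first answer's excerpt does not cover the question's error, and what the second answer's statement changes, is to evaluate the policy documents locally against the failing action. The following script is an added example written for this page, not code from the thread or from AWS: it implements a small subset of IAM policy evaluation (default deny, explicit Deny wins, `*`/`?` wildcards, case-insensitive action names) and runs the quoted full-access statement and the `AllowCreateDomain` statement against the ARN shape from the error message. The account ID, domain ID, the `STUDIO_SETUP_INLINE` policy (the `AllowCreateDomain` statement plus a `CreateUserProfile` statement, because the first answer reports that action as missing too) and the `STUDIO_QUICKSTART_ACTIONS` list are all constructed for the example; `NotAction`, `NotResource` and `Condition` are deliberately not modelled.

```python
"""Local check of which SageMaker Studio actions a set of IAM policy
documents grants. Added example, not from the original thread or AWS."""
import fnmatch

# Constructed input: the domain-related statement quoted from
# AmazonSageMakerFullAccess in the first answer, wrapped in a policy document.
FULL_ACCESS_EXCERPT = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "sagemaker:CreatePresignedDomainUrl",
                "sagemaker:DescribeDomain",
                "sagemaker:ListDomains",
                "sagemaker:DescribeUserProfile",
                "sagemaker:ListUserProfiles",
                "sagemaker:DescribeSpace",
                "sagemaker:ListSpaces",
                "sagemaker:*App",
                "sagemaker:ListApps",
            ],
            "Resource": "*",
        }
    ],
}

# Constructed inline policy: the second answer's AllowCreateDomain statement,
# plus CreateUserProfile, which the first answer reports as also missing.
STUDIO_SETUP_INLINE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowCreateDomain", "Effect": "Allow",
         "Action": "sagemaker:CreateDomain", "Resource": "*"},
        {"Sid": "AllowCreateUserProfile", "Effect": "Allow",
         "Action": "sagemaker:CreateUserProfile", "Resource": "*"},
    ],
}

# Placeholder ARNs (hypothetical account and domain IDs) shaped like the
# resource in the question's error message.
DOMAIN_ARN = "arn:aws:sagemaker:us-west-1:111122223333:domain/d-example"
APP_ARN = "arn:aws:sagemaker:us-west-1:111122223333:app/d-example/user/jupyterserver/default"

# Sample actions taken from the policy text in this thread.
STUDIO_QUICKSTART_ACTIONS = [
    "sagemaker:CreateDomain",
    "sagemaker:DescribeDomain",
    "sagemaker:CreateUserProfile",
    "sagemaker:CreateApp",
]


def _as_list(value):
    """IAM accepts a single string or a list in Action/Resource fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(pattern, value, case_insensitive):
    """IAM wildcard match: '*' is any run of characters, '?' a single character."""
    if case_insensitive:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def is_allowed(policies, action, resource):
    """Evaluate identity policies for one action/resource pair.

    Rules modelled: default deny; an explicit Deny overrides any Allow;
    action names match case-insensitively; resource ARNs match case-sensitively.
    NotAction, NotResource and Condition blocks are not modelled.
    """
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy.get("Statement")):
            action_hit = any(_matches(a, action, True) for a in _as_list(stmt.get("Action")))
            resource_hit = any(_matches(r, resource, False) for r in _as_list(stmt.get("Resource")))
            if not (action_hit and resource_hit):
                continue
            if stmt.get("Effect") == "Deny":
                return False
            if stmt.get("Effect") == "Allow":
                allowed = True
    return allowed


def missing_actions(policies, actions, resource):
    """Return the actions in `actions` that no policy in `policies` allows."""
    return [a for a in actions if not is_allowed(policies, a, resource)]


if __name__ == "__main__":
    print("full access alone lacks:",
          missing_actions([FULL_ACCESS_EXCERPT], STUDIO_QUICKSTART_ACTIONS, DOMAIN_ARN))
    print("with inline policy lacks:",
          missing_actions([FULL_ACCESS_EXCERPT, STUDIO_SETUP_INLINE], STUDIO_QUICKSTART_ACTIONS, DOMAIN_ARN))
```

Running it shows that `sagemaker:*App` covers `CreateApp` but nothing else in the Studio setup path, so `CreateDomain` and `CreateUserProfile` stay denied until the inline policy is attached. For the real account, the authoritative check is the IAM policy simulator (`aws iam simulate-principal-policy`), which also evaluates conditions, permission boundaries and SCPs that this local model ignores.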

1

I figured out that this is because certain actions do not work with a specific resource only. For some actions like CreateDomain you must use the wildcard * in the resource field.