AccessDeniedException on sagemaker:CreateDomain in AWS SageMaker Studio, despite having SageMakerFullAccess

Question

I am trying to use the AWS SageMaker Studio > Get Started > Quick Start, as an IAM user with the AmazonSageMakerFullAccess policy attached, but I am getting the following error:

User: arn:aws:iam::<user-id>:user/<username> is not authorized to perform: sagemaker:CreateDomain on resource: arn:aws:sagemaker:us-west-1:<user-id>:domain/d-<domain-id>

I looked up some documentation on the CreateDomain command, and it looks like it involves EFS storage and VPC configuration, so I have also added the FullAccess policies for these services to my IAM user, but am still getting the same error.

I also tried adding a custom policy as shown here: https://docs.aws.amazon.com/sagemaker/latest/dg/sagemaker-roles.html#sagemaker-roles-createdomain-perms which also seemed to have no effect.

What am I doing wrong here?

Answer 1

AmazonSageMakerFullAccess policy gives the user access to perform actions such as start training jobs, deploy endpoints, along with limited access on other services such as ECR, Glue etc. This is generally attached to a SageMaker notebook instance or Studio.

The user creating the SageMaker domain needs sagemaker:CreateDomain permission, i.e., to your IAM user, add:

        {
            "Sid": "AllowCreateDomain",
            "Effect": "Allow",
            "Action": "sagemaker:CreateDomain",
            "Resource": "*"
        }

I work at AWS and my opinions are my own.

Answer 2

To me you are not doing anything wrong. If you look at the part for domain related actions in the "full access" policy:

    {
        "Effect": "Allow",
        "Action": [
            "sagemaker:CreatePresignedDomainUrl",
            "sagemaker:DescribeDomain",
            "sagemaker:ListDomains",
            "sagemaker:DescribeUserProfile",
            "sagemaker:ListUserProfiles",
            "sagemaker:DescribeSpace",
            "sagemaker:ListSpaces",
            "sagemaker:*App",
            "sagemaker:ListApps"
        ],
        "Resource": "*"
    }

There is no CreateDomain and you need to add the action yourself. Also missing are actions like CreateUserProfile -- I realized that after wasting a lot of time on error messages. I didn't find any predefined policy that allows these actions. You can create inline policies to allow these actions.

(I don't know what "full access" means for people at AWS, but it does not make any sense to me based on my experience -- especially when it is not easy to find all the permissions required beforehand)

Answer 3

I figured out that this is because certain actions does not work with specific resource only. For some actions like CreateDomain you must use wilcard * in resource field.