
AWS resource is getting created before IAM role hence failing for missing role

I am trying to create an endpoint in SageMaker using the serverless.yaml file below. I am getting

PocModelEndPointRole" exists and that its trust relationship policy allows the action "sts:AssumeRole" for the service principal

After investigating the stack events I see

2022-05-25 02:03:03 UTC+0530    RModelEndpointModel CREATE_FAILED   Could not access model data at s3://my-bucket/output/byom_poc/gre_score_knn.tar.gz. Please ensure that the role "arn:aws:iam::19:role/PocModelEndPointRole" exists and that its trust relationship policy allows the action "sts:AssumeRole" for the service principal "sagemaker.amazonaws.com". Also ensure that the role has "s3:GetObject" permissions and that the object is located in us-east-2. (Service: AmazonSageMaker; Status Code: 400; Error Code: ValidationException; Request ID: 243d62e4b-a7a1-488a-b89e-8aa0fb486296; Proxy: null)
2022-05-25 02:03:02 UTC+0530    ServiceNotificationTopic    CREATE_IN_PROGRESS  Resource creation Initiated
2022-05-25 02:03:02 UTC+0530    ModelEndpointRole   CREATE_IN_PROGRESS  Resource creation Initiated
2022-05-25 02:03:01 UTC+0530    ServiceNotificationTopic    CREATE_IN_PROGRESS  -
2022-05-25 02:03:01 UTC+0530    RModelEndpointModel CREATE_IN_PROGRESS  -
2022-05-25 02:03:01 UTC+0530    ModelEndpointRole   CREATE_IN_PROGRESS  -
2022-05-25 02:02:57 UTC+0530    byom-pc-dev CREATE_IN_PROGRESS  User Initiated

Serverless.yaml

resources:
  Resources:
    RModelEndpointRole:
      Type: AWS::IAM::Role
      Properties:
        Path: /
        RoleName: ${self:custom.modelEndpointRoleName}
        PermissionsBoundary: ${self:provider.rolePermissionsBoundary}
        ManagedPolicyArns:
          - "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
          - "arn:aws:iam::aws:policy/CloudWatchLogsFullAccess"
          - "arn:aws:iam::aws:policy/CloudWatchEventsFullAccess"
          - "arn:aws:iam::aws:policy/AmazonSageMakerFullAccess"
        AssumeRolePolicyDocument:
          Version: "2012-10-17"
          Statement:
            - Effect: Allow
              Principal:
                Service:
                  - events.amazonaws.com
                  - states.amazonaws.com
                  - sagemaker.amazonaws.com
              Action:
                - sts:AssumeRole
        Policies:
          - PolicyName: ${self:custom.modelEndpointRoleName}
            PolicyDocument:
              Version: "2012-10-17"
              Statement:
                - Effect: Allow
                  Action:
                    - s3:List*
                    - s3:Get*
                    - s3:Put*
                  Resource:
                    - "arn:aws:s3:::${self:custom.deploymentBucket}/*"
                    - "arn:aws:s3:::${self:custom.deploymentBucket}"
    RModelEndpoint:
      Type: "AWS::SageMaker::Endpoint"
      Properties:
        EndpointConfigName:
          !GetAtt RModelEndpointConfig.EndpointConfigName
    RModelEndpointConfig:
      Type: "AWS::SageMaker::EndpointConfig"
      Properties:
        ProductionVariants:
          - InitialInstanceCount: 1
            InitialVariantWeight: 1.0
            InstanceType: ml.t2.large
#            ModelName: "myrmodel"
#            VariantName: "test1"
            ModelName: !GetAtt RModelEndpointModel.ModelName
            VariantName: !GetAtt RModelEndpointModel.ModelName
    RModelEndpointModel:
      Type: "AWS::SageMaker::Model"
      Properties:
          PrimaryContainer:
            Image: ${self:custom.sagemakerRExecutionContainerURI}
            Mode: SingleModel
            #ModelDataUrl: !Sub s3://${AppBucket}/${ModelDataPath}
            #ModelDataUrl: s3://${self:custom.deploymentBucket}/${self:service}/${self.custom.ModelDataPath}
            ModelDataUrl: "s3://my-bucket/output/byom_poc/gre_score_knn.tar.gz"             
          
          ExecutionRoleArn: "${self:custom.modelEndpointRoleARN}"        

Error that I am getting

Serverless Error ---------------------------------------
 
  An error occurred: RModelEndpointModel - Could not access model data at s3://my-bucket/output/byom_poc/gre_score_knn.tar.gz. Please ensure that the role "arn:aws:iam::19:role/PocModelEndPointRole" exists and that its trust relationship policy allows the action "sts:AssumeRole" for the service principal "sagemaker.amazonaws.com". Also ensure that the role has "s3:GetObject" permissions and that the object is located in us-east-2. (Service: AmazonSageMaker; Status Code: 400; Error Code: ValidationException; Request ID: 83d62e4b-a7a1-488a-b89e-8aa0fb486296; Proxy: null).

I found this link

Below code worked for me.

RModelEndpointModel:
   DependsOn: ModelEndpointRole
   Type: "AWS::SageMaker::Model"
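The stack events above show the role and the model both entering CREATE_IN_PROGRESS in the same second: a literal role ARN string in `ExecutionRoleArn` gives CloudFormation no ordering information. The following check is an added example, not part of the original post; it scans a resolved template (as a Python dict) for that pattern. The function name `unordered_role_uses` and the account ID `111122223333` are constructed for illustration.

```python
import re

# Matches a literal IAM role ARN and captures the role name (optional path allowed).
ROLE_ARN = re.compile(r"^arn:aws[\w-]*:iam::\d*:role/(?:.+/)?([\w+=,.@-]+)$")

def _strings(node):
    """Yield every plain string nested anywhere in a property tree."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, list):
        for item in node:
            yield from _strings(item)
    elif isinstance(node, dict):
        for value in node.values():
            yield from _strings(value)

def unordered_role_uses(template):
    """Return (resource, role) logical-ID pairs where a resource names a role
    created in the same stack by literal ARN but has no DependsOn on it."""
    resources = template["Resources"]
    # RoleName -> logical ID for every role this stack creates
    roles = {r.get("Properties", {}).get("RoleName"): lid
             for lid, r in resources.items() if r["Type"] == "AWS::IAM::Role"}
    findings = []
    for lid, res in resources.items():
        deps = res.get("DependsOn", [])
        deps = [deps] if isinstance(deps, str) else deps
        for text in _strings(res.get("Properties", {})):
            match = ROLE_ARN.match(text)
            role_lid = roles.get(match.group(1)) if match else None
            if role_lid and role_lid != lid and role_lid not in deps:
                findings.append((lid, role_lid))
    return findings

# Constructed sample: the template from the question after Serverless has
# substituted its ${self:custom...} variables with plain strings.
SAMPLE = {"Resources": {
    "RModelEndpointRole": {
        "Type": "AWS::IAM::Role",
        "Properties": {"RoleName": "PocModelEndPointRole"}},
    "RModelEndpointModel": {
        "Type": "AWS::SageMaker::Model",
        "Properties": {"ExecutionRoleArn":
                       "arn:aws:iam::111122223333:role/PocModelEndPointRole"}},
}}

if __name__ == "__main__":
    for resource, role in unordered_role_uses(SAMPLE):
        print(f"{resource} uses {role} by literal ARN without DependsOn")
```

Either fix clears the finding: the `DependsOn` from the answer, or replacing the literal ARN with `!GetAtt` on the role's `Arn`, which makes the dependency implicit.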
