stackoom
  简体   繁体   中英

create sagemaker notebook instance via Terraform

 原文  2022-04-11 12:30:47       amazon-web-services/ terraform/ amazon-sagemaker

Question

I am taking my first steps into the Terraform world so please be gentle with me. I have a user with AmazonSageMakerFullAccess, which I stored via AWS CLI in a profile called terraform. I can create an S3 bucket as follows no problem referring this user in Windows in VSC:

provider "aws" {
    region = "eu-west-2"
    shared_credentials_files = ["C:\\Users\\amazinguser\\.aws\\credentials"]
    profile = "terraform"
}

resource "aws_s3_bucket" "b" {
  bucket = "blabla-test-bucket"

  tags = {
    Name        = "amazing_tag"
    Environment = "dev"
  }
}

I try to implement this documented here and try to this:

resource "aws_sagemaker_notebook_instance" "notebook_instance" {
  name = "titanic-sagemaker-byoc-notebook"
  role_arn = aws_iam_role.notebook_iam_role.arn
  instance_type = "ml.t2.medium"
  #lifecycle_config_name = aws_sagemaker_notebook_instance_lifecycle_configuration.notebook_config.name
  #default_code_repository = aws_sagemaker_code_repository.git_repo.code_repository_name
}

I am a bit confused about the role_arn which is defined here:

https://github.com/dkhundley/terraform-sagemaker-tutorial/blob/main/Part%202a%20-%20Creating%20a%20SageMaker%20Notebook/terraform/iam.tf

Can I not use the above user? Thanks!

1 answers

solution1
 2 ACCPTED  2022-04-11 14:38:53

AWS services trying to call other AWS services and perform actions are not allowed to do so by default. For example, SageMaker Notebooks are basically EC2 instances. In order for SageMaker to create EC2 instances, it has to have a policy which allows eg, injecting ENIs to a VPC. Since you probably do not want to do all that by yourself (it is a managed Notebook service after all), you have to give SageMaker permissions to perform actions on your behalf. Enter execution roles . For SageMaker, you can read more in [1]. Other services that you will commonly find using execution roles are Lambda, ECS and many others. An IAM role usually consists of two parts:

  1. Trust relationship (I like to call it trust policy)
  2. Permissions policy

The first one decides which principal (AWS identifier, Service etc. [2]) will be able to assume the role. In your example, that is:

data "aws_iam_policy_document" "sm_assume_role_policy" {
  statement {
    actions = ["sts:AssumeRole"]
    
    principals {
      type = "Service"
      identifiers = ["sagemaker.amazonaws.com"]
    }
  }
}

What this policy says is "I am going to allow SageMaker (which is of type Service ) to assume any role to which this policy is attached and perform actions that are defined in the permissions policy". The permissions policy is:

# Attaching the AWS default policy, "AmazonSageMakerFullAccess"
resource "aws_iam_policy_attachment" "sm_full_access_attach" {
  name = "sm-full-access-attachment"
  roles = [aws_iam_role.notebook_iam_role.name]
  policy_arn = "arn:aws:iam::aws:policy/AmazonSageMakerFullAccess"
}

Without going into too much details about what the AWS managed policy for SageMaker does, it is enough to see the FullAccess part for it to be clear. What you could do if you want to be extra careful is to define a customer managed policy [3] for SageMaker notebooks. This permissions policy will be attached to the IAM role(s) defined in the roles argument. Note that it is a list, so multiple roles can have the same permissions policy attached.

Last, but not the least, the glue between the trust and permissions policy is the role itself:

resource "aws_iam_role" "notebook_iam_role" {
  name = "sm_notebook_role"
  assume_role_policy = data.aws_iam_policy_document.sm_assume_role_policy.json
}

As you can see, the assume_role_policy is the policy which will allow SageMaker to perform actions in the AWS account based on the permissions defined in the permissions policy.

This topic is much more complex than in this answer, but it should give you a fair amount of information.

NOTE: In theory, the same role accessing information in AWS and running the AWS API actions when using Terraform could be used for SageMaker, but I would strongly advise against it. Always keep in mind separation of concerns and principle of least privilege.

[1] https://docs.aws.amazon.com/sagemaker/latest/dg/sagemaker-roles.html#sagemaker-roles-create-execution-role

[2] https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html

[3] https://docs.aws.amazon.com/acm/latest/userguide/authen-custmanagedpolicies.html

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Graphviz running on SageMaker notebook instance but not SageMaker Studio Automatically "stop" Sagemaker notebook instance after inactivity? Is sagemaker:CreatePresignedDomainUrl required to open jupyter in SageMaker notebook instance? Unable to open Jupyter Notebook instance on AWS Sagemaker how to create a serverless endpoint in sagemaker via cloudformation? Autoscaling in Sagemaker by Terraform Install spark 3.2 in SageMaker Notebook xgboost on Sagemaker notebook import fails unable to create efs secondary gid via terraform Can't create a GCE instance with static IP with Terraform
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM