How to add sagemaker createApp to user profile executionrole?
I created an AWS SageMaker user profile using Terraform. I tried launching SageMaker Studio from the user profile but ran into this error:

SageMaker is unable to use your associated ExecutionRole [arn:aws:iam::xxxxxxxxxxxx:role/sagemaker-workshop-data-ml] to create app. Verify that your associated ExecutionRole has permission for 'sagemaker:CreateApp'

The role has the SageMaker full access policy attached, but that policy doesn't have the createApp permission, which is strange. Is there any policy I can attach to the role that has the sagemaker createApp permission, or do I need to attach the policy to the role via Terraform?
Make sure your execution role does not have any permissions boundary. By default, the SageMakerFullAccess policy allows the create app permission; see this statement:
{
    "Effect": "Allow",
    "Action": [
        "sagemaker:CreatePresignedDomainUrl",
        "sagemaker:DescribeDomain",
        "sagemaker:ListDomains",
        "sagemaker:DescribeUserProfile",
        "sagemaker:ListUserProfiles",
        "sagemaker:*App",
        "sagemaker:ListApps"
    ],
    "Resource": "*"
},
You can add an inline policy like the one below to make sure your role has permission to create apps:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowCreateApp",
            "Effect": "Allow",
            "Action": "sagemaker:CreateApp",
            "Resource": "*"
        }
    ]
}
Are you talking about arn:aws:iam::aws:policy/AmazonSageMakerFullAccess? If you look at this policy, you will see that this is one of its statements:
{
    "Effect": "Allow",
    "Action": [
        "sagemaker:CreatePresignedDomainUrl",
        "sagemaker:DescribeDomain",
        "sagemaker:ListDomains",
        "sagemaker:DescribeUserProfile",
        "sagemaker:ListUserProfiles",
        "sagemaker:DescribeSpace",
        "sagemaker:ListSpaces",
        "sagemaker:*App",
        "sagemaker:ListApps"
    ],
    "Resource": "*"
},
The sagemaker:*App action on "Resource": "*" means the policy does in fact have the sagemaker:CreateApp permission.
This is a common guardrail (it is even listed in the AWS whitepaper "SageMaker Studio Administration Best Practices") for restricting notebook access to specific instance types, and that guardrail denies the CreateApp action. The whitepaper's recommendation is to control this at the service control policy level (in AWS Organizations, which you may not be able to see); here is an example policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "LimitInstanceTypesforNotebooks",
            "Effect": "Deny",
            "Action": [
                "sagemaker:CreateApp"
            ],
            "Resource": "*",
            "Condition": {
                "ForAnyValue:StringNotLike": {
                    "sagemaker:InstanceTypes": [
                        "ml.c5.large",
                        "ml.m5.large",
                        "ml.t3.medium",
                        "system"
                    ]
                }
            }
        }
    ]
}
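Added example, not part of the original thread: a small Python model of the IAM evaluation logic the answers above rely on. It shows that the wildcard `sagemaker:*App` in AmazonSageMakerFullAccess matches `sagemaker:CreateApp`, and that the SCP above explicitly denies CreateApp when the requested instance type is outside its list (an explicit Deny wins over any Allow, which is why Studio can fail even with the full-access policy attached). The two policies are abridged copies of the statements on this page; the wildcard matching, the `ForAnyValue:StringNotLike` handling and the placeholder app ARN are this example's own simplifications, not AWS's implementation.

```python
import fnmatch

# Constructed inputs: abridged copies of the two statements quoted in this thread.
FULL_ACCESS = {"Statement": [{
    "Effect": "Allow",
    "Action": ["sagemaker:CreatePresignedDomainUrl", "sagemaker:*App", "sagemaker:ListApps"],
    "Resource": "*"}]}
SCP_LIMIT_INSTANCES = {"Statement": [{
    "Sid": "LimitInstanceTypesforNotebooks",
    "Effect": "Deny",
    "Action": ["sagemaker:CreateApp"],
    "Resource": "*",
    "Condition": {"ForAnyValue:StringNotLike": {
        "sagemaker:InstanceTypes": ["ml.c5.large", "ml.m5.large", "ml.t3.medium", "system"]}}}]}

# Placeholder resource ARN (constructed); every statement above uses Resource "*" anyway.
PLACEHOLDER_APP_ARN = "arn:aws:sagemaker:us-east-1:111122223333:app/example"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    # IAM action names are case-insensitive and '*' matches any run of characters.
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def _condition_holds(condition, context):
    # Only the operator used by the SCP above is modelled; anything else is unsupported.
    for operator, clauses in condition.items():
        if operator != "ForAnyValue:StringNotLike":
            raise NotImplementedError(operator)
        for key, patterns in clauses.items():
            values = _as_list(context.get(key, []))
            # Holds when at least one request value matches none of the listed patterns.
            # A missing key yields no values, so the Deny does not fire (ForAnyValue semantics).
            if not any(all(not _matches(p, v) for p in patterns) for v in values):
                return False
    return True


def evaluate(policies, action, context, resource=PLACEHOLDER_APP_ARN):
    """Return 'Deny', 'Allow' or 'ImplicitDeny': an explicit Deny wins over any Allow."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not any(_matches(a, action) for a in _as_list(stmt["Action"])):
                continue
            if not any(_matches(r, resource) for r in _as_list(stmt["Resource"])):
                continue
            if not _condition_holds(stmt.get("Condition", {}), context):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"
            allowed = True
    return "Allow" if allowed else "ImplicitDeny"
```

For a real account, the equivalent check is `aws iam simulate-principal-policy` against the execution role with `--action-names sagemaker:CreateApp`, which also reports whether an SCP or permissions boundary caused the denial.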