如何將 sagemaker createApp 添加到用戶配置文件執行角色?
[英]How to add sagemaker createApp to user profile executionrole?
問題描述
我使用 terraform 創建了一個 aws sagemaker 用戶配置文件。 我嘗試從用戶配置文件啟動 sagemaker studio 但遇到了這個錯誤: SageMaker is unable to use your associated ExecutionRole [arn:aws:iam::xxxxxxxxxxxx:role/sagemaker-workshop-data-ml] to create app. Verify that your associated ExecutionRole has permission for 'sagemaker:CreateApp' SageMaker is unable to use your associated ExecutionRole [arn:aws:iam::xxxxxxxxxxxx:role/sagemaker-workshop-data-ml] to create app. Verify that your associated ExecutionRole has permission for 'sagemaker:CreateApp' 。 該角色附加了 sagemaker 完全訪問策略,但該策略沒有 createApp 權限,這很奇怪。 是否有任何策略可以附加到具有 sagemaker createApp 權限的角色,或者我是否需要通過 terraform 將策略附加到角色?
2 個解決方案
解決方案1
0 2022-06-16 22:10:15
確保您的執行角色沒有任何權限邊界。 默認情況下,SageMakerFullAccess 策略允許創建應用程序權限 - 請參閱此語句 -
{
"Effect": "Allow",
"Action": [
"sagemaker:CreatePresignedDomainUrl",
"sagemaker:DescribeDomain",
"sagemaker:ListDomains",
"sagemaker:DescribeUserProfile",
"sagemaker:ListUserProfiles",
"sagemaker:*App",
"sagemaker:ListApps"
],
"Resource": "*"
},
您可以添加如下內聯策略,以確保您的角色有權創建應用程序 -
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowCreateApp",
"Effect": "Allow",
"Action": "sagemaker:CreateApp",
"Resource": "*"
}
]
}
解決方案2
0 2022-12-20 18:15:38
您是在談論arn:aws:iam::aws:policy/AmazonSageMakerFullAccess嗎? 如果您查看此政策,您會發現這是以下聲明之一:
{
"Effect": "Allow",
"Action": [
"sagemaker:CreatePresignedDomainUrl",
"sagemaker:DescribeDomain",
"sagemaker:ListDomains",
"sagemaker:DescribeUserProfile",
"sagemaker:ListUserProfiles",
"sagemaker:DescribeSpace",
"sagemaker:ListSpaces",
"sagemaker:*App",
"sagemaker:ListApps"
],
"Resource": "*"
},
sagemaker:*App對"Resource": "*"的操作意味着該策略實際上確實具有sagemaker:CreateApp權限。
這是一個常見的護欄(甚至列在 AWS 白皮書中的“SageMaker Studio 管理最佳實踐”),用於限制對特定實例的筆記本訪問,並且該護欄拒絕CreateApp操作。 白皮書中的建議是在服務控制策略級別(在 AWS Organizations 中,您可能看不到)對此進行控制,這是一個示例策略:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "LimitInstanceTypesforNotebooks",
"Effect": "Deny",
"Action": [
"sagemaker:CreateApp"
],
"Resource": "*",
"Condition": {
"ForAnyValue:StringNotLike": {
"sagemaker:InstanceTypes": [
"ml.c5.large",
"ml.m5.large",
"ml.t3.medium",
"system"
]
}
}
}
]
}
如何在應用程序外部獲取 AWS Connect 用戶的安全配置文件?
[英]How to get security profile of AWS Connect user outside of the application?
如何從端點內訪問 sagemaker 模型注冊表指標
[英]How to access sagemaker model registry metrics from within the endpoint
如何根據預定義的計划運行 AWS Sagemaker Studio 作業
[英]How to run AWS Sagemaker Studio job based on pre defined schedule
如何遠程連接到 GCP ML Engine/AWS Sagemaker 托管筆記本?
[英]How to remotely connect to GCP ML Engine/AWS Sagemaker managed notebooks?
用戶在 Cloud firestore 中注冊時如何將當前用戶 uid 添加到用戶集合?
[英]how to add current user uid to user collection when user signup in cloud firestore?
如何將 user.uid 作為 id 的文檔添加到 Firebase 中的集合中?
[英]How to add a document with user.uid as id to a collection in Firebase?
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.
相關問題
SageMaker Studio:我使用的是哪個 AWS 用戶配置文件?
如何在應用程序外部獲取 AWS Connect 用戶的安全配置文件?
如何使用 JAVA 庫在 Google API 上獲取用戶配置文件?
如何從端點內訪問 sagemaker 模型注冊表指標
如何根據預定義的計划運行 AWS Sagemaker Studio 作業
如何遠程連接到 GCP ML Engine/AWS Sagemaker 托管筆記本?
如何打印來自 Sagemaker 培訓的調試信息?
如何制作個人資料屏幕
用戶在 Cloud firestore 中注冊時如何將當前用戶 uid 添加到用戶集合?
如何將 user.uid 作為 id 的文檔添加到 Firebase 中的集合中?
相關標簽