Error when deploying cross account Sagemaker Endpoints

I am deploying a SageMaker endpoint in a cross-account context using CDK.
When the SageMaker Endpoint is created I get the following error: Could not download model data for container "container_1" from URL: "s3://.../model.tar.gz". Please ensure that the object exists at the URL and that the role passed to CreateModel has permission to download the object.
Here are some useful details.
I have two accounts:
In account A:
// Account A: bucket and KMS key used by the SageMaker pipeline
import { Aws, CfnCapabilities, RemovalPolicy } from "aws-cdk-lib";
import { Key } from "aws-cdk-lib/aws-kms";
import { Bucket } from "aws-cdk-lib/aws-s3";
import {
  AccountRootPrincipal,
  ArnPrincipal,
  Effect,
  PolicyDocument,
  PolicyStatement,
  Role,
} from "aws-cdk-lib/aws-iam";
import { CloudFormationCreateUpdateStackAction } from "aws-cdk-lib/aws-codepipeline-actions";

// AccountA, AccountB, projectName and cdKSynthArtifact are defined elsewhere in the stack.

// KMS key for the artifact bucket. The key policy grants kms:* to the root of
// both accounts, so any principal in account B whose own IAM policy allows the
// KMS action can use the key (broad on purpose for testing).
const sagemakerKmsKey = new Key(this, "SagemakerBucketKMSKey", {
  description: "key used for encryption of data in Amazon S3",
  enableKeyRotation: true,
  policy: new PolicyDocument({
    statements: [
      new PolicyStatement({
        actions: ["kms:*"],
        effect: Effect.ALLOW,
        resources: ["*"],
        principals: [new AccountRootPrincipal()],
      }),
      new PolicyStatement({
        actions: ["kms:*"],
        effect: Effect.ALLOW,
        resources: ["*"],
        principals: [
          new ArnPrincipal(`arn:${Aws.PARTITION}:iam::${AccountA}:root`),
          new ArnPrincipal(`arn:${Aws.PARTITION}:iam::${AccountB}:root`),
        ],
      }),
    ],
  }),
});

// S3 bucket whose default encryption is SSE-KMS with the key above
const sagemakerArtifactBucket = new Bucket(this, "SagemakerArtifactBucket", {
  bucketName: `mlops-${projectName}-${Aws.REGION}`,
  encryptionKey: sagemakerKmsKey,
  versioned: false,
  removalPolicy: RemovalPolicy.DESTROY,
});

// Bucket policy: s3:* on the bucket and its objects for the root of both accounts
sagemakerArtifactBucket.addToResourcePolicy(
  new PolicyStatement({
    actions: ["s3:*"],
    resources: [
      sagemakerArtifactBucket.bucketArn,
      `${sagemakerArtifactBucket.bucketArn}/*`,
    ],
    principals: [
      new ArnPrincipal(`arn:${Aws.PARTITION}:iam::${AccountA}:root`),
      new ArnPrincipal(`arn:${Aws.PARTITION}:iam::${AccountB}:root`),
    ],
  })
);

// CodePipeline action that deploys the staging stack into account B using the
// CDK bootstrap roles of that account: the deploy role is assumed by the
// action, the cfn-exec role is passed to CloudFormation and creates the
// SageMaker Model and Endpoint
const deployStagingAction = new CloudFormationCreateUpdateStackAction({
  actionName: "DeployStagingAction",
  runOrder: 1,
  adminPermissions: false,
  stackName: `${projectName}EndpointStaging`,
  templatePath: cdKSynthArtifact.atPath("staging.template.json"),
  replaceOnFailure: true,
  role: Role.fromRoleArn(
    this,
    "StagingActionRole",
    `arn:${Aws.PARTITION}:iam::${AccountB}:role/cdk-hnb659fds-deploy-role-${AccountB}-${Aws.REGION}`
  ),
  deploymentRole: Role.fromRoleArn(
    this,
    "StagingDeploymentRole",
    `arn:${Aws.PARTITION}:iam::${AccountB}:role/cdk-hnb659fds-cfn-exec-role-${AccountB}-${Aws.REGION}`
  ),
  cfnCapabilities: [CfnCapabilities.AUTO_EXPAND, CfnCapabilities.NAMED_IAM],
});
Specifically, the role that creates the SageMaker Model and the SageMaker Endpoint should be cdk-hnb659fds-cfn-exec-role, as shown in CloudTrail, but for testing purposes I have granted both of them administrator permissions (the error still appears).
The deployment in account A executes correctly, that is, the bucket location is correct.
Note: everything deploys correctly up to the SageMaker Endpoint.
I managed to find the problem.
The issue is that, even though the bucket is created with a custom KMS key, the artifacts stored in the bucket are generated by the Estimator. If you do not specify the output_kms_key parameter, it uses the managed KMS key, which is a different key from the one used for the S3 bucket.
Even though the issue is not related to cross-account permissions, I will leave it here in case someone runs into a similar problem.
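The answer above turns on one fact: the role in account B needs permission on whichever KMS key actually encrypted model.tar.gz, not on the key the bucket was configured with. The following Python (an added example, not code from the question, the answer or the SageMaker SDK) performs the check a practitioner would run before CreateModel: it takes the response of boto3's s3.head_object() for the artifact and compares the SSEKMSKeyId in it with the customer-managed key ARN the CDK stack attached to the bucket. The SAMPLE_* dicts are constructed to look like head_object responses, and EXPECTED_KEY_ARN and the account ids are hypothetical placeholders. Python is used because the fix named in the answer (the Estimator's output_kms_key parameter) lives in the SageMaker Python SDK.

```python
"""Check which KMS key really encrypted a SageMaker model artifact.

Added example (not from the original post). Feed diagnose() the dict that
boto3.client("s3").head_object(Bucket=..., Key=...) returns for model.tar.gz
and the key ARN the bucket was created with; the result says whether a
cross-account download failure can be explained by a key mismatch.
"""

from dataclasses import dataclass
from typing import Optional

# Hypothetical ARN of the customer-managed key the CDK stack attached to the
# artifact bucket in account A (placeholder, not a real key).
EXPECTED_KEY_ARN = (
    "arn:aws:kms:eu-west-1:111111111111:key/"
    "11111111-2222-3333-4444-555555555555"
)

# Constructed head_object responses; only the encryption fields matter here.
SAMPLE_OK = {
    "ContentLength": 1234,
    "ServerSideEncryption": "aws:kms",
    "SSEKMSKeyId": EXPECTED_KEY_ARN,
}
# The situation from the answer: the Estimator wrote the artifact without
# output_kms_key, so S3 encrypted it under a different key than the bucket's.
SAMPLE_MISMATCH = {
    "ContentLength": 1234,
    "ServerSideEncryption": "aws:kms",
    "SSEKMSKeyId": "arn:aws:kms:eu-west-1:111111111111:key/"
                   "99999999-8888-7777-6666-555555555555",
}


@dataclass(frozen=True)
class Finding:
    status: str                  # "ok" | "kms-mismatch" | "sse-s3" | "plaintext"
    object_key_arn: Optional[str]
    advice: str


def kms_key_account(key_arn: str) -> str:
    """Account id field of a KMS key ARN (arn:partition:kms:region:account:key/id)."""
    return key_arn.split(":")[4]


def diagnose(head_object: dict, expected_key_arn: str) -> Finding:
    """Compare the key that encrypted the object with the bucket's intended key.

    A role in another account needs kms:Decrypt on the key named in
    SSEKMSKeyId. If that differs from the key whose policy was opened up to
    account B, the download in CreateModel fails even though the bucket
    policy and the expected key policy are both correct.
    """
    sse = head_object.get("ServerSideEncryption")
    key_arn = head_object.get("SSEKMSKeyId")
    if sse is None:
        return Finding("plaintext", None,
                       "Object is not encrypted; only the bucket policy and the "
                       "role's s3:GetObject permission matter.")
    if sse == "AES256":
        return Finding("sse-s3", None,
                       "Object uses SSE-S3; no KMS permission is involved in the download.")
    if key_arn == expected_key_arn:
        return Finding("ok", key_arn,
                       "Object uses the bucket's customer-managed key; next check that the "
                       "key policy and the consuming role allow kms:Decrypt.")
    hint = ""
    if key_arn and kms_key_account(key_arn) != kms_key_account(expected_key_arn):
        hint = " The object's key also lives in a different account than the expected key."
    return Finding("kms-mismatch", key_arn,
                   "Object was encrypted with a key other than the bucket's key; re-run "
                   "the training job with output_kms_key set to the expected key, or grant "
                   "the consuming role kms:Decrypt on the key shown in SSEKMSKeyId." + hint)


if __name__ == "__main__":
    for name, sample in (("ok", SAMPLE_OK), ("mismatch", SAMPLE_MISMATCH)):
        finding = diagnose(sample, EXPECTED_KEY_ARN)
        print(f"{name}: {finding.status} ({finding.object_key_arn}) - {finding.advice}")
```

The same information is available from the CLI with `aws s3api head-object --bucket <bucket> --key <path>/model.tar.gz`; the SSEKMSKeyId field there is what this function compares. Run it with credentials that can read the object's metadata; if the HEAD itself is denied, the bucket policy or the role is the first thing to fix, not the key.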
Notice: the technical posts on this site follow the CC BY-SA 4.0 license; if you need to repost, please cite this site's URL or the original address. For any questions contact: yoyou2525@163.com.