How do I make this IAM role error in aws sagemaker go away?











I suspect this has more to do with IAM roles than SageMaker.



I'm following the example here



Specifically, when it makes this call



tf_estimator.fit('s3://bucket/path/to/training/data')


I get this error



ClientError: An error occurred (AccessDenied) when calling the GetRole operation: User: arn:aws:sts::013772784144:assumed-role/AmazonSageMaker-ExecutionRole-20181022T195630/SageMaker is not authorized to perform: iam:GetRole on resource: role SageMakerRole


My notebook instance has an IAM role attached to it.
That role has the AmazonSageMakerFullAccess policy. It also has a custom policy that looks like this



{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:DeleteObject",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::*"
            ]
        }
    ]
}



My input files and .py script are in an S3 bucket with the phrase sagemaker in it.



What else am I missing?










      amazon-web-services amazon-iam amazon-sagemaker






      asked Nov 22 at 2:27









      kane

          2 Answers
          accepted






          If you're running the example code on a SageMaker notebook instance, you can use the execution_role which has the AmazonSageMakerFullAccess attached.



          import sagemaker
          from sagemaker import get_execution_role

          sagemaker_session = sagemaker.Session()
          # ARN of the IAM role attached to this notebook instance
          role = get_execution_role()


          And you can pass this role when initializing tf_estimator.
          You can check out the example here[1] for using execution_role with S3 on notebook instance.



          [1] https://docs.aws.amazon.com/sagemaker/latest/dg/automatic-model-tuning-ex-role.html







          answered Nov 23 at 22:08









          Han

          • That was it! Thank you!
            – kane
            Nov 27 at 6:07


















          This is not an issue with S3 bucket policy but with IAM. The user role that you're choosing has a policy attached that doesn't give it permissions to manage other IAM roles. You'll need to make sure the role you're using can manage (create, read, update) IAM roles.

          Hope this helps!







          answered Nov 22 at 6:47









          Kush Vyas

          • Yes, you were onto something. I just didn't know what to do about that until @Han pointed it out.
            – kane
            Nov 27 at 6:08
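
An added example, not code from the thread or from any poster: it parses the AccessDenied message quoted in the question, shows with a simplified policy check that the posted S3-only policy cannot authorize `iam:GetRole`, and builds a statement scoped to that one action on that one role. The function names, the Allow-only evaluation model and the default role path `/` are assumptions made for illustration.

```python
import fnmatch
import re

# Error text quoted in the question.
ERROR = ("An error occurred (AccessDenied) when calling the GetRole operation: "
         "User: arn:aws:sts::013772784144:assumed-role/"
         "AmazonSageMaker-ExecutionRole-20181022T195630/SageMaker is not authorized "
         "to perform: iam:GetRole on resource: role SageMakerRole")

# Custom policy from the question: S3 actions only.
S3_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::*"],
}]}

DENIED = re.compile(r"User: (?P<principal>\S+) is not authorized to perform: "
                    r"(?P<action>[\w-]+:\w+) on resource: (?P<resource>.+)$")


def parse_access_denied(message):
    """Split an AccessDenied message into caller, action and resource."""
    m = DENIED.search(message)
    if m is None:
        raise ValueError("not an AccessDenied authorization message")
    denied = m.groupdict()
    # Caller form: arn:aws:sts::<account>:assumed-role/<role-name>/<session>
    denied["account"] = denied["principal"].split(":")[4]
    denied["caller_role"] = denied["principal"].split("/")[1]
    return denied


def _as_list(value):
    return value if isinstance(value, list) else [value]


def allows(policy, action, resource):
    """Simplified check: Allow statements with wildcards only
    (no Deny, NotAction, conditions, boundaries or SCPs)."""
    for st in _as_list(policy["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        if (any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in _as_list(st["Action"]))
                and any(fnmatch.fnmatchcase(resource, r) for r in _as_list(st["Resource"]))):
            return True
    return False


def scoped_statement(denied):
    """Smallest Allow for the denied call; assumes the role uses the default path '/'."""
    role_name = denied["resource"].split()[-1]
    arn = "arn:aws:iam::{}:role/{}".format(denied["account"], role_name)
    return {"Effect": "Allow", "Action": [denied["action"]], "Resource": [arn]}
```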

















