Reputation: 454
When I call get_execution_role() from SageMaker Python SDK, I get the following error:

    ValueError: The current AWS identity is not a role: arn:aws:iam::XXX:XXX/XXX, therefore it cannot be used as a SageMaker execution role

I have added the SagemakerFullAccess policy to role and user both.
Upvotes: 28
Views: 21586
Reputation: 875
get_execution_role() is a function helper used in the Amazon SageMaker Examples GitHub repository.
These examples were made to be executed from the fully managed Jupyter notebooks that Amazon SageMaker provides.
From inside these notebooks, get_execution_role() will return the IAM role name that was passed in as part of the notebook creation. That allows the notebook examples to be executed without code changes.
From outside these notebooks, get_execution_role() will return an exception because it does not know what is the role name that SageMaker requires.
To solve this issue, pass the IAM role name to SageMaker Python SDK instead of using get_execution_role(). For example:
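
    from sagemaker import KMeans

    # Name (or full ARN) of an IAM role that SageMaker is allowed to assume
    role = 'role_name_with_sagemaker_permissions'

    # Placeholder S3 locations; replace with your own bucket and prefixes
    output_location = 's3://YOUR_BUCKET/kmeans/output'
    data_location = 's3://YOUR_BUCKET/kmeans/data'

    # SageMaker Python SDK v1 parameter names; v2 renamed them to
    # instance_count and instance_type
    kmeans = KMeans(
        role=role,
        train_instance_count=2,
        train_instance_type="ml.c4.8xlarge",
        output_path=output_location,
        k=10,
        data_location=data_location,
    )
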
Upvotes: 61
Reputation: 539
I believe these are the steps to solve (according to this doc).
You must add IAM role to your profile in AWS config file ~/.aws/config:

    [profile marketingadmin]
    role_arn = arn:aws:iam::123456789012:role/marketingadmin
    source_profile = default

Then, "Edit trust relationships" in the AWS dashboard:
Add this and update:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Service": "sagemaker.amazonaws.com",
            "AWS": "arn:aws:iam::XXXXXXX:user/YOURUSERNAME"
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }

Lastly, I clicked the link that says "Give this link to users who can switch roles in the console".
After adding my credentials - it worked.
Upvotes: 12
Reputation: 44
The exception you are seeing already suggests the reason. The credentials you are using are not role credentials but most likely user credentials.
The format of 'user' credentials will look like:

    arn:aws:iam::accid:user/name

as opposed to a role:

    arn:aws:iam::accid:role/name

Upvotes: 1
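
The user-versus-role ARN distinction described above, as an added example that is not part of any answer on this page: it classifies a caller ARN (the kind STS GetCallerIdentity reports) and refuses anything that is not a role before it is handed to SageMaker. The function names and sample ARNs are constructed for illustration.

```python
import re

# arn:<partition>:<iam|sts>::<12-digit account>:<resource>
_ARN = re.compile(r"^arn:(aws[a-z-]*):(iam|sts)::(\d{12}):(.+)$")


def classify_caller(arn):
    """Return (kind, name) for a caller ARN such as STS GetCallerIdentity reports."""
    m = _ARN.match(arn)
    if not m:
        raise ValueError(f"not an IAM/STS ARN: {arn!r}")
    _, service, _, resource = m.groups()
    rtype, _, rest = resource.partition("/")
    if service == "iam" and rtype == "role":
        return "role", rest.split("/")[-1]  # strip any path, e.g. service-role/
    if service == "sts" and rtype == "assumed-role":
        # assumed-role/<role-name>/<session-name>: the role's path is not included,
        # so the full role ARN has to be looked up (iam:GetRole), not rebuilt.
        return "assumed-role", rest.split("/")[0]
    if service == "iam" and rtype == "user":
        return "user", rest.split("/")[-1]
    return "other", resource  # root, federated-user, ...


def choose_execution_role(caller_arn, explicit_role_arn=None):
    """Pick the role ARN to pass to SageMaker, refusing anything that is not a role."""
    kind, _ = classify_caller(caller_arn)
    if explicit_role_arn is not None:
        if classify_caller(explicit_role_arn)[0] != "role":
            raise ValueError(f"not a role ARN: {explicit_role_arn}")
        return explicit_role_arn
    if kind == "role":
        return caller_arn
    raise ValueError(f"caller identity is '{kind}', not an IAM role ARN; "
                     "pass an explicit role ARN")


# Constructed sample ARNs (account ID and names are placeholders)
USER = "arn:aws:iam::123456789012:user/alice"
ROLE = "arn:aws:iam::123456789012:role/service-role/AmazonSageMaker-ExecutionRole-EXAMPLE"
SESSION = "arn:aws:sts::123456789012:assumed-role/marketingadmin/session1"

if __name__ == "__main__":
    for arn in (USER, ROLE, SESSION):
        print(arn, "->", classify_caller(arn))
    print(choose_execution_role(USER, explicit_role_arn=ROLE))
```
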
Reputation: 4906

    import boto3
    import sagemaker

    try:
        # Works when running this code in SageMaker notebook instance
        role = sagemaker.get_execution_role()
    except ValueError:
        # Works when running this code locally
        session_boto = boto3.Session(profile_name="YOUR_PROFILE")
        iam = session_boto.client("iam")
        # Fetch the IAM role created by SageMaker.
        # list_roles is paginated, so walk every page; the first match is used.
        paginator = iam.get_paginator("list_roles")
        role = [
            r
            for page in paginator.paginate()
            for r in page["Roles"]
            if r["RoleName"].startswith("AmazonSageMaker-ExecutionRole")
        ][0]["Arn"]

Upvotes: 0