kane

Reputation: 6017

How do I make this IAM role error in aws sagemaker go away?

I suspect this has more to do with IAM roles than SageMaker.

I'm following the example here

Specifically, when it makes this call

tf_estimator.fit('s3://bucket/path/to/training/data')

I get this error

ClientError: An error occurred (AccessDenied) when calling the GetRole operation: User: arn:aws:sts::013772784144:assumed-role/AmazonSageMaker-ExecutionRole-20181022T195630/SageMaker is not authorized to perform: iam:GetRole on resource: role SageMakerRole

My notebook instance has an IAM role attached to it. That role has the AmazonSageMakerFullAccess policy. It also has a custom policy that looks like this

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:DeleteObject",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::*"
            ]
        }
    ]
}

My input files and .py script are in an S3 bucket with the phrase sagemaker in it.

What else am I missing?

Upvotes: 7

Views: 12366

Answers (3)

tumultous_rooster

Reputation: 12550

Try using aws configure and make sure you are the expected user. If not, change / update your credentials. This worked for me.

Upvotes: 0

Han

Reputation: 222

If you're running the example code on a SageMaker notebook instance, you can use the execution_role which has the AmazonSageMakerFullAccess attached.

import sagemaker
from sagemaker import get_execution_role

sagemaker_session = sagemaker.Session()
# ARN of the IAM role attached to this notebook instance
role = get_execution_role()

And you can pass this role when initializing tf_estimator. You can check out the example here for using execution_role with S3 on notebook instance.

Upvotes: 8

Kush Vyas

Reputation: 6079

This is not an issue with the S3 bucket policy but with IAM. The user role that you're choosing has a policy attached that doesn't give it permissions to manage other IAM roles. You'll need to make sure the role you're using can manage (create, read, update) IAM roles.

Hope this helps!

Upvotes: 6
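
To see why the custom policy in the question does not cover the denied call, here is an added example (not code from any of the posts above) that parses the AccessDenied message and checks it against policy statements with a simplified evaluator. It ignores conditions, NotAction/NotResource, permission boundaries and SCPs, and does not model AmazonSageMakerFullAccess; the `SCOPED` policy and all function names are constructed for illustration.

```python
import re
from fnmatch import fnmatchcase

# Error text and custom policy copied from the question.
ERROR = ("An error occurred (AccessDenied) when calling the GetRole operation: "
         "User: arn:aws:sts::013772784144:assumed-role/"
         "AmazonSageMaker-ExecutionRole-20181022T195630/SageMaker is not "
         "authorized to perform: iam:GetRole on resource: role SageMakerRole")
CUSTOM_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::*"]}]}
# Constructed for illustration: a read-only grant scoped to the one role.
SCOPED = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "iam:GetRole",
    "Resource": "arn:aws:iam::013772784144:role/SageMakerRole"}]}

def parse_access_denied(msg):
    """Extract the calling principal, denied action and resource."""
    m = re.search(r"User: (\S+) is not authorized to perform: (\S+) "
                  r"on resource: (.+)$", msg)
    if not m:
        raise ValueError("not an AccessDenied message in the expected shape")
    return {"principal": m.group(1), "action": m.group(2), "resource": m.group(3)}

def role_arn(denied):
    """Build the role ARN from the account id in the caller's STS ARN."""
    account = denied["principal"].split(":")[4]
    return f"arn:aws:iam::{account}:role/{denied['resource'].split()[-1]}"

def _as_list(v):
    return v if isinstance(v, list) else [v]

def is_allowed(statements, action, arn):
    """Explicit Deny wins; otherwise any matching Allow grants access."""
    allowed = False
    for st in statements:
        # Action names are case-insensitive in IAM; resource ARNs are not.
        act = any(fnmatchcase(action.lower(), a.lower()) for a in _as_list(st["Action"]))
        res = any(fnmatchcase(arn, r) for r in _as_list(st["Resource"]))
        if act and res:
            if st["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

def explain(msg, *policies):
    """Return (action, resource ARN, allowed?) for the given policy set."""
    d = parse_access_denied(msg)
    stmts = [s for p in policies for s in _as_list(p["Statement"])]
    return d["action"], role_arn(d), is_allowed(stmts, d["action"], role_arn(d))
```

The S3-only policy matches neither the `iam:` action nor the role ARN, so the call stays implicitly denied; a statement scoped to the single role and the single read action is enough to change the result.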
