madmanu

Reputation: 21

IAM control Sagemaker Studio Instance type

Was wondering if anyone had luck limiting the type of instances a user could choose from in SageMaker Studio (Jupyter). Did not want to enforce the limitation on the Domain role and was trying to create custom roles that could be attached to user profiles. Tried with "CreateApp" and denying the larger instances, but found it becoming a road-block (sagemaker:CreateApp not permitted) when a new user profile tries to launch Studio for the first time. Is there any way to allow them to create the default app, but limit the choice of instances that he/she can select for the image using IAM?

Sample Policy used :

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor1",
                "Effect": "Deny",
                "Action": "sagemaker:CreateApp",
                "Resource": "*",
                "Condition": {
                    "ForAllValues:StringLike": {
                        "sagemaker:InstanceTypes": [
                            "ml.c5.3xlarge",
                            "ml.c5.4xlarge",
                            "ml.c5.9xlarge",
                            "ml.m5.4xlarge",
                            "ml.m5.12xlarge",
                            "ml.m5.16xlarge",
                            "ml.m5.24xlarge",
                            "ml.c5.12xlarge",
                            "ml.c5.18xlarge",
                            "ml.c5.24xlarge",
                            "ml.g4dn.*",
                            "ml.p3.*"
                        ]
                    }
                }
            }
        ]
    }

This works fine on a user profile that has already logged in/started the "default" app, but it prevents a new user with the same role/policy from launching Studio via "Open Studio".

Saw this which was quite similar to the ask - https://github.com/aws/amazon-sagemaker-examples/issues/1499

Any thoughts or pointers?

Thanks, Mano

Upvotes: 2

Views: 1476

Answers (1)

Abdelrahman Maharek

Reputation: 872

The IAM policy which you are using denies the CreateApp permission for users with certain types of instances (large instances).

You should have another IAM policy attached to the users/roles to grant CreateApp for all other instance types, including system and default.

Note: if you have another IAM statement which grants the permission to all instance types, ensure the policy has the permission to use the system and default instance types.

See the IAM policy discussed in the GitHub question.

To troubleshoot this issue, check the CreateApp API request in AWS CloudTrail to see the error message and understand the issue.

Upvotes: 1
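To see why a Deny-only statement behaves the way the question describes, and how the Allow statement the answer recommends fits beside it, here is an added example (not code from the question, the answer or AWS): a deliberately simplified local evaluator for `ForAllValues:StringLike` that follows IAM's documented semantics, including the rule that a missing or empty multivalued key makes `ForAllValues` evaluate to true. The policy and instance list are constructed and shortened; it is not the IAM engine, so use the IAM policy simulator or CloudTrail for real decisions.

```python
import fnmatch

# Constructed policy along the lines of the answer: an Allow for CreateApp plus the
# question's Deny on large instance types (instance list shortened for the example).
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowCreateApp", "Effect": "Allow",
         "Action": "sagemaker:CreateApp", "Resource": "*"},
        {"Sid": "DenyLargeInstances", "Effect": "Deny",
         "Action": "sagemaker:CreateApp", "Resource": "*",
         "Condition": {"ForAllValues:StringLike": {
             "sagemaker:InstanceTypes": ["ml.m5.4xlarge", "ml.c5.*", "ml.g4dn.*", "ml.p3.*"]}}},
    ],
}


def _condition_matches(condition, request_keys):
    """Evaluate only ForAllValues:StringLike, following IAM's documented semantics."""
    for operator, pairs in condition.items():
        if operator != "ForAllValues:StringLike":
            raise NotImplementedError(operator)  # other operators are out of scope here
        for key, patterns in pairs.items():
            values = request_keys.get(key, [])
            # IAM: ForAllValues is true when every request value matches some pattern,
            # and also when the key is absent or empty (all() over an empty list is True).
            if not all(any(fnmatch.fnmatchcase(v, p) for p in patterns) for v in values):
                return False
    return True


def evaluate(policy, action, request_keys):
    """Return 'Allow' or 'Deny' for one action: explicit Deny wins, else Allow if any
    Allow statement matches, else implicit Deny."""
    allowed = False
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(fnmatch.fnmatchcase(action, a) for a in actions):
            continue
        if not _condition_matches(stmt.get("Condition", {}), request_keys):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        allowed = True
    return "Allow" if allowed else "Deny"


if __name__ == "__main__":
    for keys in ({"sagemaker:InstanceTypes": ["system"]},
                 {"sagemaker:InstanceTypes": ["ml.p3.2xlarge"]}, {}):
        print(keys, "->", evaluate(POLICY, "sagemaker:CreateApp", keys))
```

Running it shows the "system" instance type allowed, a `ml.p3.*` type denied, and a CreateApp request that carries no instance type also denied, because the Deny condition is satisfied when the key is absent.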
