Reputation: 22356
Which AWS documentation explains the IAM permissions required to run SageMaker in SageMaker Studio?
In a SageMaker Studio with an IAM policy AmazonSageMakerFullAccess attached.
The AWS documentation AmazonSageMakerFullAccess:
This policy grants administrative permissions that allow a principal full access to all Amazon SageMaker resources and operations. The policy also provides select access to related services.
Permissions details
This policy includes the following permissions.
...
iam – Needed to give the SageMaker console access to available IAM roles and create service-linked roles.
However, running the code below as instructed in SageMaker Roles fails.
import sagemaker
sess = sagemaker.Session()
role = sagemaker.get_execution_role()
-----
Couldn't call 'get_role' to get Role ARN from role name <IAM Role Name> to get Role path.
Attached iam:GetRole permission to solve the issue. However, where is it documented?
Apparently AWS acknowledged this is an issue in 2020 and has not updated the document?
Well yeah, I found a solution, but you should probably fix the underlying problem - either in the documentation or in your policies themselves.
Upvotes: 8
Views: 4211
Reputation: 1152
I hope your issue is resolved - and I tested it just now with only AmazonSageMakerFullAccess attached to my execution role, and I am able to execute the cell without any permission errors.
Edit: The GitHub documentation is already updated to specify the permission required if your role has a path in it. If there is no path in your role, AmazonSageMakerFullAccess should suffice (as in my case).
I work at AWS and my opinions are my own.
Upvotes: 1
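The role-path distinction raised in the answer can be checked offline. The following is an added example, not code from either post or from AWS: it rebuilds a role ARN from an STS assumed-role ARN, which never contains the role path, compares it with the real role ARN, and emits an `iam:GetRole` statement scoped to that one role. The account ID, role names and function names are constructed for illustration.

```python
import json
import re

# STS assumed-role ARNs carry only the role name and session name, never the path.
ASSUMED_ROLE_RE = re.compile(
    r"^arn:(?P<partition>aws[\w-]*):sts::(?P<account>\d{12}):assumed-role/"
    r"(?P<name>[\w+=,.@-]+)/(?P<session>[\w+=,.@-]+)$")
# IAM role ARNs carry the optional path between "role" and the role name.
ROLE_RE = re.compile(
    r"^arn:(?P<partition>aws[\w-]*):iam::(?P<account>\d{12}):role"
    r"(?P<path>/(?:[\x21-\x7e]+/)?)(?P<name>[\w+=,.@-]+)$")


def guess_role_arn(assumed_role_arn):
    """Rebuild a role ARN from the STS identity alone; the path is unknown."""
    m = ASSUMED_ROLE_RE.match(assumed_role_arn)
    if not m:
        raise ValueError("not an assumed-role ARN: %r" % assumed_role_arn)
    return "arn:{partition}:iam::{account}:role/{name}".format(**m.groupdict())


def role_path(role_arn):
    """Return the path of an IAM role ARN ('/' when the role has no path)."""
    m = ROLE_RE.match(role_arn)
    if not m:
        raise ValueError("not an IAM role ARN: %r" % role_arn)
    return m.group("path")


def needs_get_role(assumed_role_arn, real_role_arn):
    """True when the STS-derived guess is wrong, i.e. the role has a path
    and only a lookup by role name (iam:GetRole) can recover the real ARN."""
    role_path(real_role_arn)  # validate the input
    return guess_role_arn(assumed_role_arn) != real_role_arn


def get_role_policy(real_role_arn):
    """Least-privilege policy: iam:GetRole on this single role only."""
    role_path(real_role_arn)  # validate the input
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "ResolveOwnRolePath", "Effect": "Allow",
        "Action": "iam:GetRole", "Resource": real_role_arn}]}


# Constructed sample values (not from the page).
ASSUMED = "arn:aws:sts::111122223333:assumed-role/StudioExec/SageMaker"
PLAIN = "arn:aws:iam::111122223333:role/StudioExec"
PATHED = "arn:aws:iam::111122223333:role/ml/team-a/StudioExec"

if __name__ == "__main__":
    for real in (PLAIN, PATHED):
        print(real, "-> needs iam:GetRole:", needs_get_role(ASSUMED, real))
    print(json.dumps(get_role_policy(PATHED), indent=2))
```

Scoping `Resource` to the execution role's own ARN keeps the extra permission from becoming a general role-enumeration grant.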