ValidationError when creating a SageMaker Model

D

3

8

I'm new to AWS and trying to build a model (from the web console) by referring to their demo. However, when I try to create the model, it gives me the below error.

Could not access model data at https://s3.console.aws.amazon.com/s3/buckets/bucket_name/models/model_name-v0.1.hdf5. Please ensure that the role "arn:aws:iam::id:role/service-role/AmazonSageMaker-ExecutionRole-xxx" exists and that its trust relationship policy allows the action "sts:AssumeRole" for the service principal "sagemaker.amazonaws.com". Also ensure that the role has "s3:GetObject" permissions and that the object is located in eu-west-1.

I checked the IAM Role and it has AmazonSageMakerFullAccess and AmazonS3FullAccess policies attached. And also, the trust relationship is also specified for the role (as below).

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "sagemaker.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

I'm specifying the ECR and the S3 path correctly, but I can't figure out what is happening. Can someone help me to fix this?

Sorry if I couldn't provide more info, but I will give any other information if required.

UPDATE:

Below are the IAM policies.

AmazonS3FullAccess

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": "*"
        }
    ]
}

AmazonSageMaker-ExecutionPolicy-xxx

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "s3:ListBucket"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::<bucket_name>"
            ]
        },
        {
            "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:DeleteObject"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::<bucket_name>/*"
            ]
        }
    ]
}

AmazonSageMakerFullAccess

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "sagemaker:*"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ecr:GetAuthorizationToken",
                "ecr:GetDownloadUrlForLayer",
                "ecr:BatchGetImage",
                "ecr:BatchCheckLayerAvailability",
                "cloudwatch:PutMetricData",
                "cloudwatch:PutMetricAlarm",
                "cloudwatch:DescribeAlarms",
                "cloudwatch:DeleteAlarms",
                "ec2:CreateNetworkInterface",
                "ec2:CreateNetworkInterfacePermission",
                "ec2:DeleteNetworkInterface",
                "ec2:DeleteNetworkInterfacePermission",
                "ec2:DescribeNetworkInterfaces",
                "ec2:DescribeVpcs",
                "ec2:DescribeDhcpOptions",
                "ec2:DescribeSubnets",
                "ec2:DescribeSecurityGroups",
                "application-autoscaling:DeleteScalingPolicy",
                "application-autoscaling:DeleteScheduledAction",
                "application-autoscaling:DeregisterScalableTarget",
                "application-autoscaling:DescribeScalableTargets",
                "application-autoscaling:DescribeScalingActivities",
                "application-autoscaling:DescribeScalingPolicies",
                "application-autoscaling:DescribeScheduledActions",
                "application-autoscaling:PutScalingPolicy",
                "application-autoscaling:PutScheduledAction",
                "application-autoscaling:RegisterScalableTarget",
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:DescribeLogStreams",
                "logs:GetLogEvents",
                "logs:PutLogEvents"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:DeleteObject"
            ],
            "Resource": [
                "arn:aws:s3:::*SageMaker*",
                "arn:aws:s3:::*Sagemaker*",
                "arn:aws:s3:::*sagemaker*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:CreateBucket",
                "s3:GetBucketLocation",
                "s3:ListBucket",
                "s3:ListAllMyBuckets"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject"
            ],
            "Resource": "*",
            "Condition": {
                "StringEqualsIgnoreCase": {
                    "s3:ExistingObjectTag/SageMaker": "true"
                }
            }
        },
        {
            "Action": "iam:CreateServiceLinkedRole",
            "Effect": "Allow",
            "Resource": "arn:aws:iam::*:role/aws-service-role/sagemaker.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_SageMakerEndpoint",
            "Condition": {
                "StringLike": {
                    "iam:AWSServiceName": "sagemaker.application-autoscaling.amazonaws.com"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:PassRole"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "iam:PassedToService": "sagemaker.amazonaws.com"
                }
            }
        }
    ]
}

Dint answered 26/6, 2018 at 13:55 Comment(5)

Can you add mentioned IAM role's policy document? – Manlike 26/6, 2018 at 15:10

@Asdfg: Updated the post. – Dint 26/6, 2018 at 15:17

It was a stupid mistake. The model file name and the tar.gz file name should be the same. And my code should read from /opt/ml/model folder (I had it as models :( ) – Dint 3/7, 2018 at 8:9

BTW, You can skip S3 permissions if the bucket has "sagemaker" in its name – Celanese 3/7, 2018 at 10:26

Make sure your bucket policy also allows access if you have one attached to your bucket – Dynel 13/11, 2023 at 22:37

I

7

I think the sagemaker execution policy is missing permission at bucket level. Try adding "arn:aws:s3:::<bucket_name>" to the AmazonSageMaker-ExecutionPolicy-xxx

{ "Version": "2012-10-17", "Statement": [ { "Action": [ "s3:ListBucket" ], "Effect": "Allow", "Resource": [ "arn:aws:s3:::<bucket_name>" ] }, { "Action": [ "s3:GetObject", "s3:PutObject", "s3:DeleteObject" ], "Effect": "Allow", "Resource": [ "arn:aws:s3:::<bucket_name>", "arn:aws:s3:::<bucket_name>/*" ] } ] }

I ran the demo with SageMaker execution policy as below and it works. This is much permissive policy. You can change it as per your bucket name once it works.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:ListBucket" ], "Resource": [ "arn:aws:s3:::*" ] } ] }

Irony answered 27/6, 2018 at 23:32 Comment(1)

Thanks, this also helped. – Dint 3/7, 2018 at 8:9

J

0

Try to check the bucket and the data are persisted in eu-west-1

Jerrylee answered 20/3, 2022 at 9:0 Comment(0)

S

0

Some additional context, i was facing this issue and the problem was a condition in my trust policy:

           "Condition": {
                "StringEquals": {
                    "sts:ExternalId": "XXXXXXXXXXXX"
                }
            }

Schematic answered 17/4 at 0:56 Comment(0)

Recommended topics

Hot tags