Dealing with AWS SageMaker permissions issues

Often times, when new users try to start using SageMaker they’ll run into unintelligible permissions errors like this one:

This issue can be resolved by a user with administrator permissions (eg, the project PI) going into Amazon’s user management console and adding the appropriate permissions. What follows is a quick guide to do so, adapted from this article.

Starting from the PI’s CloudBank dashboard, go to ‘Access Cloud Billing Accounts’:

Then, click the login link next to your AWS account:

Now, from AWS, search for “IAM” at the top and go to the “IAM” service. “IAM” is general-purpose cloud jargon for user permissions and management

Click ‘Roles’ on the left, and then find the row that corresponds to your collaborator who needs to use SageMaker. It’s the one with their username in the first column and “CloudBank-CILogon” in the second column. Click the username:

Now we’re editing their user permissions. Click the ‘Add permissions’ button, and select ‘Create Inline policy’:

Now, we’re going to define the permissions they need to run SageMaker. Click the JSON tab. Clear the contents of the big text box and replace it with the policy code provided below, and finally hit ‘Review policy’:

Here is the policy code to paste into that box:

    "Version": "2012-10-17",
    "Statement": [
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
            "Resource": "*"

On the next screen, give the policy a name like ‘SagemakerAdditionalPolicy’, and click ‘Create policy’:

We should then be returned to the user’s role page. We have one more set of permissions to add. Click the “Add permissions” button again, but this time choose “Attach policies” rather than “Create inline policy”. In the list that appears, search for “AmazonSageMakerFullAccess” and place a check next to it:

Then click ‘Attach policies’.

At this point, the collaborator in question should log out and log back in again. They should then be able to use SageMaker!