Dealing with AWS SageMaker permissions issues

Oftentimes, when new users try to start using SageMaker, they’ll run into unintelligible permissions errors like this one:

This issue can be resolved by a user with administrator permissions (e.g., the project PI) going into Amazon’s user management console and adding the appropriate permissions. What follows is a quick guide to doing so, adapted from this article.

Starting from the PI’s CloudBank dashboard, go to ‘Access Cloud Billing Accounts’:

Then, click the login link next to your AWS account:

Now, from AWS, search for “IAM” at the top and go to the “IAM” service. “IAM” (Identity and Access Management) is general-purpose cloud jargon for user permissions and management.

Click ‘Roles’ on the left, and then find the row that corresponds to your collaborator who needs to use SageMaker. It’s the one with their username in the first column and “CloudBank-CILogon” in the second column. Click the username:

Now we’re editing their user permissions. Click the ‘Add permissions’ button, and select ‘Create inline policy’:

Now, we’re going to define the permissions they need to run SageMaker. Click the JSON tab. Clear the contents of the big text box and replace it with the policy code provided below, and finally hit ‘Review policy’:

Here is the policy code to paste into that box:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeNetworkInterfaces",
                "ec2:DescribeVpcs",
                "kms:ListAliases",
                "iam:ListRoles",
                "ec2:DescribeSubnets",
                "ec2:DescribeSecurityGroups",
                "ec2:CreateNetworkInterface",
                "iam:CreatePolicy",
                "ec2:DeleteNetworkInterface",
                "iam:CreateRole",
                "iam:AttachRolePolicy"
            ],
            "Resource": "*"
        }
    ]
}

On the next screen, give the policy a name like ‘SagemakerAdditionalPolicy’, and click ‘Create policy’:

We should then be returned to the user’s role page. We have one more set of permissions to add. Click the “Add permissions” button again, but this time choose “Attach policies” rather than “Create inline policy”. In the list that appears, search for “AmazonSageMakerFullAccess” and place a check next to it:

Then click ‘Attach policies’.

At this point, the collaborator in question should log out and log back in again. They should then be able to use SageMaker!
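
The inline policy above grants iam:CreatePolicy, iam:CreateRole and iam:AttachRolePolicy with "Resource": "*", which an administrator may want to review before attaching it. The check below is an added example, not part of the original guide or of any AWS tool; the PRIVILEGE_ACTIONS set and the function names are this example's own assumptions.

```python
import json
from fnmatch import fnmatchcase

# IAM actions that change who can do what. This set is the example's own
# choice (an assumption), not an exhaustive AWS list.
PRIVILEGE_ACTIONS = {
    "iam:CreatePolicy", "iam:CreatePolicyVersion", "iam:CreateRole",
    "iam:AttachRolePolicy", "iam:PutRolePolicy", "iam:PassRole",
}

# The inline policy from the guide, embedded so the check runs offline.
GUIDE_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [{"Sid": "VisualEditor0", "Effect": "Allow",
 "Action": ["ec2:DescribeNetworkInterfaces", "ec2:DescribeVpcs", "kms:ListAliases",
            "iam:ListRoles", "ec2:DescribeSubnets", "ec2:DescribeSecurityGroups",
            "ec2:CreateNetworkInterface", "iam:CreatePolicy",
            "ec2:DeleteNetworkInterface", "iam:CreateRole", "iam:AttachRolePolicy"],
 "Resource": "*"}]}
""")


def as_list(value):
    """IAM allows Statement, Action and Resource to be one item or a list."""
    if value is None:
        return []
    return list(value) if isinstance(value, (list, tuple)) else [value]


def unscoped_privilege_grants(policy):
    """Return sorted (Sid, action) pairs where an Allow statement grants a
    privilege-changing IAM action on Resource "*" with no Condition.
    NotAction and NotResource statements are not analysed."""
    findings = set()
    for stmt in as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        if "*" not in as_list(stmt.get("Resource")):
            continue
        for pattern in as_list(stmt.get("Action")):
            for action in PRIVILEGE_ACTIONS:
                # IAM action names are case-insensitive and may use * and ?.
                if fnmatchcase(action.lower(), pattern.lower()):
                    findings.add((stmt.get("Sid", "<no Sid>"), action))
    return sorted(findings)


if __name__ == "__main__":
    for sid, action in unscoped_privilege_grants(GUIDE_POLICY):
        print(f"{sid}: {action} is allowed on every resource in the account")
```

An empty result for a revised policy means the IAM write actions are no longer granted on every resource, for instance after narrowing "Resource" to specific role and policy ARNs or adding a Condition.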