I am Able to train my modelusing Sagemaker TensorFlow container.
Below is the code:
model_dir = '/opt/ml/model'
train_instance_type = 'ml.c4.xlarge'
hyperparameters = {'epochs': 10, 'batch_size': 256, 'learning_rate': 0.001}
script_mode_estimator = TensorFlow(
entry_point='model.py',
train_instance_type=train_instance_type,
train_instance_count=1,
model_dir=model_dir,
hyperparameters=hyperparameters,
role=sagemaker.get_execution_role(),
base_job_name='tf-fashion-mnist',
framework_version='1.12.0',
py_version='py3',
output_path='s3://my_bucket/testing',
script_mode=True
)
Model Fitting:
script_mode_estimator.fit(inputs)
But when i ama trying to deploy model i ama getting this below error:
Deploy code is:
script_mode_d=script_mode_estimator.deploy(initial_instance_count=1,
instance_type="ml.m4.xlarge")
Error is:
UnexpectedStatusException: Error hosting endpoint tf-fashion-mnist-2020-09-23-09-05-25-791: Failed. Reason: The role 'xyz' does not have BatchGetImage permission for the image: '520713654638.dkr.ecr.us-east-1.amazonaws.com/sagemaker-tensorflow-serving:1.12-cpu'.
Please help me to resolve this issue.
Reason: The role 'xyz' does not have BatchGetImage permission for the image: '520713654638.dkr.ecr.us-east-1.amazonaws.com/sagemaker-tensorflow-serving:1.12-cpu'.
This error means that the IAM role "xyz" (you can find this in the IAM console) does not have permission to make the BatchGetImage API call in ECR (Elastic Container Registry, you can find this service in the ECS console).
You can find a number of example IAM policies you can use for the "xyz" role to grant it permission to perform the API call her: https://docs.aws.amazon.com/AmazonECR/latest/userguide/repository-policy-examples.html
To add a policy go to the IAM console, look for the "xyz" role, and either add an (inline) policy, or edit one of its existing policies (if it already has a policy that grants similar permissions it would make sense to add this permission in that policy).
Instead of managing permissions by crafting a permission policy, you can use the AWS-managed AmazonSageMakerFullAccess permission policy, which allows for any actions you might want to perform in SageMaker (including BatchGetImage).
To do so:
Log onto the console -> IAM -> Roles -> Create Role
Create a service-linked role with sagemaker.amazonaws.com
Give the role AmazonSageMakerFullAccess
Give the role AmazonS3FullAccess
Related
My application generates this error message:
arn:aws:sts::123456789012:assumed-role/my-service-role/aws-sdk-1111111111111 is not authorized to perform: secretsmanager:GetSecretValue
How can I see more information about which roles or permissions are attached to this assumed role?
I have tried querying for this with the AWS CLI using aws iam get-user / list-users / get-role / list-roles but neither exist. I looked at querying under STS but couldn't see an appropriate option.
I couldn't find this role in the AWS console.
How can I see more information about which roles or permissions are attached to this assumed role?
You can access this information a number of ways, if you know the name of the role you can use the IAM service, here is a boto3 example:
import boto3
iam = boto3.resource('iam')
role = iam.Role('AWSServiceRoleForRDS')
for pol in role.attached_policies.iterator():
print(pol)
For me this gives:
iam.Policy(arn='arn:aws:iam::aws:policy/aws-service-role/AmazonRDSServiceRolePolicy')
The sole policy I have attached to this role. Obviously, you'll need to substitute the role name you are interested in here in place of 'AWSServiceRoleForRDS'
In general this will print out all the policies attached to the role (to stdout).
In order to do make this query you need to be authenticated as a user or role that has permissions to access the IAM role (or user).
Update: How to find the name of the role from an ARN?
following the aws docs for IAM identifies you can identify the role name from the arn for sts assumed roles they follow this format:
arn:aws:sts::account:assumed-role/role-name/role-session-name
Based on what was posted:
arn:aws:sts::123456789012:assumed-role/my-service-role/aws-sdk-1111111111111 is not authorized to perform: secretsmanager:GetSecretValue
it looks like my-service-role is the name of the assumed role.
I'm working on an AWS account managed by another team which use it only for S3 storage. We have authorization to use sagemaker, and administartor said “AmazonSageMakerFullAccess” have been given to me.
I'm trying to access sagemaker studio, for that I'm ask to "Setup SageMaker Domain" by aws.
I then need a "Default execution role"
If I try to create one, I got error "User ... is not authorized to perform: iam:CreateRole on resource: ..."
There is an option to use a custom exiting one with the format
"arn:aws:iam::YourAccountID:role/yourRole"
but while I have an account Id, I don't know what role to use.
I don't have permission to create role, and the ones I see in IAM service doesn't seem to be related to sagemaker (also I don't have permission to see the details of those roles).
Should the sagemaker setup be done by the administrator who can create a new role ? Or is there a way for me to do it, and if so where can I find the role I need ?
If you don't attach any role to AWS SageMaker, and when you try to create SageMaker resource the very first time it will create a default execution role for the service. Either get the permission to create a role or ask your administrator to create a execution role for your SageMaker so that next time when you create one you can use the same role.
I logged into AWS console as DEV-OPS-ENGINEER and created ROLE-1 with aws managed policy attached. I attached this role to ECS tasks.
Now from my machine I logged into aws cli as DEVELOPER and ran aws ecs update-service command but i am getting below mentioned error:
"An error occurred (AccessDeniedException) when calling the UpdateService operation: User: arn:aws:sts:::assumed-role/DEVELOPER is not authorized to perform: iam:PassRole on resource: arn:aws:iam:::role/ROLE-1"
My idea was all logged in user (with different roles) should be able to use ROLE-1.
Any idea why it is throwing me this error and how can I resolve it ?
To pass a role (and its permissions) to an AWS service, a user must have permissions to pass the role to the service. This helps administrators ensure that only approved users can configure a service with a role that grants permissions. To allow a user to pass a role to an AWS service, you must grant the PassRole permission to the user's IAM user, role, or group.
Find out more, including examples, in the AWS User Guide: Granting a user permissions to pass a role to an AWS service
aws deploy register-on-premises-instance --instance-name XXXXX --iam-user-arn arn:aws:iam::XXXXXXXXXXXX:user/LightSailCodeDeployUser --region ap-south-1
An error occurred (AccessDeniedException) when calling the RegisterOnPremisesInstance operation: User: arn:aws:sts::XXXXXXXXXXX:assumed-role/AmazonLightsailInstanceRole/i-XXXXXXXXXXXXXX is not authorized to perform: codedeploy:RegisterOnPremisesInstance on resource: arn:aws:codedeploy:ap-south-1:XXXXXXXXXX:instance:XXXXXXXXXXXX
I didn't even create the role AmazonLightsailInstanceRole, then how did it come in the picture. My user have all permissions on codedeploy though. I am following this link to set up. https://aws.amazon.com/blogs/compute/using-aws-codedeploy-and-aws-codepipeline-to-deploy-applications-to-amazon-lightsail/
I made the same mistake and then realized that command is meant to be run on your local machine and not the instance!
AmazonLightsailInstanceRole is a service-linked role automatically created by aws:
Service-linked roles are predefined by the service and include all the permissions that the service requires to call other AWS services on your behalf.
The error you are getting is not about you not having the codedeploy:RegisterOnPremisesInstance permission.
The error is about the AmazonLightsailInstanceRole not having it. It does not matter if you (i.e. your IAM user) has all CodeDeploy permissions.
Normally you would add the missing permissions to the role. How to work with the AmazonLightsailInstanceRole is described in the following AWS documentaiton:
Using Service-Linked Roles for Amazon Lightsail
Editing a Service-Linked Role
However, I'm not sure if you can modify the AmazonLightsailInstanceRole and add the missing permissions. Some service-linked roles can be modified, some not.
The documentation is a bit confusing. Create a new user in IAM with admin role (full privileges) and use the credentials of that user to run the command in your local machine.
I'm trying to replicate this lab :https://github.com/aws-samples/ec2-spot-montecarlo-workshop, But keep getting an error The provided credentials do not have permission to create the service-linked role for EC2 Spot Instances. seems like when it tries to create instance it fails, does anyone have an idea why ? I made sure to give it all permission role but didn't work ...
Seems that credentials which you use (IAM user or role) do not have permissions to execute an action iam:CreateServiceLinkedRole. The action:
Grants permission to create an IAM role that allows an AWS service to perform actions on your behalf
Please double check the IAM user and credentials which you use.
When lodging a spot request – there is a service-linked role that needs to be created (if it does not exist) in IAM called AWSServiceRoleForEC2Spot.
Check that the IAM user has the permission:
iam:CreateServiceLinkedRole
More in the docs:
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/spot-requests.html#service-linked-roles-spot-instance-requests