I started to work with AWS SageMaker. I have an AWS Starter Account. I have been trying to deploy a built-in algorithm for 2 days, but I always get AccessDeniedException despite the fact that I created an IAM role according to https://aws.amazon.com/tr/getting-started/tutorials/build-train-deploy-machine-learning-model-sagemaker/
ClientError: An error occurred (AccessDeniedException) when calling the CreateTrainingJob operation: User: arn:aws:sts::161745376217:assumed-role/AmazonSageMaker-ExecutionRole-20200203T194557/SageMaker is not authorized to perform: sagemaker:CreateTrainingJob on resource: arn:aws:sagemaker:us-east-1:161745376217:training-job/blazingtext-2020-02-03-18-12-14-017 with an explicit deny
Could you help me to solve this problem?
Thank you so much
You have created a role for SageMaker to access the S3 bucket, but it seems your IAM user doesn't have access to the SageMaker service. Please make sure your IAM user has permission to SageMaker.
This error usually occurs if you have an AWS Educate account. It restricts you from taking full control of the SageMaker service. In this case, I'd recommend you access AWS using a regular AWS account.
botocore.exceptions.ClientError:
An error occurred (AccessDeniedException) when calling the CreateFunction operation: Lambda was unable to encrypt your environment variables because the KMS access was denied. Please check your KMS permissions.
KMS Exception: AccessDeniedException KMS Message:
User: arn:aws:iam::816087693535:user/pj#123.com is not authorized to perform: kms:Encrypt on resource: arn:aws:kms:us-east-1:816087693535:key/22a02ce6-2afe-4184-bfbf-18d72d238bdd with an explicit deny in a service control policy.
Also we tried to read and write kms policies but it did not work out.
You need to allow the IAM user pj#123.com to perform kms:Encrypt on the resource arn:aws:kms:us-east-1:816087693535:key/22a02ce6-2afe-4184-bfbf-18d72d238bdd. If you have already tried that but it still doesn't work, my next question would be whether you are using AWS Organizations. If you are, I would visit AWS Organizations on the Management Account and check for any Service Control Policies (SCPs) which explicitly deny this action. If you follow these steps, the resolution of your issue should be straightforward. Kindly let me know if not.
I've been trying to access a project in AWS Device Farm using the AWS CLI.
Steps taken:
Downloaded the AWS CLI tool
Configured my credentials according to: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-quickstart.html using aws configure command
Executed aws devicefarm list-uploads --arn myProjectArn
And what I get is this error:
An error occurred (AccessDeniedException) when calling the ListUploads operation:
User: arn:aws:iam::replacingANumber:user/myUserName is not authorized to perform: devicefarm:ListUploads
on resource:
arn:aws:devicefarm:us-west-2:replacingANumber:project:replacingALongString with an explicit deny
The docs: https://docs.aws.amazon.com/eks/latest/userguide/troubleshooting_iam.html say I'm missing permissions, but the DevOps team in my company says I have all the permissions.
What am I missing?
Either misconfigured AWS CLI or insufficient permissions.
This can be 2 things:
Your AWS CLI is misconfigured. Make sure that when you run aws sts get-caller-identity, you get the same role as the one that the devops team claims to have the correct permission. Also, make sure that your default region is us-west-2.
If the above is correctly set up, then it comes from the permissions defined in the IAM policy. If you are able to view the policy associated with your user/role, you can check out the policy simulator to figure out which permission is missing.
AWS CLI is throwing this error. Am I doing something wrong or does my institution simply not allow me to connect? What's the point if this is valid? Frustrated.
CLI is throwing this error -
Error while pushing the public key:
An error occurred (AccessDeniedException) when calling the SendSSHPublicKey operation: User: arn:aws:sts::550549147475:assumed-role/vocstartsoft/user1366934=ag618#g.harvard.edu is not authorized to perform: ec2-instance-connect:SendSSHPublicKey on resource: arn:aws:ec2:us-east-1:550549147475:instance/i-0d13f5839e0d3dd00 with an explicit deny
The operation you are trying to perform has been explicitly denied. This means that AWS Educate prohibits such an action and you can't change that.
Please note that AWS Educate Starter Accounts are very limited, and only a handful of services and operations are allowed:
AWS Services Supported with AWS Educate Starter Account
I made an AWS Educate account, but SageMaker gives me an error while training a model:
ClientError: An error occurred (AccessDeniedException) when calling the CreateTrainingJob operation: User: arn:aws:sts::387322780008:assumed-role/AmazonSageMaker-ExecutionRole-20200830T040703/SageMaker is not authorized to perform: sagemaker:CreateTrainingJob on resource: arn:aws:sagemaker:us-east-1:387322780008:training-job/xgboost-2020-08-29-20-06-24-680 with an explicit deny
Does anyone know the solution?
The error you’re seeing is an explicit deny which means that the IAM permissions attached are denying that action.
Looking at the availability of AWS Educate, ensure that you’re creating the resources in us-east-1 and that the instance type is one of the following:
ml.t2.medium
ml.t2.large
ml.t3.medium
ml.t3.large
If both of these conditions are met and you still cannot access, then you should reach out to AWS support to validate why you do not have the necessary permissions for your classroom.
AWS Educate accounts are intentionally limited in their capabilities.
For any enquiries regarding AWS Education accounts, you will need to contact AWS Educate directly: AWS Educate | Contact Us
aws deploy register-on-premises-instance --instance-name XXXXX --iam-user-arn arn:aws:iam::XXXXXXXXXXXX:user/LightSailCodeDeployUser --region ap-south-1
An error occurred (AccessDeniedException) when calling the RegisterOnPremisesInstance operation: User: arn:aws:sts::XXXXXXXXXXX:assumed-role/AmazonLightsailInstanceRole/i-XXXXXXXXXXXXXX is not authorized to perform: codedeploy:RegisterOnPremisesInstance on resource: arn:aws:codedeploy:ap-south-1:XXXXXXXXXX:instance:XXXXXXXXXXXX
I didn't even create the role AmazonLightsailInstanceRole, so how did it come into the picture? My user has all permissions on CodeDeploy though. I am following this link to set up: https://aws.amazon.com/blogs/compute/using-aws-codedeploy-and-aws-codepipeline-to-deploy-applications-to-amazon-lightsail/
I made the same mistake and then realized that command is meant to be run on your local machine and not the instance!
AmazonLightsailInstanceRole is a service-linked role automatically created by AWS:
Service-linked roles are predefined by the service and include all the permissions that the service requires to call other AWS services on your behalf.
The error you are getting is not about you not having the codedeploy:RegisterOnPremisesInstance permission.
The error is about the AmazonLightsailInstanceRole not having it. It does not matter if you (i.e. your IAM user) has all CodeDeploy permissions.
Normally you would add the missing permissions to the role. How to work with the AmazonLightsailInstanceRole is described in the following AWS documentation:
Using Service-Linked Roles for Amazon Lightsail
Editing a Service-Linked Role
However, I'm not sure if you can modify the AmazonLightsailInstanceRole and add the missing permissions. Some service-linked roles can be modified, some not.
The documentation is a bit confusing. Create a new user in IAM with admin role (full privileges) and use the credentials of that user to run the command on your local machine.
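An added example, not part of any post above: the answers about Service Control Policies and about AmazonLightsailInstanceRole both turn on reading the error text itself, so this sketch parses an AccessDeniedException message into the calling principal, the action, the resource and the kind of deny. The function names (`parse_access_denied`, `triage`) are hypothetical, and the sample messages are the ones quoted in the questions above.

```python
import re
from typing import NamedTuple, Optional

_DENIED = re.compile(
    r"User:\s+(?P<principal>\S+)\s+is not authorized to perform:\s+(?P<action>\S+)"
    r"(?:\s+on resource:\s+(?P<resource>\S+))?(?P<tail>.*)", re.DOTALL)

class Denial(NamedTuple):
    principal_type: str      # "user", "assumed-role", ...
    principal_name: str      # IAM user name or role name
    session: Optional[str]   # role session name, if any
    action: str
    resource: Optional[str]
    deny: str                # "scp-explicit", "explicit" or "implicit"

def parse_access_denied(message: str) -> Optional[Denial]:
    m = _DENIED.search(message)
    if not m:
        return None
    # ARN layout: arn:partition:service:region:account:resource
    ptype, _, rest = m["principal"].split(":", 5)[-1].partition("/")
    name, _, session = rest.partition("/")
    tail = m["tail"].lower()
    if "explicit deny" in tail:
        deny = "scp-explicit" if "service control policy" in tail else "explicit"
    else:
        deny = "implicit"    # message reports no explicit deny
    return Denial(ptype, name, session or None, m["action"], m["resource"], deny)

def triage(d: Denial) -> str:
    who = f"{d.principal_type} {d.principal_name}"
    if d.deny == "scp-explicit":
        return f"{who}: explicit deny in an SCP; review the organization's service control policies"
    if d.deny == "explicit":
        return f"{who}: explicit deny in a policy; an added Allow will not override it"
    return f"{who}: no explicit deny reported; check that this principal is allowed {d.action}"

# Messages quoted in the questions above (placeholders kept as posted).
SAMPLES = [
    "User: arn:aws:iam::816087693535:user/pj#123.com is not authorized to perform: kms:Encrypt on resource: arn:aws:kms:us-east-1:816087693535:key/22a02ce6-2afe-4184-bfbf-18d72d238bdd with an explicit deny in a service control policy.",
    "User: arn:aws:sts::161745376217:assumed-role/AmazonSageMaker-ExecutionRole-20200203T194557/SageMaker is not authorized to perform: sagemaker:CreateTrainingJob on resource: arn:aws:sagemaker:us-east-1:161745376217:training-job/blazingtext-2020-02-03-18-12-14-017 with an explicit deny",
    "User: arn:aws:sts::XXXXXXXXXXX:assumed-role/AmazonLightsailInstanceRole/i-XXXXXXXXXXXXXX is not authorized to perform: codedeploy:RegisterOnPremisesInstance on resource: arn:aws:codedeploy:ap-south-1:XXXXXXXXXX:instance:XXXXXXXXXXXX",
]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(triage(parse_access_denied(msg)))
```

Comparing the parsed principal with the output of aws sts get-caller-identity shows whether the call was made by the identity you expected.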