SageMaker is not authorized to perform: iam:PassRole

Posted: 2021-10-14 16:29:23

Question: I am following the automation_model_retraining_workflow example from the SageMaker examples and running it in an AWS SageMaker Jupyter notebook. I followed all the steps given in the example to create the roles and policies.

But when I try to run the following code block to create the Glue job, I get an error:
```python
import boto3
from sagemaker.s3 import S3Uploader

# bucket, project_name, job_name, glue_role and session are defined in
# earlier cells of the notebook
glue_script_location = S3Uploader.upload(
    local_path="./code/glue_etl.py",
    desired_s3_uri="s3://{}/{}".format(bucket, project_name),
    sagemaker_session=session,
)

glue_client = boto3.client("glue")
response = glue_client.create_job(
    Name=job_name,
    Description="PySpark job to extract the data and split in to training and validation data sets",
    Role=glue_role,  # you can pass your existing AWS Glue role here if you have used Glue before
    ExecutionProperty={"MaxConcurrentRuns": 2},
    Command={"Name": "glueetl", "ScriptLocation": glue_script_location, "PythonVersion": "3"},
    DefaultArguments={"--job-language": "python"},
    GlueVersion="1.0",
    WorkerType="Standard",
    NumberOfWorkers=2,
    Timeout=60,
)
```
An error occurred (AccessDeniedException) when calling the CreateJob operation: User: arn:aws:sts::############:assumed-role/AmazonSageMaker-ExecutionRole-############/SageMaker is not authorized to perform: iam:PassRole on resource: arn:aws:iam::############:role/AWS-Glue-S3-Bucket-Access

This is what AmazonSageMaker-ExecutionPolicy-############ looks like:
```json
{
  "Version": "############",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "lambda:CreateFunction",
        "glue:UpdateCrawler",
        "glue:UpdateTrigger",
        "lambda:DeleteFunction",
        "glue:DeleteCrawler",
        "glue:UpdateSchema",
        "lambda:UpdateFunctionCode",
        "glue:DeleteConnection",
        "glue:UseMLTransforms",
        "glue:BatchDeleteConnection",
        "lambda:PutProvisionedConcurrencyConfig",
        "glue:StartCrawlerSchedule",
        "glue:UpdateMLTransform",
        "lambda:PublishVersion",
        "lambda:DeleteEventSourceMapping",
        "glue:CreateMLTransform",
        "glue:CreateRegistry",
        "glue:StartMLEvaluationTaskRun",
        "glue:DeleteTableVersion",
        "glue:CreateTrigger",
        "glue:BatchDeletePartition",
        "glue:StopTrigger",
        "glue:CreateUserDefinedFunction",
        "glue:StopCrawler",
        "lambda:InvokeAsync",
        "glue:DeleteJob",
        "glue:DeleteDevEndpoint",
        "glue:DeleteMLTransform",
        "glue:CreateJob",
        "glue:ResetJobBookmark",
        "glue:CreatePartition",
        "lambda:PutFunctionCodeSigningConfig",
        "glue:UpdatePartition",
        "glue:RegisterSchemaVersion",
        "glue:ResumeWorkflowRun",
        "lambda:UpdateEventSourceMapping",
        "lambda:UpdateFunctionCodeSigningConfig",
        "lambda:UpdateFunctionConfiguration",
        "glue:StartMLLabelingSetGenerationTaskRun",
        "lambda:UpdateCodeSigningConfig",
        "glue:CreateDatabase",
        "glue:BatchDeleteTableVersion",
        "lambda:DeleteAlias",
        "glue:DeleteSchemaVersions",
        "glue:BatchCreatePartition",
        "glue:CreateClassifier",
        "glue:UpdateTable",
        "lambda:DeleteProvisionedConcurrencyConfig",
        "glue:DeleteTable",
        "glue:DeleteWorkflow",
        "glue:DeleteSchema",
        "glue:UpdateWorkflow",
        "glue:CreateScript",
        "glue:StartWorkflowRun",
        "glue:StopCrawlerSchedule",
        "lambda:UpdateFunctionEventInvokeConfig",
        "lambda:DeleteFunctionCodeSigningConfig",
        "glue:UpdateDatabase",
        "glue:CreateTable",
        "lambda:InvokeFunction",
        "glue:BatchStopJobRun",
        "glue:DeleteUserDefinedFunction",
        "glue:CreateConnection",
        "glue:CreateCrawler",
        "lambda:UpdateAlias",
        "glue:DeleteSecurityConfiguration",
        "glue:CreateSchema",
        "glue:StartJobRun",
        "glue:BatchDeleteTable",
        "glue:UpdateClassifier",
        "glue:CreateWorkflow",
        "glue:DeletePartition",
        "lambda:CreateAlias",
        "glue:CreateSecurityConfiguration",
        "glue:PutWorkflowRunProperties",
        "glue:DeleteDatabase",
        "glue:RemoveSchemaVersionMetadata",
        "lambda:PublishLayerVersion",
        "lambda:CreateEventSourceMapping",
        "glue:StartTrigger",
        "glue:DeleteRegistry",
        "lambda:PutFunctionConcurrency",
        "lambda:DeleteCodeSigningConfig",
        "glue:ImportCatalogToGlue",
        "glue:PutDataCatalogEncryptionSettings",
        "glue:UpdateRegistry",
        "glue:StartCrawler",
        "lambda:DeleteLayerVersion",
        "lambda:PutFunctionEventInvokeConfig",
        "glue:UpdateJob",
        "lambda:DeleteFunctionEventInvokeConfig",
        "lambda:CreateCodeSigningConfig",
        "glue:StartImportLabelsTaskRun",
        "glue:DeleteClassifier",
        "glue:StartExportLabelsTaskRun",
        "glue:UpdateUserDefinedFunction",
        "glue:CancelMLTaskRun",
        "glue:StopWorkflowRun",
        "glue:PutSchemaVersionMetadata",
        "glue:UpdateCrawlerSchedule",
        "glue:UpdateConnection",
        "glue:CreateDevEndpoint",
        "glue:UpdateDevEndpoint",
        "lambda:DeleteFunctionConcurrency",
        "glue:DeleteTrigger"
      ],
      "Resource": "*"
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "iam:PassRole",
        "s3:ListBucket",
        "s3:DeleteObject"
      ],
      "Resource": [
        "arn:aws:s3:::*",
        "arn:aws:iam::############:role/query_training_status-role"
      ]
    }
  ]
}
```
Answer 1: From the IAM policy you posted it is clear that you are only allowed to perform iam:PassRole on arn:aws:iam::############:role/query_training_status-role, while Glue is trying to use arn:aws:iam::############:role/AWS-Glue-S3-Bucket-Access. So you just need to update your IAM policy to allow iam:PassRole on that role as well as the other one.
Comments:

Thanks, that fixed the error. I am new to AWS; I wonder why the SageMaker example does not mention this.
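The policy change the answer describes, as an added example that is not code from the question or the answer. It keeps the account id and role names as the question's redacted placeholders, splits iam:PassRole out of the shared S3 statement, and adds an iam:PassedToService condition so the SageMaker execution role can pass each role only to the service that is meant to assume it (my addition, not something the answer suggests). The allows() function is a small local approximation of IAM evaluation, enough to show why the posted policy produces the AccessDeniedException and why the new one does not; simulate_in_aws() wraps the real IAM policy simulator for an authoritative check and needs credentials.

```python
# Added example (not the question's or answer's code).  ACCOUNT and the role
# names are the question's placeholders; the PassedToService condition, the
# local evaluator and simulate_in_aws() are my additions.
import fnmatch
import json

ACCOUNT = "############"  # redacted account id, as in the question
GLUE_ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/AWS-Glue-S3-Bucket-Access"
LAMBDA_ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/query_training_status-role"
S3_ACTIONS = ["s3:PutObject", "s3:GetObject", "s3:ListBucket", "s3:DeleteObject"]


def original_policy():
    """VisualEditor1 as posted: PassRole shares one Resource list with the S3
    actions, and the Glue role is simply not in that list."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "VisualEditor1",
        "Effect": "Allow",
        "Action": S3_ACTIONS + ["iam:PassRole"],
        "Resource": ["arn:aws:s3:::*", LAMBDA_ROLE_ARN],
    }]}


def passrole_statement(role_arns, service):
    """Allow iam:PassRole only for the listed roles and only when the role is
    handed to `service`.  Without iam:PassedToService the caller could pass
    the role to any service whose trust policy accepts it, not just Glue."""
    return {
        "Sid": "PassRoleTo" + service.split(".")[0].capitalize(),
        "Effect": "Allow",
        "Action": "iam:PassRole",
        "Resource": list(role_arns),
        "Condition": {"StringEquals": {"iam:PassedToService": service}},
    }


def fixed_policy():
    """The fix the answer describes: PassRole split out per service, S3
    grant from the question kept unchanged."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "S3Access", "Effect": "Allow",
         "Action": S3_ACTIONS, "Resource": "arn:aws:s3:::*"},
        passrole_statement([GLUE_ROLE_ARN], "glue.amazonaws.com"),
        passrole_statement([LAMBDA_ROLE_ARN], "lambda.amazonaws.com"),
    ]}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def allows(policy, action, resource, context=None):
    """Local approximation of identity-policy evaluation: explicit Deny wins,
    else any matching Allow wins, else implicit deny.  Only StringEquals
    conditions are understood; a missing context key fails the condition,
    as in IAM.  Use simulate_in_aws() for the authoritative answer."""
    context = context or {}
    allowed = False
    for st in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action.lower(), a.lower())
                   for a in _as_list(st["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r)
                   for r in _as_list(st["Resource"])):
            continue
        cond = st.get("Condition", {}).get("StringEquals", {})
        if any(context.get(k) not in _as_list(v) for k, v in cond.items()):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def simulate_in_aws(principal_arn, role_arn, service):
    """Authoritative check with the IAM policy simulator (needs credentials and
    iam:SimulatePrincipalPolicy).  Returns 'allowed', 'implicitDeny' or
    'explicitDeny'."""
    import boto3  # imported here so the rest of the module runs offline
    resp = boto3.client("iam").simulate_principal_policy(
        PolicySourceArn=principal_arn,  # the execution role's IAM ARN, not the STS one
        ActionNames=["iam:PassRole"],
        ResourceArns=[role_arn],
        ContextEntries=[{"ContextKeyName": "iam:PassedToService",
                         "ContextKeyValues": [service],
                         "ContextKeyType": "string"}],
    )
    return resp["EvaluationResults"][0]["EvalDecision"]


if __name__ == "__main__":
    print(json.dumps(fixed_policy(), indent=2))
```

Two things to keep in mind when applying this. PolicySourceArn for the simulator is the IAM role ARN (arn:aws:iam::...:role/AmazonSageMaker-ExecutionRole-...), not the arn:aws:sts::...:assumed-role/... principal shown in the error message. And PassRole only lets the caller hand the role over; the Glue role's own trust policy must still allow glue.amazonaws.com to assume it, or CreateJob fails for a different reason.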