SageMaker客户端错误：在调用CreateTrainingJob操作时发生ValidationException错误：无法扮演角色。

Question

SageMaker客户端错误：在调用CreateTrainingJob操作时发生ValidationException错误：无法扮演角色。

amazon-web-servicesamazon-iamamazon-sagemaker

4

当我在SageMaker的Notebook实例中创建linear_learner_mnist示例模型时，即使我已经拥有具有AmazonSageMakerFullAccess和AssumeRole附加策略的角色，我仍会遇到错误。当我将AdministratorAccess策略添加到该角色时，一切正常。我错过了什么吗？

P.S 角色已存在且已附加 :)

Resources:
  SageMakerExecutionRole:
    Condition: RoleArnEmpty
    Type: "AWS::IAM::Role"
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Effect: "Allow"
            Principal:
              Service:
                - "sagemaker.amazonaws.com"
            Action:
              - sts:AssumeRole
      ManagedPolicyArns:
        - "arn:aws:iam::aws:policy/AmazonSageMakerFullAccess"
      Path: "/service-role/"
      Policies:
        Fn::If:
        - S3BucketNotEmpty
        -
          - PolicyName: SageMakerS3BucketAccess
            PolicyDocument:
              Version: '2012-10-17'
              Statement:
                - Effect: Allow
                  Action:
                    - s3:*
                  Resource:
                    - !Sub 'arn:aws:s3:::${SageMakerS3Bucket}'
                    - !Sub 'arn:aws:s3:::${SageMakerS3Bucket}/*'
        - Ref: AWS::NoValue

客户端错误: 在调用CreateTrainingJob操作时发生了一个错误(ValidationException): 无法假设角色arn:aws:iam::XXX:role/sagemaker-stack-SageMakerExecutionRole-1JT7AT4OPUK9R。请确保该角色存在并允许主体'sagemaker.amazonaws.com'来假设角色。

- Ivan Shelonik

2个回答

1

我尝试基于您提供的CloudFormation模板创建IAM角色，得到了一个ARN为arn:aws:iam::xxx:role/service-role/test-iam-SageMakerExecutionRole-187YIQM7UMMXF的角色。

我认为问题在于您在创建训练工作时设置的角色ARN不正确。您可能需要在角色名称之前添加"/service-role"。

- Alohahaha

网页内容由stack overflow 提供, 点击上面的

可以查看英文原文，
原文链接

- balast · Accepted Answer

当您添加AdministratorAccess策略时，我很惊讶一切都正常工作。有关错误及其更正方式的说明，请参阅https://docs.aws.amazon.com/sagemaker/latest/dg/sagemaker-roles.html。

An Amazon SageMaker user can grant these permissions with an IAM role (referred to as an execution role). The user passes the role when making these API calls: CreateNotebookInstance, CreateHyperParameterTuningJob, CreateTrainingJob, and CreateModel.

You attach the following trust policy to the IAM role which grants Amazon SageMaker principal permissions to assume the role, and is the same for all of the execution roles:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "sagemaker.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

在身份和访问管理(IAM)控制台中，我在我的角色的信任关系部分的信任策略下添加了上面的语句，并且这为我修复了该错误。