The issue you're encountering with your AWS IAM policies, specifically in the context of SageMaker Studio and Canvas, seems to be related to how AWS IAM interprets and enforces policies based on tags, such as `aws:PrincipalTag`. Your intention is to limit access to S3 resources based on an organization ID (`org_id`), which is a commendable approach for multi-tenant architectures. However, the crux of the problem lies in the application of `aws:PrincipalTag` within the context of SageMaker's execution model.
Understanding `aws:PrincipalTag`
The `aws:PrincipalTag` condition key in IAM policies is designed to allow or deny permissions based on tags associated with the IAM principal (an IAM user or role) making the request. This is useful for implementing fine-grained access controls based on attributes like organization ID, project ID, etc.
The Issue with SageMaker and IAM Roles
SageMaker Studio, when executing actions on AWS resources such as S3, operates under an IAM role assumed by the SageMaker service. This role is used to perform operations on behalf of the user. The critical detail here is that this role is shared across different users of the SageMaker Studio instance; it is not unique to each user.
When you define an IAM policy that uses `aws:PrincipalTag` to restrict access to resources based on the `org_id` tag, it assumes that the principal (in this case, the IAM role assumed by SageMaker) has the `org_id` tag that matches the intended restriction. However, since SageMaker Studio users share the same execution role, this role cannot have a unique `org_id` tag for each user. Consequently, the policy does not work as intended because it's evaluating the tag of the shared role, not the individual user.
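To make the shared-role point concrete, here is an added illustration that is not part of the answer above and not AWS's own policy engine: a toy evaluator for a bucket-scoping policy built on `${aws:PrincipalTag/org_id}`. The bucket name, tag values and prefixes are constructed placeholders; the only IAM behaviour it models is that the variable is substituted from the tags of the principal that actually makes the call (the SageMaker execution role), and that an unresolvable variable means the condition cannot match.

```python
"""Toy evaluator for an S3 policy that scopes ListBucket by ${aws:PrincipalTag/org_id}.
Added example, not AWS code: it models only PrincipalTag substitution and StringLike."""
import fnmatch

# Constructed policy: allow listing only under the caller's own org prefix.
POLICY = {
    "Statement": [{
        "Effect": "Allow",
        "Action": "s3:ListBucket",
        "Resource": "arn:aws:s3:::example-bucket",  # placeholder bucket name
        "Condition": {"StringLike": {"s3:prefix": "${aws:PrincipalTag/org_id}/*"}},
    }]
}


def resolve(value, principal_tags):
    """Substitute ${aws:PrincipalTag/<key>} from the calling principal's tags.
    Returns None when the tag is absent: in IAM the condition then cannot
    match, so the Allow statement simply does not apply."""
    prefix, marker = "${aws:PrincipalTag/", "}"
    if not value.startswith(prefix):
        return value
    end = value.index(marker)
    key = value[len(prefix):end]
    if key not in principal_tags:
        return None
    return principal_tags[key] + value[end + 1:]


def is_allowed(policy, principal_tags, action, s3_prefix):
    """Default deny; grant only if an Allow statement's resolved prefix pattern matches."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or stmt["Action"] != action:
            continue
        pattern = resolve(stmt["Condition"]["StringLike"]["s3:prefix"], principal_tags)
        if pattern is not None and fnmatch.fnmatchcase(s3_prefix, pattern):
            return True
    return False


if __name__ == "__main__":
    # A role tagged org_id=acme can list only acme/... keys.
    print(is_allowed(POLICY, {"org_id": "acme"}, "s3:ListBucket", "acme/data"))    # True
    print(is_allowed(POLICY, {"org_id": "acme"}, "s3:ListBucket", "globex/data"))  # False
    # The shared SageMaker execution role carries no per-user org_id tag,
    # so the variable never resolves and every user's request is denied.
    print(is_allowed(POLICY, {}, "s3:ListBucket", "acme/data"))                    # False
```

The last call is the situation the answer describes: the Studio user's identity never reaches the policy, only the execution role's tags do.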
Thanks for replying and I understand the error I made, however I had tried to replace the `org_id` tag directly with the folder name, and it still doesn't work. I know it's a very specific question, but would you know where this problem comes from?