How do I troubleshoot connection errors when I set up input data for an Amazon SageMaker Ground Truth labeling job?

2 minute read

I want to troubleshoot connection errors when I try to set up input data for an Amazon SageMaker Ground Truth labeling job.


When you have connection issues with SageMaker Ground Truth, you might get an error similar to the following:

Connection error: There was an issue with your input data setup. Ground Truth could not setup a connection with your dataset in S3. Please check your input data setup and try again, or use the manual data setup option. Network Failure Request id: <request_id>

This error usually occurs because your AWS Identity and Access Management (IAM) role doesn't have the permissions that are required for setting up the input data.

To troubleshoot this error, be sure that the role that you're using has the following policies attached:

  • AmazonSageMakerFullAccess
  • Amazon Simple Storage Service (Amazon S3) read and write access

Issues with SageMaker access

If the IAM role that you're using doesn't have the AmazonSageMakerFullAccess policy attached, then attach the following Ground Truth actions to the policy:

  • groundtruthlabeling:DescribeConsoleJob
  • groundtruthlabeling:ListDatasetObjects
  • groundtruthlabeling:RunFilterOrSampleManifestJob
  • groundtruthlabeling:RunGenerateManifestByCrawlingJob

For more information, see Permissions.

Issues with Amazon S3 access

Be sure that the IAM role includes the required permissions to access the input data files in the Amazon S3 bucket. For more information, see S3: Allows read and write access to objects in an S3 bucket.

Issues with cross-account access

If the data that you are setting up is in another account, then be sure that the execution role account has cross-account access to the S3 objects. For more information, see How can I provide cross-account access to objects that are in Amazon S3 buckets?

Issues with service control policies

Be sure that the service control policies applied at the organization level don't restrict actions on the member account. For example, even if the execution role has the required permissions attached, an explicit DENY on all groundtruthlabeling actions restricts the connection and results in a connection error. For more information, see SCP effects on permissions.

AWS OFFICIALUpdated 2 years ago