How do I troubleshoot errors when I import data into my SageMaker Studio using SageMaker Data Wrangler?

3 minute read
0

I receive errors when I try to import data from Amazon Simple Storage Service (Amazon S3) or Amazon Athena using Amazon SageMaker Data Wrangler.

Resolution

Lifecycle permission error

When you try to import data from Amazon Athena into Data Wrangler, you might get the following error:

S3LifecyclePermissionError: You don't have permission to read expiration rules from the bucket that you specified.

This error occurs because the SageMaker execution role that's associated with the user profile doesn't have the required permissions. The role requires permission to access the Amazon S3 Lifecycle configurations that manage data retention and expiration.

To resolve this error, add the following AWS Identity and Access Management (IAM) policy to the SageMaker execution role (for example, AmazonSageMaker-ExecutionRole-################):

{  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "LifecycleConfig",
      "Effect": "Allow",
      "Action": [
        "s3:GetLifecycleConfiguration",
        "s3:PutLifecycleConfiguration"
      ],
      "Resource": "*"
    }
  ]
}

For Resource, include only buckets that are specific to your AWS Region. GetBucketLifecycleConfiguration returns the lifecycle configuration information set on the bucket. PutBucketLifecycleConfiguration creates a new Lifecycle configuration for the bucket.

Access denied error

When you run a processing job with unencrypted output settings, you might get the following error:

com.amazonaws.services.s3.model.AmazonS3Exception: Access Denied

You get the error for these reasons:

  • The SageMaker execution role doesn't have the required permissions to perform S3 operations.
  • Either the S3 bucket policy or Amazon Virtual Private Cloud (Amazon VPC) endpoint policy has denied permissions for PutObject. This denial is true if you enforce only encrypted connections to the S3 bucket by requiring a specific AWS Key Management Service (AWS KMS) key.

To resolve this error, complete one or more of the following actions:

  • Check that the SageMaker execution role has minimum permissions for S3 bucket operations.

    {  "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "s3:GetObject",
            "s3:PutObject",
            "s3:ListBucket",
            "s3:CreateBucket",
          ],
          "Resource": [
            "arn:aws:s3:::sagemaker-us-east-1-1111222233334444",
            "arn:aws:s3:::sagemaker-us-east-1-1111222233334444/*"
          ]
        }
      ]
    }
  • Be sure that the S3 bucket policy or VPC endpoint policy doesn't explicitly deny the required permissions for S3 operations.

  • Pass the AWS KMS key to the processing job that allows you to decrypt objects in the S3 bucket from where the data is imported.

  • Use a different S3 bucket for importing your data that's encrypted at rest using the Amazon S3 server-side encryption.

AWS OFFICIAL
AWS OFFICIALUpdated 3 months ago