- Newest
- Most votes
- Most comments
Hi,
Thank you for using AWS Sagemaker.
According to the 'TensorFlowProcessor' doc[1], this 'TensorFlowProcessor' is inherited from the 'FrameworkProcessor'[2]. When user doesn't define the optional 'sagemaker_session'[3], it will create one using the default AWS configuration chain. I can see in your post you were passing the default 'PipelineSession' to the 'TensorFlowProcessor' and it failed with the 'AccessDenied' error. However, if you don't include the 'PipelineSession' you defined above and leave the value to none, the system will create a default 'sagemaker_session' for you and it won't assume role and results into the error.
Based on the above, could you please try defining a default 'sagemaker_session' and pass the 'sagemaker_session' as the value of a new 'PipelineSession' and try launching the pipeline with this one. Sample code below:
sagemaker_sess = sagemaker.Session() pipeline_sess = PipelineSession(boto_session=sagemaker_sess)
Please note the 'PipelineSession' is inherited from the SageMaker session class and is only recommended over regular SageMaker Session when your pipeline involves SageMaker Model-Building[4]. For your use case, as you are only doing pre and post processing tasks, you can use the regular SageMaker Session.
In case you have any further queries ,I'd recommend you to reachout to AWS Support by creating a support case[5] so that an engineer can investigate further and assist you in this regard.
Reference: —————— [1] https://sagemaker.readthedocs.io/en/stable/frameworks/tensorflow/sagemaker.tensorflow.html#tensorflow-processor [2] https://sagemaker.readthedocs.io/en/stable/api/training/processing.html#sagemaker.processing.FrameworkProcessor [3] https://sagemaker.readthedocs.io/en/stable/api/utility/session.html#sagemaker.session.Session [4] https://sagemaker.readthedocs.io/en/stable/workflows/pipelines/sagemaker.workflow.pipelines.html#sagemaker.workflow.pipeline_context.PipelineSession [5]Open a support case with AWS using the link: https://console.aws.amazon.com/support/home?#/case/create [6]https://aws.amazon.com/premiumsupport/faqs/
I tried sagemaker_sess = sagemaker.Session() pipeline_sess = PipelineSession(boto_session=sagemaker_sess)
I got an error that says "AttributeError: 'Session' object has no attribute 'region_name'
In your IAM policy for role/CTE-AmazonSageMakerStudio-ExecutionRole
, does it have permission to call KMS API? (Not the KMS key policy)
Relevant content
- Accepted Answerasked a year ago
- asked a year ago
- asked 2 years ago
- AWS OFFICIALUpdated 2 months ago
- AWS OFFICIALUpdated 2 months ago
- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated a year ago
Your S3 bucket is likely secured by SSE-KMS. Check the key policy for KMS key that's associated with the bucket.
@kumo-hiyori. Thank you for your comment. I updated the question to include information about SSE-KMS for the source bucket. I believe the SSE-KMS cross-account access permissions are setup correctly but feel free to take a look. Let me know if you need more information.