2 Answers
Hi Kalmesh,
The labeling job will not assume other roles, so granting access via AssumeRolePolicy and TrustRelationship will not work in this case. The permissions need to be granted directly to AmazonSageMaker-ExecutionRole.
The easiest way to accomplish this is:
- Attach a policy to AmazonSageMaker-ExecutionRole granting appropriate permissions to the bucket in Account B. (It sounds like you have already done this via Account_B_S3_AccessPolicy.)
- Define a corresponding bucket policy on the S3 bucket in Account B to allow access for the principal arn:aws:iam::Account_A:role/AmazonSageMaker-ExecutionRole
There is also a more detailed explanation of the setup required in this knowledge center article: How can I grant a user in another AWS account the access to upload objects to my Amazon S3 bucket?
answered 2 years ago
Reverted to the original approach, where access for the SageMaker execution role was granted through a direct S3 bucket policy.
While creating the GT job from the console:
- Expects the user creating the job to also have access to the data in the cross-account S3 bucket; updated the bucket policy to grant access to both the SageMaker execution role and the user
- Expects the manifest to be in the job's own account's S3 bucket; fails with 403 if the manifest is in the cross-account S3 bucket, even though the SageMaker execution role had access to the cross-account S3 bucket
While creating the GT job from the CLI: the above restrictions don't apply, and I was able to create the GT job.
answered 2 years ago
Hi James,
Thanks for the reply. Before trying out the Assume Role approach, I had tried the same step of attaching the policy below directly to the S3 bucket, which grants access to the SageMaker-Execution role. But even that threw the same error message.
That looks right. Double-check the permissions against the list in the documentation and make sure there is nothing missing from the IAM policy or the bucket policy. Also, depending on the encryption settings on the S3 bucket, you might need to add KMS permissions as well.
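The two-sided grant from the first answer (identity policy on the execution role in Account A plus a bucket policy in Account B naming that role as principal), written out as an added example that is not from the original thread or from AWS. The account ID, bucket name and action list are constructed placeholders; `cross_account_allowed` is a hypothetical helper that models the rule the answer relies on: a cross-account S3 request succeeds only when both policies allow it, so it is a quick way to spot which side is missing a permission before re-running the job.

```python
import fnmatch

# Constructed placeholder values; substitute your own account ID, bucket and role name.
ACCOUNT_A = "111111111111"                            # account that runs the Ground Truth job
BUCKET_ARN = "arn:aws:s3:::account-b-labeling-data"   # bucket owned by Account B
ROLE_ARN = f"arn:aws:iam::{ACCOUNT_A}:role/AmazonSageMaker-ExecutionRole"

# Side 1: identity policy attached to the execution role in Account A
# (the role that Account_B_S3_AccessPolicy plays in the question).
ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": BUCKET_ARN},
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": f"{BUCKET_ARN}/*"},
]}

# Side 2: bucket policy on the bucket in Account B naming the role as principal.
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowSageMakerRoleFromAccountA", "Effect": "Allow",
     "Principal": {"AWS": ROLE_ARN},
     "Action": ["s3:ListBucket", "s3:GetObject", "s3:PutObject"],
     "Resource": [BUCKET_ARN, f"{BUCKET_ARN}/*"]},
]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(statement, action, resource_arn, principal_arn=None):
    """True if an Allow statement names this action and resource (and, for a
    bucket policy, this principal). '*' wildcards are honoured; Deny statements
    and IAM condition keys are not modelled."""
    if statement.get("Effect") != "Allow":
        return False
    if principal_arn is not None:
        principal = statement.get("Principal", {})
        principals = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        if principal_arn not in principals and "*" not in principals:
            return False
    return (any(fnmatch.fnmatchcase(action, a) for a in _as_list(statement["Action"]))
            and any(fnmatch.fnmatchcase(resource_arn, r) for r in _as_list(statement["Resource"])))


def cross_account_allowed(action, resource_arn, role_policy=ROLE_POLICY,
                          bucket_policy=BUCKET_POLICY, role_arn=ROLE_ARN):
    """Cross-account S3 access needs BOTH the caller's identity policy (Account A)
    and the bucket policy (Account B) to allow the request; either alone fails."""
    role_ok = any(_matches(s, action, resource_arn) for s in role_policy["Statement"])
    bucket_ok = any(_matches(s, action, resource_arn, role_arn) for s in bucket_policy["Statement"])
    return role_ok and bucket_ok
```

If the bucket uses SSE-KMS, the key policy in Account B is a third side of the grant that this helper does not model, which is the KMS case mentioned above.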