Unable to configure SageMaker execution Role with access to S3 bucket in another AWS account

0

Requirement: Create a SageMaker Ground Truth labeling job with the input/output location pointing to an S3 bucket in another AWS account

High-level steps followed: Let's say Account_A: SageMaker Ground Truth labeling job and Account_B: S3 bucket

  1. Create role AmazonSageMaker-ExecutionRole in Account_A with 3 policies attached:
  • AmazonSageMakerFullAccess
  • Account_B_S3_AccessPolicy: Policy with the necessary S3 permissions to access the S3 bucket in Account_B
  • AssumeRolePolicy: Assume-role policy for arn:aws:iam::Account_B:role/Cross-Account-S3-Access-Role
  2. Create role Cross-Account-S3-Access-Role in Account_B with 1 policy and 1 trust relationship attached:
  • S3_AccessPolicy: Policy with the necessary S3 permissions to access the S3 bucket in this Account_B
  • TrustRelationship: For principal arn:aws:iam::Account_A:role/AmazonSageMaker-ExecutionRole

Error: While trying to create the SageMaker Ground Truth labeling job with the IAM role AmazonSageMaker-ExecutionRole, it throws the error: AccessDenied: Access Denied - The S3 bucket 'Account_B_S3_bucket_name' you entered in Input dataset location cannot be reached. Either the bucket does not exist, or you do not have permission to access it. If the bucket does not exist, update Input dataset location with a new S3 URI. If the bucket exists, give the IAM entity you are using to create this labeling job permission to read and write to this S3 bucket, and try your request again.

2 Answers
0

Hi Kalmesh,

The labeling job will not assume other roles, so granting access via AssumeRolePolicy and TrustRelationship will not work in this case. The permissions need to be granted directly to AmazonSageMaker-ExecutionRole.

The easiest way to accomplish this is:

  1. Attach a policy to AmazonSageMaker-ExecutionRole granting appropriate permissions to the bucket in Account B. (It sounds like you have already done this via Account_B_S3_AccessPolicy)
  2. Define a corresponding bucket policy on the S3 Bucket in Account B to allow access for the principal arn:aws:iam::Account_A:role/AmazonSageMaker-ExecutionRole

There is also a more detailed explanation of the setup required in this knowledge center article: How can I grant a user in another AWS account the access to upload objects to my Amazon S3 bucket?

JamesB (AWS)
answered 2 years ago
  • Hi James,

    Thanks for the reply. Before trying out the assume-role approach, I had tried the same step of attaching the policy below directly to the S3 bucket, which grants access to the SageMaker execution role. But even that threw the same error message.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "s3:GetObject",
                    "s3:PutObject",
                    "s3:DeleteObject",
                    "s3:AbortMultipartUpload",
                    "s3:ListBucket",
                    "s3:GetBucketAcl",
                    "s3:PutBucketAcl"
                ],
                "Resource": [
                    "arn:aws:s3:::account_b_s3_bucket",
                    "arn:aws:s3:::account_b_s3_bucket/*"
                ],
                "Principal": {
                    "AWS": "arn:aws:iam::Account_A:role/AmazonSageMaker-ExecutionRole"
                }
            }
        ]
    }
    
  • That looks right. Double-check the permissions against the list in the documentation and make sure there is nothing missing from the IAM policy or the bucket policy. Also, depending on the encryption settings on the S3 bucket, you might need to add KMS permissions as well.

0

Reverted to the original approach, where access for the SageMaker execution role was granted through a direct S3 bucket policy.

While creating the GT job from the console:

  • It expects the user creating the job to also have access to the data in the cross-account S3 bucket; updated the bucket policy to grant access to both the SageMaker execution role and the user
  • It expects the manifest to be in the account's own S3 bucket; it fails with 403 if the manifest is in the cross-account S3 bucket, even though the SageMaker execution role had access to the cross-account S3 bucket

While creating the GT job from the CLI: the above restrictions don't apply, and I was able to create the GT job.

kalmesh
answered 2 years ago
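The two answers above boil down to one evaluation rule: for a request that crosses an account boundary, S3 needs an Allow from the caller's own identity policy in Account_A and an Allow for that same principal in the Account_B bucket policy; a trust relationship on some other role in Account_B is irrelevant because the labeling job calls S3 as the execution role and never assumes anything. The console behaviour kalmesh reports follows from the same rule applied to a second principal (the user creating the job). The script below is an added example, not code from the thread or from AWS: a deliberately simplified model of that evaluation (Allow/Deny, Action/Resource wildcards and the AWS Principal element only; no Condition, NotAction, SCPs, permission boundaries or ACLs). The account IDs, the console user name and the manifest key are constructed placeholders.

```python
"""Simplified model of how IAM evaluates a cross-account S3 request.
Added example, not code from the thread or from AWS. Account IDs, the
console user name and the manifest key are constructed placeholders.
Handles only Allow/Deny, Action/Resource wildcards and the AWS Principal
element; ignores Condition, NotAction, SCPs, boundaries and bucket ACLs."""
from fnmatch import fnmatchcase

ACCOUNT_A = "111111111111"  # constructed: account running the labeling job
ACCOUNT_B = "222222222222"  # constructed: account that owns the bucket
BUCKET = "account_b_s3_bucket"
EXEC_ROLE = f"arn:aws:iam::{ACCOUNT_A}:role/AmazonSageMaker-ExecutionRole"
CONSOLE_USER = f"arn:aws:iam::{ACCOUNT_A}:user/console-user"  # constructed
BUCKET_RESOURCES = [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"]
S3_ACTIONS = ["s3:GetObject", "s3:PutObject", "s3:DeleteObject",
              "s3:AbortMultipartUpload", "s3:ListBucket", "s3:GetBucketAcl"]
MANIFEST = f"arn:aws:s3:::{BUCKET}/input/manifest.json"  # constructed key


def _as_list(value):
    return value if isinstance(value, list) else [value]


def account_of(principal_arn):
    # arn:partition:service:region:account-id:resource -> account-id
    return principal_arn.split(":")[4]


def statement_matches(stmt, principal, action, resource):
    """True if Action, Resource and (if present) Principal cover the request."""
    if not any(fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
        return False
    if not any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
        return False
    if "Principal" not in stmt:  # identity policy: the principal is implicit
        return True
    if stmt["Principal"] == "*":
        return True
    aws = _as_list(stmt["Principal"].get("AWS", []))
    return "*" in aws or principal in aws


def policy_decision(policy, principal, action, resource):
    """'Deny', 'Allow' or None (no matching statement) for one policy document."""
    decision = None
    for stmt in policy["Statement"]:
        if statement_matches(stmt, principal, action, resource):
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


def is_allowed(principal, action, resource, identity_policy, bucket_policy, bucket_owner):
    """Cross-account: Allow needed from BOTH identity and bucket policy.
    Same account: Allow from either suffices. Explicit Deny anywhere wins."""
    ident = policy_decision(identity_policy, principal, action, resource)
    res = policy_decision(bucket_policy, principal, action, resource)
    if "Deny" in (ident, res):
        return False
    if account_of(principal) == bucket_owner:
        return "Allow" in (ident, res)
    return ident == "Allow" and res == "Allow"


def bucket_policy_for(principals):
    """Account_B bucket policy granting the listed principals read/write on BUCKET.
    For the console flow the list must hold both the execution role and the user."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": list(principals)},
        "Action": S3_ACTIONS,
        "Resource": BUCKET_RESOURCES,
    }]}


# Identity policy on the execution role in Account_A (Account_B_S3_AccessPolicy
# plus AssumeRolePolicy from the question). The sts:AssumeRole grant never comes
# into play: the labeling job calls S3 as the execution role itself.
ROLE_IDENTITY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": S3_ACTIONS, "Resource": BUCKET_RESOURCES},
    {"Effect": "Allow", "Action": "sts:AssumeRole",
     "Resource": f"arn:aws:iam::{ACCOUNT_B}:role/Cross-Account-S3-Access-Role"},
]}
# Identity policy on the console user in Account_A (constructed).
USER_IDENTITY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": BUCKET_RESOURCES},
]}
EMPTY_BUCKET_POLICY = {"Version": "2012-10-17", "Statement": []}


def scenario(bucket_policy):
    """Who can read the input manifest under a given Account_B bucket policy."""
    return {
        "role": is_allowed(EXEC_ROLE, "s3:GetObject", MANIFEST,
                           ROLE_IDENTITY_POLICY, bucket_policy, ACCOUNT_B),
        "user": is_allowed(CONSOLE_USER, "s3:GetObject", MANIFEST,
                           USER_IDENTITY_POLICY, bucket_policy, ACCOUNT_B),
    }


if __name__ == "__main__":
    print("assume-role only, no bucket policy:", scenario(EMPTY_BUCKET_POLICY))
    print("bucket policy for the role only:   ", scenario(bucket_policy_for([EXEC_ROLE])))
    print("bucket policy for role and user:   ", scenario(bucket_policy_for([EXEC_ROLE, CONSOLE_USER])))
```

The first scenario reproduces the original question: the execution role has an identity policy and an assume-role grant, but with no bucket policy naming it in Account_B the cross-account read is denied. The second matches the bucket policy kalmesh posted, which lets the role through but still denies a console user who is not listed; the third is the policy kalmesh ended up with. The model does not cover SSE-KMS: if the bucket's objects are encrypted with a customer managed key, the Account_B key policy must also grant the Account_A principals the relevant kms:* actions, which is the KMS caveat in JamesB's comment.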
