
Policy that allows only one SSO user to access a resource


We are in the process of moving all of our IAM users to AWS SSO. We used to have this policy for SageMaker:

"

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "sagemaker:ListTags",
                "sagemaker:DeleteNotebookInstance",
                "sagemaker:StopNotebookInstance",
                "sagemaker:CreatePresignedNotebookInstanceUrl",
                "sagemaker:DescribeNotebookInstance",
                "sagemaker:StartNotebookInstance",
                "sagemaker:UpdateNotebookInstance"
            ],
            "Resource": "arn:aws:sagemaker:::notebook-instance/${aws:username}*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "sagemaker:ListNotebookInstanceLifecycleConfigs",
                "sagemaker:ListNotebookInstances",
                "sagemaker:ListCodeRepositories"
            ],
            "Resource": "*"
        }
    ]
}

"

This would give each user access to use his/her own notebook. Now, on the new SSO permission set, I gave this:

"
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "glue:CreateScript",
                "secretsmanager:*"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "sagemaker:ListTags",
                "sagemaker:DeleteNotebookInstance",
                "sagemaker:StopNotebookInstance",
                "sagemaker:CreatePresignedNotebookInstanceUrl",
                "sagemaker:Describe*",
                "sagemaker:StartNotebookInstance",
                "sagemaker:UpdateNotebookInstance",
                "sagemaker:CreatePresignedDomainUrl",
                "sagemaker:*"
            ],
            "Resource": "arn:aws:sagemaker:::notebook-instance/*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/Owner": "${identitystore:UserId}"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "sagemaker:ListTags",
                "sagemaker:Describe*",
                "sagemaker:StartNotebookInstance"
            ],
            "Resource": "*"
        }
    ]
}
"

This is what I tried, but I can't make it work. Please assist.

1 Answer
Accepted Answer

Hello,

I understand that you are currently trying to restrict access to SageMaker notebooks using the SSO identity's UserId.

I took your provided SSO permission set and tweaked it as you can see below, then tested it in the AWS SageMaker console by logging in as an AWS SSO user, and was able to successfully start/stop/describe the SageMaker notebook (with tags - Owner:UserId) corresponding to the SSO UserId.

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Effect": "Allow",
			"Action": [
				"glue:CreateScript",
				"secretsmanager:*"
			],
			"Resource": "*"
		},
		{
			"Effect": "Allow",
			"Action": [
				"sagemaker:ListTags",
				"sagemaker:DeleteNotebookInstance",
				"sagemaker:StopNotebookInstance",
				"sagemaker:CreatePresignedNotebookInstanceUrl",
				"sagemaker:Describe*",
				"sagemaker:StartNotebookInstance",
				"sagemaker:UpdateNotebookInstance",
				"sagemaker:CreatePresignedDomainUrl"
			],
			"Resource": "arn:aws:sagemaker:us-east-1:7XXXXXXXXX:notebook-instance/*",
			"Condition": {
				"StringEquals": {
					"sagemaker:ResourceTag/Owner": "${identitystore:UserId}"
				}
			}
		},
		{
			"Sid": "VisualEditor1",
			"Effect": "Allow",
			"Action": [
				"sagemaker:ListNotebookInstanceLifecycleConfigs",
				"sagemaker:ListNotebookInstances",
				"sagemaker:ListCodeRepositories"
			],
			"Resource": "*"
		}
	]
}

However, if this SSO user tried to stop any other SageMaker notebooks that didn't have the tags corresponding to their UserId, the following errors were observed, as expected:

User: arn:aws:sts::7XXXXXXXXX:assumed-role/AWSReservedSSO_SageMXXXXXXXXXbe/test1 is not authorized to perform: sagemaker:StopNotebookInstance on resource: arn:aws:sagemaker:us-east-1:7XXXXXXXXX:notebook-instance/userachecking because no identity-based policy allows the sagemaker:StopNotebookInstance action

or 

User: arn:aws:sts::7XXXXXXXXX:assumed-role/AWSReservedSSO_SageMXXXXXXXXXbe/test1 is not authorized to perform: sagemaker:DescribeNotebookInstance on resource: arn:aws:sagemaker:us-east-1:7XXXXXXXXX:notebook-instance/Test1Check because no identity-based policy allows the sagemaker:DescribeNotebookInstance action

Also, please note that, unlike your provided IAM policy, your SSO permission set policy was missing the action sagemaker:ListNotebookInstances, which also raised an error for not being able to list the notebook instances in the AWS SageMaker console in my testing. Hence, I added the appropriate SageMaker list actions to your permission set as well.

Additional Information -

a. ${identitystore:UserId} -> Each user in the AWS SSO identity store is assigned a unique UserId. You can view the UserId for your users by using the AWS SSO console and navigating to each user or by using the DescribeUser API action. [1]

b. ListNotebookInstances -> Returns a list of the SageMaker notebook instances in the requester's account in an AWS Region. [2]

c. ResourceTag -> You can use the ResourceTag/key-name condition key to determine whether to allow access to the resource based on the tags that are attached to the resource. [3][4]

d. sagemaker:ResourceTag/ -> Filters access by the preface string for a tag key and value pair attached to a resource [5]

e. sagemaker:ResourceTag/${TagKey} -> Filters access by a tag key and value pair [5]


I hope the shared information is helpful for your query. If you have any other queries or concerns regarding AWS SSO or SageMaker services, or any account-specific configuration that you would like to discuss, please feel free to reach out to our team directly by creating a support case with our premium support team.

Have a wonderful day ahead and stay safe.


References:

[1] https://docs.aws.amazon.com/singlesignon/latest/userguide/using-predefined-attributes.html

[2] https://docs.aws.amazon.com/sagemaker/latest/APIReference/API_ListNotebookInstances.html

[3] https://docs.aws.amazon.com/IAM/latest/UserGuide/access_tags.html

[4] https://aws.amazon.com/blogs/security/simplify-granting-access-to-your-aws-resources-by-using-tags-on-aws-iam-users-and-roles/

[5] https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonsagemaker.html#amazonsagemaker-policy-keys

AWS SUPPORT ENGINEER
answered 2 years ago
EXPERT
reviewed 8 months ago
  • Thanks a lot for this, it really worked.
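
The owner-tag check tested in the accepted answer, as an added example that is not part of the original answer: a simplified Python model (not AWS's policy evaluation engine) of how the answer's tag-scoped statement matches a request. The account ID, UserId values and notebook names are constructed, and only two of the statement's actions are kept.

```python
import fnmatch
import re

# Tag-scoped statement from the accepted answer, trimmed to two actions.
# The account ID is a constructed placeholder.
ACCOUNT = "111122223333"
STATEMENT = {
    "Effect": "Allow",
    "Action": ["sagemaker:StopNotebookInstance", "sagemaker:Describe*"],
    "Resource": f"arn:aws:sagemaker:us-east-1:{ACCOUNT}:notebook-instance/*",
    "Condition": {
        "StringEquals": {"sagemaker:ResourceTag/Owner": "${identitystore:UserId}"}
    },
}

def resolve(value, context):
    """Expand ${key} policy variables; None if the request lacks a value."""
    try:
        return re.sub(r"\$\{([^}]+)\}", lambda m: context[m.group(1)], value)
    except KeyError:
        return None

def statement_allows(stmt, action, resource, context):
    """True only if action, resource and every StringEquals condition match."""
    if not any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in stmt["Action"]):
        return False
    if not fnmatch.fnmatchcase(resource, stmt["Resource"]):
        return False
    for key, expected in stmt.get("Condition", {}).get("StringEquals", {}).items():
        wanted = resolve(expected, context)
        if wanted is None or context.get(key) != wanted:
            return False  # missing tag or different owner: no Allow applies
    return True

def is_allowed(user_id, action, notebook, owner_tag=None):
    """Build the request context for one SSO user and one notebook, then evaluate."""
    context = {"identitystore:UserId": user_id}
    if owner_tag is not None:
        context["sagemaker:ResourceTag/Owner"] = owner_tag
    arn = f"arn:aws:sagemaker:us-east-1:{ACCOUNT}:notebook-instance/{notebook}"
    return statement_allows(STATEMENT, action, arn, context)

if __name__ == "__main__":
    me, other = "constructed-userid-aaaa", "constructed-userid-bbbb"
    stop = "sagemaker:StopNotebookInstance"
    print(is_allowed(me, stop, "my-notebook", owner_tag=me))        # own notebook
    print(is_allowed(me, stop, "their-notebook", owner_tag=other))  # someone else's
    print(is_allowed(me, stop, "untagged-notebook"))                # no Owner tag
```

When no statement matches, the request falls through to an implicit deny, which is the "no identity-based policy allows" error quoted in the answer.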
