Hello,
I understand that you are currently trying to restrict access to SageMaker notebooks using the SSO identity's UserId.
Currently, I leveraged your provided SSO permission set, tweaked it as you can see below, and finally tested it on the AWS SageMaker console by logging in as an AWS SSO user; I was able to successfully start, stop and describe the SageMaker notebook (with tag Owner:UserId) corresponding to the SSO UserId.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "glue:CreateScript",
                "secretsmanager:*"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "sagemaker:ListTags",
                "sagemaker:DeleteNotebookInstance",
                "sagemaker:StopNotebookInstance",
                "sagemaker:CreatePresignedNotebookInstanceUrl",
                "sagemaker:Describe*",
                "sagemaker:StartNotebookInstance",
                "sagemaker:UpdateNotebookInstance",
                "sagemaker:CreatePresignedDomainUrl"
            ],
            "Resource": "arn:aws:sagemaker:us-east-1:7XXXXXXXXX:notebook-instance/*",
            "Condition": {
                "StringEquals": {
                    "sagemaker:ResourceTag/Owner": "${identitystore:UserId}"
                }
            }
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "sagemaker:ListNotebookInstanceLifecycleConfigs",
                "sagemaker:ListNotebookInstances",
                "sagemaker:ListCodeRepositories"
            ],
            "Resource": "*"
        }
    ]
}
However, if this SSO user tried to stop any other SageMaker notebooks that did not have the tags corresponding to their UserId, the following errors were observed, which is the expected behavior:
User: arn:aws:sts::7XXXXXXXXX:assumed-role/AWSReservedSSO_SageMXXXXXXXXXbe/test1 is not authorized to perform: sagemaker:StopNotebookInstance on resource: arn:aws:sagemaker:us-east-1:7XXXXXXXXX:notebook-instance/userachecking because no identity-based policy allows the sagemaker:StopNotebookInstance action
or
User: arn:aws:sts::7XXXXXXXXX:assumed-role/AWSReservedSSO_SageMXXXXXXXXXbe/test1 is not authorized to perform: sagemaker:DescribeNotebookInstance on resource: arn:aws:sagemaker:us-east-1:7XXXXXXXXX:notebook-instance/Test1Check because no identity-based policy allows the sagemaker:DescribeNotebookInstance action
Also, please note that, unlike your provided IAM policy, your SSO permission set policy was missing the action sagemaker:ListNotebookInstances, which also raised an error for not being able to list the notebook instances on the AWS SageMaker console in my testing. Hence, I added the appropriate SageMaker list actions to your permission set as well.
Additional Information -
a. ${identitystore:UserId} -> Each user in the AWS SSO identity store is assigned a unique UserId. You can view the UserId for your users by using the AWS SSO console and navigating to each user or by using the DescribeUser API action. [1]
b. ListNotebookInstances -> Returns a list of the SageMaker notebook instances in the requester's account in an AWS Region. [2]
c. ResourceTag -> You can use the ResourceTag/key-name condition key to determine whether to allow access to the resource based on the tags that are attached to the resource. [3][4]
d. sagemaker:ResourceTag/ -> Filters access by the preface string for a tag key and value pair attached to a resource [5]
e. sagemaker:ResourceTag/${TagKey} -> Filters access by a tag key and value pair [5]
I hope the shared information is helpful for your query. If you have any other queries or concerns regarding AWS SSO or SageMaker services, or any account-specific configuration that you would like to discuss, please feel free to reach out to our team directly by creating a support case with our premium support team.
Have a wonderful day ahead and stay safe.
References:
[1] https://docs.aws.amazon.com/singlesignon/latest/userguide/using-predefined-attributes.html
[2] https://docs.aws.amazon.com/sagemaker/latest/APIReference/API_ListNotebookInstances.html
[3] https://docs.aws.amazon.com/IAM/latest/UserGuide/access_tags.html
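The allow/deny behaviour described in this answer (owner-tagged notebook allowed, other users' notebooks and untagged notebooks denied, and the list action failing when the permission set lacks sagemaker:ListNotebookInstances) can be reproduced offline with a small evaluator. The following is an added example, not code from the answer or from AWS: it models only the three IAM features the permission set relies on (wildcard action matching, wildcard resource-ARN matching, and a StringEquals condition on sagemaker:ResourceTag/Owner with ${identitystore:UserId} substituted from the caller's SSO identity). Real IAM evaluation has many more rules (explicit denies, SCPs, resource policies), and the account ID, user IDs and notebook inventory below are constructed placeholders.

```python
"""Toy evaluator for the tag-based (ABAC) SageMaker permission set from the answer."""
import fnmatch
import re

ACCOUNT = "7XXXXXXXXX"  # placeholder account id, as masked on the page

# The permission set from the answer, as a Python dict.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["glue:CreateScript", "secretsmanager:*"], "Resource": "*"},
        {
            "Effect": "Allow",
            "Action": ["sagemaker:ListTags", "sagemaker:DeleteNotebookInstance",
                       "sagemaker:StopNotebookInstance", "sagemaker:CreatePresignedNotebookInstanceUrl",
                       "sagemaker:Describe*", "sagemaker:StartNotebookInstance",
                       "sagemaker:UpdateNotebookInstance", "sagemaker:CreatePresignedDomainUrl"],
            "Resource": f"arn:aws:sagemaker:us-east-1:{ACCOUNT}:notebook-instance/*",
            "Condition": {"StringEquals": {"sagemaker:ResourceTag/Owner": "${identitystore:UserId}"}},
        },
        {"Sid": "VisualEditor1", "Effect": "Allow",
         "Action": ["sagemaker:ListNotebookInstanceLifecycleConfigs",
                    "sagemaker:ListNotebookInstances", "sagemaker:ListCodeRepositories"],
         "Resource": "*"},
    ],
}

# Constructed inventory: notebook name -> resource tags. Two notebook names echo
# the denied resources quoted in the answer; the UserIds are made up.
NOTEBOOKS = {
    "alice-nb":      {"Owner": "9a8b7c6d-0000-4000-8000-000000000001"},
    "userachecking": {"Owner": "9a8b7c6d-0000-4000-8000-000000000002"},
    "Test1Check":    {},  # untagged: the condition can never match
}

# Constructed SSO caller: the assumed-role ARN plus the policy variables IAM exposes.
ALICE = {
    "arn": f"arn:aws:sts::{ACCOUNT}:assumed-role/AWSReservedSSO_SageMXXXXXXXXXbe/test1",
    "variables": {"identitystore:UserId": "9a8b7c6d-0000-4000-8000-000000000001"},
}


def notebook_arn(name):
    return f"arn:aws:sagemaker:us-east-1:{ACCOUNT}:notebook-instance/{name}"


def substitute_variables(value, variables):
    """Expand ${...} policy variables; return None if any variable is unresolved."""
    out, pos = [], 0
    for m in re.finditer(r"\$\{([^}]+)\}", value):
        if m.group(1) not in variables:
            return None  # IAM treats an unresolvable variable as a non-match
        out.append(value[pos:m.start()])
        out.append(variables[m.group(1)])
        pos = m.end()
    out.append(value[pos:])
    return "".join(out)


def condition_matches(condition, principal, resource_tags):
    """Only StringEquals on sagemaker:ResourceTag/<key> is modelled here."""
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(operator)
        for key, expected in pairs.items():
            if not key.startswith("sagemaker:ResourceTag/"):
                raise NotImplementedError(key)
            tag_key = key.split("/", 1)[1]
            wanted = substitute_variables(expected, principal["variables"])
            if wanted is None or resource_tags.get(tag_key) != wanted:
                return False
    return True


def _as_list(v):
    return v if isinstance(v, list) else [v]


def is_allowed(policy, principal, action, resource_arn, resource_tags):
    """True if some Allow statement matches the action, the resource and its condition."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        # Action names are case-insensitive in IAM; resource ARNs are not.
        if not any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource_arn, r) for r in _as_list(stmt["Resource"])):
            continue
        if "Condition" in stmt and not condition_matches(stmt["Condition"], principal, resource_tags):
            continue
        return True
    return False


def deny_message(principal_arn, action, resource_arn):
    """Format a denial the way the console errors quoted in the answer read."""
    return (f"User: {principal_arn} is not authorized to perform: {action} on resource: "
            f"{resource_arn} because no identity-based policy allows the {action} action")


def without_list_actions(policy):
    """Model the original permission set, which lacked the sagemaker:List* statement."""
    return {**policy, "Statement": [s for s in policy["Statement"] if s.get("Sid") != "VisualEditor1"]}


def check_notebook_access(policy, principal, action, notebook):
    """Return 'ALLOW' or the denial text for one notebook-scoped action."""
    arn = notebook_arn(notebook)
    if is_allowed(policy, principal, action, arn, NOTEBOOKS[notebook]):
        return "ALLOW"
    return deny_message(principal["arn"], action, arn)


if __name__ == "__main__":
    for nb in NOTEBOOKS:
        print(nb, "->", check_notebook_access(POLICY, ALICE, "sagemaker:StopNotebookInstance", nb))
    print("list (original set):", is_allowed(without_list_actions(POLICY), ALICE,
                                             "sagemaker:ListNotebookInstances", "*", {}))
```

Running the block prints ALLOW for the caller's own notebook and the quoted-style denial for the other two, and False for the list action under the original permission set. The untagged notebook is the case worth noticing operationally: with this pattern, a notebook created without an Owner tag is reachable by nobody through the permission set, so tagging on creation (or a separate admin path) needs to be enforced.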
Thanks a lot for this, it really worked.