Hi lemon rubik, it's impossible for me to definitively solve this, but I have a feeling it's based on
`User: arn:aws:sts::543327004903:assumed-role/sagemaker_execution_role/SageMaker is not authorized to perform: ecr:BatchGetImage on resource: arn:aws:ecr:us-west-1:432930124757:repository/sm-automl-robotorch because no resource-based policy allows the ecr:BatchGetImage action`
Specifically:
`sagemaker_execution_role/SageMaker is not authorized to perform: ecr:BatchGetImage`
I would advise you to check the SageMaker Execution Role Permissions:
- Open the AWS Management Console, navigate to the IAM dashboard, and then find the SageMaker execution role that you're using.
- Make sure that the role has permissions to access ECR. You could, for example, attach the AmazonEC2ContainerRegistryFullAccess policy to the role for full access, although it's better to limit permissions to only what's necessary with a custom policy where you would grant only the permissions that are needed.
I would also double check the ECR private repository policy - https://docs.aws.amazon.com/AmazonECR/latest/userguide/repository-policies.html
Amazon ECR uses resource-based permissions to control access to repositories. Resource-based permissions let you specify which users or roles have access to a repository and what actions they can perform on it. By default, only the AWS account that created the repository has access to a repository. You can apply a policy document that allows additional permissions to your repository. Check the repository "sm-automl-robotorch" policy to ensure that the SageMaker execution role has permissions to pull images.
If this answer helped, please accept; if you have any questions, feel free to reply.
Cheers, Dylan
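Added example, not part of the answer above and not AWS's own code: a short Python check that parses the quoted error, shows that the caller and the repository sit in different accounts, and builds the least-privilege identity policy and the matching repository policy statement. The function names are hypothetical, and the role ARN assumes the execution role has no IAM path.

```python
import json
import re

# Error text quoted in the answer above.
ERROR = ("User: arn:aws:sts::543327004903:assumed-role/sagemaker_execution_role/SageMaker "
         "is not authorized to perform: ecr:BatchGetImage on resource: "
         "arn:aws:ecr:us-west-1:432930124757:repository/sm-automl-robotorch "
         "because no resource-based policy allows the ecr:BatchGetImage action")

DENIED = re.compile(
    r"User: arn:aws:sts::(?P<caller_acct>\d{12}):assumed-role/(?P<role>[^/\s]+)/(?P<session>\S+)"
    r" is not authorized to perform: (?P<action>[\w:*]+)"
    r" on resource: (?P<resource>arn:aws:ecr:(?P<region>[\w-]+):(?P<repo_acct>\d{12}):repository/(?P<repo>\S+))")

# Layer and manifest actions needed to pull an image from a repository.
PULL_ACTIONS = ["ecr:BatchCheckLayerAvailability", "ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage"]

def diagnose(message):
    """Extract caller, action and repository; flag a cross-account pull."""
    m = DENIED.search(message)
    if m is None:
        raise ValueError("not an assumed-role ECR access-denied message")
    d = m.groupdict()
    d["cross_account"] = d["caller_acct"] != d["repo_acct"]
    return d

def identity_policy(d):
    """Least-privilege policy for the execution role (instead of FullAccess)."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": PULL_ACTIONS, "Resource": d["resource"]},
        # GetAuthorizationToken does not support resource-level scoping.
        {"Effect": "Allow", "Action": "ecr:GetAuthorizationToken", "Resource": "*"}]}

def repository_policy(d):
    """Statement the repository owner would add; only needed across accounts."""
    if not d["cross_account"]:
        return None
    # Assumption: the role has no IAM path (the STS ARN does not carry it).
    principal = f"arn:aws:iam::{d['caller_acct']}:role/{d['role']}"
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "AllowPull", "Effect": "Allow",
         "Principal": {"AWS": principal}, "Action": PULL_ACTIONS}]}

if __name__ == "__main__":
    info = diagnose(ERROR)
    print("cross-account:", info["cross_account"])
    print(json.dumps(identity_policy(info), indent=2))
    print(json.dumps(repository_policy(info), indent=2))
```

When the two account IDs differ, the pull succeeds only if both documents are in place: the identity policy on the role and the repository policy applied by the repository's owner.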
Hey, thanks for the comment, although I am not the repository owner for this image. I believe it's managed by the SageMaker team directly, so I think it's a permissions issue on their part.