How do I identify the SageMaker notebook instance that made a specific API call when all instances use the same IAM role?
I have multiple Amazon SageMaker notebook instances. They all use the same AWS Identity and Access Management (IAM) role. No matter which notebook instance performs an action, the AWS CloudTrail event for each API operation shows the same principalId (session name). I need to identify which notebook instance performed which API operation.
Short description
When you have multiple SageMaker notebook instances that share the same IAM role, CloudTrail events don't identify which instance performed an API operation.
The following example CloudTrail event shows the principalId as "SageMaker". By default, the principalId doesn't identify a specific SageMaker notebook instance.

{
  "eventVersion": "1.05",
  "userIdentity": {
    "type": "AssumedRole",
    "principalId": "AAAAAAAAAAAAAAAAAA:SageMaker",
Resolution
To create a notebook script that distinguishes between instances, complete the following steps:

1. Create an IAM execution role for the SageMaker notebook instance, or use an existing execution role. In the following steps, the Amazon Resource Name (ARN) of the execution role is arn:aws:iam::111122223333:role/service-role/AmazonSageMaker-ExecutionRole. Your execution role's ARN will differ.

2. Attach an IAM policy that contains sts:AssumeRole to the execution role. The sts:AssumeRole action allows the execution role to assume itself with a different session name.

Example:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::111122223333:role/service-role/AmazonSageMaker-ExecutionRole"
    }
  ]
}

3. Verify that the execution role's trust policy includes the following permissions. The second statement is what lets the role assume itself: the account principal is narrowed by the aws:PrincipalArn condition to the execution role only.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Service": "sagemaker.amazonaws.com" },
      "Action": "sts:AssumeRole"
    },
    {
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111122223333:root" },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringLike": {
          "aws:PrincipalArn": "arn:aws:iam::111122223333:role/service-role/AmazonSageMaker-ExecutionRole"
        }
      }
    }
  ]
}

4. Create a Start notebook lifecycle configuration script similar to the following. This example script retrieves the notebook instance name and then uses that name as the role session name, so that every call made with the AWS CLI or SDK default profile on the instance is attributed to it. For more information, see Customization of a SageMaker notebook instance using an LCC script.

#!/bin/bash
# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
# Permission is hereby granted, free of charge, to any person obtaining a copy of this
# software and associated documentation files (the "Software"), to deal in the Software
# without restriction, including without limitation the rights to use, copy, modify,
# merge, publish, distribute, sublicense, and/or sell copies of the Software, and to
# permit persons to whom the Software is furnished to do so.
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,
# INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
# PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
# HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
# SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
set -ex
# Obtain the name of the notebook instance
nbname=$(jq -r '.ResourceName' /opt/ml/metadata/resource-metadata.json)
echo "Notebook Name = $nbname"
# Use the AWS Command Line Interface (AWS CLI) to obtain the Amazon Resource Name (ARN) of the IAM execution role
nbinfo=$(aws sagemaker describe-notebook-instance --notebook-instance-name "$nbname")
nbrole=$(jq -r '.RoleArn' <<< "$nbinfo")
echo "Notebook Role = $nbrole"
# Obtain the Region of the notebook instance
nbregion=$(aws configure get region)
echo "Notebook Region = $nbregion"
# Write Assume Role Provider Settings to a new config file
echo "Writing new config file"
cat > /home/ec2-user/.aws/config.new <<EOF1
[default]
region=$nbregion
role_arn = $nbrole
credential_source = Ec2InstanceMetadata
role_session_name = $nbname
sts_regional_endpoints = regional
EOF1
echo "Moving new config to config file"
# Clear the immutable flag left by a previous start (a Start script runs on every start,
# and a file marked immutable can't be replaced by mv); added fix, no-op on first run
sudo chattr -i /home/ec2-user/.aws/config 2>/dev/null || true
sudo mv /home/ec2-user/.aws/config.new /home/ec2-user/.aws/config
# Secure the "config" file so that it can't be deleted/updated without root user permissions
sudo chattr +i /home/ec2-user/.aws/config

5. Next, create a SageMaker notebook instance (for example, test-2) and, under Additional configuration, attach the lifecycle configuration script that you created in the previous step.

Note: To create the preceding notebook instance with root access turned off, see Control root access to a SageMaker notebook instance. After you create the notebook instance, set the RootAccess field to Disabled. This prevents users from deleting or updating the config file.
Identify the notebook instance in CloudTrail
To identify the notebook instance that performed an API operation, check the CloudTrail event. Under the userIdentity object, the principalId and arn fields show the name of the notebook instance.
For example, the following event details show that the SageMaker notebook instance test-2 made the API call.

{
  "eventVersion": "1.05",
  "userIdentity": {
    "type": "AssumedRole",
    "principalId": "AAAAAAAAAAAAAAAAAAAA:test-2",
    "arn": "arn:aws:sts::111122223333:assumed-role/AmazonSageMaker-ExecutionRole/test-2",
    "accountId": "111122223333",
    "accessKeyId": "AAAAAAAAAAAAAAAAAAAA",
    "sessionContext": {
      "sessionIssuer": {
        "type": "Role",
        "principalId": "AAAAAAAAAAAAAAAAAAAA",
        "arn": "arn:aws:iam::111122223333:role/service-role/AmazonSageMaker-ExecutionRole",
        "accountId": "111122223333",
        "userName": "AmazonSageMaker-ExecutionRole"
      },
      "webIdFederationData": {},
      "attributes": {
        "mfaAuthenticated": "false",
        "creationDate": "2020-09-12T00:45:04Z"
      }
    },
    "invokedBy": "im.amazonaws.com"
  },
  "eventTime": "2020-09-12T00:49:04Z",
  "eventSource": "sagemaker.amazonaws.com",
  "eventName": "CreateEndpoint",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "im.amazonaws.com",
  "userAgent": "im.amazonaws.com",
  "requestParameters": {
    "endpointName": "sagemaker-mxnet-ep",
    "endpointConfigName": "sagemaker-mxnet-epc",
    "tags": []
  },
  "responseElements": {
    "endpointArn": "arn:aws:sagemaker:us-east-1:111122223333:endpoint/sagemaker-mxnet-ep"
  },
  "requestID": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
  "eventID": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
  "eventType": "AwsApiCall",
  "recipientAccountId": "111122223333"
}
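To apply this attribution across many events, here is an added Python example (not code from the article or from AWS) that groups CloudTrail records by the session name carried in the assumed-role ARN, which the lifecycle script sets to the notebook instance name, and sets aside calls still made under the default "SageMaker" session, meaning instances that don't run the script. The sample records are constructed; only the account ID and role name placeholders are taken from the article.

```python
import re
from collections import defaultdict

# Assumed-role ARN: arn:aws:sts::<account>:assumed-role/<RoleName>/<SessionName>
ASSUMED_ROLE_RE = re.compile(r"^arn:aws:sts::\d{12}:assumed-role/(?P<role>[^/]+)/(?P<session>[^/]+)$")
# Session name SageMaker uses when it assumes the execution role on an instance's behalf
DEFAULT_SESSION = "SageMaker"


def session_from_event(event):
    """Return (role_name, session_name) for an AssumedRole event, else None."""
    identity = event.get("userIdentity", {})
    if identity.get("type") != "AssumedRole":
        return None
    match = ASSUMED_ROLE_RE.match(identity.get("arn", ""))
    return (match.group("role"), match.group("session")) if match else None


def attribute_events(events, role_name):
    """Group API calls made under role_name by notebook instance (session name).
    Calls still under the default "SageMaker" session can't be tied to an instance
    and are returned separately as 'unattributed'."""
    by_instance = defaultdict(list)
    unattributed = []
    for event in events:
        parsed = session_from_event(event)
        if parsed is None or parsed[0] != role_name:
            continue  # different role, or not an assumed-role principal
        session = parsed[1]
        call = (event.get("eventTime"), event.get("eventSource"), event.get("eventName"))
        (unattributed if session == DEFAULT_SESSION else by_instance[session]).append(call)
    return dict(by_instance), unattributed


# Constructed sample records; the account ID and role name are the article's placeholders.
ROLE = "AmazonSageMaker-ExecutionRole"


def _record(session, name, when):
    return {"eventTime": when, "eventSource": "sagemaker.amazonaws.com", "eventName": name,
            "userIdentity": {"type": "AssumedRole",
                             "principalId": "AAAAAAAAAAAAAAAAAAAA:" + session,
                             "arn": f"arn:aws:sts::111122223333:assumed-role/{ROLE}/{session}"}}


SAMPLE_EVENTS = [
    _record("test-2", "CreateEndpoint", "2020-09-12T00:49:04Z"),
    _record("test-1", "CreateTrainingJob", "2020-09-12T01:02:11Z"),
    _record("SageMaker", "DescribeNotebookInstance", "2020-09-12T01:05:30Z"),
    _record("test-2", "DeleteEndpoint", "2020-09-12T01:10:00Z"),
    {"eventTime": "2020-09-12T01:12:00Z", "eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/example-user"}},
]
```

Run `attribute_events(SAMPLE_EVENTS, ROLE)` to get the per-instance call lists plus the unattributed ones. Expect sts:AssumeRole events under the default session to remain after the change: those are the instance's own credentials assuming the role with the new session name.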