SageMaker 无权执行:iam:PassRole

SageMaker is not authorized to perform: iam:PassRole

我正在按照 SageMaker 示例中的 automate_model_retraining_workflow 示例操作,并且在 AWS SageMaker Jupyter notebook 中运行了它。我按照示例中给出的所有步骤创建了角色和策略。

但是当我尝试运行下面的代码块来创建 Glue 作业时,出现了错误:

# Stage the Glue ETL script in S3 so the job definition can reference it.
glue_script_location = S3Uploader.upload(
    local_path="./code/glue_etl.py",
    desired_s3_uri=f"s3://{bucket}/{project_name}",
    sagemaker_session=session,
)

glue_client = boto3.client("glue")

# `Role` is the ARN the Glue service will assume for this job. The identity
# running this cell must hold iam:PassRole on that exact role ARN (in
# addition to glue:CreateJob); otherwise CreateJob fails with
# AccessDeniedException "not authorized to perform: iam:PassRole".
job_definition = {
    "Name": job_name,
    "Description": "PySpark job to extract the data and split in to training and validation data sets",
    "Role": glue_role,  # pass an existing AWS Glue role here if you have used Glue before
    "ExecutionProperty": {"MaxConcurrentRuns": 2},
    "Command": {
        "Name": "glueetl",
        "ScriptLocation": glue_script_location,
        "PythonVersion": "3",
    },
    "DefaultArguments": {"--job-language": "python"},
    "GlueVersion": "1.0",
    "WorkerType": "Standard",
    "NumberOfWorkers": 2,
    "Timeout": 60,
}
response = glue_client.create_job(**job_definition)

An error occurred (AccessDeniedException) when calling the CreateJob operation: User: arn:aws:sts::############:assumed-role/AmazonSageMaker-ExecutionRole-############/SageMaker is not authorized to perform: iam:PassRole on resource: arn:aws:iam::############:role/AWS-Glue-S3-Bucket-Access

这就是 AmazonSageMaker-ExecutionPolicy-############ 的样子:

{
    "Version": "############",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "lambda:CreateFunction",
                "glue:UpdateCrawler",
                "glue:UpdateTrigger",
                "lambda:DeleteFunction",
                "glue:DeleteCrawler",
                "glue:UpdateSchema",
                "lambda:UpdateFunctionCode",
                "glue:DeleteConnection",
                "glue:UseMLTransforms",
                "glue:BatchDeleteConnection",
                "lambda:PutProvisionedConcurrencyConfig",
                "glue:StartCrawlerSchedule",
                "glue:UpdateMLTransform",
                "lambda:PublishVersion",
                "lambda:DeleteEventSourceMapping",
                "glue:CreateMLTransform",
                "glue:CreateRegistry",
                "glue:StartMLEvaluationTaskRun",
                "glue:DeleteTableVersion",
                "glue:CreateTrigger",
                "glue:BatchDeletePartition",
                "glue:StopTrigger",
                "glue:CreateUserDefinedFunction",
                "glue:StopCrawler",
                "lambda:InvokeAsync",
                "glue:DeleteJob",
                "glue:DeleteDevEndpoint",
                "glue:DeleteMLTransform",
                "glue:CreateJob",
                "glue:ResetJobBookmark",
                "glue:CreatePartition",
                "lambda:PutFunctionCodeSigningConfig",
                "glue:UpdatePartition",
                "glue:RegisterSchemaVersion",
                "glue:ResumeWorkflowRun",
                "lambda:UpdateEventSourceMapping",
                "lambda:UpdateFunctionCodeSigningConfig",
                "lambda:UpdateFunctionConfiguration",
                "glue:StartMLLabelingSetGenerationTaskRun",
                "lambda:UpdateCodeSigningConfig",
                "glue:CreateDatabase",
                "glue:BatchDeleteTableVersion",
                "lambda:DeleteAlias",
                "glue:DeleteSchemaVersions",
                "glue:BatchCreatePartition",
                "glue:CreateClassifier",
                "glue:UpdateTable",
                "lambda:DeleteProvisionedConcurrencyConfig",
                "glue:DeleteTable",
                "glue:DeleteWorkflow",
                "glue:DeleteSchema",
                "glue:UpdateWorkflow",
                "glue:CreateScript",
                "glue:StartWorkflowRun",
                "glue:StopCrawlerSchedule",
                "lambda:UpdateFunctionEventInvokeConfig",
                "lambda:DeleteFunctionCodeSigningConfig",
                "glue:UpdateDatabase",
                "glue:CreateTable",
                "lambda:InvokeFunction",
                "glue:BatchStopJobRun",
                "glue:DeleteUserDefinedFunction",
                "glue:CreateConnection",
                "glue:CreateCrawler",
                "lambda:UpdateAlias",
                "glue:DeleteSecurityConfiguration",
                "glue:CreateSchema",
                "glue:StartJobRun",
                "glue:BatchDeleteTable",
                "glue:UpdateClassifier",
                "glue:CreateWorkflow",
                "glue:DeletePartition",
                "lambda:CreateAlias",
                "glue:CreateSecurityConfiguration",
                "glue:PutWorkflowRunProperties",
                "glue:DeleteDatabase",
                "glue:RemoveSchemaVersionMetadata",
                "lambda:PublishLayerVersion",
                "lambda:CreateEventSourceMapping",
                "glue:StartTrigger",
                "glue:DeleteRegistry",
                "lambda:PutFunctionConcurrency",
                "lambda:DeleteCodeSigningConfig",
                "glue:ImportCatalogToGlue",
                "glue:PutDataCatalogEncryptionSettings",
                "glue:UpdateRegistry",
                "glue:StartCrawler",
                "lambda:DeleteLayerVersion",
                "lambda:PutFunctionEventInvokeConfig",
                "glue:UpdateJob",
                "lambda:DeleteFunctionEventInvokeConfig",
                "lambda:CreateCodeSigningConfig",
                "glue:StartImportLabelsTaskRun",
                "glue:DeleteClassifier",
                "glue:StartExportLabelsTaskRun",
                "glue:UpdateUserDefinedFunction",
                "glue:CancelMLTaskRun",
                "glue:StopWorkflowRun",
                "glue:PutSchemaVersionMetadata",
                "glue:UpdateCrawlerSchedule",
                "glue:UpdateConnection",
                "glue:CreateDevEndpoint",
                "glue:UpdateDevEndpoint",
                "lambda:DeleteFunctionConcurrency",
                "glue:DeleteTrigger"
            ],
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "iam:PassRole",
                "s3:ListBucket",
                "s3:DeleteObject"
            ],
            "Resource": [
                "arn:aws:s3:::*",
                "arn:aws:iam::############:role/query_training_status-role"
            ]
        }
    ]
}

从您发布的 IAM 策略中可以清楚地看出,您只被允许对 arn:aws:iam::############:role/query_training_status-role 执行 iam:PassRole,而 Glue 作业试图使用的是 arn:aws:iam::############:role/AWS-Glue-S3-Bucket-Access。因此,您只需要更新 IAM 策略,允许对该角色(以及其他需要传递的角色)执行 iam:PassRole。例如,把 arn:aws:iam::############:role/AWS-Glue-S3-Bucket-Access 加入 VisualEditor1 语句的 Resource 列表,或者单独为 iam:PassRole 新建一条只列出所需角色 ARN 的语句,而不是把 Resource 放宽为 *。