search

aws-samples / reinvent2019-aim362-sagemaker-debugger-model-monitor

Build, train & debug, and deploy & monitor with Amazon SageMaker
Apache License 2.0
120 stars 97 forks source link

AccessDenied to endtoendmlapp bucket #3

Open wags1999 opened 4 years ago

wags1999 commented 4 years ago

Followed the instructions to create a Sagemaker notebook, including creating a new IAM role as specified.

The output of cell 1 is

us-east-2
arn:aws:iam::865267486142:role/service-role/AmazonSageMaker-ExecutionRole-20200220T142024
sagemaker-us-east-2-865267486142

When I run cell 2 of train_and_Debug.ipynb, I get 

---------------------------------------------------------------------------
ClientError                               Traceback (most recent call last)
<ipython-input-2-0ad42f80fc1c> in <module>()
    7 source_bucket = s3.Bucket(source_bucket_name)
    8 
----> 9 for s3_object in source_bucket.objects.filter(Prefix=source_bucket_prefix):
    10     copy_source = {
    11         'Bucket': source_bucket_name,

~/anaconda3/envs/python3/lib/python3.6/site-packages/boto3/resources/collection.py in __iter__(self)
    81 
    82         count = 0
---> 83         for page in self.pages():
    84             for item in page:
    85                 yield item

~/anaconda3/envs/python3/lib/python3.6/site-packages/boto3/resources/collection.py in pages(self)
    164         # we start processing and yielding individual items.
    165         count = 0
--> 166         for page in pages:
    167             page_items = []
    168             for item in self._handler(self._parent, params, page):

~/anaconda3/envs/python3/lib/python3.6/site-packages/botocore/paginate.py in __iter__(self)
    253         self._inject_starting_params(current_kwargs)
    254         while True:
--> 255             response = self._make_request(current_kwargs)
    256             parsed = self._extract_parsed_response(response)
    257             if first_request:

~/anaconda3/envs/python3/lib/python3.6/site-packages/botocore/paginate.py in _make_request(self, current_kwargs)
    330 
    331     def _make_request(self, current_kwargs):
--> 332         return self._method(**current_kwargs)
    333 
    334     def _extract_parsed_response(self, response):

~/anaconda3/envs/python3/lib/python3.6/site-packages/botocore/client.py in _api_call(self, *args, **kwargs)
    314                     "%s() only accepts keyword arguments." % py_operation_name)
    315             # The "self" in this scope is referring to the BaseClient.
--> 316             return self._make_api_call(operation_name, kwargs)
    317 
    318         _api_call.__name__ = str(py_operation_name)

~/anaconda3/envs/python3/lib/python3.6/site-packages/botocore/client.py in _make_api_call(self, operation_name, api_params)
    624             error_code = parsed_response.get("Error", {}).get("Code")
    625             error_class = self.exceptions.from_code(error_code)
--> 626             raise error_class(parsed_response, operation_name)
    627         else:
    628             return parsed_response

ClientError: An error occurred (AccessDenied) when calling the ListObjects operation: Access Denied

What am I missing?

GodKratos commented 4 years ago

I got the same thing, did you manage to resolve the issue?

NVM, I got it working by editing the IAM policy it created to grant full S3 access. Seems the instructions provided do not work correctly.

wags1999 commented 4 years ago

@GodKratos, thanks for the suggestion. Unfortunately, that didn't work.

After discussing with a co-worker, I found that my company's AWS account has a Service Control Policy that blocks access to all non-US regions. The endtoendmlapp is housed in eu-west-1, thus I couldn't access it.

Is there any way this can be copied to a US-region bucket?

giuseppeporcelli commented 4 years ago

Hi, thanks for the feedback. We are looking to ways for improving the current implementation and solve bucket copy issues caused by specific IAM configurations.