aws-samples / sagemaker-custom-project-templates

MIT No Attribution

Adding sagemaker:AddTags permissions for SM-Gitlab-Example-Launch-Policy #41

Closed mttanke closed 2 years ago

mttanke commented 2 years ago

Issue #, if available: Instantiating a new project from the GitLab template currently has a permission error:

User: arn:aws:sts::XXXXX:assumed-role/SM-Gitlab-Example-Launch-Role-XXXX/servicecatalog is not authorized to perform: sagemaker:AddTags on resource: arn:aws:sagemaker:XXX:XXXX:code-repository/sm-model-deploy-XXX because no identity-based policy allows the sagemaker:AddTags action (Service: AmazonSageMaker; Status Code: 400; Error Code: AccessDeniedException; Request ID: xxxxxxxx; Proxy: null)

Description of changes: Adding sagemaker:AddTags permissions to SM-Gitlab-Example-Launch-Policy

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.
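An added example, not part of the pull request or the repository's code: Python that parses the AccessDeniedException text quoted in the description and derives an Allow statement scoped to the resource type in the denied ARN rather than to `*`. The function names are hypothetical, the redaction placeholders are kept as posted, and the second and third sample lines are constructed.

```python
import json
import re

# Shape of the IAM denial text quoted in the pull request description.
DENIED = re.compile(
    r"User: (?P<principal>\S+) is not authorized to perform: "
    r"(?P<action>[\w-]+:[\w*]+) on resource: (?P<resource>arn:\S+)"
)

def parse_denial(message):
    """Return principal, action and resource from one denial message, or None."""
    m = DENIED.search(message)
    return m.groupdict() if m else None

def scope_resource(arn):
    """Keep partition, service, region, account and resource type; wildcard the name."""
    parts = arn.split(":", 5)
    if len(parts) != 6:
        raise ValueError(f"not an ARN: {arn!r}")
    rtype, sep, _name = parts[5].partition("/")
    if sep:
        parts[5] = f"{rtype}/*"
    return ":".join(parts)

def missing_statements(messages):
    """One Allow statement per denied action, limited to the resource types seen."""
    by_action = {}
    for msg in messages:
        denial = parse_denial(msg)
        if denial is None:
            continue  # line is not an authorization failure
        by_action.setdefault(denial["action"], set()).add(scope_resource(denial["resource"]))
    return [
        {"Effect": "Allow", "Action": action, "Resource": sorted(resources)}
        for action, resources in sorted(by_action.items())
    ]

ROLE = "arn:aws:sts::XXXXX:assumed-role/SM-Gitlab-Example-Launch-Role-XXXX/servicecatalog"
REPO = "arn:aws:sagemaker:XXX:XXXX:code-repository/"
SAMPLE = [
    # Redacted message from the description above (placeholders kept as posted).
    f"User: {ROLE} is not authorized to perform: sagemaker:AddTags on resource: "
    f"{REPO}sm-model-deploy-XXX because no identity-based policy allows the sagemaker:AddTags action",
    # Constructed second denial for another repository, to show de-duplication.
    f"User: {ROLE} is not authorized to perform: sagemaker:AddTags on resource: "
    f"{REPO}sm-model-build-XXX because no identity-based policy allows the sagemaker:AddTags action",
    "Constructed unrelated log line",
]

if __name__ == "__main__":
    print(json.dumps({"Version": "2012-10-17", "Statement": missing_statements(SAMPLE)}, indent=2))
```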

mikeengland commented 2 years ago

@mttanke we have also just started to run into this. All new SageMaker domains are failing to create due to this missing permission. Did AWS mistakenly add this as a required permission when creating a domain?