Issue Description
I am using a user-specific sharing S3 prefix in the SharingSettings of the CreateUserProfile request like so: s3://BUCKET_NAME/sharing/USER_PROFILE_NAME/. The idea is to restrict access with IAM policies to the S3 bucket, so that only the user that initiates the sharing has write permissions to this prefix, whereas other users with whom the notebook is shared can only read shared resources from this prefix.
When I share the notebook with e.g. user profile user-profile-a, it gets correctly written to the S3 prefix s3://BUCKET_NAME/sharing/user-profile-a/. However, when I try to open the link I copied from user-profile-a with another user profile user-profile-b, Studio does not open the notebook and redirects to the main page. When I open Chrome dev tools for debugging purposes, it seems that Studio is trying to request resources from a URL like this: https://SM_DOMAIN_ID/studio.eu-west-1.sagemaker.aws/jupyter/default/sagemaker_sharing/shareable_resource/RESOURCE_HASH?123123123123, but fails with an HTTP 500 error with response payload:
{
"message": "Unhandled error",
"reason": null,
"traceback": "Traceback (most recent call last):\n File \"/opt/conda/envs/studio/lib/python3.9/site-packages/tornado/web.py\", line 1704, in _execute\n result = await result\n File \"/opt/conda/envs/studio/lib/python3.9/site-packages/sagemaker_sharing/handlers.py\", line 38, in get\n await self.sharing_utilities.get_shareable_resource(resource_id)\n File \"/opt/conda/envs/studio/lib/python3.9/site-packages/sagemaker_sharing/sharing_utilities.py\", line 450, in get_shareable_resource\n (content_bytes, metadata_bytes) = await self.download_resource(\n File \"/opt/conda/envs/studio/lib/python3.9/site-packages/sagemaker_sharing/sharing_utilities.py\", line 238, in download_resource\n [content, metadata] = await asyncio.gather(\n File \"/opt/conda/envs/studio/lib/python3.9/site-packages/sagemaker_sharing/sharing_utilities.py\", line 67, in get_object_with_content\n response = await s3_client.get_object(Bucket=Bucket, Key=Key)\n File \"/opt/conda/envs/studio/lib/python3.9/site-packages/aiobotocore/client.py\", line 225, in _make_api_call\n raise error_class(parsed_response, operation_name)\nbotocore.errorfactory.NoSuchKey: An error occurred (NoSuchKey) when calling the GetObject operation: The specified key does not exist.\n"
}
For debugging, I activated CloudTrail data logging on the S3 bucket and it seems that SageMaker is trying to access the resource from the sharing prefix of user-profile-b instead of the user-profile-a sharing prefix:
So to me it seems that SageMaker expects all users to have the same sharing S3 prefix, or otherwise sharing won't work. However, I would like users with whom the content is shared not to have write access to the shared objects in S3.
Expected Behavior
The shared notebook should open when logged in as user-profile-b after it was shared from user-profile-a.
Observed Behavior
SageMaker Studio Classic does not open the notebook when logged in as user-profile-b after it was shared from user-profile-a.
Product Category
JupyterLab
Feedback Category
User Interface
Other Details
No response
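An added example, not code from the issue author or from SageMaker, of the permission split the report describes: a per-profile policy that confines writes to s3://BUCKET_NAME/sharing/USER_PROFILE_NAME/ while allowing reads across every profile's sharing prefix, plus a small offline check of that policy against the keys the report mentions. It assumes that each Studio user profile runs under its own execution role (so the policy can hardcode the profile's prefix) and that PutObject/DeleteObject, GetObject and ListBucket are the S3 actions sharing needs; BUCKET_NAME, the profile names and RESOURCE_HASH are the report's own placeholders.

```python
"""Added example (not from the issue author or SageMaker): build the
per-user-profile S3 policy the report describes and sanity-check it.

Assumptions (not stated on the page): each Studio user profile runs under
its own execution role and the policy below is attached to that role; the
three S3 actions used are the ones sharing needs.
"""
import fnmatch
import json


def sharing_policy(bucket: str, profile: str) -> dict:
    """Identity policy for one user profile's execution role.

    Writes are confined to s3://bucket/sharing/<profile>/, reads are allowed
    on every profile's sharing prefix, listing is limited to the sharing/ tree.
    """
    own_prefix_arn = f"arn:aws:s3:::{bucket}/sharing/{profile}/*"
    any_prefix_arn = f"arn:aws:s3:::{bucket}/sharing/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "WriteOnlyOwnSharingPrefix",
                "Effect": "Allow",
                "Action": ["s3:PutObject", "s3:DeleteObject"],
                "Resource": own_prefix_arn,
            },
            {
                "Sid": "ReadAnySharedResource",
                "Effect": "Allow",
                "Action": "s3:GetObject",
                "Resource": any_prefix_arn,
            },
            {
                "Sid": "ListSharingTreeOnly",
                "Effect": "Allow",
                "Action": "s3:ListBucket",
                "Resource": f"arn:aws:s3:::{bucket}",
                "Condition": {"StringLike": {"s3:prefix": ["sharing/*"]}},
            },
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def allows(policy: dict, action: str, resource_arn: str) -> bool:
    """Minimal offline check: does any Allow statement match action + ARN?

    Only the '*' wildcard in Action/Resource is modelled and Condition blocks
    are ignored, which is enough for the object-level statements above; this
    is a reviewer's sanity check, not an IAM simulator.
    """
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if any(fnmatch.fnmatchcase(resource_arn, r) for r in _as_list(stmt["Resource"])):
            return True
    return False


def object_arn(bucket: str, key: str) -> str:
    """ARN of one object in the bucket."""
    return f"arn:aws:s3:::{bucket}/{key}"


if __name__ == "__main__":
    bucket = "BUCKET_NAME"
    policy_a = sharing_policy(bucket, "user-profile-a")
    policy_b = sharing_policy(bucket, "user-profile-b")
    print(json.dumps(policy_a, indent=2))
    # Constructed key: a resource user-profile-a has shared.
    shared = object_arn(bucket, "sharing/user-profile-a/RESOURCE_HASH")
    print("a can write own prefix:", allows(policy_a, "s3:PutObject", shared))
    print("b can read a's prefix :", allows(policy_b, "s3:GetObject", shared))
    print("b can write a's prefix:", allows(policy_b, "s3:PutObject", shared))
```

The policy enforces the boundary the report wants (user-profile-b can read but not write under user-profile-a's prefix), but it cannot change which key Studio requests: a GetObject issued under sharing/user-profile-b/ for a resource that lives under sharing/user-profile-a/ still fails with NoSuchKey, exactly as the CloudTrail observation in the report shows.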