AWS Sagemaker自动扩展|假定角色角色无权访问

时间:2019-09-18 07:31:53

标签: amazon-web-services aws-sdk amazon-sagemaker

我有一个要自动缩放的sagemaker实例,目前它正在4个实例上工作,但我想根据负载将其从1缩放到4。

这是我用来自动缩放的代码

resource_id = 'endpoint/[end-point-name]/variant/config1'
sc_client = boto3.client('application-autoscaling')
role = 'arn:aws:iam::[1234]:role/service-role/AmazonSageMaker-ExecutionRole-[1234]'

response = sc_client.register_scalable_target(
    ServiceNamespace='sagemaker',
    ResourceId=resource_id,
    ScalableDimension='sagemaker:variant:DesiredInstanceCount',
    MinCapacity=1,
    MaxCapacity=4,
    RoleARN= role,
    SuspendedState={
        'DynamicScalingInSuspended': True,
        'DynamicScalingOutSuspended': True,
        'ScheduledScalingSuspended': True
    }
)

我已授予所有访问权限(sagemaker和cloudwatch)以使用此角色:AmazonSageMaker-ExecutionRole- [1234]

现在,每当我运行此代码时,我都会收到此错误

ClientError: An error occurred (AccessDeniedException) when calling the RegisterScalableTarget 
operation: User: arn:aws:sts::[1234]:assumed-role/AmazonSageMaker-ExecutionRole-[1234]/SageMaker 
is not authorized to perform: iam:PassRole on resource: arn:aws:iam::[1234]:role/service-role/AmazonSageMaker-ExecutionRole-[1234]

现在,我不确定它是如何选择“假定角色”而不是“ service-role”的,以及如何解决此问题,我正在使用具有所有访问权限的管理员帐户,并且上面的“ service-role”拥有所有访问权限

1 个答案:

答案 0 :(得分:0)

来自Application Autoscaling documentation

When users call RegisterScalableTarget, Application Auto Scaling creates a service-linked role in your account, if the role does not exist already. The service-linked role grants permissions to Application Auto Scaling, so that it can call other services on your behalf.

For automatic role creation to succeed, users must have permissions for the iam:CreateServiceLinkedRole action. 

SageMaker documentation中也提到了同样的情况。

从错误消息中,您的角色似乎缺少CreateServiceLinkedRole操作。我将IAM策略与SageMaker自动缩放文档中提供的示例进行比较,确保存在所有必需的权限,然后重试。