AccessDeniedException:未授权执行sagemaker:ListModelPackageGroups

我对IAM角色有以下权限策略

statement {
effect = "Allow"
actions = [
"sagemaker:CreateModelPackageGroup",
"sagemaker:ListModelPackageGroups",
]
resources = [
"arn:aws:sagemaker:my_account_region:my_account_id:model-package-group/*",
]

能够使用boto3 创建ModelPackageGroup

import boto3
import logging
logger = logging.getLogger(__name__)
sagemaker_client = boto3.client('sagemaker')
mpg_name = 'my_model_package_name'
matching_mpg = sagemaker_client.list_model_package_groups(NameContains=mpg_name)[
"ModelPackageGroupSummaryList"
]
if matching_mpg:
logger.info(f"Using existing Model Package Group: {mpg_name}")
else:
mpg_input_dict = {
"ModelPackageGroupName": mpg_name,
"ModelPackageGroupDescription": mpg_description,
}
mpg_response = sagemaker_client.create_model_package_group(**mpg_input_dict)

但是我得到了以下错误

botocore.exceptions.ClientError: An error occurred (AccessDeniedException) when calling the ListModelPackageGroups operation: User: arn:aws:sts::my_account_id:assumed-role/my_role_name/botocore-session-some_session_id is not authorized to perform: sagemaker:ListModelPackageGroups because no identity-based policy allows the sagemaker:ListModelPackageGroups action

经过一些研究，我发现SageMaker ActionListModelPackageGroups需要All Resources权限

您的策略中的操作不支持资源级别权限，并要求您选择"所有资源">

事实上，亚马逊SageMaker文档定义的操作提到一些SageMaker操作支持资源级别权限，而其他操作必须指定所有资源

资源类型列指示每个操作是否支持资源级别权限。如果此列没有值，则必须在策略语句的Resource元素中指定所有资源("*"(。如果列包含资源类型，则可以在具有该操作的语句中指定该类型的ARN。

因此，更改为以下策略解决了

{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Action": [
"sagemaker:ListModelPackageGroups"
],
"Resource": "*"
},
{
"Sid": "",
"Effect": "Allow",
"Action": [
"sagemaker:CreateModelPackageGroup"
],
"Resource": "arn:aws:sagemaker:my_account_region:my_account_id:model-package-group/*"
}
]
}

相关内容

最新更新

热门标签：