0

I have a sagemaker instance which I want to auto scale, currently it is working on 4 instances but I want to auto-scale it from 1 to 4, as per the load.

This is the code I am using to auto-scale 

resource_id = 'endpoint/[end-point-name]/variant/config1'
sc_client = boto3.client('application-autoscaling')
role = 'arn:aws:iam::[1234]:role/service-role/AmazonSageMaker-ExecutionRole-[1234]'

response = sc_client.register_scalable_target(
    ServiceNamespace='sagemaker',
    ResourceId=resource_id,
    ScalableDimension='sagemaker:variant:DesiredInstanceCount',
    MinCapacity=1,
    MaxCapacity=4,
    RoleARN= role,
    SuspendedState={
        'DynamicScalingInSuspended': True,
        'DynamicScalingOutSuspended': True,
        'ScheduledScalingSuspended': True
    }
)

I have given all the access (sagemaker and cloudwatch) on all resources to this role : AmazonSageMaker-ExecutionRole-[1234]

Now I am getting this error whenever i ran this code 

ClientError: An error occurred (AccessDeniedException) when calling the RegisterScalableTarget 
operation: User: arn:aws:sts::[1234]:assumed-role/AmazonSageMaker-ExecutionRole-[1234]/SageMaker 
is not authorized to perform: iam:PassRole on resource: arn:aws:iam::[1234]:role/service-role/AmazonSageMaker-ExecutionRole-[1234]

Now I am not sure how it is pickin 'assumed-role' instead of 'service-role' and how to fix the issue, I am using admin account which have all the access and the above 'service-role' also have all the access

Vineet
  • 1,492
  • 4
  • 17
  • 31
  • does this help? https://stackoverflow.com/questions/51911382/cloudformation-is-not-authorized-to-perform-iampassrole-on-resource – Banjo Obayomi Sep 19 '19 at 15:42

1 Answers1

0

From Application Autoscaling documentation:

When users call RegisterScalableTarget, Application Auto Scaling creates a service-linked role in your account, if the role does not exist already. The service-linked role grants permissions to Application Auto Scaling, so that it can call other services on your behalf.

For automatic role creation to succeed, users must have permissions for the iam:CreateServiceLinkedRole action.

The same is mentioned in SageMaker documentation.

From the error message, it looks like your role is missing the CreateServiceLinkedRole action. I would compare the IAM policy against the sample one provided in SageMaker autoscaling documentation, make sure all required permissions are present, and try again.

yijieyjq
  • 39
  • 3