
I am trying to create a FeatureGroup using the SageMaker API on an EC2 instance. I got the error below while running the Python script that creates the FeatureGroup.

botocore.exceptions.ClientError: An error occurred (ValidationException) when calling the CreateFeatureGroup operation: The execution role ARN is invalid. Please ensure that the role exists and that its trust relationship policy allows the action 'sts:AssumeRole' for the service principal 'sagemaker.amazonaws.com'.

I observed that the role I am using doesn't have "sagemaker.amazonaws.com" as a trusted entity, so I tried to add it; however, I am getting the error "user: arn:aws:sts::xxxxxx11:assumed-role/engineer/abcUser is not authorized to perform: iam:UpdateAssumeRolePolicy on resource: role app-role-12345 with an explicit deny in an identity-based policy"

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
                "Service": ["ec2.amazonaws.com","sagemaker.amazonaws.com"]
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

I tried through Terraform as well:

data "aws_iam_policy_document" "instance-assume-role-policy" {
  # Trust policy: both the EC2 and the SageMaker service principals may assume the role
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["ec2.amazonaws.com", "sagemaker.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "instance" {
  name               = "engineer-12345"
  # Changing the trust policy of an existing role calls iam:UpdateAssumeRolePolicy
  assume_role_policy = data.aws_iam_policy_document.instance-assume-role-policy.json
}

However, it's not working; I get an access denied error.

Can anyone help to resolve this?

Code used:

import pandas as pd
import sagemaker
from sagemaker.feature_store.feature_group import FeatureGroup

sagemaker_session = sagemaker.Session()
# Outside a SageMaker notebook this resolves to the role behind the caller's
# credentials (the instance role on EC2); it is only printed below, not passed to create()
role = sagemaker.get_execution_role()

print("role : ", role)

print("start")

try:
    customer_data = pd.read_csv(
        "data.csv",
        dtype={'customer_id': int, 'city_code': int, 'state_code': int, 'country_code': int, 'eventtime': float},
    )

    customers_feature_group_name = "customers-fg-01"
    customers_feature_group = FeatureGroup(name=customers_feature_group_name, sagemaker_session=sagemaker_session)

    record_identifier_feature_name = "customer_id"

    # Infer the feature definitions (names and types) from the DataFrame columns
    customers_feature_group.load_feature_definitions(data_frame=customer_data)

    customers_feature_group.create(
        s3_uri="s3://xxxx/sagemaker-featurestore/",
        record_identifier_name=record_identifier_feature_name,
        event_time_feature_name="eventtime",
        # This role (not the caller's) must trust sagemaker.amazonaws.com and be able to write to s3_uri
        role_arn='arn:aws:iam::1234:role/role-1234',
        enable_online_store=True,
        online_store_kms_key_id='arn:aws:kms:us-east-1:1234:key/1111',
    )
except Exception as e:
    print(str(e))
ashwini
  • Looks like your `engineer` role does not have access to update the trust policy with an "explicit" deny. If possible, I'd suggest using an Admin role to update the trust policy through the console. Otherwise, your role needs to have the explicit deny removed and a policy added to allow iam:UpdateAssumeRolePolicy. – durga_sury Jul 19 '22 at 18:23
  • Unfortunately I don't have access to update the engineer role and don't have admin role access either. Through Terraform I can try, but I'm getting code issues when I run TF apply – ashwini Jul 19 '22 at 19:10
  • Got it. Can you share the issues you face when updating through Terraform? Also, do you have a different role created for SageMaker actions? We may be able to pass that role instead based on your action. – durga_sury Jul 19 '22 at 19:31
  • Yes, I tried other roles too, no luck. Also, I have added the TF code and the error I got – ashwini Jul 19 '22 at 19:37
  • Have you tried typing in the TF code? If it's pasted from some other editor, the curly quotes may be the issue. Also, since I don't have the entire code, I don't know which line is 148. – durga_sury Jul 19 '22 at 22:55
  • Yeah, I was able to fix that syntax error; however, I got the same access denied issue. The engineer role doesn't seem to have access, so I raised a ticket with the admin team. Hope they will be able to help. Thanks for your response – ashwini Jul 20 '22 at 15:44
  • Hi, I tried adding that, still getting the same error – ashwini Jul 25 '22 at 21:08
  • Can you share the code you're using to create the feature group from EC2? – durga_sury Jul 26 '22 at 00:04
  • I added the code; however, the issue is resolved now... it was an issue with the S3 bucket policy – ashwini Jul 27 '22 at 18:58
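The question turns on two things a practitioner would want to check before filing a ticket: whether the role passed as `role_arn` actually trusts `sagemaker.amazonaws.com` for `sts:AssumeRole`, and whether the `AccessDenied` on `iam:UpdateAssumeRolePolicy` is an explicit Deny (which no added Allow can override) or merely a missing Allow. The following is an added example written for this page; it is not the asker's code or part of the SageMaker SDK. `service_can_assume`, `missing_services` and `parse_access_denied` are my names, and the sample trust policies and error string are constructed from the ones quoted in the question. Run `service_can_assume` on the output of `aws iam get-role --role-name <name> --query Role.AssumeRolePolicyDocument`; no AWS call is made here.

```python
"""Offline checks for an IAM role trust policy and an IAM AccessDenied message.

Added example for this Q&A page; not the asker's code.
"""
import fnmatch
import json
import re

ASSUME_ROLE = "sts:AssumeRole"


def _as_list(value):
    """Policy JSON allows a scalar wherever a list is allowed; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """IAM action names are case-insensitive and patterns may contain '*' and '?'."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _covers_action(stmt, action):
    if "NotAction" in stmt:
        return not any(_action_matches(p, action) for p in _as_list(stmt["NotAction"]))
    return any(_action_matches(p, action) for p in _as_list(stmt.get("Action")))


def _names_service(stmt, service):
    principal = stmt.get("Principal")
    if principal == "*":          # wildcard principal: treat as matching
        return True
    if isinstance(principal, dict):
        return service in _as_list(principal.get("Service"))
    return False


def service_can_assume(trust_policy, service, action=ASSUME_ROLE):
    """True iff an unconditional Allow names `service` for `action` and no Deny does.

    Conditional Allows are ignored (their context cannot be evaluated offline);
    Deny statements are honoured whether conditional or not, so the function
    errs on the side of reporting "not allowed".
    """
    if isinstance(trust_policy, str):
        trust_policy = json.loads(trust_policy)
    allowed = False
    for stmt in _as_list(trust_policy.get("Statement")):
        if not (_covers_action(stmt, action) and _names_service(stmt, service)):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        if stmt.get("Effect") == "Allow" and "Condition" not in stmt:
            allowed = True
    return allowed


def missing_services(trust_policy, required):
    """Service principals from `required` that cannot assume the role."""
    return [s for s in required if not service_can_assume(trust_policy, s)]


# Shape of the message IAM returns on AccessDenied; the trailing "with an explicit
# deny in ..." clause is only present when a Deny statement matched.
ACCESS_DENIED_RE = re.compile(
    r"(?P<principal>arn:aws[\w-]*:(?:iam|sts)::[^:\s]*:\S+) is not authorized to perform: "
    r"(?P<action>[\w-]+:[\w*-]+) on resource: (?P<resource>.+?)"
    r"(?: with an explicit deny in (?P<deny_in>.+?))?\.?\s*$"
)


def parse_access_denied(message):
    """Split an IAM AccessDenied message into its parts, or None if it does not match."""
    m = ACCESS_DENIED_RE.search(message)
    if not m:
        return None
    parts = m.groupdict()
    parts["explicit_deny"] = parts["deny_in"] is not None
    return parts


# Constructed samples modelled on the question (not fetched from any account).
EC2_ONLY_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"},
                   "Action": "sts:AssumeRole"}],
}
EC2_AND_SAGEMAKER_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"Service": ["ec2.amazonaws.com", "sagemaker.amazonaws.com"]},
                   "Action": "sts:AssumeRole"}],
}
SAMPLE_DENIED_MESSAGE = (
    "user: arn:aws:sts::xxxxxx11:assumed-role/engineer/abcUser is not authorized to perform: "
    "iam:UpdateAssumeRolePolicy on resource: role app-role-12345 with an explicit deny in an identity-based policy"
)

if __name__ == "__main__":
    for name, policy in (("ec2-only", EC2_ONLY_TRUST), ("ec2+sagemaker", EC2_AND_SAGEMAKER_TRUST)):
        print(name, "missing:", missing_services(policy, ["ec2.amazonaws.com", "sagemaker.amazonaws.com"]))
    print(parse_access_denied(SAMPLE_DENIED_MESSAGE))
```

If `parse_access_denied` reports `explicit_deny`, adding an Allow to the engineer role will not help; the Deny statement itself has to be removed or the change made with a principal it does not apply to, which is what the first comment suggests. Note also that the posted script prints `get_execution_role()` but passes a different, hard-coded `role_arn` to `create()`; it is the latter role whose trust policy the CreateFeatureGroup error is about.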

0 Answers