0

I'm using SageMaker Studio in an account, in VPC mode. Studio has the default SageMaker full access policy, but I'm seeing this error -

Something went wrong. please ensure that your account is authorized to read from S3.

I added full access to S3 to my role as well. Are there specific S3 permissions required for JumpStart? The domain has access to S3 through a VPC endpoint.

navule
durga_sury

2 Answers

0

The role needs access to jumpstart-cache-prod-<Region> bucket. Make sure your IAM role and VPC endpoint policy allow access to the JumpStart bucket.

Marc Karp
0

Adding the permissions I've set up to close this thread -

For your Studio user's execution role, set up this IAM policy as an inline policy (replace us-west-2 with your region) -

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "s3:ListBucket",
                "s3:GetObject*"
            ],
            "Resource": [
                "arn:aws:s3:::jumpstart-cache-prod-us-west-2",
                "arn:aws:s3:::jumpstart-cache-prod-us-west-2/*"
            ],
            "Effect": "Allow"
        }
    ]
}

For my case, my Studio domain was set up in VPC only mode, and the S3 VPC endpoint had a restrictive policy as well. If you do have an S3 VPC endpoint policy, add the below policy statement to your VPCe policy -

        {
            "Action": [
                "s3:ListBucket",
                "s3:GetObject*"
            ],
            "Resource": [
                "arn:aws:s3:::jumpstart-cache-prod-us-west-2",
                "arn:aws:s3:::jumpstart-cache-prod-us-west-2/*"
            ],
            "Effect": "Allow",
            "Principal": "*"
        }
durga_sury
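
An added example, not part of either answer: a request from a VPC-only Studio domain has to be allowed by both the execution role's policy and the S3 VPC endpoint policy, so this Python sketch checks both documents against the JumpStart bucket and reports which layer blocks which action. The evaluator is simplified (Action/Resource wildcards and explicit Deny only; Condition, NotAction and Principal are ignored), and `VPCE_BEFORE` with its `example-team-bucket` is a constructed restrictive endpoint policy.

```python
import re

REGION = "us-west-2"  # same region as the answer's example; replace with yours
BUCKET_ARN = f"arn:aws:s3:::jumpstart-cache-prod-{REGION}"

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _glob(pattern, value, ignore_case=False):
    # IAM wildcards: * matches any run of characters, ? matches exactly one
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value, re.I if ignore_case else 0) is not None

def allows(policy, action, resource):
    """Simplified evaluation: explicit Deny wins, else one Allow must match."""
    allowed = False
    for st in _as_list(policy["Statement"]):
        hit = (any(_glob(a, action, True) for a in _as_list(st.get("Action", [])))
               and any(_glob(r, resource) for r in _as_list(st.get("Resource", []))))
        if hit and st["Effect"] == "Deny":
            return False
        allowed = allowed or (hit and st["Effect"] == "Allow")
    return allowed

# The two calls the answer's policy covers; the object key is constructed.
REQUIRED = [("s3:ListBucket", BUCKET_ARN),
            ("s3:GetObject", BUCKET_ARN + "/constructed/key.json")]

def blocked_by(role_policy, vpce_policy):
    """Return (layer, action) pairs that are not allowed by that layer."""
    layers = (("role", role_policy), ("vpce", vpce_policy))
    return [(name, action) for action, resource in REQUIRED
            for name, pol in layers if not allows(pol, action, resource)]

JUMPSTART_STMT = {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetObject*"],
                  "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"]}
ROLE_POLICY = {"Version": "2012-10-17", "Statement": [JUMPSTART_STMT]}
# Constructed endpoint policy that only allows one hypothetical team bucket.
VPCE_BEFORE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:*",
     "Resource": ["arn:aws:s3:::example-team-bucket",
                  "arn:aws:s3:::example-team-bucket/*"]}]}
# Same endpoint policy with the answer's statement appended.
VPCE_AFTER = {"Version": "2012-10-17", "Statement":
              VPCE_BEFORE["Statement"] + [dict(JUMPSTART_STMT, Principal="*")]}

if __name__ == "__main__":
    print("before:", blocked_by(ROLE_POLICY, VPCE_BEFORE))
    print("after: ", blocked_by(ROLE_POLICY, VPCE_AFTER))
```
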