时间戳

首页 > 解决方案 > AWS Sagemaker 自动扩展 | 假定角色角色没有访问权限

amazon-web-services - AWS Sagemaker 自动扩展 | 假定角色角色没有访问权限

问题描述

我有一个要自动扩展的 sagemaker 实例,目前它正在处理 4 个实例,但我想根据负载将其从 1 个自动扩展为 4 个。

这是我用来自动缩放的代码

resource_id = 'endpoint/[end-point-name]/variant/config1'
sc_client = boto3.client('application-autoscaling')
role = 'arn:aws:iam::[1234]:role/service-role/AmazonSageMaker-ExecutionRole-[1234]'

response = sc_client.register_scalable_target(
    ServiceNamespace='sagemaker',
    ResourceId=resource_id,
    ScalableDimension='sagemaker:variant:DesiredInstanceCount',
    MinCapacity=1,
    MaxCapacity=4,
    RoleARN= role,
    SuspendedState={
        'DynamicScalingInSuspended': True,
        'DynamicScalingOutSuspended': True,
        'ScheduledScalingSuspended': True
    }
)

我已将所有资源的所有访问权限(sagemaker 和 cloudwatch)授予此角色:AmazonSageMaker-ExecutionRole-[1234]

现在,每当我运行此代码时,我都会收到此错误

ClientError: An error occurred (AccessDeniedException) when calling the RegisterScalableTarget 
operation: User: arn:aws:sts::[1234]:assumed-role/AmazonSageMaker-ExecutionRole-[1234]/SageMaker 
is not authorized to perform: iam:PassRole on resource: arn:aws:iam::[1234]:role/service-role/AmazonSageMaker-ExecutionRole-[1234]

现在我不确定它是如何选择“假定角色”而不是“服务角色”以及如何解决这个问题,我正在使用具有所有访问权限的管理员帐户,并且上述“服务角色”也具有所有使用权

标签: amazon-web-servicesaws-sdkamazon-sagemaker

解决方案

应用程序自动缩放文档

When users call RegisterScalableTarget, Application Auto Scaling creates a service-linked role in your account, if the role does not exist already. The service-linked role grants permissions to Application Auto Scaling, so that it can call other services on your behalf.

For automatic role creation to succeed, users must have permissions for the iam:CreateServiceLinkedRole action.

SageMaker 文档中也提到了这一点。

从错误消息中,您的角色似乎缺少 CreateServiceLinkedRole 操作。我会将 IAM 策略与 SageMaker 自动缩放文档中提供的示例进行比较,确保所有必需的权限都存在,然后重试。

推荐阅读