Error while trying to access ML Studio from the UI #47

Closed
dosiennik opened this issue Jun 14, 2022 · 7 comments

@dosiennik
Contributor

Describe the bug

I am getting the following error when I try to click on the ML Studio link in the data.all UI:

[screenshot: sagemakerstudio_bug]

How to Reproduce

  1. Setup ML Studio in the data.all UI
  2. Try to access it by clicking on the ML Studio Name

Expected behavior

No response

Your project

No response

Screenshots

No response

OS

mac

Python version

3.8

AWS data.all version

Additional context

No response

@dosiennik dosiennik added the type: bug Something isn't working label Jun 14, 2022
@LEUNGUU
Contributor

LEUNGUU commented Jun 16, 2022

The root cause I find is that the pivot role does not have enough permission to get the sagemaker user profile. Below are the error messages.
[screenshot: Screen Shot 2022-06-16 at 21 50 07]
After adding related permissions to the role, ML studio can be seen from the UI.
PR is #50

@dosiennik
Contributor Author

dosiennik commented Jun 21, 2022

Thanks, I moved a bit forward with the mentioned fix, although it still doesn't work for me. It ends up with the following error when I am trying to access the SageMaker-generated pre-signed URL:

SageMaker is unable to use your associated ExecutionRole [arn:aws:iam:::role/dataall-int-pihvzcf8] to create app. Verify that your associated ExecutionRole has permission for 'sagemaker:CreateApp'.

Looks like the role assigned to the SageMaker UserProfile doesn't have a privilege to create an app although I see the following in its policy:

    {
        "Condition": {
            "StringEquals": {
                "aws:RequestTag/Team": [
                    "DAAdministrators"
                ]
            }
        },
        "Action": "sagemaker:Create*",
        "Resource": "*",
        "Effect": "Allow"
    }

When I add the following createApp privilege explicitly to the role:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": "sagemaker:CreateApp",
                "Resource": "*"
            }
        ]
    }

Then it works. Not sure what is the root cause, is it related somehow to the tagging? Shouldn't the tags from the UserProfile be propagated to the application? Looks like the Team tag is not propagated to the SageMaker App but the IAM Role requires the tag hence the action is denied.

@LEUNGUU
Contributor

LEUNGUU commented Jun 22, 2022

@dosiennik Hello. Thanks for your reply. I dug into it and below are my findings.

  • The meaning of the policy below is to allow a request to create SageMaker-related resources only when the request contains the tag {Team: DAAdministrators}. But what we use now is create_presigned_domain_url, which will launch a default app without the required tags. That is why we have the policy but it doesn't work.

    {
        "Condition": {
            "StringEquals": {
                "aws:RequestTag/Team": [
                    "DAAdministrators"
                ]
            }
        },
        "Action": "sagemaker:Create*",
        "Resource": "*",
        "Effect": "Allow"
    }

  • I also checked another one called aws:ResourceTag. This determines whether to allow access to the resource based on the tags that are attached to the resource. So I changed the RequestTag to ResourceTag, but it still doesn't work. I think this is normal because we cannot control the access to what we don't have now.

So I propose a simple solution that we can remove the condition to make it work for now. Later when we add the creation of sagemaker domain we can orchestrate all these things, such as domain, user profile and app.

Reference

access_tags
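
A simplified model of the evaluation discussed in the comments above, as an added example that is not part of the issue or the data.all code base: it checks the tag-gated statement, the explicit `sagemaker:CreateApp` statement and the condition-removed variant against constructed requests. The evaluator covers only `Allow` statements with `StringEquals`; the function names and request contexts are assumptions.

```python
from fnmatch import fnmatchcase

# Statements copied from the thread; the evaluator below is a simplified model, not AWS's.
TAG_GATED = {"Effect": "Allow", "Action": "sagemaker:Create*", "Resource": "*",
             "Condition": {"StringEquals": {"aws:RequestTag/Team": ["DAAdministrators"]}}}
EXPLICIT_CREATE_APP = {"Effect": "Allow", "Action": "sagemaker:CreateApp", "Resource": "*"}
CONDITION_REMOVED = {k: v for k, v in TAG_GATED.items() if k != "Condition"}
# Constructed request contexts: the app launched via the pre-signed URL sends no tags.
UNTAGGED = {}
TAGGED = {"aws:RequestTag/Team": "DAAdministrators"}

def condition_holds(condition, context):
    """StringEquals only: a key absent from the request context never matches."""
    for operator, keys in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(operator)
        for key, allowed in keys.items():
            if context.get(key) not in allowed:
                return False
    return True

def is_allowed(statements, action, context):
    """True if any Allow statement matches action and condition; else implicit deny."""
    return any(
        st["Effect"] == "Allow"
        and fnmatchcase(action.lower(), st["Action"].lower())
        and condition_holds(st.get("Condition", {}), context)
        for st in statements)

def decision_table():
    """Evaluate each policy variant against each constructed request."""
    policies = {
        "tag_gated": [TAG_GATED],
        "tag_gated_plus_create_app": [TAG_GATED, EXPLICIT_CREATE_APP],
        "condition_removed": [CONDITION_REMOVED],
    }
    requests = {
        "CreateApp/untagged": ("sagemaker:CreateApp", UNTAGGED),
        "CreateApp/tagged": ("sagemaker:CreateApp", TAGGED),
        "CreateUserProfile/untagged": ("sagemaker:CreateUserProfile", UNTAGGED),
    }
    return {(p, r): is_allowed(s, *req) for p, s in policies.items() for r, req in requests.items()}

if __name__ == "__main__":
    for key, allowed in decision_table().items():
        print(key, "ALLOW" if allowed else "DENY")
```

In this model, adding only the explicit `sagemaker:CreateApp` statement unblocks the app launch while untagged `sagemaker:CreateUserProfile` stays denied; removing the condition allows every `sagemaker:Create*` action without the Team tag.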

@dosiennik
Contributor Author

@LEUNGUU thanks a lot for checking and replying. Yeah this will fix it since it works when I did such a change manually for testing.

It is actually odd considering UserProfile's tags definition:
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-sagemaker-userprofile.html

Especially at the part: 'Tags that you specify for the User Profile are also added to all apps that the User Profile launches.'

I checked the tags on the user profile, they are there as expected but seems like they are not propagated to the SageMaker app.

Anyway I agree that the proposed fix will solve the issue although not fully sure about the root cause.

@dlpzx dlpzx self-assigned this Jun 22, 2022
@dlpzx dlpzx added this to Features requested in v1.2.0 via automation Jun 22, 2022
@dlpzx dlpzx moved this from Features requested to In progress in v1.2.0 Jun 22, 2022
@LEUNGUU
Contributor

LEUNGUU commented Jun 22, 2022

@dlpzx How about the PR? Or will you propose another solution?

@dlpzx dlpzx moved this from In progress to Features requested in v1.2.0 Jun 24, 2022
@dlpzx
Contributor

dlpzx commented Jun 27, 2022

The PR passed all controls and I just merged it. Thank you for contributing :)

@dlpzx dlpzx closed this as completed Jun 27, 2022
v1.2.0 automation moved this from Features requested to Done Jun 27, 2022