How to create Sagemaker studio project using aws cdk

I am trying to create a sagemaker studio project using aws cdk, following the steps below:

  • create domain (using this example)
  • create user (using this example)
  • create jupyter app
  • create project

Code for creating jupyter app:


def __init__(self, scope: Construct,
             construct_id: str, *,
             app_name: str,
             app_type: str,
             domain_id: str,
             user_profile_name: str,
             depends_on=None, **kwargs) -> None:
    super().__init__(scope, construct_id)

    sagemaker_jupyter_app = sg.CfnApp(self, construct_id,
                                      app_name=app_name,
                                      app_type=app_type,
                                      domain_id=domain_id,
                                      user_profile_name=user_profile_name
                                      )
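    # Wait for the user profile before creating the app (depends_on is the resource passed in)
    if depends_on is not None:
        sagemaker_jupyter_app.add_depends_on(depends_on)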

Code for creating project:


def __init__(self, scope: Construct,
             construct_id: str, *,
             project_name: str,
             project_description: str,
             product_id: str,
             depends_on=None,
             **kwargs) -> None:
    super().__init__(scope, construct_id)

    sagemaker_studio_project = sg.CfnProject(self, construct_id,
                                             project_name=project_name,
                                             service_catalog_provisioning_details={
                                                 "ProductId": "prod-7tjedn5dz4jrw"
                                             },
                                             project_description=project_description
                                             )

Domain, user, jupyter app all get created successfully. The problem comes in with project. Below is the error:

Resource handler returned message: "Product prod-7tjedn5dz4jrw does not exist or access was denied (Service: SageMaker, Status Code: 400, Request ID: 768116aa-e77b-4691-a972-38b83093fdc4)" (RequestToken: 45ca2a0c-3f03-e3e0-f29d-d9443ff4dfc1, HandlerErrorCode: GeneralServiceException)

I am running this code from an ec2 instance that has SagemakerFullAccess. I also tried attaching SagemakerFullAccess execution role with project... but got the same error. I have also attached the below policy to my domain:

  • AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy


Solution 1:[1]

Basically this was an issue related to IAM. Running a cdk program requires bootstrapping it using the command cdk bootstrap. After running this command, cdk was creating a bunch of roles, out of which one role will be related to cloudformation's execution role. Something like

cdk-serialnumber-cfn-exec-role-Id-region

Now this role was used by cloudformation to run the stack.

Using sagemaker from console automatically adds the role associated with domain/user at

ServiceCatalog -> Portfolios -> Imported -> Amazon SageMaker Solutions and ML Ops products -> Groups, roles, and users

That was the reason why the product id was accessible from console.

After adding the role created by cdk bootstrap to the above path I was able to run my stack.

Solution 2:[2]

Please ensure that the SageMaker Execution Role on the Studio Domain has access to SageMaker Projects. You can check by navigating to ServiceCatalog -> Portfolios -> Imported -> Amazon SageMaker Solutions and ML Ops products -> Groups, roles, and users.

Under this tab, you should see your domain's execution role. If you do not, please add it and then try creating the Project.
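
Both solutions come down to the same check: is the role that will call CreateProject listed under the portfolio's "Groups, roles, and users"? The following is an added example, not code from either answer, that reports which roles are missing and, with apply=True, associates them. It assumes a boto3 Service Catalog client is passed in as `sc` and that the portfolio appears among the accepted portfolio shares; the function names are hypothetical, and only exact role ARNs are matched.

```python
# Added example (not from the original post).
PORTFOLIO_NAME = "Amazon SageMaker Solutions and ML Ops products"  # name as shown on the page


def missing_principals(required_arns, principals):
    """Role ARNs from required_arns that are not associated with the portfolio.

    `principals` is the "Principals" list returned by ListPrincipalsForPortfolio.
    Only exact IAM ARN entries count; IAM_PATTERN entries are ignored here.
    """
    associated = {p["PrincipalARN"] for p in principals
                  if p.get("PrincipalType", "IAM") == "IAM"}
    return [arn for arn in required_arns if arn not in associated]


def pages(call, key, **kwargs):
    """Yield items from a Service Catalog list call, following NextPageToken."""
    while True:
        resp = call(**kwargs)
        yield from resp.get(key, [])
        token = resp.get("NextPageToken")
        if not token:
            return
        kwargs["PageToken"] = token


def ensure_associated(sc, required_arns, portfolio_name=PORTFOLIO_NAME, apply=False):
    """Return (portfolio_id, missing_arns); with apply=True also associate them.

    `sc` is a Service Catalog client, e.g. boto3.client("servicecatalog").
    Pass only the specific roles that need project access (the CloudFormation
    execution role from cdk bootstrap, the Studio domain execution role).
    """
    portfolio_id = next(
        (p["Id"] for p in pages(sc.list_accepted_portfolio_shares, "PortfolioDetails")
         if p["DisplayName"] == portfolio_name), None)
    if portfolio_id is None:
        raise LookupError(f"imported portfolio {portfolio_name!r} not found")
    principals = list(pages(sc.list_principals_for_portfolio, "Principals",
                            PortfolioId=portfolio_id))
    missing = missing_principals(required_arns, principals)
    if apply:
        for arn in missing:
            sc.associate_principal_with_portfolio(
                PortfolioId=portfolio_id, PrincipalARN=arn, PrincipalType="IAM")
    return portfolio_id, missing
```

Run it once with apply=False before deploying the stack; an empty list of missing ARNs means the roles already have access to the portfolio's products.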

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 Pratik
Solution 2 Kirit Thadaka