Is sagemaker:CreatePresignedDomainUrl required to open Jupyter in a SageMaker notebook instance?

I'm trying to avoid to use the managed policies AmazonSageMakerReadOnly and AmazonSageMakerFullAccess because I only want the users to be able to start/stop their own notebook instance and to open jupyter in their instance.

So far the user role has the following permissions among others

...
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": [
                "sagemaker:StopNotebookInstance",
                "sagemaker:StartNotebookInstance",
                "sagemaker:CreatePresignedNotebookInstanceUrl"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/OwnerRole": "${aws:userid}"
                }
            }
        },
  

The policy does not have sagemaker:CreatePresignedDomainUrl but it has sagemaker:CreatePresignedNotebookInstanceUrl. When a user with this policy clicks Open Jupyter in the AWS SageMaker console, it opens a URL https://xxxxxx.notebook.eu-north-1.sagemaker.aws/auth?authToken=xxxxx, but that URL returns:

403 Forbidden. Access to xxxxxx.notebook.eu-north-1.sagemaker.aws was denied. You don't have authorisation to view this page. HTTP ERROR 403

As soon as I added sagemaker:CreatePresignedDomainUrl for resource *, the 403 error was gone and the user could open the Jupyter notebook.

My question is: why is that needed, and what resource should I put instead of *? The documentation mentions arn:aws:sagemaker:regionXXX:account-idXXX:app/domain-id/userProfileNameXXXX/* but I do not have any domain or user profile.



Solution 1:[1]

The CreatePresignedDomainUrl statement allows the role to launch a SageMaker Studio app (hence the domain-id/user-profile ARN). Opening a SageMaker notebook instance does not need the presigned domain URL permission.

You'll need to make sure you're tagging the notebook with an OwnerRole key, with value = userid (not username). In addition, you'll need to use sagemaker:ResourceTag (instead of aws:ResourceTag).

See the service authorization page for a complete list of actions and condition keys.
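Putting the answer's two corrections together, here is an example policy added for illustration (not the asker's policy or an AWS-published one): the condition key is switched to sagemaker:ResourceTag, and the notebook-instance actions are scoped to notebook-instance ARNs instead of *. The region eu-north-1 comes from the question; the account ID 111122223333 is a placeholder, and the ListNotebookInstances statement is an assumption added so the console can still list instances (that action does not support resource-level permissions, so its resource stays *). `${aws:userid}` resolves to the principal's unique ID, which is why the OwnerRole tag must hold the userid rather than the username.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ManageOwnNotebookInstanceOnly",
      "Effect": "Allow",
      "Action": [
        "sagemaker:StartNotebookInstance",
        "sagemaker:StopNotebookInstance",
        "sagemaker:CreatePresignedNotebookInstanceUrl"
      ],
      "Resource": "arn:aws:sagemaker:eu-north-1:111122223333:notebook-instance/*",
      "Condition": {
        "StringEquals": {
          "sagemaker:ResourceTag/OwnerRole": "${aws:userid}"
        }
      }
    },
    {
      "Sid": "ListNotebookInstancesForConsole",
      "Effect": "Allow",
      "Action": "sagemaker:ListNotebookInstances",
      "Resource": "*"
    }
  ]
}
```

With this policy a user whose userid does not match the instance's OwnerRole tag is denied on Start, Stop and Open Jupyter, and no CreatePresignedDomainUrl grant is needed for notebook instances.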

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 durga_sury