'SageMaker Studio domain creation fails due to KMS permissions

Question

Please help understand the cause and solution for the problem.

Problem

SageMaker Studio domain creation fails due to KMS permissions. The IAM Role specified to the SageMaker arn:aws:iam::316725000538:role/SageMaker has the permissions for KMS required as specified in https://docs.aws.amazon.com/sagemaker/latest/dg/api-permissions-reference.html.

Domain creation failed
Unable to create Amazon EFS for domain 'd-1dq5c9rpkswy' because you don't have permissions to use the KMS key 'arn:aws:kms:us-east-2:316725000538:key/1e2dbf9d-daa0-408d-a290-1633b615c54f'. See https://docs.aws.amazon.com/sagemaker/latest/dg/api-permissions-reference.html for required permissions for CreateDomain action.

tells the IAM permissions

IAM Permission for CreateDomain action

Amazon SageMaker API Permissions: Actions, Permissions, and Resources Reference

The IAM permission required for the CreateDomain action have been attached to the IAM role.

amazon-sagemaker amazon-kms

Solution 1:^[1]

I had the same problem when trying to use the aws/s3 key. I created my own Customer Managed Key (CMK) and it worked just fine. I think it's related to the AWS assigned policy on the aws/s3 key.

This part:

    "Condition": {
        "StringEquals": {
            "kms:CallerAccount": "120455730103",
            "kms:ViaService": "s3.us-east-1.amazonaws.com"
        }

I don't think SageMaker meets the kms:ViaService condition.

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution	Source
Solution 1	DigitalEd