英文:
AWS Sagemaker model creation failing with internal error
问题
我正在尝试在多模型模式下创建一个SageMaker模型。为此,我使用了Terraform,并且有以下要创建的资源:
module.main.module.toing.aws_sagemaker_model.sagemaker_multimodel 将被创建+ 资源 "aws_sagemaker_model" "sagemaker_multimodel" {+ arn = (apply后知道)+ execution_role_arn = "arn:aws:iam::XXXXX:role/us-west-1-toing_role"+ id = (apply后知道)+ name = "dev-us-west-test-model"+ primary_container {+ image = "us-west-1-toing_image"+ mode = "MultiModel"+ model_data_url = "s3://toing_bucket/"}}
这个模型的资源创建第一次失败,出现以下错误:
Error: 创建SageMaker模型时出错: ValidationException: 执行角色ARN "arn:aws:iam::XXXXX:role/us-west-1-toing_role" 无效。请确保该角色存在,并且其信任关系策略允许服务主体 "sagemaker.amazonaws.com" 执行 "sts:AssumeRole" 操作。│ status code: 400, request id: XXX-XXX-XXX-XXX-XXX
但是,当我在IAM上检查toing_role角色时,它具有必要的权限和信任关系。
信任关系
{"Version": "2012-10-17","Statement": [{"Effect": "Allow","Principal": {"Service": "sagemaker.amazonaws.com"},"Action": "sts:AssumeRole"}]}
权限策略
AmazonS3FullAccessAmazonSageMakerFullAccess
当我重新应用时,模型的创建在Terraform上挂起。我在云跟踪中进行了检查,并且对来自Terraform的CreateModel请求出现以下错误响应。这种情况反复发生。
..."errorCode": "InternalFailure","errorMessage": "发生未知错误",...
当我尝试使用相同的角色手动创建模型时,我收到了 ThrottlingException。当我等待一段时间然后重新运行请求时,我再次收到 InternalFailure。
我不明白这是否是我的执行角色的问题,因为相同的代码在eu-west-1中完美运行,但在us-west-1中不行。并且这些角色具有完全相同的权限,如上所示。
S3存储桶也在其各自正确的区域中创建。因此,我不明白这个失败是从何而来的,因为S3存储桶也具有完全相同的权限。
PS1:我还验证了toing_image 容器分别存在于其各自区域的ECR存储库中。
PS2:角色附加到模型如下:
# 定义SageMaker的“假定角色”策略data "aws_iam_policy_document" "sm_assume_role_policy" {statement {actions = ["sts:AssumeRole"]principals {type = "Service"identifiers = ["sagemaker.amazonaws.com"]}}}resource "aws_iam_role" "sagemaker_inferencer_iam_role" {name = "${var.app_environment}-inferencer-sm-${var.aws_region}-iam-role-${var.endpoint_postfix}"assume_role_policy = data.aws_iam_policy_document.sm_assume_role_policy.json}# 附加AWS默认策略,“AmazonSageMakerFullAccess”data "aws_iam_policy" "sm_required_policy" {name = "AmazonSageMakerFullAccess"}resource "aws_iam_role_policy_attachment" "sm_full_access_attach" {role = aws_iam_role.sagemaker_inferencer_iam_role.namepolicy_arn = data.aws_iam_policy.sm_required_policy.arn}# 附加AWS默认策略,“AmazonS3FullAccess”data "aws_iam_policy" "s3_required_policy" {name = "AmazonS3FullAccess"}resource "aws_iam_role_policy_attachment" "s3_full_access_attach" {role = aws_iam_role.sagemaker_inferencer_iam_role.namepolicy_arn = data.aws_iam_policy.s3_required_policy.arn}resource "aws_sagemaker_model" "sagemaker_multimodel" {name = "${var.app_environment}-${var.endpoint_postfix}-model"execution_role_arn = aws_iam_role.sagemaker_inferencer_iam_role.arnprimary_container {image = local.multi_model_inferencer_container_namemode = "MultiModel"model_data_url = "s3://${local.model_bucket_name}/"}tags = var.default_tags}
我做错了什么?
英文:
I am trying to create a sagemaker model in multimodel mode. For this, I use terraform and I have the following resources to be created:
module.main.module.toing.aws_sagemaker_model.sagemaker_multimodel will be created+ resource "aws_sagemaker_model" "sagemaker_multimodel" {+ arn = (known after apply)+ execution_role_arn = "arn:aws:iam::XXXXX:role/us-west-1-toing_role"+ id = (known after apply)+ name = "dev-us-west-test-model"+ primary_container {+ image = "us-west-1-toing_image"+ mode = "MultiModel"+ model_data_url = "s3://toing_bucket/"}}
The resource creation of this model fails the first time with the error:
Error: creating SageMaker model: ValidationException: The execution role ARN "arn:aws:iam::XXXXX:role/us-west-1-toing_role" is invalid. Please ensure that the role exists and that its trust relationship policy allows the action "sts:AssumeRole" for the service principal "sagemaker.amazonaws.com".│ status code: 400, request id: XXX-XXX-XXX-XXX-XXX
However, when I check the toing_role role on iam it has the neccesary permissions and trust relationships.
Trust Relationships
{"Version": "2012-10-17","Statement": [{"Effect": "Allow","Principal": {"Service": "sagemaker.amazonaws.com"},"Action": "sts:AssumeRole"}]}
Permissions policies
AmazonS3FullAccessAmazonSageMakerFullAccess
When I re-apply, the creation of the model hangs on terraform. I checked on cloud trails, and it has the following error response to the CreateModel request from terraform. This happens repeatedly.
..."errorCode": "InternalFailure","errorMessage": "An unknown error occurred",...
When I try to create the model manually using the GUI with the same role, I get a ThrottlingException. When I wait for some time and re-run the request, I get an InternalFailure agian.
I do not understand if this is problem with my execution role, since the same code works perfectly in eu-west-1, but not in us-west-1. And the roles have exactly the same permissions as above.
The S3 bucket is also created in their right respective regions. Hence I do not understand where this failure comes from, since the S3 buckets too have exactly the same permissions.
PS1: I have also verified that the container toing_image exists separately in the ECR repositories of their respective regions.
PS2: The role is attached to the model as follows:
# Defining the SageMaker "Assume Role" policydata "aws_iam_policy_document" "sm_assume_role_policy" {statement {actions = ["sts:AssumeRole"]principals {type = "Service"identifiers = ["sagemaker.amazonaws.com"]}}}resource "aws_iam_role" "sagemaker_inferencer_iam_role" {name = "${var.app_environment}-inferencer-sm-${var.aws_region}-iam-role-${var.endpoint_postfix}"assume_role_policy = data.aws_iam_policy_document.sm_assume_role_policy.json}# Attaching the AWS default policy, "AmazonSageMakerFullAccess"data "aws_iam_policy" "sm_required_policy" {name = "AmazonSageMakerFullAccess"}resource "aws_iam_role_policy_attachment" "sm_full_access_attach" {role = aws_iam_role.sagemaker_inferencer_iam_role.namepolicy_arn = data.aws_iam_policy.sm_required_policy.arn}# Attaching the AWS default policy, "AmazonSageMakerFullAccess"data "aws_iam_policy" "s3_required_policy" {name = "AmazonS3FullAccess"}resource "aws_iam_role_policy_attachment" "s3_full_access_attach" {role = aws_iam_role.sagemaker_inferencer_iam_role.namepolicy_arn = data.aws_iam_policy.s3_required_policy.arn}resource "aws_sagemaker_model" "sagemaker_multimodel" {name = "${var.app_environment}-${var.endpoint_postfix}-model"execution_role_arn = aws_iam_role.sagemaker_inferencer_iam_role.arnprimary_container {image = local.multi_model_inferencer_container_namemode = "MultiModel"model_data_url = "s3://${local.model_bucket_name}/"}tags = var.default_tags}
What am I doing wrong?
答案1
得分: 0
这是由于在我尝试运行我的基础架构时,特定地区未启用STS(AWS安全令牌服务)引起的。显然,在某些地区,STS不是默认启用的,必须通过IAM -> 帐户设置 -> STS -> 终端点启用,如此处所解释的那样。
英文:
This was caused by STS (AWS Security Token Service) not being enabled for the specific regions that I was trying to run my infrastructure. Apparently in some regions, STS is not e,nabled by default, and has to be enabled through IAM -> Account Settings -> STS -> Endpoints as explained here.
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论