I am getting error when i call get_execution_role() from sagemaker in python.
I have attached the error for the same.
I have added the SagemakerFullAccess Policy to role and user both.
Asked
Active
Viewed 1.8k times
26
Josh Davis
- 6,651
- 2
- 25
- 25
Karan Nadagoudar
- 434
- 1
- 5
- 10
-
you sure you used role arn not user arn ? – Kush Vyas Dec 08 '17 at 11:06
-
I tried with both role and user arn, but it failed to work – Karan Nadagoudar Dec 09 '17 at 12:42
3 Answers
57
get_execution_role() is a function helper used in the Amazon SageMaker Examples GitHub repository.
These examples were made to be executed from the fully managed Jupyter notebooks that Amazon SageMaker provides.
From inside these notebooks, get_execution_role() will return the IAM role name that was passed in as part of the notebook creation. That allows the notebook examples to be executed without code changes.
From outside these notebooks, get_execution_role() will return an exception because it does not know what is the role name that SageMaker requires.
To solve this issue, pass the IAM role name instead of using get_execution_role().
Instead of:
role = get_execution_role()
kmeans = KMeans(role=role,
train_instance_count=2,
train_instance_type='ml.c4.8xlarge',
output_path=output_location,
k=10,
data_location=data_location)
you need to do:
role = 'role_name_with_sagemaker_permissions'
kmeans = KMeans(role=role,
train_instance_count=2,
train_instance_type='ml.c4.8xlarge',
output_path=output_location,
k=10,
data_location=data_location)
Marcio dos Santos
- 835
- 5
- 8
-
4You can use the AWS CLI to create and retrieve your execution role: https://medium.com/ml-bytes/how-to-a-create-a-sagemaker-execution-role-539866910bda?source=linkShare-4bd3124f2454-1532513189 – Marcio dos Santos Jul 25 '18 at 10:08
-
1Hi, inside a SM managed notebook instance I'm getting an error while running `get_execution_role`: NoCredentialsError: Unable to locate credentials. Any idea why? – Austin Mar 05 '20 at 17:51
11
I struggled with this for a while and there are a few different pieces but I believe these are the steps to solve (according to this doc)
You must add a role to your aws config file. Go to terminal and enter:
~/.aws/config
Add your own profile
[profile marketingadmin]
role_arn = arn:aws:iam::123456789012:role/marketingadmin
source_profile = default
Then Edit Trust Relationships in the AWS Dashboard:
add this and update:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "sagemaker.amazonaws.com",
"AWS": "arn:aws:iam::XXXXXXX:user/YOURUSERNAME"
},
"Action": "sts:AssumeRole"
}
]
}
Lastly, I clicked the link that says
Give this link to users who can switch roles in the console
After adding my credentials - it worked.
B-Tron of the Autobots
- 479
- 6
- 14
-
2It works for me as well. Btw, I didn't find and didn't click "Give this link ..." link. – Serhiy Jan 17 '20 at 10:16
1
thanks for trying out SageMaker!
The exception you are seeing already suggests the reason. The credentials you are using are not a role credentials but most likely a user. The format of 'user' credentials will look like:
'arn:aws:iam::accid:user/name' as opposed to a role: 'arn:aws:iam::accid:role/name'
Hope this helps!
luk75
- 44
- 2
-
Thanks luk75, I have tried both for user and role it didn't work. – Karan Nadagoudar Dec 09 '17 at 12:43
-
Hey, another option that comes to me is that the pattern matching failed for some reason. Maybe you could show the string after the account id? Specifically, the role name (string after role/) - perhaps it has some characters that make the pattern matching off. Alternatively, if the name is other than some simple name - please try to create another role and try with that to see if this is the issue. – luk75 Dec 11 '17 at 16:57
-
Also, when you say it didn't work for a role - can you explain what you mean? Do you get the exact same error as you mentioned above for the user? – ishaaq Dec 13 '17 at 05:30