When trying to deploy the stepFunction with the sagemaker "TrainingJob" integration the following error is thrown:
mystepfunction-role-WOALXN3M2BWR' is not authorized to create managed-rule. (Service: AWSStepFunctions; Status Code: 400; Error Code: AccessDeniedException; Request ID: {long-hex-code}; Proxy: null).
The problem is that the following policy is required to be attached to the auto-generated role linked to the step function:
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "sagemaker:CreateTransformJob",
            "sagemaker:DescribeTransformJob",
            "sagemaker:StopTransformJob"
          ],
          "Resource": [
            "arn:aws:sagemaker:[[region]]:[[accountId]]:transform-job/[[transformJobName]]*"
          ]
        },
        {
          "Effect": "Allow",
          "Action": [
            "sagemaker:ListTags"
          ],
          "Resource": [
            "*"
          ]
        },
        {
          "Effect": "Allow",
          "Action": [
            "iam:PassRole"
          ],
          "Resource": [
            "[[roleArn]]"
          ],
          "Condition": {
            "StringEquals": {
              "iam:PassedToService": "sagemaker.amazonaws.com"
            }
          }
        },
        {
          "Effect": "Allow",
          "Action": [
            "events:PutTargets",
            "events:PutRule",
            "events:DescribeRule"
          ],
          "Resource": [
            "arn:aws:events:[[region]]:[[accountId]]:rule/StepFunctionsGetEventsForSageMakerTransformJobsRule"
          ]
        }
      ]
    }
As stated in the AWS documentation
Potentially it could be defined separately and then attached to the step function with the role: field, but it would override the autogenerated IAM role, making the function unable to call the Lambda functions linked to it.
I guess the role mentioned above needs to be attached to the autogenerated role at creation time.
Any workaround on that?
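An added example, not part of the original post or of any project's code: a small offline check that compares the policy documents attached to a state machine role against the actions listed in the policy quoted above, so a missing `events:*` grant (the "create managed-rule" failure) shows up before deployment. The sample role documents are constructed, and the check compares `Action` names only; `Resource`, `Condition` and `Deny` statements are not evaluated.

```python
import fnmatch

# Actions copied from the policy quoted in the post above, grouped by purpose.
REQUIRED = {
    "sagemaker": ["sagemaker:CreateTransformJob", "sagemaker:DescribeTransformJob",
                  "sagemaker:StopTransformJob", "sagemaker:ListTags"],
    "iam": ["iam:PassRole"],
    "events (managed rule)": ["events:PutTargets", "events:PutRule",
                              "events:DescribeRule"],
}

def _as_list(value):
    # IAM allows a single string or a list for Action and Statement.
    return [value] if isinstance(value, (str, dict)) else list(value or [])

def allowed_patterns(policy):
    """Return lower-cased Action patterns from every Allow statement."""
    patterns = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") == "Allow":
            patterns += [a.lower() for a in _as_list(stmt.get("Action"))]
    return patterns

def missing_actions(policies, required=REQUIRED):
    """Map each group to the required actions no Allow statement covers."""
    patterns = [p for pol in policies for p in allowed_patterns(pol)]
    report = {}
    for group, actions in required.items():
        # Action names are case-insensitive; '*' and '?' are wildcards.
        gaps = [a for a in actions
                if not any(fnmatch.fnmatchcase(a.lower(), p) for p in patterns)]
        if gaps:
            report[group] = gaps
    return report

# Constructed sample: a role that can only invoke Lambda functions.
LAMBDA_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["lambda:InvokeFunction"], "Resource": "*"}]}

# Constructed sample: SageMaker and PassRole added, events still absent.
PARTIAL = {"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Action": ["SageMaker:*", "iam:PassRole"], "Resource": "*"}}

if __name__ == "__main__":
    for name, docs in [("lambda only", [LAMBDA_ONLY]),
                       ("lambda + partial", [LAMBDA_ONLY, PARTIAL])]:
        print(name, "->", missing_actions(docs))
```
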