I'm using SageMaker Studio in an account, in VPC mode. Studio has the default SageMaker full access policy, but I'm seeing this error -
Something went wrong. please ensure that your account is authorized to read from S3.
I added full access to S3 to my role as well. Are there specific S3 permissions required for JumpStart? The domain has access to S3 through a VPC endpoint.
Adding the permissions I've set up to close this thread -
For your Studio user's execution role, set up this IAM policy as an inline policy (replace us-west-2 with your region) -
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "s3:ListBucket",
                "s3:GetObject*"
            ],
            "Resource": [
                "arn:aws:s3:::jumpstart-cache-prod-us-west-2",
                "arn:aws:s3:::jumpstart-cache-prod-us-west-2/*"
            ],
            "Effect": "Allow"
        }
    ]
}
For my case, my Studio domain was set up in VPC only mode, and the S3 VPC endpoint had a restrictive policy as well. If you do have an S3 VPC endpoint policy, add the below policy statement to your VPCe policy -
{
    "Action": [
        "s3:ListBucket",
        "s3:GetObject*"
    ],
    "Resource": [
        "arn:aws:s3:::jumpstart-cache-prod-us-west-2",
        "arn:aws:s3:::jumpstart-cache-prod-us-west-2/*"
    ],
    "Effect": "Allow",
    "Principal": "*"
}
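
An added example, not part of the answer above: an offline check of why S3 full access on the role was not enough, since a request must be allowed by both the role policy and the S3 VPC endpoint policy. The evaluator is a simplified sketch (it ignores `Principal` and rejects `Condition`, `NotAction` and `NotResource`), and `example-team-bucket` and the object key are constructed.

```python
import fnmatch

def _listify(v):
    return v if isinstance(v, list) else [v]

def _match(patterns, value, fold=False):
    # IAM wildcards are * and ?; action names are case-insensitive, ARNs are not.
    norm = str.lower if fold else str
    return any(fnmatch.fnmatchcase(norm(value), norm(p)) for p in _listify(patterns))

def allows(policy, action, resource):
    """True if an Allow statement matches and no Deny statement matches."""
    allowed = False
    for st in _listify(policy["Statement"]):
        if {"NotAction", "NotResource", "Condition"} & st.keys():
            raise ValueError("statement element not handled by this sketch")
        if _match(st["Action"], action, fold=True) and _match(st["Resource"], resource):
            if st["Effect"] == "Deny":
                return False  # an explicit Deny always wins
            allowed = True
    return allowed

def blocked_by(role_policy, endpoint_policy, region):
    """(layer, action) pairs refused for the JumpStart bucket; [] means reachable."""
    bucket = f"arn:aws:s3:::jumpstart-cache-prod-{region}"
    requests = [("s3:ListBucket", bucket),
                ("s3:GetObject", bucket + "/constructed/key.json")]  # constructed key
    layers = (("role", role_policy), ("vpce", endpoint_policy))
    return [(name, action) for action, resource in requests
            for name, policy in layers if not allows(policy, action, resource)]

def _stmt(actions, resources, **extra):
    return {"Effect": "Allow", "Action": actions, "Resource": resources, **extra}

# The statement from the answer above (us-west-2).
JUMPSTART = _stmt(["s3:ListBucket", "s3:GetObject*"],
                  ["arn:aws:s3:::jumpstart-cache-prod-us-west-2",
                   "arn:aws:s3:::jumpstart-cache-prod-us-west-2/*"])
# Constructed inputs: a role with S3 full access and a restrictive endpoint policy.
ROLE_S3_FULL = {"Statement": [_stmt("s3:*", "*")]}
VPCE_BEFORE = {"Statement": [_stmt("s3:*", ["arn:aws:s3:::example-team-bucket",
                                            "arn:aws:s3:::example-team-bucket/*"],
                                   Principal="*")]}
VPCE_AFTER = {"Statement": VPCE_BEFORE["Statement"] + [dict(JUMPSTART, Principal="*")]}

if __name__ == "__main__":
    print("before:", blocked_by(ROLE_S3_FULL, VPCE_BEFORE, "us-west-2"))
    print("after: ", blocked_by(ROLE_S3_FULL, VPCE_AFTER, "us-west-2"))
```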