amazon-s3 amazon-sagemaker amazon-sagemaker-studio amazon-sagemaker-jumpstart

Unable to use SageMaker JumpStart with S3 authorization error


I'm using SageMaker Studio in an account, in VPC mode. Studio has the default SageMaker full access policy, but I'm seeing this error -

Something went wrong. please ensure that your account is authorized to read from S3.


I added full access to S3 to my role as well. Are there specific S3 permissions required for JumpStart? The domain has access to S3 through a VPC endpoint.


Solution

  • Adding the permissions I've set up to close this thread -

    For your Studio user's execution role, set up this IAM policy as an inline policy (replace us-west-2 with your region) -

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Action": [
                    "s3:ListBucket",
                    "s3:GetObject*"
                ],
                "Resource": [
                    "arn:aws:s3:::jumpstart-cache-prod-us-west-2",
                    "arn:aws:s3:::jumpstart-cache-prod-us-west-2/*"
                ],
                "Effect": "Allow"
            }
        ]
    }
    

    For my case, my Studio domain was set up in VPC only mode, and the S3 VPC endpoint had a restrictive policy as well. If you do have an S3 VPC endpoint policy, add the below policy statement to your VPCe policy -

            {
                "Action": [
                    "s3:ListBucket",
                    "s3:GetObject*"
                ],
                "Resource": [
                    "arn:aws:s3:::jumpstart-cache-prod-us-west-2",
                    "arn:aws:s3:::jumpstart-cache-prod-us-west-2/*"
                ],
                "Effect": "Allow",
                "Principal": "*"
            }
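
The two layers this answer describes (the execution role policy and the S3 VPC endpoint policy) must both allow the request, and a small offline check shows which one is missing the JumpStart statement. This is an added example, not part of the original answer: a simplified evaluator that only understands Effect, Action and Resource with wildcards (conditions, NotAction and principals are ignored). The `example-team-bucket` endpoint policy and the object key are constructed.

```python
import fnmatch

BUCKET = "arn:aws:s3:::jumpstart-cache-prod-us-west-2"  # ARN from the policies above
# Requests the statement above is meant to permit (the object key is constructed).
REQUIRED = [("s3:ListBucket", BUCKET), ("s3:GetObject", BUCKET + "/constructed/key")]

# Statement from the answer above, reused for both layers.
STMT = {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetObject*"],
        "Resource": [BUCKET, BUCKET + "/*"]}
ROLE_POLICY = {"Version": "2012-10-17", "Statement": [STMT]}
# Constructed restrictive endpoint policy: only a hypothetical team bucket is allowed.
TEAM = "arn:aws:s3:::example-team-bucket"
RESTRICTIVE_VPCE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:*", "Resource": [TEAM, TEAM + "/*"]}]}
# Same endpoint policy with the answer's statement (plus Principal) appended.
FIXED_VPCE = {"Version": "2012-10-17", "Statement":
              RESTRICTIVE_VPCE["Statement"] + [{**STMT, "Principal": "*"}]}

def as_list(value):
    return value if isinstance(value, list) else [value]

def matches(stmt, action, resource):
    """True if the statement's Action and Resource patterns cover the request."""
    act_ok = any(fnmatch.fnmatchcase(action.lower(), a.lower())
                 for a in as_list(stmt.get("Action", [])))
    res_ok = any(fnmatch.fnmatchcase(resource, r)
                 for r in as_list(stmt.get("Resource", [])))
    return act_ok and res_ok

def allows(policy, action, resource):
    """Simplified evaluation: an explicit Deny wins, otherwise an Allow is required."""
    hits = [s for s in as_list(policy.get("Statement", [])) if matches(s, action, resource)]
    if any(s.get("Effect") == "Deny" for s in hits):
        return False
    return any(s.get("Effect") == "Allow" for s in hits)

def blocked_by(role_policy, endpoint_policy):
    """Map each layer to the required requests it does not allow."""
    layers = {"execution-role": role_policy, "vpc-endpoint": endpoint_policy}
    return {name: [r for r in REQUIRED if not allows(pol, *r)]
            for name, pol in layers.items()}

if __name__ == "__main__":
    print("before:", blocked_by(ROLE_POLICY, RESTRICTIVE_VPCE))
    print("after: ", blocked_by(ROLE_POLICY, FIXED_VPCE))
```

An empty list for both layers means the role and the endpoint each allow the JumpStart reads; a non-empty list names the layer that still needs the statement.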