
What does the 'enable_network_isolation' argument for SageMaker processing jobs do?


I'm setting up processing jobs in a closed network. I'm creating a processing job script using the SageMaker SDK to call the SageMaker API and register a model from S3 to the model registry. During this process, I'm specifying the netconfig for the job.

network_config = NetworkConfig(security_group_ids=security_ids, subnets=subnets, enable_network_isolation=True)

script_processor = ScriptProcessor(
        network_config=network_config,
        # remaining arguments are not shown in the original post
)

When I set 'enable_network_isolation' to True, I encounter an error: botocore.exceptions.NoCredentialsError: Unable to locate credentials

As for the questions:

What does it really mean when 'enable_network_isolation' is set to True? Even if I specify private security groups and subnet IDs in netconfig, I assume the processing job is already within a closed network. However, when I further set 'enable_network_isolation' to true or false, what happens?

I've checked the official documentation, but the explanation is vague. We need your help.


Solution

  • enable_network_isolation defines whether inbound and outbound network calls to and from the containers used for the processing job are allowed.

    It is covered in the infrastructure security documentation; only Training Jobs are mentioned there, but the same applies to Processing Jobs:

    If you enable network isolation, the containers can't make any outbound network calls, even to other AWS services such as Amazon S3. Additionally, no AWS credentials are made available to the container runtime environment

    The latter also explains why you're getting the error NoCredentialsError: Unable to locate credentials.
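
The behaviour described in the answer above, expressed as a pre-flight check on a job request before it is submitted. This is an added example, not code from the original post or from the SageMaker SDK. The field names follow the NetworkConfig structure of the CreateProcessingJob API; the function name, finding codes and sample requests are constructed for illustration.

```python
# Added example: classify the network posture of a processing job request and
# predict the NoCredentialsError from the question. Sample IDs are placeholders.

def review_network_config(request, script_calls_aws_apis):
    """Return (code, message) findings for the container's network posture."""
    net = request.get("NetworkConfig") or {}
    isolated = bool(net.get("EnableNetworkIsolation", False))
    vpc = net.get("VpcConfig") or {}
    in_vpc = bool(vpc.get("Subnets")) and bool(vpc.get("SecurityGroupIds"))
    findings = []
    if isolated:
        # Isolation applies to the container itself, independent of VpcConfig.
        findings.append(("ISOLATED",
                         "container cannot make network calls and gets no AWS credentials"))
        if script_calls_aws_apis:
            findings.append(("WILL_FAIL_NO_CREDENTIALS",
                             "script calls an AWS API from inside the container; "
                             "expect NoCredentialsError"))
    elif in_vpc:
        findings.append(("VPC_ONLY",
                         "container traffic is governed by the listed subnets and "
                         "security groups; credentials are available to the script"))
    else:
        findings.append(("OPEN_EGRESS",
                         "no isolation and no VpcConfig; container egress is not "
                         "restricted by your VPC"))
    return findings

def codes(findings):
    return [code for code, _ in findings]

# Constructed sample requests.
VPC = {"SecurityGroupIds": ["sg-EXAMPLE"], "Subnets": ["subnet-EXAMPLE"]}
ASKER_REQUEST = {"NetworkConfig": {"EnableNetworkIsolation": True, "VpcConfig": VPC}}
VPC_ONLY_REQUEST = {"NetworkConfig": {"EnableNetworkIsolation": False, "VpcConfig": VPC}}
DEFAULT_REQUEST = {}

if __name__ == "__main__":
    for name, req in [("asker", ASKER_REQUEST), ("vpc only", VPC_ONLY_REQUEST),
                      ("default", DEFAULT_REQUEST)]:
        for code, message in review_network_config(req, script_calls_aws_apis=True):
            print(f"{name}: {code}: {message}")
```
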