What is iam:GetRole? #2

Open
rbunn80110 opened this issue Aug 27, 2019 · 2 comments

@rbunn80110

If you are running locally, make sure that the account you are running this notebook under has all of the necessary permissions: S3ReadOnlyAccess, SagemakerFullAccess, iam:GetRole, and ECRFullAccess

What is "iam:GetRole" and how do you add it to a role?

@ResidentMario
Contributor

AWS is primarily a role-based access control system, which means that, for most things, what you are and are not allowed to do with a service is controlled by the permissions assigned to the role you are currently running under. This set of permissions assigned to a role is known as its access policy.

Permissions can be added to a role one-at-a-time, or they can be added using a managed policy that adds multiple related permissions all at once. S3ReadOnlyAccess, SageMakerFullAccess, and ECRFullAccess are managed policies which provide various levels of access to {S3, SageMaker, ECR}. iam:GetRole is an individual permission that the demo needs that is not provided by any of the other roles.

A single account can have multiple roles, each with its own policy document dictating what it can and cannot do. A role with the iam:GetRole permission is allowed to assume any other role (subject to optional restrictions, which you may specify in the policy document if needed), adopting the set of permissions and restrictions of that role in the process. The iam:GetRole permission is needed because when you launch the training job with clf.fit(), the API will initialize a new connection, assume your current role, and execute the training job using it. You need your role to have iam:GetRole permissions so you can actually do that.

To attach iam:GetRole to your role, you will need to manually edit the policy document associated with the role in the IAM console. You can figure out the format of the statement you need to add by inspecting some of the AWS demo policy documents.

It's unfortunate that this is so cumbersome, but AWS is an enterprise-grade system, so you kind of have to go through the motions.

@ResidentMario
Contributor

PS: if you're not worried about the security implications, you can simply add the AdministratorAccess managed policy to your role instead. This will give you every permission in AWS, including iam:GetRole.
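
An added example, not part of this thread or of the project's code: it builds a policy document that allows only `iam:GetRole` on a single role (the kind of statement the first reply says to add by hand) and runs a small review check that tells such a scoped grant apart from the allow-everything statement that `AdministratorAccess` carries. The role ARN, the `Sid` and the function names are placeholders chosen for the example, and the check is simplified to `Allow` statements only.

```python
import json
from fnmatch import fnmatchcase

# Placeholder ARN (constructed): substitute your own account ID and role name.
ROLE_ARN = "arn:aws:iam::123456789012:role/ExampleNotebookRole"

# Shape of the AdministratorAccess managed policy: every action, every resource.
ADMIN_POLICY = {"Version": "2012-10-17",
                "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}

def get_role_policy(role_arn):
    """Policy document that allows only iam:GetRole, and only on one role."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "AllowGetRoleOnOneRole",  # hypothetical statement ID
        "Effect": "Allow",
        "Action": "iam:GetRole",
        "Resource": role_arn,
    }]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def audit_grant(policy, action, resource):
    """Return 'none', 'scoped' or 'wildcard' for how policy allows action.

    Simplified review aid: reads Allow statements only and ignores Deny,
    NotAction, NotResource and Condition.
    """
    verdict = "none"
    for stmt in _as_list(policy["Statement"]):
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        allowed = (
            stmt.get("Effect") == "Allow"
            # Action names are case-insensitive; ARNs are compared as written.
            and any(fnmatchcase(action.lower(), a.lower()) for a in actions)
            and any(fnmatchcase(resource, r) for r in resources)
        )
        if allowed and any("*" in p for p in actions + resources):
            return "wildcard"  # granted through a wildcard, not by name
        if allowed:
            verdict = "scoped"
    return verdict

if __name__ == "__main__":
    print(json.dumps(get_role_policy(ROLE_ARN), indent=2))
    print(audit_grant(ADMIN_POLICY, "iam:GetRole", ROLE_ARN))
```

The printed JSON is the document to paste into the role's policy in the IAM console.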
