A data engineer is configuring Amazon SageMaker Studio to use AWS Glue interactive sessions to prepare data for machine learning (ML) models.
The data engineer receives an access denied error when the data engineer tries to prepare the data by using SageMaker Studio.
Which change should the engineer make to gain access to SageMaker Studio?
To address the access denied error the data engineer is experiencing while using SageMaker Studio and AWS Glue interactive sessions, two changes should be made. First, the AmazonSageMakerFullAccess managed policy should be added to the data engineer’s IAM user to ensure that SageMaker has the necessary permissions to interact with AWS Glue and other related services. This policy grants broad permissions required for using SageMaker features, including SageMaker Studio. Second, the data engineer’s IAM user should have a policy that includes the sts:AssumeRole action for the AWS Glue and SageMaker service principals in the trust policy. This action allows the IAM user to assume a role with the necessary permissions, facilitating proper cross-service access.
I don't believe you're supposed to assign a FullAccess policy, so I will go with B.
I will go with C
Option A (AWSGlueServiceRole managed policy) is not relevant, as this policy is intended for the AWS Glue service itself, not for users accessing SageMaker Studio. Option B (adding a policy with sts:AssumeRole action) is not necessary, as SageMaker handles the role assumption process internally. Option D (sts:AddAssociation action) is not a valid action and is not required for accessing SageMaker Studio or using AWS Glue interactive sessions.
I will go with B since you can get access denied even with the AmazonSageMakerFullAccess. See here: https://stackoverflow.com/questions/64709871/aws-sagemaker-studio-createdomain-access-error
Amazon SageMaker requires permissions to perform actions on your behalf. By attaching the AmazonSageMakerFullAccess managed policy to the data engineer’s IAM user, you grant the necessary permissions for SageMaker Studio to access AWS Glue and other related services.
Ans. C https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonSageMakerFullAccess.html
B. Add a policy to the data engineer’s IAM user that includes the sts:AssumeRole action for the AWS Glue and SageMaker service principals in the trust policy. • This is the most appropriate solution. The sts:AssumeRole action allows the data engineer’s IAM user to assume a role that has the necessary permissions for both AWS Glue and SageMaker. This is a common approach for granting cross-service access in AWS.
OPtion A https://docs.aws.amazon.com/glue/latest/dg/glue-is-security.html
and You can attach AWSGlueServiceRole to your users, groups, and roles.
SageMaker Permissions: The AmazonSageMakerFullAccess managed policy provides broad permissions for using Amazon SageMaker features, including SageMaker Studio and the ability to interact with other AWS services like AWS Glue. Least Privilege: While this policy is quite permissive, it's the most direct solution to the immediate access issue. After resolving the error, you can refine permissions for a more granular approach.
https://repost.aws/knowledge-center/sagemaker-featuregroup-troubleshooting