Home > Software engineering >  create sagemaker notebook instance via Terraform
create sagemaker notebook instance via Terraform

Time:04-12

I am taking my first steps into the Terraform world so please be gentle with me. I have a user with AmazonSageMakerFullAccess, which I stored via AWS CLI in a profile called terraform. I can create an S3 bucket as follows no problem referring this user in Windows in VSC:

provider "aws" {
    region = "eu-west-2"
    shared_credentials_files = ["C:\\Users\\amazinguser\\.aws\\credentials"]
    profile = "terraform"
}

resource "aws_s3_bucket" "b" {
  bucket = "blabla-test-bucket"

  tags = {
    Name        = "amazing_tag"
    Environment = "dev"
  }
}

I try to implement this documented here and try to this:

resource "aws_sagemaker_notebook_instance" "notebook_instance" {
  name = "titanic-sagemaker-byoc-notebook"
  role_arn = aws_iam_role.notebook_iam_role.arn
  instance_type = "ml.t2.medium"
  #lifecycle_config_name = aws_sagemaker_notebook_instance_lifecycle_configuration.notebook_config.name
  #default_code_repository = aws_sagemaker_code_repository.git_repo.code_repository_name
}

I am a bit confused about the role_arn which is defined here:

https://github.com/dkhundley/terraform-sagemaker-tutorial/blob/main/Part 2a - Creating a SageMaker Notebook/terraform/iam.tf

Can I not use the above user? Thanks!

CodePudding user response:

AWS services trying to call other AWS services and perform actions are not allowed to do so by default. For example, SageMaker Notebooks are basically EC2 instances. In order for SageMaker to create EC2 instances, it has to have a policy which allows e.g., injecting ENIs to a VPC. Since you probably do not want to do all that by yourself (it is a managed Notebook service after all), you have to give SageMaker permissions to perform actions on your behalf. Enter execution roles. For SageMaker, you can read more in [1]. Other services that you will commonly find using execution roles are Lambda, ECS and many others. An IAM role usually consists of two parts:

  1. Trust relationship (I like to call it trust policy)
  2. Permissions policy

The first one decides which principal (AWS identifier, Service etc. [2]) will be able to assume the role. In your example, that is:

data "aws_iam_policy_document" "sm_assume_role_policy" {
  statement {
    actions = ["sts:AssumeRole"]
    
    principals {
      type = "Service"
      identifiers = ["sagemaker.amazonaws.com"]
    }
  }
}

What this policy says is "I am going to allow SageMaker (which is of type Service) to assume any role to which this policy is attached and perform actions that are defined in the permissions policy". The permissions policy is:

# Attaching the AWS default policy, "AmazonSageMakerFullAccess"
resource "aws_iam_policy_attachment" "sm_full_access_attach" {
  name = "sm-full-access-attachment"
  roles = [aws_iam_role.notebook_iam_role.name]
  policy_arn = "arn:aws:iam::aws:policy/AmazonSageMakerFullAccess"
}

Without going into too much details about what the AWS managed policy for SageMaker does, it is enough to see the FullAccess part for it to be clear. What you could do if you want to be extra careful is to define a customer managed policy [3] for SageMaker notebooks. This permissions policy will be attached to the IAM role(s) defined in the roles argument. Note that it is a list, so multiple roles can have the same permissions policy attached.

Last, but not the least, the glue between the trust and permissions policy is the role itself:

resource "aws_iam_role" "notebook_iam_role" {
  name = "sm_notebook_role"
  assume_role_policy = data.aws_iam_policy_document.sm_assume_role_policy.json
}

As you can see, the assume_role_policy is the policy which will allow SageMaker to perform actions in the AWS account based on the permissions defined in the permissions policy.

This topic is much more complex than in this answer, but it should give you a fair amount of information.

NOTE: In theory, the same role accessing information in AWS and running the AWS API actions when using Terraform could be used for SageMaker, but I would strongly advise against it. Always keep in mind separation of concerns and principle of least privilege.


[1] https://docs.aws.amazon.com/sagemaker/latest/dg/sagemaker-roles.html#sagemaker-roles-create-execution-role

[2] https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html

[3] https://docs.aws.amazon.com/acm/latest/userguide/authen-custmanagedpolicies.html

  • Related