
I’m not able to associate a new role with my EC2 instance created via CreatePresignedNotebookInstanceUrl.

I’ve created a notebook instance via SageMaker like here: cloud.hacktricks.xyz. I’ve got my EC2 instance hosted in an AWS-owned account. When I do:

aws sts get-caller-identity

{
    "UserId": "XXXXXXXXXX",
    "Account": "YYYYYYYYY",
    "Arn": "arn:aws:sts::YYYYYYYYY:assumed-role/sagemakerRole/SageMaker"
}

With this role it’s not possible to do aws s3 ls, which is normal, so I’ve tried to associate another role, MyNewRole, which contains AdministratorAccess, AmazonS3FullAccess and AmazonSSMManagedInstanceCore:

aws ec2 associate-iam-instance-profile --instance-id <ec2-instance-id-of-notebook> --iam-instance-profile Name=MyNewRole

It gives me:

An error occurred (InvalidInstanceID.NotFound) when calling the AssociateIamInstanceProfile operation: The instance ID does not exist.

How is it possible that it could not find the instance? o_O
Is it because it’s hosted in an AWS-owned account??

2 Answers


  1. To update an IAM role for a SageMaker notebook instance, you’d have to stop the notebook instance and update the notebook’s associated IAM role.
    Console instructions – https://docs.aws.amazon.com/sagemaker/latest/dg/nbi-update.html

    If you’re using the CLI, use the stop-notebook-instance and update-notebook-instance calls.

    For example (the role ARN and notebook name are placeholders for your own values):

    aws sagemaker stop-notebook-instance \
        --notebook-instance-name my-notebook-name

    # wait until the notebook is stopped and then run the update command
    aws sagemaker wait notebook-instance-stopped \
        --notebook-instance-name my-notebook-name

    # --role-arn takes the full IAM role ARN, not just the role name
    aws sagemaker update-notebook-instance \
        --notebook-instance-name my-notebook-name \
        --role-arn arn:aws:iam::<account-id>:role/MyNewRole

    You can also attach these policies directly to your SageMaker assumed role (instead of updating the notebook’s role).

    While SageMaker notebook instances use EC2, the service is AWS managed, so you won’t be able to update the EC2 instance directly (you won’t see the EC2 instance in your list of running EC2 instances for the same reason).

  2. The behavior you’re experiencing is because the SageMaker Notebook Instances are not traditional EC2 instances in the context you might expect, even though they do run on EC2 infrastructure managed by AWS.

    When you create a SageMaker Notebook Instance, AWS SageMaker sets it up in their own managed account, not directly in your AWS account. Even though it’s technically an EC2 instance behind the scenes, it’s abstracted away and managed by the SageMaker service. This means you don’t have direct access to manage this "EC2 instance" like you would with regular EC2 instances created directly in your account.

    Here’s a breakdown of the issues:

    1. STS get-caller-identity Command: This command returns the ARN of the assumed SageMaker role. This role is what the SageMaker notebook uses to interact with other AWS services. This role should have the necessary permissions to interact with S3 or any other service you want to use within SageMaker.

    2. Associating a New Role: Directly associating an IAM role with the SageMaker "EC2 instance" using the aws ec2 associate-iam-instance-profile command won’t work because, as mentioned, this isn’t a traditional EC2 instance in your account. It’s a resource managed by SageMaker.

    3. Access to S3 and Other Services: Instead of trying to associate an EC2 IAM role, you need to update the permissions of the SageMaker execution role (sagemakerRole in your example). You can do this by attaching the necessary policies (e.g., AmazonS3FullAccess) to this role in the IAM dashboard. Once the role has the necessary permissions, your SageMaker notebook will have the appropriate access.

    In summary, to give your SageMaker notebook more permissions:

    1. Go to the IAM dashboard in the AWS Management Console.
    2. Locate the SageMaker execution role (e.g., sagemakerRole).
    3. Attach the necessary policies (like AmazonS3FullAccess) to this role.
    4. The changes will take effect in the SageMaker Notebook without needing to restart or recreate the notebook instance.

    [1] https://docs.aws.amazon.com/sagemaker/latest/dg/security_iam_service-with-iam.html

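Both answers come down to the same point: the object to change is the execution role behind the STS identity the notebook reports, not an EC2 instance profile. The following Python is an added example (not code from the question or either answer) that derives that IAM role ARN from the `Arn` field of `aws sts get-caller-identity`, and builds a least-privilege S3 policy scoped to one bucket and prefix as an alternative to attaching AmazonS3FullAccess. The sample caller identity, bucket name and prefix are constructed; the function names are this example's own. It runs offline because it only manipulates ARN strings and policy JSON; attaching the resulting policy still happens through the IAM console, CLI or SDK in your account.

```python
"""Map a SageMaker notebook's STS identity to its execution role and build a
scoped S3 policy for that role.

Added example, not code from the question or answers. Runs offline: it only
manipulates ARN strings and policy documents.
"""
import json
import re

# Shape of the Arn returned by `aws sts get-caller-identity` inside a notebook:
# arn:<partition>:sts::<account>:assumed-role/<RoleName>/<SessionName>
_ASSUMED_ROLE_RE = re.compile(
    r"^arn:(?P<partition>aws[a-zA-Z-]*):sts::(?P<account>\d{12}):"
    r"assumed-role/(?P<role>[\w+=,.@-]+)/(?P<session>[\w+=,.@-]+)$"
)


def execution_role_arn(sts_arn: str) -> str:
    """Return the IAM role ARN that an STS assumed-role ARN was assumed from.

    That IAM role (the notebook's execution role) is what the policies must be
    attached to; there is no EC2 instance profile in your account to swap.
    Caveat: STS ARNs omit the role's IAM path, so a role created under a path
    (e.g. /service-role/) needs that path inserted before the role name.
    """
    m = _ASSUMED_ROLE_RE.match(sts_arn)
    if not m:
        raise ValueError(f"not an STS assumed-role ARN: {sts_arn!r}")
    return f"arn:{m['partition']}:iam::{m['account']}:role/{m['role']}"


def scoped_s3_policy(bucket: str, prefix: str = "") -> dict:
    """Build a least-privilege S3 policy limited to one bucket (and prefix).

    Alternative to AmazonS3FullAccess: the notebook may list this bucket and
    read/write objects only under the given prefix.
    """
    if not re.fullmatch(r"[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]", bucket):
        raise ValueError(f"invalid bucket name: {bucket!r}")
    prefix = prefix.strip("/")
    object_arn = f"arn:aws:s3:::{bucket}/{prefix + '/' if prefix else ''}*"
    list_stmt = {
        "Sid": "ListBucket",
        "Effect": "Allow",
        "Action": "s3:ListBucket",
        "Resource": f"arn:aws:s3:::{bucket}",
    }
    if prefix:
        # Restrict ListBucket to keys under the prefix as well.
        list_stmt["Condition"] = {"StringLike": {"s3:prefix": [f"{prefix}/*"]}}
    return {
        "Version": "2012-10-17",
        "Statement": [
            list_stmt,
            {
                "Sid": "ObjectAccess",
                "Effect": "Allow",
                "Action": ["s3:GetObject", "s3:PutObject"],
                "Resource": object_arn,
            },
        ],
    }


# Constructed sample in the shape shown in the question (values are fake).
SAMPLE_CALLER_IDENTITY = {
    "UserId": "AROAEXAMPLEID:SageMaker",
    "Account": "123456789012",
    "Arn": "arn:aws:sts::123456789012:assumed-role/sagemakerRole/SageMaker",
}

if __name__ == "__main__":
    role = execution_role_arn(SAMPLE_CALLER_IDENTITY["Arn"])
    print("execution role to attach policies to:", role)
    print(json.dumps(scoped_s3_policy("my-training-data", "datasets"), indent=2))
```

The derived role ARN is the value you would pass as `--role-arn` to `update-notebook-instance`, or look up in the IAM console to attach the generated policy document; the policy output can be saved to a file and used with `aws iam put-role-policy --policy-document file://...`.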