I’m not able to associate a new role for my EC2 instance created via CreatePresignedNotebookInstanceUrl.

I’ve created a notebook instance via SageMaker like here: cloud.hacktricks.xyz. I’ve got my EC2 instance hosted in an AWS-owned account. When I do:

```
aws sts get-caller-identity
{
    "UserId": "XXXXXXXXXX",
    "Account": "YYYYYYYYY",
    "Arn": "arn:aws:sts::YYYYYYYYY:assumed-role/sagemakerRole/SageMaker"
}
```

With this role it’s not possible to do `aws s3 ls`, which is normal, so I’ve tried to associate another role MyNewRole which contains AdministratorAccess, AmazonS3FullAccess and AmazonSSMManagedInstanceCore:

```
aws ec2 associate-iam-instance-profile --instance-id <ec2-instance-id-of-notebook> --iam-instance-profile Name=MyNewRole
```

It gives me:

```
An error occurred (InvalidInstanceID.NotFound) when calling the AssociateIamInstanceProfile operation: The instance ID does not exist.
```

How is that possible that it could not find the instance? o_O
Is it because it’s hosted in an AWS-owned account??
2 Answers
To update an IAM role for a SageMaker notebook instance, you’d have to stop the notebook instance and update the notebook’s associated IAM role.
Console instructions – https://docs.aws.amazon.com/sagemaker/latest/dg/nbi-update.html
If you’re using the CLI, use the stop-notebook-instance and update-notebook-instance calls.
For example,
You can also attach these policies directly to your SageMaker assumed role (instead of updating the notebook’s role).
While SageMaker notebook instances use EC2, the service is AWS managed, so you won’t be able to update the EC2 instance directly (you won’t see the EC2 instance in your list of running EC2 instances for the same reason).
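The stop, update-role, start sequence this answer describes, written out as an added shell example (it is not the answer's own code). It assumes the AWS CLI is configured with `sagemaker:StopNotebookInstance`, `sagemaker:UpdateNotebookInstance`, `sagemaker:StartNotebookInstance` and `sagemaker:DescribeNotebookInstance` permissions, and the notebook name and role ARN passed on the command line are placeholders. `update-notebook-instance` is only accepted while the instance status is `Stopped`, so the script checks the status first and uses the CLI's built-in waiters rather than polling by hand.

```shell
#!/bin/sh
# Added example (not from the original answer): change the execution role of a
# SageMaker notebook instance from the operator's machine with the AWS CLI.
# Usage: sh update-notebook-role.sh <notebook-name> <new-role-arn>
set -eu

# Role ARN the notebook instance currently reports.
notebook_role_arn() {
  aws sagemaker describe-notebook-instance \
    --notebook-instance-name "$1" \
    --query 'RoleArn' --output text
}

# Lifecycle status: Pending, InService, Stopping, Stopped, Failed, ...
notebook_status() {
  aws sagemaker describe-notebook-instance \
    --notebook-instance-name "$1" \
    --query 'NotebookInstanceStatus' --output text
}

# Stop the instance if needed, swap the role, bring it back up and
# print the role ARN the service reports afterwards.
update_notebook_role() {
  name=$1
  new_role=$2
  if [ "$(notebook_status "$name")" != "Stopped" ]; then
    aws sagemaker stop-notebook-instance --notebook-instance-name "$name"
    aws sagemaker wait notebook-instance-stopped --notebook-instance-name "$name"
  fi
  # Only accepted while the instance is Stopped.
  aws sagemaker update-notebook-instance \
    --notebook-instance-name "$name" \
    --role-arn "$new_role"
  aws sagemaker start-notebook-instance --notebook-instance-name "$name"
  aws sagemaker wait notebook-instance-in-service --notebook-instance-name "$name"
  notebook_role_arn "$name"
}

# Run only when invoked with arguments, so the functions can also be sourced.
if [ "$#" -ge 2 ]; then
  update_notebook_role "$1" "$2"
fi
```

The final `describe-notebook-instance` call is the check worth keeping: it confirms the service actually recorded the new role, which is the only place the change can be verified, since the underlying EC2 instance is never visible in your account.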
The behavior you’re experiencing is because the SageMaker Notebook Instances are not traditional EC2 instances in the context you might expect, even though they do run on EC2 infrastructure managed by AWS.

When you create a SageMaker Notebook Instance, AWS SageMaker sets it up in their own managed account, not directly in your AWS account. Even though it’s technically an EC2 instance behind the scenes, it’s abstracted away and managed by the SageMaker service. This means you don’t have direct access to manage this "EC2 instance" like you would with regular EC2 instances created directly in your account.

Here’s a breakdown of the issues:

- STS `get-caller-identity` Command: This command returns the ARN of the assumed SageMaker role. This role is what the SageMaker notebook uses to interact with other AWS services. This role should have the necessary permissions to interact with S3 or any other service you want to use within SageMaker.
- Associating a New Role: Directly associating an IAM role to the SageMaker "EC2 instance" using the `aws ec2 associate-iam-instance-profile` command won’t work because, as mentioned, this isn’t a traditional EC2 instance in your account. It’s a managed resource by SageMaker.
- Access to S3 and Other Services: Instead of trying to associate an EC2 IAM role, you need to update the permissions of the SageMaker execution role (`sagemakerRole` in your example). You can do this by attaching the necessary policies (e.g., `AmazonS3FullAccess`) to this role in the IAM dashboard. Once the role has the necessary permissions, your SageMaker notebook will have the appropriate access.

In summary, to give your SageMaker notebook more permissions:

1. Find the SageMaker execution role (`sagemakerRole`).
2. Attach the necessary policies (e.g., `AmazonS3FullAccess`) to this role.

[1] https://docs.aws.amazon.com/sagemaker/latest/dg/security_iam_service-with-iam.html
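Both answers attach the managed `AmazonS3FullAccess` policy to the execution role. The added example below (not code from either answer) shows the same step done through the CLI, but with an inline policy scoped to one bucket, which is what you would normally want on a role that every notebook user can exercise: the role name, bucket name and the `sagemaker-s3-<bucket>` policy name are placeholders, and the script assumes the caller holds `iam:PutRolePolicy`, `iam:ListAttachedRolePolicies` and `iam:ListRolePolicies`.

```shell
#!/bin/sh
# Added example (not from the original answers): grant a SageMaker execution
# role access to a single S3 bucket with an inline, bucket-scoped policy
# instead of the account-wide AmazonS3FullAccess managed policy.
# Usage: sh grant-bucket-access.sh <execution-role-name> <bucket-name>
set -eu

# Least-privilege policy document for one bucket: list on the bucket ARN,
# get/put on the objects under it. No wildcard actions, no wildcard resources.
s3_bucket_policy_doc() {
  bucket=$1
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:ListBucket"],
      "Resource": "arn:aws:s3:::$bucket"
    },
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:PutObject"],
      "Resource": "arn:aws:s3:::$bucket/*"
    }
  ]
}
EOF
}

# Attach the document as an inline policy on the execution role.
# IAM is a global service, so no --region is needed.
grant_bucket_access() {
  role=$1
  bucket=$2
  aws iam put-role-policy \
    --role-name "$role" \
    --policy-name "sagemaker-s3-$bucket" \
    --policy-document "$(s3_bucket_policy_doc "$bucket")"
}

# Review what the role can do afterwards: managed policies, then inline ones.
show_role_policies() {
  aws iam list-attached-role-policies --role-name "$1" \
    --query 'AttachedPolicies[].PolicyName' --output text
  aws iam list-role-policies --role-name "$1" \
    --query 'PolicyNames' --output text
}

if [ "$#" -ge 2 ]; then
  grant_bucket_access "$1" "$2"
  show_role_policies "$1"
fi
```

The notebook picks the new permissions up through its existing assumed-role credentials on the next refresh, with no stop/start needed, which is why this route is the quicker of the two when the goal is only to widen what the existing `sagemakerRole` may touch.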