aws-stepfunctions-tasks: state machine role is missing sagemaker:AddTags permission for SageMakerCreateTransformJob task #26012
Comments
I was able to work around this by adding the policy statement manually but IMO it should be there by default:
Thanks for the report. I think we probably should add the missing permissions here: aws-cdk/packages/aws-cdk-lib/aws-stepfunctions-tasks/lib/sagemaker/create-transform-job.ts Lines 237 to 271 in acfdbfa
Previous PR was closed over 2 months ago, and there has been no activity after that. So I submitted the new PR.
…Tags permission for SageMakerCreateTransformJob task (#27264) If we specified RUN_JOB as IntegrationPattern prop for SageMakerCreateTransformJob construct, StepFunctions executes SageMaker batch transform job [synchronously](https://docs.aws.amazon.com/step-functions/latest/dg/connect-to-resource.html#connect-sync). In this case, StepFunctions add a tag (key: MANAGED_BY_AWS, value: STARTED_BY_STEP_FUNCTIONS) to the job, so state machine role needs the permission to do that. However, currently CDK does not add the permission automatically. This PR solves the issue by adding `sagemaker:AddTags` permission to state machine role when RUN_JOB is specified as IntegrationPattern prop. Closes #26012 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Describe the bug

Using Python, I am trying to create a step functions state machine that runs an AWS SageMaker batch transform job using the `.sync` version of the API like this:

Note that I am not providing anything in the `role` parameter when I instantiate the `StateMachine`. When I try to execute the state machine, I get the following type of error:

When I take a closer look at what tags step functions is trying to set for the transform job (I am not setting any tags for the job myself), I see some AWS managed tags, which presumably the step functions service appends:

So from my viewpoint it seems that the role generated by CDK for the state machine should already by default include a policy that allows the `sagemaker:AddTags` action. When I tried spinning up the batch transform job with `sfn.IntegrationPattern.REQUEST_RESPONSE`, step functions didn't try to set any tags and submitting the job worked as expected.

Expected Behavior

The default role generated by CDK for the step functions state machine should have all the necessary permissions to start a job when using `integration_pattern=sfn.IntegrationPattern.RUN_JOB`, including `sagemaker:AddTags`.

Current Behavior

Got an error when step functions tried to create the batch transform job:

Reproduction Steps

Possible Solution

Not tested, but it seems that the policies for the role are added in: https://github.com/aws/aws-cdk/blob/main/packages/aws-cdk-lib/aws-stepfunctions-tasks/lib/sagemaker/create-transform-job.ts#L273. So simply adding a policy statement that allows `sagemaker:AddTags` there.

Additional Information/Context

No response
CDK CLI Version
2.81.0
Framework Version
No response
Node.js Version
v18.16.0
OS
MacOS 12.5
Language
Python
Language Version
3.10.9
Other information
No response
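A pre-deploy check for the gap this issue describes, as an added example (not aws-cdk code): given a synthesized state machine role policy and the task's integration pattern, it reports which of the two actions the report concerns is missing, and builds the manually added workaround statement mentioned in the first comment. The `IntegrationPattern` enum, the policy document and the ARN placeholder are constructed for the example.

```python
import fnmatch
from enum import Enum


class IntegrationPattern(Enum):
    REQUEST_RESPONSE = "REQUEST_RESPONSE"  # plain CreateTransformJob call
    RUN_JOB = "RUN_JOB"                    # the .sync variant from the issue


def required_actions(pattern: IntegrationPattern) -> set[str]:
    """Actions the role must allow. Only the two this issue is about; the real
    task needs others too, which this check ignores."""
    actions = {"sagemaker:CreateTransformJob"}
    if pattern is IntegrationPattern.RUN_JOB:
        # Step Functions tags the job MANAGED_BY_AWS=STARTED_BY_STEP_FUNCTIONS
        # before polling it, so the .sync pattern also needs AddTags.
        actions.add("sagemaker:AddTags")
    return actions


def allowed_actions(policy: dict) -> set[str]:
    """Action patterns granted by Allow statements (Action may be str or list)."""
    allowed: set[str] = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") == "Allow":
            action = stmt.get("Action", [])
            allowed.update([action] if isinstance(action, str) else action)
    return allowed


def missing_actions(policy: dict, pattern: IntegrationPattern) -> set[str]:
    """Required actions no Allow statement grants; IAM action names are
    case-insensitive and may contain '*' wildcards, hence lower-case fnmatch."""
    granted = [p.lower() for p in allowed_actions(policy)]
    return {a for a in required_actions(pattern)
            if not any(fnmatch.fnmatchcase(a.lower(), p) for p in granted)}


def add_tags_statement(transform_job_arn: str) -> dict:
    """The workaround statement, scoped to the job ARN rather than '*'."""
    return {"Effect": "Allow", "Action": "sagemaker:AddTags",
            "Resource": transform_job_arn}


# Constructed sample: a synthesized role policy lacking AddTags, as in the bug
# report; other statements CDK attaches are omitted, the ARN is a placeholder.
JOB_ARN = "arn:aws:sagemaker:<region>:<account>:transform-job/MyTransformJob*"
SYNTHESIZED_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sagemaker:CreateTransformJob", "Resource": JOB_ARN}]}
```

Run it against the role policy in the `cdk synth` output before deploying; with REQUEST_RESPONSE nothing is reported, with RUN_JOB it flags `sagemaker:AddTags` until the workaround statement is appended.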