01 Define the trust relationship policy for the execution role. This trust policy allows Amazon SageMaker to use the role's permissions by giving the service principal "sagemaker.amazonaws.com" permission to call the AWS Security Token Service "AssumeRole" action. To create the required trust policy for the new role, save the following policy document to a JSON file named cc-role-trust-policy.json:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "sagemaker.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
02 Run the create-role command (OSX/Linux/UNIX) to create the necessary execution role using the trust relationship policy defined in the previous step:
aws iam create-role \
  --role-name cc-sagemaker-new-execution-role \
  --assume-role-policy-document file://cc-role-trust-policy.json
03 The command output should return the information available for the new IAM role:
{
  "Role": {
    "AssumeRolePolicyDocument": {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": "sts:AssumeRole",
          "Effect": "Allow",
          "Principal": {
            "Service": "sagemaker.amazonaws.com"
          }
        }
      ]
    },
    "RoleId": "AAAABBBBCCCCDDDDEEEE",
    "CreateDate": "2024-06-05T10:00:00Z",
    "RoleName": "cc-sagemaker-new-execution-role",
    "Path": "/",
    "Arn": "arn:aws:iam::123456789012:role/cc-sagemaker-new-execution-role"
  }
}
04 Run the attach-role-policy command (OSX/Linux/UNIX) to attach one or more IAM policies to the newly created execution role, according to your use case (the command does not produce an output). The following example uses the "AmazonSageMakerFullAccess" managed policy, which grants the execution role permission to perform certain Amazon S3 actions on buckets or objects with SageMaker, Sagemaker, sagemaker, or aws-glue in the name. If your use case requires more granular permissions, consult this page to create an execution role that meets your business needs:
aws iam attach-role-policy \
  --role-name cc-sagemaker-new-execution-role \
  --policy-arn arn:aws:iam::aws:policy/AmazonSageMakerFullAccess
05 Run the stop-notebook-instance command (OSX/Linux/UNIX) to stop the Amazon SageMaker notebook instance that you want to configure (the command does not produce an output):
aws sagemaker stop-notebook-instance \
  --region us-east-1 \
  --notebook-instance-name cc-sagemaker-ml-instance
06 Once the selected instance is stopped, run the update-notebook-instance command (OSX/Linux/UNIX) with the name of the SageMaker notebook instance that you want to configure as the identifier parameter, to replace the missing execution role with the new role created and configured in the previous steps (the command does not return an output):
aws sagemaker update-notebook-instance \
  --region us-east-1 \
  --notebook-instance-name cc-sagemaker-ml-instance \
  --role-arn arn:aws:iam::123456789012:role/cc-sagemaker-new-execution-role
07 Run the start-notebook-instance command (OSX/Linux/UNIX) to start the Amazon SageMaker notebook instance that you configured (the command does not produce an output):
aws sagemaker start-notebook-instance \
  --region us-east-1 \
  --notebook-instance-name cc-sagemaker-ml-instance
08 Repeat steps no. 1 – 7 for each SageMaker notebook instance that you want to configure, available in the selected AWS region.
09 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other regions.
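Steps 05 to 07 for one notebook instance, chained with the AWS CLI waiters so each command runs only after the instance has reached the required state. This is an added example, not part of the original procedure; the function name swap_notebook_role is hypothetical, and it assumes the role from steps 01 to 04 already exists.

```bash
# Added example: steps 05-07 for one notebook instance, as a single function.
# swap_notebook_role is a hypothetical helper name, not an AWS CLI command.
# Usage: swap_notebook_role <region> <notebook-instance-name> <iam-role-name>
swap_notebook_role() {
  local region instance role_name role_arn status current
  region="$1"; instance="$2"; role_name="$3"

  # Read the ARN back from IAM rather than typing it by hand, so the
  # account ID and path segment are exactly what create-role produced.
  role_arn="$(aws iam get-role --role-name "$role_name" \
    --query 'Role.Arn' --output text)" || return 1

  status="$(aws sagemaker describe-notebook-instance --region "$region" \
    --notebook-instance-name "$instance" \
    --query 'NotebookInstanceStatus' --output text)" || return 1

  # Step 05: stop only a running instance; refuse transitional states.
  case "$status" in
    InService)
      aws sagemaker stop-notebook-instance --region "$region" \
        --notebook-instance-name "$instance" || return 1 ;;
    Stopping|Stopped) ;;
    *) echo "instance is $status; not changing its role" >&2; return 1 ;;
  esac
  aws sagemaker wait notebook-instance-stopped --region "$region" \
    --notebook-instance-name "$instance" || return 1

  # Step 06: attach the new execution role.
  aws sagemaker update-notebook-instance --region "$region" \
    --notebook-instance-name "$instance" --role-arn "$role_arn" || return 1
  # The update is applied asynchronously (status "Updating"), so wait for
  # "Stopped" again before step 07.
  aws sagemaker wait notebook-instance-stopped --region "$region" \
    --notebook-instance-name "$instance" || return 1

  # Step 07: start the instance and wait until it is usable.
  aws sagemaker start-notebook-instance --region "$region" \
    --notebook-instance-name "$instance" || return 1
  aws sagemaker wait notebook-instance-in-service --region "$region" \
    --notebook-instance-name "$instance" || return 1

  # Confirm the instance now reports the new role.
  current="$(aws sagemaker describe-notebook-instance --region "$region" \
    --notebook-instance-name "$instance" \
    --query 'RoleArn' --output text)" || return 1
  [ "$current" = "$role_arn" ]
}
```

The function returns non-zero if any call fails or if the instance does not report the new role ARN afterwards, so it can be called in a loop over instances and regions for steps 08 and 09.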