
Access Denied read open data into Sagemaker

Cannot read AWS open data datasets into SageMaker. The error is:

    download failed: s3://fast-ai-imageclas/cifar100.tgz to ../../../tmp/fastai-images/cifar100.tgz An error occurred (AccessDenied) when calling the GetObject operation: Access Denied

[Image: code sagemaker notebook s3 download access denied]

The user has the s3:getObjects * permission

The user's permissions are the full s3 read policy and the full Sagemaker policies. The policies are

    "Version": "2012-10-17",
    "Statement": [
            "Effect": "Allow",
            "Action": [
            "Resource": "*"

    "Version": "2012-10-17",
    "Statement": [
            "Effect": "Allow",
            "Action": [
            "Resource": "*"
            "Effect": "Allow",
            "Action": [
            "Resource": "*"
            "Effect": "Allow",
            "Action": [
            "Resource": "arn:aws:ecr:*:*:repository/*sagemaker*"
            "Effect": "Allow",
            "Action": [
            "Resource": [
            "Effect": "Allow",
            "Action": [
            "Resource": "*"
            "Effect": "Allow",
            "Action": [
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "secretsmanager:ResourceTag/SageMaker": "true"
            "Effect": "Allow",
            "Action": [
            "Resource": [
            "Effect": "Allow",
            "Action": [
            "Resource": [
            "Effect": "Allow",
            "Action": [
            "Resource": [
            "Effect": "Allow",
            "Action": [
            "Resource": "*"
            "Effect": "Allow",
            "Action": [
            "Resource": "*",
            "Condition": {
                "StringEqualsIgnoreCase": {
                    "s3:ExistingObjectTag/SageMaker": "true"
            "Effect": "Allow",
            "Action": [
            "Resource": [
            "Action": "iam:CreateServiceLinkedRole",
            "Effect": "Allow",
            "Resource": "arn:aws:iam::*:role/aws-service-role/",
            "Condition": {
                "StringLike": {
                    "iam:AWSServiceName": ""
            "Effect": "Allow",
            "Action": "iam:CreateServiceLinkedRole",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "iam:AWSServiceName": ""
            "Effect": "Allow",
            "Action": [
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "iam:PassedToService": [

The SageMaker instance is in us-east-1, the same as the dataset.

The dataset is


  • Thanks to Matthew, I looked into the permissions of the notebook itself, not just the user using SageMaker.

    The policies on the notebook look like this and I can download from the AWS open data datasets!

    [Image: notebook settings]

    [Image: notebook permissions]
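The resolution above comes down to which principal actually signs the `GetObject` call: code in a notebook runs as the notebook's execution role, not as the IAM user who opened it. The following is an added example, not code from the original post. It maps an STS assumed-role ARN back to its IAM role and runs a simplified identity-policy check for the object in the error message. The account ID, user name, role name and both policy documents are constructed for illustration.

```python
import fnmatch
import re

def role_arn_from_caller(caller_arn):
    """Map an STS assumed-role ARN (the notebook's identity) to its IAM role ARN."""
    m = re.fullmatch(r"arn:(aws[\w-]*):sts::(\d{12}):assumed-role/([^/]+)/.+", caller_arn)
    if not m:
        return caller_arn  # already an IAM user or role ARN
    partition, account, role = m.groups()
    return f"arn:{partition}:iam::{account}:role/{role}"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def allows(policies, action, resource):
    """Simplified check: an explicit Deny wins, otherwise any matching Allow.
    Ignores Condition, NotAction/NotResource, SCPs, boundaries and bucket policies."""
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            act = any(fnmatch.fnmatchcase(action.lower(), a.lower())
                      for a in _as_list(stmt["Action"]))
            res = any(fnmatch.fnmatchcase(resource, r)
                      for r in _as_list(stmt["Resource"]))
            if act and res:
                if stmt["Effect"] == "Deny":
                    return False
                allowed = True
    return allowed

# Constructed policies: the user has broad S3 read access, while the notebook
# role may only read objects in buckets whose ARN contains "sagemaker".
USER = "arn:aws:iam::111122223333:user/analyst"
NOTEBOOK = "arn:aws:sts::111122223333:assumed-role/NotebookExecRole/SageMaker"
POLICIES_BY_PRINCIPAL = {
    USER: [{"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"}]}],
    "arn:aws:iam::111122223333:role/NotebookExecRole": [
        {"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Action": ["s3:GetObject"],
             "Resource": ["arn:aws:s3:::*sagemaker*"]}]}],
}

def can_get_object(caller_arn, bucket, key):
    """Evaluate s3:GetObject against the policies of the principal that signs the call."""
    principal = role_arn_from_caller(caller_arn)
    return allows(POLICIES_BY_PRINCIPAL.get(principal, []),
                  "s3:GetObject", f"arn:aws:s3:::{bucket}/{key}")
```

Inside a notebook, `aws sts get-caller-identity` prints the ARN to pass as `caller_arn`; an `assumed-role` ARN there means the execution role's policies are the ones to inspect.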