I'm having an issue with AWS when I try to create a device fleet with SageMaker:

    import boto3

    # AWS_REGION, device_fleet_name, iot_role_arn and s3_device_fleet_output
    # are defined elsewhere in the script.
    sagemaker_client = boto3.client('sagemaker', region_name=AWS_REGION)
    sagemaker_client.create_device_fleet(
        DeviceFleetName=device_fleet_name,
        RoleArn=iot_role_arn,
        OutputConfig={
            'S3OutputLocation': s3_device_fleet_output
        }
    )

It raises the following exception:

    ClientError: An error occurred (ValidationException) when calling the CreateDeviceFleet operation: The account id <my-account-id> does not have ownership on bucket: <bucket-name>

I don't get it because I created the bucket so I should be the owner. I have not found how to check or change bucket ownership.
I tried changing the bucket policy as follows but it didn't help.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "Statement1",
                "Principal": {
                    "AWS": "arn:aws:iam::<id>:user/<user>"
                },
                "Effect": "Allow",
                "Action": "*",
                "Resource": [
                    "arn:aws:s3:::<bucket-name>",
                    "arn:aws:s3:::<bucket-name>/*"
                ]
            }
        ]
    }

I also tried with SageMaker's GUI; it fails for the same reason (ValidationException, the account id <my-account-id> does not have ownership on bucket: <bucket-name>).
This bucket policy made it work:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "Statement1",
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::<account-id>:role/<iot-role>"
                },
                "Action": "*",
                "Resource": [
                    "arn:aws:s3:::<bucket-name>",
                    "arn:aws:s3:::<bucket-name>/*"
                ]
            }
        ]
    }

I still don't fully get it, because the role had full access on S3 buckets so I don't know why editing the bucket's policy changed something, but it works.
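
Both bucket policies in the post grant "Action": "*" to the principal. As an added example (not code from the post), the sketch below flags such statements and splits each into a bucket-level and an object-level grant. The two action lists are assumptions, not taken from the post, and should be checked against what the fleet role actually calls before the policy is applied.

```python
import copy
import json

# Constructed copy of the bucket policy from the post; placeholders kept as-is.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Statement1",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::<account-id>:role/<iot-role>"},
        "Action": "*",
        "Resource": ["arn:aws:s3:::<bucket-name>", "arn:aws:s3:::<bucket-name>/*"],
    }],
}
# Assumption, not from the post: the S3 actions the fleet role actually uses.
BUCKET_ACTIONS = ["s3:GetBucketLocation", "s3:ListBucket"]
OBJECT_ACTIONS = ["s3:GetObject", "s3:PutObject"]

def as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def is_wildcard(stmt):
    """True for an Allow statement whose Action contains '*' or 's3:*'."""
    actions = {a.lower() for a in as_list(stmt.get("Action", []))}
    return stmt.get("Effect") == "Allow" and bool(actions & {"*", "s3:*"})

def wildcard_statements(policy):
    """Sids of the statements that grant every action."""
    return [s.get("Sid", "<no Sid>") for s in as_list(policy["Statement"]) if is_wildcard(s)]

def narrow(policy, bucket_actions, object_actions):
    """Replace each wildcard Allow with bucket-level and object-level statements."""
    out = {**policy, "Statement": []}
    for stmt in as_list(policy["Statement"]):
        if not is_wildcard(stmt):
            out["Statement"].append(copy.deepcopy(stmt))
            continue
        resources = as_list(stmt["Resource"])
        # Object ARNs carry a key part after "/", bucket ARNs do not.
        groups = (("Bucket", bucket_actions, [r for r in resources if "/" not in r]),
                  ("Objects", object_actions, [r for r in resources if "/" in r]))
        for suffix, actions, res in groups:
            if res:
                new = copy.deepcopy(stmt)  # keeps Principal, Effect, any Condition
                new.update(Sid=stmt.get("Sid", "Stmt") + suffix,
                           Action=list(actions), Resource=res)
                out["Statement"].append(new)
    return out

if __name__ == "__main__":
    print("wildcard statements:", wildcard_statements(POLICY))
    print(json.dumps(narrow(POLICY, BUCKET_ACTIONS, OBJECT_ACTIONS), indent=2))
```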