I am trying to pull a prebuilt XGBoost image from the public AWS XGBoost registry specified here: https://docs.aws.amazon.com/sagemaker/latest/dg/ecr-us-west-2.html#xgboost-us-west-2.title. However, whenever I run the SageMaker pipeline I get the error:
ClientError: Failed to invoke sagemaker:CreateModelPackage.
Error Details: Access denied for registry ID: 246618743249, repository name: sagemaker-xgboost.
Please check if your ECR image exists and has proper pull permissions for SageMaker.
Here is the attached role boundary I am using to run the pipeline:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "codebuild:*"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "codepipeline:*"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "events:*"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:DescribeLogStreams",
        "logs:DescribeLogGroups",
        "logs:PutLogEvents"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "iam:PassRole"
      ],
      "Resource": [
        "arn:aws:iam::xxxxxxxxxxxx:role/ml-*"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "ecr:*"
      ],
      "Resource": [
        "arn:aws:ecr:us-west-2:246618743249:repository/246618743249.dkr.ecr.us-west-2.amazonaws.com/sagemaker-xgboost:1.0-1"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "ecr:GetAuthorizationToken"
      ],
      "Resource": [
        "*"
      ],
      "Effect": "Allow"
    }
  ]
}
And below are the attached policies for the role:
{
  "Statement": [
    {
      "Action": "ecr:*",
      "Effect": "Allow",
      "Resource": "*",
      "Sid": ""
    }
  ],
  "Version": "2012-10-17"
}
plus the AWSCodePipelineFullAccess, AWSCodeBuildAdminAccess, and AmazonSageMakerFullAccess managed policies.
Why can't I access the image/why am I getting this error? As you can see I gave my role full permissions for the ecr registry in the boundary, and full permissions for ecr in the attached policy.
I had to change the boundary to be this: arn:aws:ecr:us-west-2:246618743249:repository/sagemaker-xgboost
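Added example, not part of the original post: a simplified Python model of how a permissions boundary caps an identity policy, run against the ECR statements above to show why `ecr:*` on `*` in the attached policy was not enough. It assumes Allow-only statements with `Action`/`Resource` (no Deny, Condition, resource policies or SCPs); the function names are illustrative, and `ecr:BatchGetImage` is used as a representative pull action.

```python
import re

# ECR repository ARN format: arn:aws:ecr:<region>:<account>:repository/<name>
# (no registry hostname and no image tag).
REPO_ARN = "arn:aws:ecr:us-west-2:246618743249:repository/sagemaker-xgboost"
BAD_ARN = ("arn:aws:ecr:us-west-2:246618743249:repository/"
           "246618743249.dkr.ecr.us-west-2.amazonaws.com/sagemaker-xgboost:1.0-1")

def boundary(ecr_resource):
    """ECR statements of the boundary from the question, with a chosen resource ARN."""
    return {"Version": "2012-10-17", "Statement": [
        {"Action": ["ecr:*"], "Resource": [ecr_resource], "Effect": "Allow"},
        {"Action": ["ecr:GetAuthorizationToken"], "Resource": ["*"], "Effect": "Allow"}]}

# Attached identity policy from the question.
IDENTITY = {"Version": "2012-10-17", "Statement": [
    {"Action": "ecr:*", "Effect": "Allow", "Resource": "*", "Sid": ""}]}

def wildcard_match(pattern, value, ignore_case=False):
    """IAM-style wildcards: '*' is any run of characters, '?' is any single one."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                 for c in pattern)
    return re.fullmatch(rx, value, re.I if ignore_case else 0) is not None

def as_list(x):
    return x if isinstance(x, list) else [x]

def allows(policy, action, resource):
    """True if some Allow statement covers both the action and the resource."""
    return any(
        st.get("Effect") == "Allow"
        and any(wildcard_match(a, action, True) for a in as_list(st["Action"]))
        and any(wildcard_match(r, resource) for r in as_list(st["Resource"]))
        for st in as_list(policy["Statement"]))

def effective(bnd, identity, action, resource):
    """A request passes only if the boundary AND the identity policy allow it."""
    return allows(bnd, action, resource) and allows(identity, action, resource)

def report():
    """Evaluate a pull of the real repository under both versions of the boundary."""
    pull = ("ecr:BatchGetImage", REPO_ARN)
    return {"boundary as posted": effective(boundary(BAD_ARN), IDENTITY, *pull),
            "boundary after fix": effective(boundary(REPO_ARN), IDENTITY, *pull)}

if __name__ == "__main__":
    for label, ok in report().items():
        print(f"{label}: {'allowed' if ok else 'denied'}")
```

The posted boundary's resource string never matches the repository's actual ARN, so the boundary grants nothing on it and the intersection with the identity policy is empty.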