fix: Allow sagemaker to have the proper IAM permission to autostop itself #515
Codecov Report
@@ Coverage Diff @@
## develop #515 +/- ##
========================================
Coverage 49.04% 49.04%
========================================
Files 243 243
Lines 12503 12503
Branches 2012 2012
========================================
Hits 6132 6132
Misses 5564 5564
Partials 807 807
|
Action: | ||
- sagemaker:DescribeNotebookInstance | ||
- sagemaker:StopNotebookInstance | ||
Resource: '*' |
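Review bot: `Resource: '*'` on this statement lets the boundary permit `sagemaker:StopNotebookInstance` and `sagemaker:DescribeNotebookInstance` on any notebook instance, so any narrowing to a single notebook has to come from another policy. If a `!Ref` to the notebook resource cannot be used here, consider an ARN pattern such as `!Sub 'arn:${AWS::Partition}:sagemaker:${AWS::Region}:${AWS::AccountId}:notebook-instance/*'`, which confines the statement to notebook instances in this account and region without depending on the notebook resource. Either way, a short comment on the statement saying why it is broader than the role policy would help the next reader.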
Can we restrict the resource here?
Can the reference be `- !Ref BasicNotebookInstance`?
I don't think we can reference it because the notebook is created after this policy is created. More info here. Also since this is a permission boundary I think it's ok to have a broader resource section here. In the actual Sagemaker IAM role, we do scope the permission down to just the notebook.
Yeah, that's what I was trying to understand. If the IAM policy can reference the instance then why can't permission boundary policy do the same.

> I think it's ok to have a broader resource section here. In the actual Sagemaker IAM role, we do scope the permission down to just the notebook.

Yeah, that's why I approved the change. But I am still curious if it could have been done just like we did with IAM policy.
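The argument in the thread above, that a broad permission boundary is tolerable because the role's own policy is scoped to one notebook, worked through as an added example (not code from this PR or the project). The ARNs, both role policies and the evaluator are constructed for illustration; the evaluator is a simplification that ignores conditions, `NotAction`, SCPs and resource policies.

```python
from fnmatch import fnmatchcase

# Constructed ARNs: account id, region and notebook names are placeholders.
PREFIX = "arn:aws:sagemaker:us-east-1:111122223333:notebook-instance/"
NOTEBOOK = PREFIX + "basic-notebook"
OTHER = PREFIX + "other-notebook"
ACTIONS = ["sagemaker:DescribeNotebookInstance", "sagemaker:StopNotebookInstance"]

# Permission boundary carrying the statement from the hunk (Resource: '*').
BOUNDARY = [{"Effect": "Allow", "Action": ACTIONS, "Resource": "*"}]
# Hypothetical role policy scoped to the one notebook, as the reply describes.
ROLE_POLICY = [{"Effect": "Allow", "Action": ACTIONS, "Resource": NOTEBOOK}]
# Hypothetical over-broad role policy, to show what the boundary still caps.
BROAD_ROLE_POLICY = [{"Effect": "Allow", "Action": "sagemaker:*", "Resource": "*"}]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(stmt, action, resource):
    # IAM action names are case-insensitive; resource ARNs are case-sensitive.
    # fnmatch covers the * and ? wildcards used here (simplified matching).
    act = any(fnmatchcase(action.lower(), p.lower()) for p in _as_list(stmt["Action"]))
    res = any(fnmatchcase(resource, p) for p in _as_list(stmt["Resource"]))
    return act and res


def policy_allows(statements, action, resource):
    """True if some Allow statement matches and no Deny statement matches."""
    hits = [s["Effect"] for s in statements if _matches(s, action, resource)]
    return "Allow" in hits and "Deny" not in hits


def effective_allow(identity, boundary, action, resource):
    """With a boundary attached, a request must be allowed by BOTH policies."""
    return (policy_allows(identity, action, resource)
            and policy_allows(boundary, action, resource))


if __name__ == "__main__":
    stop = "sagemaker:StopNotebookInstance"
    for name, policy in (("scoped", ROLE_POLICY), ("broad", BROAD_ROLE_POLICY)):
        for target in (NOTEBOOK, OTHER):
            verdict = effective_allow(policy, BOUNDARY, stop, target)
            print(f"{name:6} role policy, {target.rsplit('/', 1)[1]:15} -> {verdict}")
```

With the scoped role policy the role can stop only its own notebook; with the broad one, the `'*'` boundary is the only ceiling and the stop call reaches every notebook, which is why the boundary's resource scope still matters if the role policy ever widens.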
* feature: updated UI for AWS accounts page with cards instead of a list box. * feature: added API calls to update AWS Account, added functionality to check permissions status and update with DB table on backend * feat: adds filter buttons for accounts as well as code cleanup and general UX improvements. * fix: fixed budget buttons on account cards to correctly direct to the budget page * fix: cleaned up code, added unit test, added entry to openapi.yaml * fix: removed unused file * fix: made some buttons look better * fix: added unit test to increase codecov and fixed a minor bug in AwsAccountsStore * chore: docs dependency fix (#505) * chore(deps): bump dns-packet from 1.3.1 to 1.3.4 in /docs (#507) * chore(deps): bump dns-packet from 1.3.1 to 1.3.4 in /docs Bumps [dns-packet](https://github.com/mafintosh/dns-packet) from 1.3.1 to 1.3.4. - [Release notes](https://github.com/mafintosh/dns-packet/releases) - [Changelog](https://github.com/mafintosh/dns-packet/blob/master/CHANGELOG.md) - [Commits](mafintosh/dns-packet@v1.3.1...v1.3.4) Signed-off-by: dependabot[bot] <support@github.com> * fix: trigger build * feat: Add warning that internal authentication shouldn't be used in production (#506) * feat: Encrypt s3 buckets for EMR log bucket and CICD Artifact bucket (#508) * chore: Disable EBS volume for storage gateway (#511) Co-authored-by: Tim Nguyen <thingut@amazon.com> * fix: changes suggested by Yanyu in CR * fix: minor change to openapi.yml * fix: removed unneccessary script * fix: removed reliance on undefined value for needsPermissionUpdate * fix: changed NEW to ONBOARDME for better clarity * Update settings.json * Update settings.json * removed confusing half-implemented function and replaced with placeholder * chore: Add encryption to CICD SNS topic (#512) Co-authored-by: Tim Nguyen <thingut@amazon.com> * fix: Allow sagemaker to have the proper IAM permission to autostop itself (#515) * chore: Enable access logging for env-type-configs bucket (#520) * chore: 
Enable server side encryption on prepare master and edge lambda bucket (#521) * fix: Corrected Spark defaults to fix read/write functionality from Spark (#526) Co-authored-by: Yanyu Zheng <yz2690@columbia.edu> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Tim Nguyen <nguyen102@users.noreply.github.com> Co-authored-by: Tim Nguyen <thingut@amazon.com> Co-authored-by: Jeet <68876606+jn1119@users.noreply.github.com>
…ostop itself (awslabs#515)" This reverts commit 6d6e0ed.
Issue #, if available:
Description of changes:
`envStatusPollHandler` to run once every minute instead of once every 3 minutes. (More accurate, since users can choose to have Sagemaker stop itself after 1 minute of inactivity)

I tested that Sagemaker was able to stop itself after inactivity. I saw the Sagemaker instance was stopped on the AWS Console and within SWB UI.
Checklist:
AS review ticket id:
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.