AWS CreateDeviceFleet operation fails because "the account id does not have ownership on bucket"

Time:01-11

I'm having an issue with AWS when I try to create a device fleet with SageMaker:

import boto3

# Placeholder values standing in for the variables the snippet does not define
AWS_REGION = "<region>"
device_fleet_name = "<device-fleet-name>"
iot_role_arn = "arn:aws:iam::<account-id>:role/<iot-role>"
s3_device_fleet_output = "s3://<bucket-name>/<prefix>/"

sagemaker_client = boto3.client('sagemaker', region_name=AWS_REGION)
sagemaker_client.create_device_fleet(
    DeviceFleetName=device_fleet_name,
    RoleArn=iot_role_arn,
    OutputConfig={
        'S3OutputLocation': s3_device_fleet_output
    }
)

It raises the following exception:

ClientError: An error occurred (ValidationException) when calling the CreateDeviceFleet operation: The account id <my-account-id> does not have ownership on bucket: <bucket-name>

I don't get it, because I created the bucket, so I should be the owner. I have not found how to check or change bucket ownership.

I tried changing the bucket policy as follows but it didn't help.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Statement1",
            "Principal": {
                "AWS": "arn:aws:iam::<id>:user/<user>"
            },
            "Effect": "Allow",
            "Action": "*",
            "Resource": [
                "arn:aws:s3:::<bucket-name>",
                "arn:aws:s3:::<bucket-name>/*"
            ]
        }
    ]
}

I also tried with SageMaker's GUI; it fails for the same reason (ValidationException, the account id <my-account-id> does not have ownership on bucket: <bucket-name>).

CodePudding user response:

This bucket policy made it work:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Statement1",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<account-id>:role/<iot-role>"
            },
            "Action": "*",
            "Resource": [
                "arn:aws:s3:::<bucket-name>",
                "arn:aws:s3:::<bucket-name>/*"
            ]
        }
    ]
}

I still don't fully get it, because the role had full access on S3 buckets, so I don't know why editing the bucket's policy changed something, but it works.
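Two things a practitioner would want after the accepted fix above: the working policy grants "Action": "*" to the role, which is far more than a fleet output path needs, and the asker could not find a way to check bucket ownership. The script below is an added example, not code from the question or the answer. It builds a least-privilege version of the answer's bucket policy, flags wildcard statements like the ones in both policies on this page, and checks ownership by comparing the caller's canonical user ID (from list_buckets) with the bucket owner's (from get_bucket_acl). The account ID, role name, bucket name, prefix and the fake S3 client are all placeholders or constructed stand-ins; the exact action set SageMaker Edge needs is an assumption to be confirmed against the service documentation.

```python
"""Least-privilege bucket policy for a device-fleet role, a wildcard linter,
and an offline-testable bucket ownership check. Added example; all names are
placeholders, and the S3 client used in the demo is a constructed fake."""
import json

# Placeholders for the page's <account-id>, <iot-role> and <bucket-name>
ACCOUNT_ID = "123456789012"
IOT_ROLE = "iot-role"
BUCKET = "bucket-name"
PREFIX = "device-fleet-output/"

# The asker's first attempt, reproduced with placeholder values, for the linter
ASKER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Statement1",
        "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:user/some-user"},
        "Effect": "Allow",
        "Action": "*",
        "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
    }],
}


def build_device_fleet_bucket_policy(account_id, role_name, bucket, prefix):
    """Grant the role only list/read/write on the fleet output prefix.

    The action set is an assumption about what the fleet needs; it replaces
    the "Action": "*" grant from the answer with scoped permissions."""
    role_arn = f"arn:aws:iam::{account_id}:role/{role_name}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ListFleetPrefix",
                "Effect": "Allow",
                "Principal": {"AWS": role_arn},
                "Action": "s3:ListBucket",
                "Resource": f"arn:aws:s3:::{bucket}",
                # Listing is only allowed under the fleet prefix
                "Condition": {"StringLike": {"s3:prefix": [f"{prefix}*"]}},
            },
            {
                "Sid": "ReadWriteFleetObjects",
                "Effect": "Allow",
                "Principal": {"AWS": role_arn},
                "Action": ["s3:GetObject", "s3:PutObject"],
                "Resource": f"arn:aws:s3:::{bucket}/{prefix}*",
            },
        ],
    }


def _as_list(value):
    """IAM allows scalars or lists in Action/Principal; normalise to a list."""
    return value if isinstance(value, list) else [value]


def find_overbroad_statements(policy):
    """Return the Sids of Allow statements with a wildcard action or principal."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        principal = stmt.get("Principal", {})
        # Principal may be "*" or {"AWS": "<arn>"} or {"AWS": [...]}
        principals = (_as_list(principal.get("AWS", []))
                      if isinstance(principal, dict) else [principal])
        if any(a in ("*", "s3:*") for a in actions) or "*" in principals:
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings


def bucket_owned_by_caller(s3_client, bucket):
    """True when the caller's canonical user ID matches the bucket owner's.

    Works with a real boto3.client("s3"); both calls return an Owner.ID key."""
    caller_id = s3_client.list_buckets()["Owner"]["ID"]
    owner_id = s3_client.get_bucket_acl(Bucket=bucket)["Owner"]["ID"]
    return caller_id == owner_id


class _FakeS3:
    """Constructed stand-in for boto3's S3 client so the check runs offline."""
    def __init__(self, caller_id, owners):
        self._caller_id = caller_id
        self._owners = owners

    def list_buckets(self):
        return {"Owner": {"ID": self._caller_id}, "Buckets": []}

    def get_bucket_acl(self, Bucket):
        return {"Owner": {"ID": self._owners[Bucket]}, "Grants": []}


def constructed_fake_s3():
    """Constructed sample: the caller owns bucket-name but not other-bucket."""
    return _FakeS3("canonical-caller", {"bucket-name": "canonical-caller",
                                        "other-bucket": "canonical-other"})


if __name__ == "__main__":
    scoped = build_device_fleet_bucket_policy(ACCOUNT_ID, IOT_ROLE, BUCKET, PREFIX)
    print(json.dumps(scoped, indent=4))
    print("over-broad in asker's policy:", find_overbroad_statements(ASKER_POLICY))
    print("over-broad in scoped policy:", find_overbroad_statements(scoped))
    print("owns bucket-name:", bucket_owned_by_caller(constructed_fake_s3(), "bucket-name"))
```

To run the ownership check for real, pass `boto3.client("s3")` to `bucket_owned_by_caller`; a mismatch there means the bucket belongs to a different account (or canonical user) than the one making the SageMaker call, which is the situation the ValidationException on this page describes.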
