如果所有实例都使用相同的 IAM 角色,如何确定哪个 SageMaker 笔记本实例进行了特定 API 调用?

上次更新日期:2021 年 11 月 11 日

我有多个 Amazon SageMaker 笔记本实例。它们都使用相同的 AWS Identity and Access Management (IAM) 角色。无论哪个笔记本实例执行了操作,每个 API 操作的 AWS CloudTrail 事件都会显示相同的 PrincipalID(会话名称)。我如何判断哪个笔记本实例执行了哪些 API 操作?

简短描述

当您有多个具有相同 IAM 角色的 SageMaker 实例时,您无法通过 CloudTrail 事件确定哪个笔记本实例执行了特定 API 操作。

示例:

{
    "eventVersion": "1.05",
    "userIdentity": {
        "type": "AssumedRole",
        "principalId": "AAAAAAAAAAAAAAAAAA:SageMaker",
       
    "arn": "arn:aws:sts::111122223333:assumed-role/AmazonSageMaker-ExecutionRole/SageMaker",

解决方法

1.    为 SageMaker 笔记本实例创建 IAM 执行角色。或者,使用现有的执行角色。在以下步骤中,执行角色的 Amazon 资源名称 (ARN) 为 arn:aws:iam::111122223333:role/service-role/AmazonSageMaker-ExecutionRole

2.    附加执行角色中包括 sts:AssumeRole 的 IAM 策略。sts:AssumeRole 操作允许执行角色使用不同的会话名称代入自己。

示例:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "arn:aws:iam::111122223333:role/service-role/AmazonSageMaker-ExecutionRole"
        }
    ]
}

3.    创建开始笔记本生命周期配置脚本,类似于下面的示例。此示例脚本检索笔记本实例名称,然后使用该名称作为会话名称。

#Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.

#Permission is hereby granted, free of charge, to any person obtaining a copy of this
#software and associated documentation files (the "Software"), to deal in the Software
#without restriction, including without limitation the rights to use, copy, modify,
#merge, publish, distribute, sublicense, and/or sell copies of the Software, and to
#permit persons to whom the Software is furnished to do so.

#THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,
#INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
#PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
#HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
#OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
#SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

#!/bin/bash

set -ex

# Obtain the name of the notebook instance
nbname=$(jq -r '.ResourceName' /opt/ml/metadata/resource-metadata.json)
echo "Notebook Name = $nbname"

# Use the AWS Command Line Interface (AWS CLI) to obtain the Amazon Resource Name (ARN) of the IAM execution role
nbinfo=$(aws sagemaker describe-notebook-instance --notebook-instance-name $nbname)
nbrole=$(jq -r '.RoleArn' <<< "$nbinfo")
echo "Notebook Role = $nbrole"

# Obtain the Region of the notebook instance
nbregion=$(aws configure get region)
echo "Notebook Region = $nbregion"

# Write Assume Role Provider Settings to a new config file
echo "Writing new config file"
cat > /home/ec2-user/.aws/config.new <<EOF1
[default]
region=$nbregion
role_arn = $nbrole
credential_source = Ec2InstanceMetadata
role_session_name = $nbname
sts_regional_endpoints = regional
EOF1

echo "Moving new config to config file"
sudo mv /home/ec2-user/.aws/config.new /home/ec2-user/.aws/config

# Secure the "config" file so that it can't be deleted/updated without root user permissions
sudo chattr +i /home/ec2-user/.aws/config

4.    创建 SageMaker 笔记本实例(如 test-2)并附上您在上一步骤中创建的生命周期配置脚本。

5.    创建一个已关闭 root 访问权限的 SageMaker 笔记本实例。这限制了用户 ec2-user 删除或更新配置文件。

6.    要识别执行 API 操作的笔记本实例,请检查 CloudTrail 事件。在 userIdentity 对象下面,principalIdarn 显示笔记本实例名称。例如,以下事件详细信息显示 test-2 的 SageMaker 笔记本实例进行了 API 调用。

{
    "eventVersion": "1.05",
    "userIdentity": {
        "type": "AssumedRole",
        "principalId": "AAAAAAAAAAAAAAAAAAAA:test-2",
        "arn": "arn:aws:sts::111122223333:assumed-role/AmazonSageMaker-ExecutionRole/test-2",
        "accountId": "111122223333",
        "accessKeyId": "AAAAAAAAAAAAAAAAAAAA",
        "sessionContext": {
            "sessionIssuer": {
                "type": "Role",
                "principalId": "AAAAAAAAAAAAAAAAAAAA",
                "arn": "arn:aws:iam::111122223333:role/service-role/AmazonSageMaker-ExecutionRole",
                "accountId": "111122223333",
                "userName": "AmazonSageMaker-ExecutionRole"
            },
            "webIdFederationData": {},
            "attributes": {
                "mfaAuthenticated": "false",
                "creationDate": "2020-09-12T00:45:04Z"
            }
        },
        "invokedBy": "im.amazonaws.com"
    },
    "eventTime": "2020-09-12T00:49:04Z",
    "eventSource": "sagemaker.amazonaws.com",
    "eventName": "CreateEndpoint",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "im.amazonaws.com",
    "userAgent": "im.amazonaws.com",
    "requestParameters": {
        "endpointName": "sagemaker-mxnet-ep",
        "endpointConfigName": "sagemaker-mxnet-epc",
        "tags": []
    },
    "responseElements": {
        "endpointArn": "arn:aws:sagemaker:us-east-1:111122223333:endpoint/sagemaker-mxnet-ep"
    },
    "requestID": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
    "eventID": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
    "eventType": "AwsApiCall",
    "recipientAccountId": "111122223333"
}

SageMaker 角色

这篇文章对您有帮助吗?

提交反馈

您是否需要账单或技术支持?

联系 AWS Support