How do I determine which SageMaker notebook instance made a specific API call if all instances use the same IAM role?
Last updated: November 11, 2021
I have multiple Amazon SageMaker notebook instances. They all use the same AWS Identity and Access Management (IAM) role. Regardless of which notebook instance performed the action, the AWS CloudTrail event for each API action shows the same PrincipalID (session name). How can I tell which notebook instance performed which API actions?
Short description
When you have multiple SageMaker notebook instances that share the same IAM role, you can't determine from CloudTrail events which notebook instance performed a specific API action, because every instance assumes the role with the same session name.
Example:
{
  "eventVersion": "1.05",
  "userIdentity": {
    "type": "AssumedRole",
    "principalId": "AAAAAAAAAAAAAAAAAA:SageMaker",
    "arn": "arn:aws:sts::111122223333:assumed-role/AmazonSageMaker-ExecutionRole/SageMaker",
Resolution
1. Create an IAM execution role for the SageMaker notebook instances, or use an existing execution role. In the following steps, the Amazon Resource Name (ARN) of the execution role is arn:aws:iam::111122223333:role/service-role/AmazonSageMaker-ExecutionRole.
2. Attach to the execution role an IAM policy that includes sts:AssumeRole. The sts:AssumeRole action allows the execution role to assume itself with a different session name.
Example:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::111122223333:role/service-role/AmazonSageMaker-ExecutionRole"
    }
  ]
}
3. Create a start notebook lifecycle configuration script similar to the following example. This example script retrieves the notebook instance name and then uses that name as the role session name.
#!/bin/bash
#Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
#Permission is hereby granted, free of charge, to any person obtaining a copy of this
#software and associated documentation files (the "Software"), to deal in the Software
#without restriction, including without limitation the rights to use, copy, modify,
#merge, publish, distribute, sublicense, and/or sell copies of the Software, and to
#permit persons to whom the Software is furnished to do so.
#THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,
#INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
#PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
#HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
#OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
#SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
set -ex
# Obtain the name of the notebook instance from the instance metadata file
nbname=$(jq -r '.ResourceName' /opt/ml/metadata/resource-metadata.json)
echo "Notebook Name = $nbname"
# Use the AWS Command Line Interface (AWS CLI) to obtain the Amazon Resource Name (ARN) of the IAM execution role
nbinfo=$(aws sagemaker describe-notebook-instance --notebook-instance-name "$nbname")
nbrole=$(jq -r '.RoleArn' <<< "$nbinfo")
echo "Notebook Role = $nbrole"
# Obtain the Region of the notebook instance
nbregion=$(aws configure get region)
echo "Notebook Region = $nbregion"
# Write assume-role provider settings to a new config file: every AWS CLI/SDK call from
# this instance will assume the execution role with the notebook name as the session name
echo "Writing new config file"
cat > /home/ec2-user/.aws/config.new <<EOF1
[default]
region=$nbregion
role_arn = $nbrole
credential_source = Ec2InstanceMetadata
role_session_name = $nbname
sts_regional_endpoints = regional
EOF1
echo "Moving new config to config file"
sudo mv /home/ec2-user/.aws/config.new /home/ec2-user/.aws/config
# Secure the "config" file so that it can't be deleted/updated without root user permissions
sudo chattr +i /home/ec2-user/.aws/config
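The lifecycle script above only helps if it actually ran and wrote the intended settings on every instance. The following check is an added example (not part of the original article): it parses the contents of /home/ec2-user/.aws/config with Python's configparser and reports any deviation from what the script writes, so an operator can confirm that each instance's session name is pinned to its notebook name. The function name check_notebook_config and the sample config texts are assumptions constructed for this example. Note also that a role can assume itself only if its trust policy explicitly names the role as a principal; the identity policy from step 2 alone does not grant that.

```python
"""Verify that an AWS CLI config written by the lifecycle script pins the
assume-role session name to the notebook instance name.

This is an added example; check_notebook_config and the sample config
strings are constructed for illustration and are not from the article."""
import configparser
import re

# Shape of an IAM role ARN (12-digit account id, role path/name)
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=,.@/-]+$")


def check_notebook_config(config_text, notebook_name, expected_role_arn=None):
    """Return a list of findings; an empty list means the config matches
    what the lifecycle script intended for this notebook instance."""
    findings = []
    parser = configparser.ConfigParser()
    parser.read_string(config_text)
    if not parser.has_section("default"):
        return ["missing [default] profile"]
    section = parser["default"]

    # The whole point of the procedure: session name == notebook name
    session = section.get("role_session_name")
    if session != notebook_name:
        findings.append(
            f"role_session_name is {session!r}, expected {notebook_name!r}")

    # Credentials must come from the instance profile, not a static key file
    if section.get("credential_source") != "Ec2InstanceMetadata":
        findings.append("credential_source is not Ec2InstanceMetadata")

    role_arn = section.get("role_arn", "")
    if not ROLE_ARN_RE.match(role_arn):
        findings.append(f"role_arn {role_arn!r} is not a valid IAM role ARN")
    elif expected_role_arn and role_arn != expected_role_arn:
        findings.append(f"role_arn {role_arn!r} != expected {expected_role_arn!r}")

    if section.get("sts_regional_endpoints") != "regional":
        findings.append("sts_regional_endpoints is not 'regional'")
    return findings


# Constructed sample: what the lifecycle script writes for notebook test-2
GOOD_CONFIG = """[default]
region=us-east-1
role_arn = arn:aws:iam::111122223333:role/service-role/AmazonSageMaker-ExecutionRole
credential_source = Ec2InstanceMetadata
role_session_name = test-2
sts_regional_endpoints = regional
"""

# Constructed sample: a stock config with no assume-role settings, meaning
# calls would still be logged under the shared default session name
STOCK_CONFIG = """[default]
region=us-east-1
"""

if __name__ == "__main__":
    role = "arn:aws:iam::111122223333:role/service-role/AmazonSageMaker-ExecutionRole"
    for name, text in (("good", GOOD_CONFIG), ("stock", STOCK_CONFIG)):
        print(name, check_notebook_config(text, "test-2", role))
```

Run it on each instance's config (for example by reading the file over a session and piping it into the function) to catch instances where the lifecycle configuration was not attached or failed before writing the file.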
4. Create a SageMaker notebook instance (for example, test-2) and attach the lifecycle configuration script that you created in the previous step.
5. Create the SageMaker notebook instance with root access turned off. This prevents the ec2-user user from deleting or updating the config file.
6. To identify the notebook instance that performed an API action, check the CloudTrail event. Under the userIdentity object, principalId and arn show the notebook instance name. For example, the following event details show that the SageMaker notebook instance test-2 made the API call.
{
  "eventVersion": "1.05",
  "userIdentity": {
    "type": "AssumedRole",
    "principalId": "AAAAAAAAAAAAAAAAAAAA:test-2",
    "arn": "arn:aws:sts::111122223333:assumed-role/AmazonSageMaker-ExecutionRole/test-2",
    "accountId": "111122223333",
    "accessKeyId": "AAAAAAAAAAAAAAAAAAAA",
    "sessionContext": {
      "sessionIssuer": {
        "type": "Role",
        "principalId": "AAAAAAAAAAAAAAAAAAAA",
        "arn": "arn:aws:iam::111122223333:role/service-role/AmazonSageMaker-ExecutionRole",
        "accountId": "111122223333",
        "userName": "AmazonSageMaker-ExecutionRole"
      },
      "webIdFederationData": {},
      "attributes": {
        "mfaAuthenticated": "false",
        "creationDate": "2020-09-12T00:45:04Z"
      }
    },
    "invokedBy": "im.amazonaws.com"
  },
  "eventTime": "2020-09-12T00:49:04Z",
  "eventSource": "sagemaker.amazonaws.com",
  "eventName": "CreateEndpoint",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "im.amazonaws.com",
  "userAgent": "im.amazonaws.com",
  "requestParameters": {
    "endpointName": "sagemaker-mxnet-ep",
    "endpointConfigName": "sagemaker-mxnet-epc",
    "tags": []
  },
  "responseElements": {
    "endpointArn": "arn:aws:sagemaker:us-east-1:111122223333:endpoint/sagemaker-mxnet-ep"
  },
  "requestID": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
  "eventID": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
  "eventType": "AwsApiCall",
  "recipientAccountId": "111122223333"
}
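Reading one event by hand works for a single investigation; across a CloudTrail log file you want the attribution done mechanically. The following added example (not from the original article) extracts the session name from the assumed-role ARN in userIdentity, groups API calls made through the shared execution role by notebook instance, and separately lists calls that still carry the default "SageMaker" session name, which is the signature of an instance that is not running the lifecycle configuration. The helper names (load_records, session_name_from_event, attribute_calls) and the sample records are constructed for this example; the record fields follow the event shape shown above.

```python
"""Attribute CloudTrail API calls to SageMaker notebook instances by the
assumed-role session name.

Added example: function names and SAMPLE_LOG are constructed for
illustration and are not from the article."""
import json
from collections import defaultdict

# Session name every instance gets when nothing sets role_session_name
DEFAULT_SESSION = "SageMaker"


def load_records(text):
    """Parse CloudTrail JSON: either a delivered log file ({"Records": [...]})
    or a bare list of events."""
    data = json.loads(text)
    return data["Records"] if isinstance(data, dict) else data


def session_name_from_event(event):
    """Return the assumed-role session name, or None for non-role identities.

    For type AssumedRole the ARN is
      arn:aws:sts::<account>:assumed-role/<role-name>/<session-name>
    and principalId is <role-unique-id>:<session-name>."""
    identity = event.get("userIdentity", {})
    if identity.get("type") != "AssumedRole":
        return None
    arn = identity.get("arn", "")
    if ":assumed-role/" in arn:
        return arn.rsplit("/", 1)[-1]
    principal = identity.get("principalId", "")
    if ":" in principal:
        return principal.split(":", 1)[1]
    return None


def attribute_calls(events, role_name):
    """Group calls made through role_name by notebook instance.

    Returns (by_notebook, unattributed): by_notebook maps session name to
    (eventTime, eventName) tuples; unattributed holds calls whose session
    name is still the default, i.e. the instance cannot be identified."""
    by_notebook = defaultdict(list)
    unattributed = []
    for ev in events:
        issuer = (ev.get("userIdentity", {})
                    .get("sessionContext", {})
                    .get("sessionIssuer", {}))
        if issuer.get("userName") != role_name:
            continue  # call made through some other role
        entry = (ev.get("eventTime"), ev.get("eventName"))
        session = session_name_from_event(ev)
        if session is None or session == DEFAULT_SESSION:
            unattributed.append(entry)
        else:
            by_notebook[session].append(entry)
    return dict(by_notebook), unattributed


def _rec(session, time, name, role="AmazonSageMaker-ExecutionRole"):
    """Build a minimal constructed CloudTrail record in the shape shown above."""
    return {
        "userIdentity": {
            "type": "AssumedRole",
            "principalId": f"AAAAAAAAAAAAAAAAAAAA:{session}",
            "arn": f"arn:aws:sts::111122223333:assumed-role/{role}/{session}",
            "sessionContext": {"sessionIssuer": {"type": "Role", "userName": role}},
        },
        "eventTime": time,
        "eventSource": "sagemaker.amazonaws.com",
        "eventName": name,
    }


# Constructed sample log file with calls from two configured instances,
# one unconfigured instance (default session name) and an unrelated role.
SAMPLE_LOG = json.dumps({"Records": [
    _rec("test-2", "2020-09-12T00:49:04Z", "CreateEndpoint"),
    _rec("test-1", "2020-09-12T00:50:00Z", "CreateTrainingJob"),
    _rec("SageMaker", "2020-09-12T01:00:00Z", "DescribeNotebookInstance"),
    _rec("test-2", "2020-09-12T01:05:00Z", "DeleteEndpoint"),
    _rec("ops", "2020-09-12T01:10:00Z", "ListBuckets", role="AdminRole"),
]})

if __name__ == "__main__":
    grouped, unknown = attribute_calls(load_records(SAMPLE_LOG),
                                       "AmazonSageMaker-ExecutionRole")
    for nb, calls in sorted(grouped.items()):
        print(nb, calls)
    print("not attributable:", unknown)
```

A non-empty unattributed list is worth alerting on: it means an instance (or another consumer of the role) is still calling AWS APIs under the shared session name, so the per-instance audit trail this procedure is meant to provide has a gap.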