
sagemaker: cannot launch Studio app for an SSO user that is created with CDK

Open hossein-jazayeri opened this issue 2 years ago • 21 comments

Describe the bug

I'd like to create a SageMaker user and app in a stack, along with the SageMaker domain, using the SSO users in the account. While the stack deploys without any error, attempts to open the Studio app from the console yield the following error:

Access Denied. Please check if user is assigned to Studio Domain [...] and SSO Application [Amazon SageMaker Studio (...)] is Active.

Expected Behavior

The Studio app should create the Jupyter server without any issues.

Current Behavior

The user and app are created with the stack successfully, but upon accessing the Jupyter server via the user's profile in the console, it fails with the above-mentioned error.

Reproduction Steps

Here's the stack:

from aws_cdk import Stack, aws_sagemaker
from constructs import Construct


class SagemakerDomainUsersStack(Stack):
    def __init__(self, scope: Construct, construct_id: str, config: dict, **kwargs):
        super().__init__(scope, construct_id, **kwargs)

        # Cfn resources must be scoped to the stack (self), not to the parent scope
        # passed into __init__; otherwise synth fails with "No stack could be identified".
        domain = aws_sagemaker.CfnDomain(
            scope=self,
            id="sagemaker-domain",
            auth_mode="SSO",
            default_user_settings=aws_sagemaker.CfnDomain.UserSettingsProperty(
                execution_role=config["execution_role"]
            ),
            domain_name=config["domain_name"],
            subnet_ids=config["subnet_ids"],
            vpc_id=config["vpc_id"],
        )

        for user in config["users"]:
            # Profile name derived from the local part of the SSO user name.
            profile_name = user["aws_username"].split("@")[0].replace(".", "-")

            user_profile = aws_sagemaker.CfnUserProfile(
                scope=self,
                id=f"sagemaker-user-{profile_name}",  # construct id; the post left it elided
                domain_id=domain.attr_domain_id,
                user_profile_name=profile_name,
                single_sign_on_user_identifier="UserName",
                single_sign_on_user_value=user["aws_username"],
            )

            app = aws_sagemaker.CfnApp(
                scope=self,
                id=f"sagemaker-app-{profile_name}",  # construct id; the post left it elided
                app_name="default",
                app_type="JupyterServer",
                domain_id=domain.attr_domain_id,
                user_profile_name=user_profile.user_profile_name,
            )
            # user_profile_name is a plain string, not a token, so CloudFormation cannot
            # infer the ordering; make the app wait for the profile explicitly.
            app.node.add_dependency(user_profile)

Configurations look like this:

vpc_id: ...
subnet_ids:
  - ...
  - ...
execution_role: ...
domain_name: ...
users:
  - aws_username: [email protected]
  - aws_username: [email protected]

Possible Solution

No response

Additional Information/Context

  • The role has access to sagemaker:CreateApp.
  • If the profile is created via the console (with or without the execution role for the user), the Studio app works without the above-mentioned issue and the Jupyter server opens successfully.

CDK CLI Version

2.59.0

Framework Version

No response

Node.js Version

v18.0.0

OS

Linux

Language

Python

Language Version

Python (3.10.8)

Other information

No response

hossein-jazayeri, Jan 10 '23 12:01
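The stack above derives each UserProfileName with `split("@")[0].replace(".", "-")`, which silently yields names SageMaker rejects (an underscore in the e-mail local part, more than 63 characters) and can map two different SSO users to the same profile name. The following is an added example, not code from the issue or from aws-cdk: it generalises that derivation into a validated helper and returns the keyword arguments one would pass to `CfnUserProfile`. The name constraint it checks is the one documented for the CreateUserProfile API (1 to 63 characters, pattern `^[a-zA-Z0-9](-*[a-zA-Z0-9]){0,62}$`); the assumption that the SSO user name is e-mail-style follows the config in the post. The sample users are constructed for illustration.

```python
import re
from typing import Dict, List

# SageMaker's documented constraint on UserProfileName:
# 1..63 characters, pattern ^[a-zA-Z0-9](-*[a-zA-Z0-9]){0,62}$
_PROFILE_NAME_RE = re.compile(r"^[a-zA-Z0-9](-*[a-zA-Z0-9]){0,62}$")


def sso_username_to_profile_name(sso_username: str) -> str:
    """Derive a valid UserProfileName from an e-mail-style SSO user name (assumption).

    Generalises the issue's split("@")[0].replace(".", "-"): every run of characters
    SageMaker does not allow becomes a single '-', the result is cut to 63 characters,
    and leading/trailing '-' are dropped. Raises ValueError if nothing valid remains.
    """
    local_part = sso_username.split("@", 1)[0]
    candidate = re.sub(r"[^a-zA-Z0-9]+", "-", local_part)[:63].strip("-")
    if not _PROFILE_NAME_RE.match(candidate):
        raise ValueError(f"cannot derive a valid UserProfileName from {sso_username!r}")
    return candidate


def build_user_profile_props(users: List[Dict[str, str]], domain_id: str) -> List[Dict[str, str]]:
    """Return the keyword arguments for one CfnUserProfile per config entry.

    Rejects duplicate profile names, which the naive derivation produces silently
    (e.g. 'john.doe@...' and 'john-doe@...' both become 'john-doe'), and keeps the
    full SSO user name as SingleSignOnUserValue so the profile binds to the
    Identity Center user rather than to the shortened profile name.
    """
    props: List[Dict[str, str]] = []
    seen: Dict[str, str] = {}
    for user in users:
        sso_username = user["aws_username"]
        name = sso_username_to_profile_name(sso_username)
        if name in seen:
            raise ValueError(
                f"profile name {name!r} derived from both {seen[name]!r} and {sso_username!r}"
            )
        seen[name] = sso_username
        props.append(
            {
                "domain_id": domain_id,
                "user_profile_name": name,
                "single_sign_on_user_identifier": "UserName",
                "single_sign_on_user_value": sso_username,
            }
        )
    return props


if __name__ == "__main__":
    # Constructed sample input; the domain id is a placeholder, not a real domain.
    sample_users = [
        {"aws_username": "jane.doe@example.com"},
        {"aws_username": "john_doe@example.com"},
    ]
    for props in build_user_profile_props(sample_users, "d-placeholder"):
        print(props)
```

In the stack, the loop body would call `build_user_profile_props(config["users"], domain.attr_domain_id)` once and unpack each dict into `CfnUserProfile(scope=self, id=..., **props)`, so an invalid or colliding name fails at synth time instead of at deploy time.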