Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Ignored IAM role passed to Pipeline Steps breaks Local Mode #5031

Open
lorenzwalthert opened this issue Feb 11, 2025 · 0 comments
Open

Ignored IAM role passed to Pipeline Steps breaks Local Mode #5031

lorenzwalthert opened this issue Feb 11, 2025 · 0 comments
Labels
component: local mode type: bug

Comments

@lorenzwalthert
Copy link

lorenzwalthert commented Feb 11, 2025
edited
Loading

Describe the feature you'd like

In non-local mode, I can pass a role to each step of my SageMaker Pipeline and this role will be assumed a step. This helps scoping permissions narrowly as well as working around the IAM limit of 10 managed policies per role and 10240 bytes character limit for inline policies.

    processor_select_delivery_periods = sagemaker.processing.Processor(
        entrypoint=["bash", "processing.sh"],
        role=role_arn, # <- pass role for specific step
        instance_type="ml.m5.large",
        instance_count=1,
        sagemaker_session=signals.sagemaker.pipeline_session.cache,
    )

    step_args = processor_select_delivery_periods.run(
        arguments=...,
    )

However, the argument seems not respected in local mode. Even worse, not even the IAM role defined at pipeline level seems to be respected

        upsert_response = pipeline.upsert(
            role_arn='arn:/xxx/yzzc',
            description=description or "",
            tags=tags,
        )

The credentials seem to be purely generated from the sagemaker_session passed to Pipeline:

sagemaker.workflow.pipeline.Pipeline(
        name=str(name),
        parameters=list(parameters),
        steps=[step_a, step_b],
        sagemaker_session=sagemaker_session
)

In my understanding, the local mode's docker-compose file (one per step) contains credentials via environment variables (AWS_*) that are then used in the container. Before generating these credentials, one would need use sagemaker_session to assume the role passed to a step and then generate the credentials from these roles instead of directly from that session.

How would this feature be used? Please describe.

The inconsistency between local and remote execution breaks the highly efficient local developer workflow.

Describe alternatives you've considered

  • Refrain from using step-specific roles, i.e. one role for all steps. Drawback is IAM policy restrictions mentioned above.
  • Splitting my pipeline into multiple pipelines since it contains many steps that are only loosely related. Drawback: Need another orchestration tool on top.

Additional context
@lorenzwalthert lorenzwalthert changed the title Respect IAM role passed to step in Local Mode Respect IAM role passed to Pipeline Steps in Local Mode Feb 11, 2025
@lorenzwalthert lorenzwalthert changed the title Respect IAM role passed to Pipeline Steps in Local Mode Ignored IAM role passed to Pipeline Steps breaks Local Mode Feb 26, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
component: local mode type: bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@lorenzwalthert @nargokul