
IAM trust relationship issues - Amazon SageMaker AI


IAM trust relationship issues

The HyperPod inference operator fails to start with an STS AssumeRoleWithWebIdentity error. This indicates that the trust relationship (assume-role policy) on the operator's IAM execution role does not allow the operator's Kubernetes service account, authenticated through the Amazon EKS cluster's OIDC provider, to assume the role.

Error message:

failed to enable inference watcher for HyperPod cluster *****: operation error SageMaker: UpdateClusterInference, get identity: get credentials: failed to refresh cached credentials, failed to retrieve credentials, operation error STS: AssumeRoleWithWebIdentity, https response error StatusCode: 403, RequestID: ****, api error AccessDenied: Not authorized to perform sts:AssumeRoleWithWebIdentity

Resolution:

Update the trust relationship of the inference operator's IAM execution role with the following configuration.

Replace the following placeholders:

  • <ACCOUNT_ID>: your AWS account ID

  • <REGION>: your AWS Region

  • <OIDC_ID>: the OIDC provider ID of the Amazon EKS cluster (the last path segment of the cluster's OIDC issuer URL)

  • <namespace> and <service-account-name>: the Kubernetes namespace and service account that the inference operator runs as

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Federated": "arn:aws:iam::<ACCOUNT_ID>:oidc-provider/oidc.eks.<REGION>.amazonaws.com/id/<OIDC_ID>"
          },
          "Action": "sts:AssumeRoleWithWebIdentity",
          "Condition": {
            "StringLike": {
              "oidc.eks.<REGION>.amazonaws.com/id/<OIDC_ID>:sub": "system:serviceaccount:<namespace>:<service-account-name>",
              "oidc.eks.<REGION>.amazonaws.com/id/<OIDC_ID>:aud": "sts.amazonaws.com"
            }
          }
        },
        {
          "Effect": "Allow",
          "Principal": {
            "Service": [
              "sagemaker.amazonaws.com"
            ]
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }

The :sub condition is what restricts the role to the operator's own service account; do not loosen it to a wildcard such as system:serviceaccount:*, because every service account in the cluster that matches the pattern could then assume the role. The :aud condition ensures that only tokens issued for STS are accepted. The Federated principal must name the OIDC provider of the cluster the operator is running in; if the cluster was recreated, the OIDC ID changes and the old value must be replaced.

Verification:

After updating the trust relationship:

  1. Verify the role configuration in the IAM console: the Federated principal ARN and the condition keys must match the EKS cluster's OIDC issuer, and the :sub value must match the namespace and service account the operator actually uses

  2. Restart the inference operator if needed

  3. Monitor the operator logs for a successful start; the AssumeRoleWithWebIdentity AccessDenied error should no longer appear
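As an added example (not code from this page or from AWS), the following Python builds the trust policy above from the placeholder values, diagnoses an existing trust policy for the conditions that produce the AccessDenied in the error message (wrong or stale OIDC provider, mismatched :sub, wrong :aud) as well as conditions that are too broad, and applies the policy through a boto3 IAM client. The account ID, Region, OIDC ID, namespace, service account name and role name are assumed placeholders. The apply helper takes any object exposing boto3's update_assume_role_policy method, so the builder and checker run offline without boto3 installed.

```python
"""Added example for the trust-relationship fix above; not AWS-provided code.
Builds the operator trust policy, diagnoses why sts:AssumeRoleWithWebIdentity
would be denied for an existing policy, and applies it through a boto3-style
IAM client.  All account, Region, OIDC, namespace and role values are assumed."""
import json
from fnmatch import fnmatchcase
from typing import Any, Dict, List


def _as_list(value: Any) -> List[str]:
    """IAM accepts a scalar or a list for Principal, Action and Condition values."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def _matches(operator: str, pattern: str, actual: str) -> bool:
    """StringEquals is exact; StringLike uses IAM's * and ? wildcards (fnmatch semantics)."""
    return pattern == actual if operator == "StringEquals" else fnmatchcase(actual, pattern)


def build_trust_policy(account_id: str, region: str, oidc_id: str,
                       namespace: str, service_account: str) -> Dict[str, Any]:
    """The policy from this page, using StringEquals so the token's sub claim must
    equal exactly one Kubernetes service account (no wildcard matching)."""
    provider = f"oidc.eks.{region}.amazonaws.com/id/{oidc_id}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{provider}"},
                "Action": "sts:AssumeRoleWithWebIdentity",
                "Condition": {"StringEquals": {
                    f"{provider}:sub": f"system:serviceaccount:{namespace}:{service_account}",
                    f"{provider}:aud": "sts.amazonaws.com",
                }},
            },
            {
                "Effect": "Allow",
                "Principal": {"Service": ["sagemaker.amazonaws.com"]},
                "Action": "sts:AssumeRole",
            },
        ],
    }


def check_trust_policy(policy: Dict[str, Any], account_id: str, region: str,
                       oidc_id: str, namespace: str, service_account: str) -> List[str]:
    """Findings for a token issued to namespace/service_account by this cluster's
    OIDC provider.  'DENY:' = a reason AssumeRoleWithWebIdentity returns AccessDenied;
    'WARN:' = the policy also admits other service accounts.  Empty list = OK."""
    provider = f"oidc.eks.{region}.amazonaws.com/id/{oidc_id}"
    want_principal = f"arn:aws:iam::{account_id}:oidc-provider/{provider}"
    want_sub = f"system:serviceaccount:{namespace}:{service_account}"
    candidates = []
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal")
        federated = _as_list(principal.get("Federated")) if isinstance(principal, dict) else []
        if (stmt.get("Effect") == "Allow"
                and "sts:AssumeRoleWithWebIdentity" in _as_list(stmt.get("Action"))
                and want_principal in federated):
            candidates.append(stmt)
    if not candidates:
        return [f"DENY: no Allow statement trusts {want_principal} for "
                "sts:AssumeRoleWithWebIdentity (wrong account/Region or stale OIDC ID)"]
    findings: List[str] = []
    sub_seen = aud_seen = False
    # The page's policy has one such statement; every key in its Condition must match.
    for operator, keys in candidates[0].get("Condition", {}).items():
        if operator not in ("StringEquals", "StringLike"):
            continue  # other operators are not evaluated by this simplified checker
        for key, raw in keys.items():
            values = _as_list(raw)
            if key == f"{provider}:aud":
                aud_seen = True
                if not any(_matches(operator, v, "sts.amazonaws.com") for v in values):
                    findings.append(f"DENY: {key} is {values}, expected sts.amazonaws.com")
            elif key == f"{provider}:sub":
                sub_seen = True
                if not any(_matches(operator, v, want_sub) for v in values):
                    findings.append(f"DENY: {key} is {values}, token sub is {want_sub}")
                elif operator == "StringLike" and any("*" in v or "?" in v for v in values):
                    findings.append(f"WARN: {key} wildcard {values} lets every matching "
                                    "service account assume the role")
    if not sub_seen:
        findings.append("WARN: no :sub condition; any service account in the cluster qualifies")
    if not aud_seen:
        findings.append("WARN: no :aud condition; tokens minted for other audiences are accepted")
    return findings


def apply_trust_policy(iam_client: Any, role_name: str, policy: Dict[str, Any]) -> str:
    """Write the policy.  iam_client is boto3.client('iam') or any object exposing the same
    update_assume_role_policy(RoleName=..., PolicyDocument=...) method.  Returns the JSON sent."""
    document = json.dumps(policy)
    iam_client.update_assume_role_policy(RoleName=role_name, PolicyDocument=document)
    return document


if __name__ == "__main__":
    # Constructed values; the second OIDC ID stands for a stale provider left after recreating the cluster.
    args = ("123456789012", "us-west-2", "EXAMPLED539D4633E53DE1B71EXAMPLE",
            "hyperpod-inference-system", "hyperpod-inference-operator")
    stale = build_trust_policy("123456789012", "us-west-2", "OLDD539D4633E53DE1B71EXAMPLEXX",
                               "hyperpod-inference-system", "hyperpod-inference-operator")
    for finding in check_trust_policy(stale, *args):
        print(finding)
    print(json.dumps(build_trust_policy(*args), indent=2))  # paste into the IAM console
```

To apply the policy for real, pass boto3.client("iam") and the role name to apply_trust_policy; to diagnose the role that is currently failing, feed the AssumeRolePolicyDocument returned by boto3's get_role into check_trust_policy with the values of the cluster the operator actually runs in. Any DENY finding is a cause of the AccessDenied above; WARN findings do not break the operator but widen who can assume the role.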