Attach Cloudwatch to Sagemaker Endpoint Deployment

csnick93 · July 7, 2021, 1:46pm

Hi,
I am currently trying to deploy a Sagemaker Endpoint with an attached cloudwatch log to aws using terraform. For the deployment of the endpoint I have the required code, as shown below, but I don’t fully understand which resources are required to enable logging to CloudWatch. Any help would be much appreciated!

resource "aws_sagemaker_endpoint" "knn-endpoint" {
  name                 = "knn-endpoint"
  endpoint_config_name = aws_sagemaker_endpoint_configuration.knn_config.name

  tags = {
    Name = "foo"
  }
}

resource "aws_sagemaker_endpoint_configuration" "knn_config" {
  name = "knn-endpoint-config"

  production_variants {
    variant_name           = "variant-1"
    model_name             = aws_sagemaker_model.knn_model.name
    initial_instance_count = 1 
    instance_type          = "ml.t2.medium"
  }

  tags = { 
    Name = "foo"
  }
}

resource "aws_sagemaker_model" "knn_model" {
  name               = "knn-model"
  execution_role_arn = aws_iam_role.example.arn

  primary_container {
    image = "<account_number>.dkr.ecr.eu-central-1.amazonaws.com/knn_scaler:latest"
  }
}

resource "aws_iam_role" "example" {
  assume_role_policy = data.aws_iam_policy_document.assume_role.json

  inline_policy {
    name = "sagemaker-permissions"

    policy = jsonencode({
      Version = "2012-10-17"
      Statement = [ 
        {   
          Action   = ["sagemaker:*", "ecr:*"]
          Effect   = "Allow"
          Resource = "*"
        },
      ]
    })
  }
}

data "aws_iam_policy_document" "assume_role" {
  statement {
    actions = ["sts:AssumeRole"]

    principals {
      type        = "Service"
      identifiers = ["sagemaker.amazonaws.com"]
    }
  }
}

mckornfield · October 31, 2024, 9:08pm

Hello! I had the same problem, it just comes down to the policy you have attached. Once I had cloudwatch pieces added they started appearing there

resource "aws_iam_role" "sagemaker_role" {
  name               = "sagemaker-role"
  assume_role_policy = data.aws_iam_policy_document.assume_role.json
  inline_policy {
    name = "terraform-inferences-policy"
    policy = jsonencode({
      Version = "2012-10-17"
      Statement = [
        {
          Effect = "Allow",
          Action = [
            "cloudwatch:PutMetricData",
            "logs:CreateLogStream",
            "logs:PutLogEvents",
            "logs:CreateLogGroup",
            "logs:DescribeLogStreams",
            "s3:GetObject",
            "s3:PutObject",
            "s3:ListBucket",
          ],
          Resource = "*"
        }
      ]
    })
  }
}

Since you already have sagemaker:* and ecr:* you could just add the cloudwatch and log ones from my example

Topic		Replies	Views
How to create and deploy AWS Sagemaker using terraform AWS	0	820	February 22, 2021
Sagemaker endpoint not updating with configuration change? AWS	3	4395	March 27, 2024
AWS' SageMaker runtime integration AWS	1	1155	July 26, 2022
Encrypt CloudWatch loggroup using CMK Terraform Providers	0	32	January 13, 2025
Create WAFv2 logging configuration to Cloudwatch AWS	2	4837	January 20, 2022

Attach Cloudwatch to Sagemaker Endpoint Deployment

Related topics