Skip to main content

Connection and authentication issues

Resolve common connection and authentication issues when integrating Amazon SageMaker with Atlan.

Access denied

Error

Access denied: Unable to access SageMaker resources

Cause

The AWS credentials don't have the required permissions to access SageMaker resources.

Solution

  1. Verify the IAM user or role has the required policies:
    • AmazonSageMakerReadOnlyAccess
    • AmazonS3ReadOnlyAccess (for datasets and model artifacts)
    • AmazonGlueReadOnlyAccess (for dataset metadata)
  2. Check that the policies are attached to the correct user/role.
  3. Test permissions with AWS CLI: 
    aws sagemaker list-models --region us-east-1
    aws s3 ls s3://your-sagemaker-bucket/
  4. If using IAM role, verify the trust relationship permits Atlan's account.

Invalid credentials

Error

Invalid credentials: AWS authentication failed

Cause

The provided AWS Access Key ID or Secret Access Key is incorrect, expired, or the user account doesn't exist.

Solution

  1. For access key authentication:
    • Verify the Access Key ID and Secret Access Key are correct
    • Check that the access keys are active and not expired
    • Test authentication with AWS CLI: 
      aws configure list
      aws sts get-caller-identity
  2. For IAM role authentication:
    • Verify the IAM role ARN is correct
    • Check that the role exists and is available
    • Make sure the trust relationship is configured properly
  3. Generate new access keys if necessary:
    • Navigate to IAMUsersYour UserSecurity credentials
    • Click Create access key

Region mismatch

Error

Region mismatch: Resources not found in specified region

Cause

The AWS region specified in the connection doesn't match where your SageMaker resources are located.

Solution

  1. Identify the correct AWS region where your SageMaker resources are located:
    • Check the SageMaker console for your models, training jobs, and datasets
    • Note the region shown in the AWS console URL
  2. Update the connection configuration with the correct region.
  3. Common regions include:
    • us-east-1 (N. Virginia)
    • us-west-2 (Oregon)
    • eu-west-1 (Ireland)
    • ap-southeast-1 (Singapore)
  4. Test the connection with the correct region.

S3 access denied

Error

S3 access denied: Unable to access dataset or model artifacts

Cause

The AWS credentials don't have read access to S3 buckets containing SageMaker datasets or model artifacts.

Solution

  1. Identify the S3 buckets used by SageMaker:
    • Check SageMaker console for model artifacts locations
    • Review training job configurations for input/output data locations
  2. Make sure your IAM user/role has read access to these buckets: 
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "s3:GetObject",
            "s3:ListBucket"
          ],
          "Resource": [
            "arn:aws:s3:::your-sagemaker-bucket",
            "arn:aws:s3:::your-sagemaker-bucket/*"
          ]
        }
      ]
    }
  3. Test S3 access with AWS CLI: 
    aws s3 ls s3://your-sagemaker-bucket/

API rate limiting

Error

API rate limiting: Too many requests to SageMaker API

Cause

The crawler is making too many API requests too quickly, exceeding AWS rate limits.

Solution

  1. Reduce the crawl frequency in the crawler configuration.
  2. Implement retry logic with exponential backoff.
  3. Consider crawling during off-peak hours.
  4. Monitor AWS CloudWatch metrics for API usage.
  5. If needed, request a rate limit increase from AWS support.

Network timeout

Error

Network timeout: Connection to AWS services timed out

Cause

Network latency is too high or the connection is unstable between Atlan and AWS services.

Solution

  1. Check network connectivity between Atlan and AWS: 
    ping sagemaker.us-east-1.amazonaws.com
    telnet sagemaker.us-east-1.amazonaws.com 443
  2. Verify that network latency is under 200ms.
  3. Make sure sufficient bandwidth is available.
  4. Check for any network interruptions or packet loss.
  5. Consider using VPC endpoints if SageMaker is in a private subnet.

Resource not found

Error

Resource not found: SageMaker resource doesn't exist

Cause

The SageMaker resource (model, training job, dataset) has been deleted or doesn't exist in the specified region.

Solution

  1. Verify the resource exists in the AWS SageMaker console.
  2. Check that you're looking in the correct AWS region.
  3. Make sure the resource hasn't been deleted since the last crawl.
  4. Update the crawler filters to exclude deleted resources.
  5. Run a fresh crawl to discover current resources.

Cross-account access issues

Error

Cross-account access denied: Unable to assume IAM role

Cause

The IAM role trust relationship isn't configured correctly for cross-account access.

Solution

  1. Verify the trust relationship in the IAM role: 
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::ATLAN_ACCOUNT_ID:root"
          },
          "Action": "sts:AssumeRole",
          "Condition": {
            "StringEquals": {
              "sts:ExternalId": "EXTERNAL_ID"
            }
          }
        }
      ]
    }
  2. Make sure the external ID matches what's configured in Atlan.
  3. Verify the Atlan account ID is correct.
  4. Test the role assumption: 
    aws sts assume-role --role-arn ROLE_ARN --external-id EXTERNAL_ID

See also

Need help

If you need assistance after trying the steps, contact Atlan support: Submit a request.