VPC ENI permission issue - Amazon SageMaker AI

VPC ENI permission issue

SageMaker AI endpoint creation fails because the execution role has insufficient permissions for creating network interfaces in a VPC.

Error message:

Please ensure that the execution role for variant AllTraffic has sufficient permissions for creating an endpoint variant within a VPC

Root cause:

The inference operator's execution role lacks the required Amazon EC2 permission to create network interfaces (ENIs) in a VPC.

Resolution:

Add the following IAM permission to the inference operator's execution role:

    {
        "Effect": "Allow",
        "Action": [
            "ec2:CreateNetworkInterfacePermission",
            "ec2:DeleteNetworkInterfacePermission"
        ],
        "Resource": "*"
    }

Verification:

After adding the permission:

  1. Delete the failed endpoint (if it exists)

  2. Retry the endpoint creation

  3. Monitor the deployment status for successful completion
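
Before retrying, the role's policy documents can be checked offline for the two actions from the resolution. The following is an added example, not AWS code: the function names and the sample `BEFORE` policy are constructed, and it uses a simplified evaluation model whose assumptions are listed in the docstring.

```python
import re

# The two actions from the resolution statement on this page.
REQUIRED_ACTIONS = (
    "ec2:CreateNetworkInterfacePermission",
    "ec2:DeleteNetworkInterfacePermission",
)

def _as_list(value):
    """IAM accepts a single value or a list for Statement, Action and Resource."""
    return [] if value is None else value if isinstance(value, list) else [value]

def _matches(action, patterns):
    """Match an action against IAM patterns: case-insensitive, * and ? wildcards."""
    for pattern in patterns:
        regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
        if re.fullmatch(regex, action, re.IGNORECASE):
            return True
    return False

def missing_actions(policy_documents, required=REQUIRED_ACTIONS):
    """Return the required actions that are not allowed or are explicitly denied.

    Assumptions (simplified, not full IAM evaluation): an Allow counts only with
    Resource "*" and no Condition, as in the statement on this page; any matching
    Deny blocks; NotAction, permissions boundaries and SCPs are not evaluated.
    """
    allowed, denied = set(), set()
    for doc in policy_documents:
        for stmt in _as_list(doc.get("Statement")):
            hits = {a for a in required if _matches(a, _as_list(stmt.get("Action")))}
            if stmt.get("Effect") == "Deny":
                denied |= hits
            elif (stmt.get("Effect") == "Allow" and "Condition" not in stmt
                  and "*" in _as_list(stmt.get("Resource"))):
                allowed |= hits
    return [a for a in required if a not in allowed or a in denied]

# Constructed sample: a role policy with other ENI actions but not the two above.
BEFORE = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": [
    "ec2:CreateNetworkInterface", "ec2:DescribeNetworkInterfaces"], "Resource": "*"}]}
# The statement from this page, wrapped in a policy document.
FIX = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
       "Action": list(REQUIRED_ACTIONS), "Resource": "*"}]}

if __name__ == "__main__":
    print("before:", missing_actions([BEFORE]))
    print("after: ", missing_actions([BEFORE, FIX]))
```

An empty result means both actions are granted under this model. Note that `ec2:CreateNetworkInterface` in the sample does not cover `ec2:CreateNetworkInterfacePermission`, because IAM matches the full action name.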

Note

This permission is essential for SageMaker AI endpoints running in VPC mode. Ensure the execution role has all other necessary VPC-related permissions as well.