
Aws Cleanrooms
Run a structured AWS CLI diagnostic when Clean Rooms ML training or inference jobs fail to publish CloudWatch logs.
Overview
AWS Cleanrooms is an agent skill for the Operate phase that systematically diagnoses CloudWatch log publishing failures in Clean Rooms ML training and inference jobs.
Install
npx skills add https://github.com/aws/agent-toolkit-for-aws --skill aws-cleanrooms
What is this skill?
- Mandatory upfront collection of membership_id and region (trained_model_arn optional)
- Step 1 validates identity via aws sts get-caller-identity
- Auto-detects resource type from ARN (trained-model-inference-job vs trained model) with fallback list APIs
- Lists recent trained models and inference jobs when no ARN is supplied
- Multi-step CloudWatch and Clean Rooms ML status checks in a fixed diagnostic order
Adoption & trust: 745 installs on skills.sh; 819 GitHub stars; 3/3 security scanners passed (skills.sh audits).
What problem does it solve?
Your Clean Rooms ML job status looks fine but CloudWatch logs are missing and you do not know whether the fault is identity, resource ARN, or log pipeline configuration.
Who is it for?
Solo operators already using Clean Rooms ML memberships who need a repeatable CLI checklist when custom model logs fail to appear.
Skip if: Greenfield Clean Rooms setup, non-ML Clean Rooms SQL workflows, or debugging without AWS CLI credentials and required membership identifiers.
When should I use this skill?
CloudWatch log publishing failures for Clean Rooms ML custom model training or inference jobs when you can supply membership_id and region
What do I get? / Deliverables
You get a sequenced AWS CLI investigation with confirmed account, region, resource type, and API-backed status to narrow why logs are not publishing.
- Confirmed AWS account and region context
- Resolved trained model or inference job status from AWS APIs
- Narrowed diagnosis path for missing CloudWatch logs
Journey fit
Operate is the canonical shelf because the skill assumes live Clean Rooms ML jobs and membership context—not greenfield build. Errors fits systematic troubleshooting of log publishing failures on trained models and inference jobs.
How it compares
A narrow AWS runbook for one failure mode—not a general Clean Rooms ML onboarding skill or Infrastructure-as-Code module.
Common Questions / FAQ
Who is aws-cleanrooms for?
Builders and agents operating Amazon Clean Rooms ML trained models or inference jobs who need structured CLI debugging for CloudWatch log issues.
When should I use aws-cleanrooms?
In Operate when trained model or inference jobs run but logs do not show up in CloudWatch—after you have membership_id, region, and optionally the resource ARN.
Is aws-cleanrooms safe to install?
It drives read-oriented AWS CLI calls with your credentials; review the Security Audits panel on this Prism page and scope IAM least privilege before use.
SKILL.md
# Clean Rooms ML Custom Model Logging Debugging

Systematic diagnostic procedure for CloudWatch log publishing failures in Clean Rooms ML custom model training and inference jobs.

## Parameters

- **membership_id** (required): The Clean Rooms membership ID
- **region** (required): The AWS region
- **trained_model_arn** (optional): ARN of the specific trained model or inference job

You MUST ask for all required parameters upfront.

## Steps

### 1. Validate AWS Credentials and Region

- `aws sts get-caller-identity`
- Inform the user about the AWS account and region being used

### 2. Check Trained Model or Inference Job Status

Determine the resource type by inspecting the ARN: if it contains `trained-model-inference-job`, use the inference job call; otherwise use the trained model call. If `ResourceNotFoundException`, try the other.

- `aws cleanroomsml get-trained-model --membership-identifier ${membership_id} --trained-model-arn ${trained_model_arn} --region ${region}`
- `aws cleanroomsml get-trained-model-inference-job --membership-identifier ${membership_id} --trained-model-inference-job-arn ${trained_model_arn} --region ${region}`

If no ARN provided, list recent resources:

- `aws cleanroomsml list-trained-models --membership-identifier ${membership_id} --region ${region}`
- `aws cleanroomsml list-trained-model-inference-jobs --membership-identifier ${membership_id} --region ${region}`

If multiple returned, present the list and ask the user to confirm which to investigate.

Extract: `logsStatus`, `logsStatusDetails`, `configuredModelAlgorithmAssociationArn`, job status.

If `configuredModelAlgorithmAssociationArn` is not in the response, use: `aws cleanroomsml list-configured-model-algorithm-associations --membership-identifier ${membership_id} --region ${region}`. If multiple associations are returned, present the list and ask the user to confirm which one is relevant to the resource under investigation.

### 3. Check Configured Model Algorithm Association Privacy Configuration

- `aws cleanroomsml get-configured-model-algorithm-association --membership-identifier ${membership_id} --configured-model-algorithm-association-arn ${configured_model_algorithm_association_arn} --region ${region}`
- Check `privacyConfiguration.policies` for:
  - `trainedModels.containerLogs` with `allowedAccountIds` (for training)
  - `trainedModelInferenceJobs.containerLogs` with `allowedAccountIds` (for inference)
- You MUST verify the customer's account ID is included in `allowedAccountIds`
- If `containerLogs` is empty/missing, flag this as a likely root cause — but you MUST continue through all remaining steps before generating the diagnosis, as multiple issues may exist simultaneously
- Explain that logging is configured in CreateConfiguredModelAlgorithmAssociation, NOT CreateTrainedModel

### 4. Check ML Configuration

- `aws cleanroomsml get-ml-configuration --membership-identifier ${membership_id} --region ${region}`
- Extract `defaultOutputLocation.roleArn` — this role publishes logs
- If no ML Configuration exists (ResourceNotFoundException), flag this as a root cause — the user must create one via PutMLConfiguration. Skip Step 5 (role permissions cannot be checked without a role ARN) and continue to Step 6, as multiple issues may exist simultaneously.

### 5. Check ML Configuration Role CloudWatch Permissions

- `aws iam get-role --role-name ${role_name}`
- `aws iam list-role-policies --role-name ${role_name}`
- `aws iam list-attached-role-policies --role-name ${role_name}`
- For each inline policy: `aws iam get-role-policy --role-name ${role_name} --policy-name ${policy_name}`
- For each attached managed policy: `aws iam get-policy --policy-arn ${policy_arn}` then `aws iam get-policy-version --policy-arn ${policy_arn} --version-id ${version_id}`
- Required permissions: `logs:CreateLogGroup`, `logs:CreateLogStream`, `logs:PutLogEvents` on `arn:aws:logs:*:*:log-group:/aws/cleanroomsml/*`
- Also check `cloudwatch:PutMetricData` (r
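
The Step 3 and Step 5 checks applied offline to saved CLI output, as an added example that is not part of the skill or of the aws/agent-toolkit-for-aws repository. The function names, the sample account ID and ARN, and the assumption that `containerLogs` holds entries each carrying `allowedAccountIds` are illustrative; the policy evaluation is deliberately simplified, as the docstring states.

```python
import re

REQUIRED_ACTIONS = ("logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents")

def as_list(x):
    """IAM JSON allows a scalar where a list is expected; normalise to a list."""
    return x if isinstance(x, list) else [] if x is None else [x]

def iam_match(pattern, value, ignore_case=False):
    """IAM-style wildcard match: '*' is any run of characters, '?' is exactly one."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, value, re.I if ignore_case else 0) is not None

def missing_log_actions(policy_docs, log_group_arn):
    """Step 5: required actions the documents do not allow on log_group_arn.
    Simplified on purpose: Condition, NotAction, NotResource, permission
    boundaries and SCPs are not evaluated; an explicit Deny always wins."""
    allowed, denied = set(), set()
    for doc in policy_docs:
        for st in as_list(doc.get("Statement")):
            if not any(iam_match(r, log_group_arn) for r in as_list(st.get("Resource"))):
                continue
            hits = {a for a in REQUIRED_ACTIONS
                    if any(iam_match(p, a, True) for p in as_list(st.get("Action")))}
            (allowed if st.get("Effect") == "Allow" else denied).update(hits)
    return [a for a in REQUIRED_ACTIONS if a not in allowed or a in denied]

def account_allowed_for_logs(association, account_id, inference=False):
    """Step 3: is account_id listed in containerLogs allowedAccountIds?"""
    key = "trainedModelInferenceJobs" if inference else "trainedModels"
    policies = (association.get("privacyConfiguration") or {}).get("policies") or {}
    entries = as_list((policies.get(key) or {}).get("containerLogs"))
    return any(account_id in e.get("allowedAccountIds", []) for e in entries)

# Constructed sample data, not real CLI output.
SAMPLE_ARN = "arn:aws:logs:us-east-1:111122223333:log-group:/aws/cleanroomsml/example"
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
    "Resource": "arn:aws:logs:*:*:log-group:/aws/cleanroomsml/*"}]}
SAMPLE_DENY = {"Statement": {"Effect": "Deny", "Action": "logs:Put*", "Resource": "*"}}
SAMPLE_ASSOCIATION = {"privacyConfiguration": {"policies": {
    "trainedModels": {"containerLogs": [{"allowedAccountIds": ["111122223333"]}]}}}}

if __name__ == "__main__":
    print("missing:", missing_log_actions([SAMPLE_POLICY], SAMPLE_ARN))
    print("training logs allowed:", account_allowed_for_logs(SAMPLE_ASSOCIATION, "111122223333"))
```

Feed `missing_log_actions` the `PolicyDocument` from each `aws iam get-role-policy` call and the `PolicyVersion.Document` from each `aws iam get-policy-version` call; an empty result means the three required actions are allowed by those documents alone.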