You are viewing the documentation for an older major version of the AWS CLI (version 1).

AWS CLI version 2, the latest major version of AWS CLI, is now stable and recommended for general use. To view this page for the AWS CLI version 2, click here. For more information see the AWS CLI version 2 installation instructions and migration guide.

[ aws . sagemaker ]



Creates a new work team for labeling your data. A work team is defined by one or more Amazon Cognito user pools. You must first create the user pools before you can create a work team.

You cannot create more than 25 work teams in an account and region.

See also: AWS API Documentation


--workteam-name <value>
[--workforce-name <value>]
--member-definitions <value>
--description <value>
[--notification-configuration <value>]
[--worker-access-configuration <value>]
[--tags <value>]
[--cli-input-json <value>]
[--generate-cli-skeleton <value>]
[--endpoint-url <value>]
[--output <value>]
[--query <value>]
[--profile <value>]
[--region <value>]
[--version <value>]
[--color <value>]
[--ca-bundle <value>]
[--cli-read-timeout <value>]
[--cli-connect-timeout <value>]


--workteam-name (string)

The name of the work team. Use this name to identify the work team.

--workforce-name (string)

The name of the workforce.

--member-definitions (list)

A list of MemberDefinition objects that contains objects that identify the workers that make up the work team.

Workforces can be created using Amazon Cognito or your own OIDC Identity Provider (IdP). For private workforces created using Amazon Cognito use CognitoMemberDefinition . For workforces created using your own OIDC identity provider (IdP) use OidcMemberDefinition . Do not provide input for both of these parameters in a single request.

For workforces created using Amazon Cognito, private work teams correspond to Amazon Cognito user groups within the user pool used to create a workforce. All of the CognitoMemberDefinition objects that make up the member definition must have the same ClientId and UserPool values. To add a Amazon Cognito user group to an existing worker pool, see Adding groups to a User Pool . For more information about user pools, see `Amazon Cognito User Pools .

For workforces created using your own OIDC IdP, specify the user groups that you want to include in your private work team in OidcMemberDefinition by listing those groups in Groups .


Defines an Amazon Cognito or your own OIDC IdP user group that is part of a work team.

CognitoMemberDefinition -> (structure)

The Amazon Cognito user group that is part of the work team.

UserPool -> (string)

An identifier for a user pool. The user pool must be in the same region as the service that you are calling.

UserGroup -> (string)

An identifier for a user group.

ClientId -> (string)

An identifier for an application client. You must create the app client ID using Amazon Cognito.

OidcMemberDefinition -> (structure)

A list user groups that exist in your OIDC Identity Provider (IdP). One to ten groups can be used to create a single private work team. When you add a user group to the list of Groups , you can add that user group to one or more private work teams. If you add a user group to a private work team, all workers in that user group are added to the work team.

Groups -> (list)

A list of comma seperated strings that identifies user groups in your OIDC IdP. Each user group is made up of a group of private workers.


Shorthand Syntax:

CognitoMemberDefinition={UserPool=string,UserGroup=string,ClientId=string},OidcMemberDefinition={Groups=[string,string]} ...

JSON Syntax:

    "CognitoMemberDefinition": {
      "UserPool": "string",
      "UserGroup": "string",
      "ClientId": "string"
    "OidcMemberDefinition": {
      "Groups": ["string", ...]

--description (string)

A description of the work team.

--notification-configuration (structure)

Configures notification of workers regarding available or expiring work items.

NotificationTopicArn -> (string)

The ARN for the Amazon SNS topic to which notifications should be published.

Shorthand Syntax:


JSON Syntax:

  "NotificationTopicArn": "string"

--worker-access-configuration (structure)

Use this optional parameter to constrain access to an Amazon S3 resource based on the IP address using supported IAM global condition keys. The Amazon S3 resource is accessed in the worker portal using a Amazon S3 presigned URL.

S3Presign -> (structure)

Defines any Amazon S3 resource constraints.

IamPolicyConstraints -> (structure)

Use this parameter to specify the allowed request source. Possible sources are either SourceIp or VpcSourceIp .

SourceIp -> (string)

When SourceIp is Enabled the worker's IP address when a task is rendered in the worker portal is added to the IAM policy as a Condition used to generate the Amazon S3 presigned URL. This IP address is checked by Amazon S3 and must match in order for the Amazon S3 resource to be rendered in the worker portal.

VpcSourceIp -> (string)

When VpcSourceIp is Enabled the worker's IP address when a task is rendered in private worker portal inside the VPC is added to the IAM policy as a Condition used to generate the Amazon S3 presigned URL. To render the task successfully Amazon S3 checks that the presigned URL is being accessed over an Amazon S3 VPC Endpoint, and that the worker's IP address matches the IP address in the IAM policy. To learn more about configuring private worker portal, see Use Amazon VPC mode from a private worker portal .

Shorthand Syntax:


JSON Syntax:

  "S3Presign": {
    "IamPolicyConstraints": {
      "SourceIp": "Enabled"|"Disabled",
      "VpcSourceIp": "Enabled"|"Disabled"

--tags (list)

An array of key-value pairs.

For more information, see Resource Tag and Using Cost Allocation Tags in the Amazon Web Services Billing and Cost Management User Guide .


A tag object that consists of a key and an optional value, used to manage metadata for SageMaker Amazon Web Services resources.

You can add tags to notebook instances, training jobs, hyperparameter tuning jobs, batch transform jobs, models, labeling jobs, work teams, endpoint configurations, and endpoints. For more information on adding tags to SageMaker resources, see AddTags .

For more information on adding metadata to your Amazon Web Services resources with tagging, see Tagging Amazon Web Services resources . For advice on best practices for managing Amazon Web Services resources with tagging, see Tagging Best Practices: Implement an Effective Amazon Web Services Resource Tagging Strategy .

Key -> (string)

The tag key. Tag keys must be unique per resource.

Value -> (string)

The tag value.

Shorthand Syntax:

Key=string,Value=string ...

JSON Syntax:

    "Key": "string",
    "Value": "string"

--cli-input-json (string) Performs service operation based on the JSON string provided. The JSON string follows the format provided by --generate-cli-skeleton. If other arguments are provided on the command line, the CLI values will override the JSON-provided values. It is not possible to pass arbitrary binary values using a JSON-provided value as the string will be taken literally.

--generate-cli-skeleton (string) Prints a JSON skeleton to standard output without sending an API request. If provided with no value or the value input, prints a sample input JSON that can be used as an argument for --cli-input-json. If provided with the value output, it validates the command inputs and returns a sample output JSON for that command.

Global Options

--debug (boolean)

Turn on debug logging.

--endpoint-url (string)

Override command's default URL with the given URL.

--no-verify-ssl (boolean)

By default, the AWS CLI uses SSL when communicating with AWS services. For each SSL connection, the AWS CLI will verify SSL certificates. This option overrides the default behavior of verifying SSL certificates.

--no-paginate (boolean)

Disable automatic pagination.

--output (string)

The formatting style for command output.

  • json
  • text
  • table

--query (string)

A JMESPath query to use in filtering the response data.

--profile (string)

Use a specific profile from your credential file.

--region (string)

The region to use. Overrides config/env settings.

--version (string)

Display the version of this tool.

--color (string)

Turn on/off color output.

  • on
  • off
  • auto

--no-sign-request (boolean)

Do not sign requests. Credentials will not be loaded if this argument is provided.

--ca-bundle (string)

The CA certificate bundle to use when verifying SSL certificates. Overrides config/env settings.

--cli-read-timeout (int)

The maximum socket read time in seconds. If the value is set to 0, the socket read will be blocking and not timeout. The default value is 60 seconds.

--cli-connect-timeout (int)

The maximum socket connect time in seconds. If the value is set to 0, the socket connect will be blocking and not timeout. The default value is 60 seconds.


WorkteamArn -> (string)

The Amazon Resource Name (ARN) of the work team. You can use this ARN to identify the work team.