Grant Your Users Permissions to Perform Time Series Forecasting - Amazon SageMaker
SageMaker domain settings methodUser setup methodIAM role setup method

Grant Your Users Permissions to Perform Time Series Forecasting

In order to perform time series forecasts in Amazon SageMaker Canvas, your users must have the necessary permissions. The preferred method to give your users these permissions is to turn on the time series forecasting option when setting up the Amazon SageMaker domain, or when editing the settings for a domain or user profile. You can also use the manual method of attaching a policy and trust relationship for Amazon Forecast to the AWS Identity and Access Management (IAM) role.

If you want to encrypt your time series forecasts with your own key, you must use an AWS KMS key and modify your KMS key's policy to grant permissions to the role used by Amazon Forecast. For more information about setting up your KMS key and modifying the policy for time series forecasting, see Prerequisites for time series forecasting.

SageMaker domain settings method

SageMaker provides you with the option to grant time series forecasting permissions to users through the domain settings. You can toggle the permissions for all of the users in your domain, and SageMaker manages attaching the required IAM policy and trust relationship for you.

If you have an existing domain and want to turn on time series forecasting permissions for all users in the domain, then use the following procedure:

  1. Open the SageMaker console at https://console.aws.amazon.com/sagemaker/.

  2. In the left navigation pane, choose Domains.

  3. From the list of domains, select your domain.

  4. On the Domain settings page, choose the App Configurations tab.

  5. In the Canvas section, choose Edit.

  6. The Edit Canvas settings page opens. In the Time series forecasting configuration section, turn on the Enable time series forecasting toggle.

  7. For Amazon Forecast role, select either Create and use a new execution role or Use an existing execution role.

  8. Based on your select in the previous step, either enter a suffix for the new IAM role, or select an existing IAM role.

    Note

    If you want to use an existing IAM role, make sure that it has the IAM policy AWS managed policy: AmazonSageMakerCanvasForecastAccess attached and has a trust relationship that establishes Amazon Forecast as a service principal. For more information, see the section IAM role setup method.

  9. Choose Submit.

Your users should now have the necessary permissions to perform time series forecasting in SageMaker Canvas.

User setup method

You can configure time series forecasting permissions for individual users in an existing domain. The user profile settings override the general domain settings, so you can grant permissions to specific users without giving permissions to all of your users. To grant time series forecasting permissions to a specific user that doesn't already have permissions, use the following procedure.

  1. Open the SageMaker console at https://console.aws.amazon.com/sagemaker/.

  2. In the left navigation pane, choose Domains.

  3. From the list of domains, choose your domain.

  4. Choose the User profiles tab.

  5. On the User Details page, choose the App Configurations tab.

  6. In the Canvas section, choose Edit.

  7. The Canvas settings page opens. In the Time series forecasting configuration section, turn on the Enable time series forecasting toggle.

  8. For Amazon Forecast role, select either Create and use a new execution role or Use an existing execution role.

  9. Based on your select in the previous step, either enter a suffix for the new IAM role, or select an existing IAM role.

    Note

    If you want to use an existing IAM role, make sure that it has the IAM policy AWS managed policy: AmazonSageMakerCanvasForecastAccess attached and has a trust relationship that establishes Amazon Forecast as a service principal. For more information, see the section IAM role setup method.

  10. Choose Submit.

Your user should now have permission to do time series forecasting in SageMaker Canvas.

You can also remove your user's permissions by using the preceding procedure and turning off the Enable time series forecasting option.

IAM role setup method

You can manually grant your users permissions to perform time series forecasting in Amazon SageMaker Canvas by adding additional permissions to the AWS Identity and Access Management (IAM) role specified for the user’s profile. The IAM role must have a trust relationship with Amazon Forecast and an attached policy that gives permissions to Forecast.

The following section shows you how to create the trust relationship and attach the AmazonSageMakerCanvasForecastAccess managed policy to your IAM role, which grants the minimum permissions necessary for time series forecasting to work in SageMaker Canvas.

Note

The AmazonSageMakerCanvasForecastAccess policy grants permissions to access the SageMaker created Amazon S3 bucket, which is the default storage location for Canvas application data. If you've specified a custom Amazon S3 storage location for Canvas application data, you must update the permissions in the policy to your own Amazon S3 bucket. For more information about custom Amazon S3 storage locations for Canvas, see Configure your Amazon S3 storage.

To configure an IAM role with the manual method, use the following procedure.

  1. Open the SageMaker console at https://console.aws.amazon.com/sagemaker/.

  2. On the left navigation pane, choose Admin configurations.

  3. Under Admin configurations, choose domains.

  4. On the Domains page, choose your domain.

  5. From the list of User profiles, select the profile of the user you to whom want to grant time series forecasting permissions.

  6. Under Details, copy or make a note of the name of the user's Execution role. The name of the IAM role should be similar to the following: 111122223333.

    Screenshot of the user's profile in the SageMaker console.

  7. Once you have the name of the user's IAM role, go to the IAM console.

  8. Choose Roles.

  9. Search for the user's IAM role by name from the list of roles and select it.

  10. Under Permissions, choose Add permissions.

  11. Choose Attach policies.

  12. Search for the AmazonSageMakerCanvasForecastAccess managed policy and select it. Choose Attach policies to attach the policy to the role.

    After attaching the policy, the role's Permissions section should now include AmazonSageMakerCanvasForecastAccess.

  13. Return to the IAM role's page, and under Trust relationships, choose Edit trust policy.

  14. In the Edit trust policy editor, update the trust policy to add Forecast as a service principal. The policy should look like the following example.

    
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": [
            "sagemaker.amazonaws.com",
            "forecast.amazonaws.com"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

  15. After editing the trust policy, choose Update policy.

You should now have an IAM role that has the policy AmazonSageMakerCanvasForecastAccess attached to it and a trust relationship established with Amazon Forecast, giving users permission to perform time series forecasting in SageMaker Canvas. For information about AWS managed policies, see Managed policies and inline policies.

Note

If you use this method to set up time series forecasting and want to use AWS KMS encryption for your forecasts, then you must configure your KMS key’s policy to grant additional permissions. For more information, see Prerequisites for time series forecasting.