UpdateWorkforce - Amazon SageMaker


Use this operation to update your workforce. You can use this operation to require that workers use specific IP addresses to work on tasks and to update your OpenID Connect (OIDC) Identity Provider (IdP) workforce configuration.

The worker portal is now supported in VPC and public internet.

Use SourceIpConfig to restrict worker access to tasks to a specific range of IP addresses. You specify allowed IP addresses by creating a list of up to ten CIDRs. By default, a workforce isn't restricted to specific IP addresses. If you specify a range of IP addresses, workers who attempt to access tasks using any IP address outside the specified range are denied and get a Not Found error message on the worker portal.

To restrict access to all the workers in public internet, add the SourceIpConfig CIDR value as "".


Amazon SageMaker does not support Source Ip restriction for worker portals in VPC.

Use OidcConfig to update the configuration of a workforce created using your own OIDC IdP.


You can only update your OIDC IdP configuration when there are no work teams associated with your workforce. You can delete work teams using the DeleteWorkteam operation.

After restricting access to a range of IP addresses or updating your OIDC IdP configuration with this operation, you can view details about your update workforce using the DescribeWorkforce operation.


This operation only applies to private workforces.

Request Syntax

{ "OidcConfig": { "AuthorizationEndpoint": "string", "ClientId": "string", "ClientSecret": "string", "Issuer": "string", "JwksUri": "string", "LogoutEndpoint": "string", "TokenEndpoint": "string", "UserInfoEndpoint": "string" }, "SourceIpConfig": { "Cidrs": [ "string" ] }, "WorkforceName": "string", "WorkforceVpcConfig": { "SecurityGroupIds": [ "string" ], "Subnets": [ "string" ], "VpcId": "string" } }

Request Parameters

For information about the parameters that are common to all actions, see Common Parameters.

The request accepts the following data in JSON format.


Use this parameter to update your OIDC Identity Provider (IdP) configuration for a workforce made using your own IdP.

Type: OidcConfig object

Required: No


A list of one to ten worker IP address ranges (CIDRs) that can be used to access tasks assigned to this workforce.

Maximum: Ten CIDR values

Type: SourceIpConfig object

Required: No


The name of the private workforce that you want to update. You can find your workforce name by using the ListWorkforces operation.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 63.

Pattern: ^[a-zA-Z0-9]([a-zA-Z0-9\-]){0,62}$

Required: Yes


Use this parameter to update your VPC configuration for a workforce.

Type: WorkforceVpcConfigRequest object

Required: No

Response Syntax

{ "Workforce": { "CognitoConfig": { "ClientId": "string", "UserPool": "string" }, "CreateDate": number, "FailureReason": "string", "LastUpdatedDate": number, "OidcConfig": { "AuthorizationEndpoint": "string", "ClientId": "string", "Issuer": "string", "JwksUri": "string", "LogoutEndpoint": "string", "TokenEndpoint": "string", "UserInfoEndpoint": "string" }, "SourceIpConfig": { "Cidrs": [ "string" ] }, "Status": "string", "SubDomain": "string", "WorkforceArn": "string", "WorkforceName": "string", "WorkforceVpcConfig": { "SecurityGroupIds": [ "string" ], "Subnets": [ "string" ], "VpcEndpointId": "string", "VpcId": "string" } } }

Response Elements

If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.


A single private workforce. You can create one private work force in each AWS Region. By default, any workforce-related API operation used in a specific region will apply to the workforce created in that region. To learn how to create a private workforce, see Create a Private Workforce.

Type: Workforce object


For information about the errors that are common to all actions, see Common Errors.


There was a conflict when you attempted to modify a SageMaker entity such as an Experiment or Artifact.

HTTP Status Code: 400

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following: