Cross-Account Support for SageMaker Pipelines - Amazon SageMaker

Cross-Account Support for SageMaker Pipelines

You can use cross-account support for Amazon SageMaker Model Building Pipelines to share pipeline entities across AWS accounts and access shared pipelines through direct API calls.

Set up cross-account pipeline sharing

SageMaker uses AWS Resource Access Manager (AWS RAM) to help you securely share your pipeline entities across accounts.

Create a resource share

  1. Select Create a resource share through the AWS RAM console.

  2. When specifying resource share details, choose the SageMaker Pipelines resource type and select one or more pipelines that you want to share. When you share a pipeline with any other account, all of its executions are also shared implicitly.

  3. Associate permissions with your resource share. Choose either the default read-only permission policy or the extended pipeline execution permission policy. For more detailed information, see Permission policies for SageMaker Pipelines resources.

    Note

    If you select the extended pipeline execution policy, note that any start, stop, and retry commands called by shared accounts use resources in the AWS account that shared the pipeline.

  4. Use AWS account IDs to specify the accounts to which you want to grant access to your shared resources.

  5. Review your resource share configuration and select Create resource share. It may take a few minutes for the resource share and principal associations to complete.

For more information, see Sharing your AWS resources in the AWS Resource Access Manager User Guide.

Get responses to your resource share invitation

Once the resource share and principal associations are set, the specified AWS accounts receive an invitation to join the resource share. The AWS accounts must accept the invite to gain access to any shared resources.

For more information on accepting a resource share invite through AWS RAM, see Using shared AWS resources in the AWS Resource Access Manager User Guide.
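The console procedure above (create the share in the owner account, then accept the invitation in the consumer account), done through the AWS SDK instead, as an added example that is not part of the AWS documentation. It assumes boto3 credentials for the owner account when creating the share and for the consumer account when accepting it, assumes the two managed permissions named on this page are addressed as RAM permission ARNs of the form arn:aws:ram::aws:permission/<name>, and uses constructed placeholder account IDs, pipeline ARN and share name. The share defaults to the read-only permission and to in-organization principals; both have to be opted into. The consumer side checks the invitation's sender account before accepting, so an invitation from an account you did not expect stays pending.

```python
"""Share a SageMaker pipeline across accounts with AWS RAM, then accept it.

Added example, not AWS sample code. Assumes boto3 credentials for the owner
account (create side) and the consumer account (accept side). The pipeline
ARN, account IDs and share name are constructed placeholders.
"""

# AWS RAM managed permissions named in the docs. The ARN form
# arn:aws:ram::aws:permission/<name> is assumed here.
READ_ONLY_PERMISSION = (
    "arn:aws:ram::aws:permission/AWSRAMDefaultPermissionSageMakerPipeline"
)
EXECUTION_PERMISSION = (
    "arn:aws:ram::aws:permission/AWSRAMPermissionSageMakerPipelineAllowExecution"
)


def is_pipeline_arn(arn):
    """True for arn:<partition>:sagemaker:<region>:<account>:pipeline/<name>."""
    parts = arn.split(":", 5)
    return (
        len(parts) == 6
        and parts[0] == "arn"
        and parts[2] == "sagemaker"
        and parts[4].isdigit() and len(parts[4]) == 12
        and parts[5].startswith("pipeline/")
    )


def build_share_request(name, pipeline_arns, consumer_accounts,
                        allow_execution=False, allow_external_principals=False):
    """Parameters for ram.create_resource_share.

    Read-only is the default: the execution permission lets consumers start,
    stop and retry executions that consume resources in the owner account,
    so it must be opted into explicitly. Sharing with accounts outside your
    AWS Organization also has to be opted into.
    """
    bad = [a for a in pipeline_arns if not is_pipeline_arn(a)]
    if bad:
        raise ValueError(f"not SageMaker pipeline ARNs: {bad}")
    bad = [a for a in consumer_accounts if not (a.isdigit() and len(a) == 12)]
    if bad:
        raise ValueError(f"not 12-digit AWS account IDs: {bad}")
    return {
        "name": name,
        "resourceArns": list(pipeline_arns),
        "principals": list(consumer_accounts),
        "permissionArns": [EXECUTION_PERMISSION if allow_execution else READ_ONLY_PERMISSION],
        "allowExternalPrincipals": allow_external_principals,
    }


def create_share(ram_client, **kwargs):
    """Owner account: create the share; returns the resource share ARN."""
    resp = ram_client.create_resource_share(**build_share_request(**kwargs))
    return resp["resourceShare"]["resourceShareArn"]


def pending_invitations_from(invitations, expected_owner_account):
    """Keep only PENDING invitations whose sender is the account you expect.

    Any account that knows your account ID can send you a share invitation;
    verify the sender instead of accepting whatever is pending.
    """
    return [
        inv for inv in invitations
        if inv.get("status") == "PENDING"
        and inv.get("senderAccountId") == expected_owner_account
    ]


def accept_shares(ram_client, expected_owner_account):
    """Consumer account: accept the owner's pending invitations; returns their ARNs."""
    resp = ram_client.get_resource_share_invitations()
    accepted = []
    for inv in pending_invitations_from(resp.get("resourceShareInvitations", []),
                                        expected_owner_account):
        ram_client.accept_resource_share_invitation(
            resourceShareInvitationArn=inv["resourceShareInvitationArn"]
        )
        accepted.append(inv["resourceShareInvitationArn"])
    return accepted


if __name__ == "__main__":
    import boto3  # only needed when talking to real AWS accounts

    OWNER = "111111111111"      # constructed placeholder
    CONSUMER = "222222222222"   # constructed placeholder
    PIPELINE = f"arn:aws:sagemaker:us-east-1:{OWNER}:pipeline/my-pipeline"

    # Run with owner-account credentials:
    share_arn = create_share(boto3.client("ram"), name="shared-pipelines",
                             pipeline_arns=[PIPELINE], consumer_accounts=[CONSUMER])
    print("created", share_arn)
    # Then with consumer-account credentials (associations can take a few minutes):
    print("accepted", accept_shares(boto3.client("ram"), expected_owner_account=OWNER))
```

Passing `allow_execution=True` swaps in the AWSRAMPermissionSageMakerPipelineAllowExecution permission; keep it off unless the consumer genuinely needs to run executions, since those run on the owner account's resources.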

Permission policies for SageMaker Pipelines resources

When creating your resource share, choose one of two supported permission policies to associate with the SageMaker pipeline resource type. Both policies grant access to any selected pipeline and all of its executions.

Default read-only permissions

The AWSRAMDefaultPermissionSageMakerPipeline policy allows the following read-only actions:

  "sagemaker:DescribePipeline"
  "sagemaker:DescribePipelineDefinitionForExecution"
  "sagemaker:DescribePipelineExecution"
  "sagemaker:ListPipelineExecutions"
  "sagemaker:ListPipelineExecutionSteps"
  "sagemaker:ListPipelineParametersForExecution"
  "sagemaker:Search"

Extended pipeline execution permissions

The AWSRAMPermissionSageMakerPipelineAllowExecution policy includes all of the read-only permissions from the default policy and also allows shared accounts to start, stop, and retry pipeline executions.

Note

Be mindful of AWS resource usage when using the extended pipeline execution permission policy. With this policy, shared accounts are allowed to start, stop, and retry pipeline executions. Any resources used for shared pipeline executions are consumed by the owner account.

The extended pipeline execution permission policy allows the following actions:

  "sagemaker:DescribePipeline"
  "sagemaker:DescribePipelineDefinitionForExecution"
  "sagemaker:DescribePipelineExecution"
  "sagemaker:ListPipelineExecutions"
  "sagemaker:ListPipelineExecutionSteps"
  "sagemaker:ListPipelineParametersForExecution"
  "sagemaker:StartPipelineExecution"
  "sagemaker:StopPipelineExecution"
  "sagemaker:RetryPipelineExecution"
  "sagemaker:Search"

Access shared pipeline entities through direct API calls

Once cross-account pipeline sharing is set up, you can call the following SageMaker API actions using a pipeline ARN:

Note

You can only call API commands if they are included in the permissions associated with your resource share. If you select the AWSRAMPermissionSageMakerPipelineAllowExecution policy, then the start, stop, and retry commands use resources in the AWS account that shared the pipeline.
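Calling the shared pipeline from the consumer account, as an added example that is not part of the AWS documentation. It assumes consumer-account boto3 credentials and that the shared pipeline is addressed by its ARN in the PipelineName parameter, as described above; the pipeline ARN and the permission name are constructed placeholders (the consumer has to learn which of the two managed permissions the owner attached). Before each call it checks the request against the action list of that permission, so a start under a read-only share fails locally with a clear message rather than with an AccessDenied response, and it extracts the owner account from the ARN to make explicit where executions will consume resources.

```python
"""Call SageMaker APIs on a shared pipeline from the consumer account.

Added example, not AWS sample code. Assumes consumer-account boto3 credentials
and that the pipeline is addressed by its ARN in PipelineName, as the docs
describe. The ARN and permission name below are constructed placeholders.
"""

# Action sets of the two AWS RAM managed permissions listed in the docs.
READ_ONLY_ACTIONS = frozenset({
    "sagemaker:DescribePipeline",
    "sagemaker:DescribePipelineDefinitionForExecution",
    "sagemaker:DescribePipelineExecution",
    "sagemaker:ListPipelineExecutions",
    "sagemaker:ListPipelineExecutionSteps",
    "sagemaker:ListPipelineParametersForExecution",
    "sagemaker:Search",
})
EXECUTION_ACTIONS = READ_ONLY_ACTIONS | {
    "sagemaker:StartPipelineExecution",
    "sagemaker:StopPipelineExecution",
    "sagemaker:RetryPipelineExecution",
}
PERMISSION_ACTIONS = {
    "AWSRAMDefaultPermissionSageMakerPipeline": READ_ONLY_ACTIONS,
    "AWSRAMPermissionSageMakerPipelineAllowExecution": EXECUTION_ACTIONS,
}

# boto3 client method -> IAM action it needs, for the PipelineName-based calls used here.
ACTION_FOR_CALL = {
    "describe_pipeline": "sagemaker:DescribePipeline",
    "list_pipeline_executions": "sagemaker:ListPipelineExecutions",
    "start_pipeline_execution": "sagemaker:StartPipelineExecution",
}


def pipeline_owner_account(pipeline_arn):
    """Account ID embedded in a pipeline ARN; executions consume resources there."""
    parts = pipeline_arn.split(":", 5)
    if len(parts) != 6 or parts[2] != "sagemaker" or not parts[5].startswith("pipeline/"):
        raise ValueError(f"not a SageMaker pipeline ARN: {pipeline_arn}")
    return parts[4]


def missing_actions(permission_name, needed):
    """Actions in `needed` that the named RAM permission does not grant."""
    allowed = PERMISSION_ACTIONS.get(permission_name, frozenset())
    return sorted(set(needed) - allowed)


def call_shared_pipeline(sm_client, method, pipeline_arn, permission_name, **params):
    """Invoke a SageMaker API on a shared pipeline by ARN.

    Fails before the network call when the share's permission does not cover
    the action, so the caller gets an explanation instead of AccessDenied.
    """
    action = ACTION_FOR_CALL[method]
    missing = missing_actions(permission_name, [action])
    if missing:
        raise PermissionError(
            f"{permission_name} does not grant {missing[0]}; the owner account "
            f"{pipeline_owner_account(pipeline_arn)} must reshare with the execution permission"
        )
    return getattr(sm_client, method)(PipelineName=pipeline_arn, **params)


if __name__ == "__main__":
    import uuid
    import boto3  # only needed when talking to real AWS accounts

    OWNER = "111111111111"  # constructed placeholder
    PIPELINE = f"arn:aws:sagemaker:us-east-1:{OWNER}:pipeline/my-pipeline"
    PERMISSION = "AWSRAMDefaultPermissionSageMakerPipeline"  # whichever the owner attached
    sm = boto3.client("sagemaker")

    print(call_shared_pipeline(sm, "describe_pipeline", PIPELINE, PERMISSION)["PipelineArn"])
    print("executions would run in account", pipeline_owner_account(PIPELINE))
    # Under the read-only share this raises PermissionError locally:
    call_shared_pipeline(sm, "start_pipeline_execution", PIPELINE, PERMISSION,
                         ClientRequestToken=str(uuid.uuid4()))
```

StopPipelineExecution and RetryPipelineExecution take a pipeline execution ARN rather than PipelineName, which is why they are not in the call table; the same `missing_actions` check applies to them before the call.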