Grant Users Permissions to Fine-tune Foundation Models - Amazon SageMaker

Grant Users Permissions to Fine-tune Foundation Models

The following page describes how to grant the permissions necessary for fine-tuning foundation models in Amazon SageMaker Canvas. For more information about this functionality in Canvas, see Fine-tune foundation models.

In order to fine-tune foundation models, you must grant the user permissions for Ready-to-use models, which attaches the AmazonSageMakerCanvasAIServicesAccess policy to your user’s AWS Identity and Access Management execution role. You must also specify an IAM execution role that has a trust relationship with Amazon Bedrock so that Amazon Bedrock can assume the role while fine-tuning models.

To grant the necessary permissions, you can either edit the Amazon SageMaker domain or user profile settings, or you can manually add permissions and a trust relationship to a domain’s or user’s IAM role.

Grant permissions through the domain settings

You can edit your domain or user profile settings to turn on the Canvas Ready-to-use models configuration setting and specify an Amazon Bedrock role.

To edit your domain settings and grant foundation model fine-tuning permissions for users in the domain, do the following:

  1. Go to the SageMaker console at https://console.aws.amazon.com/sagemaker/.

  2. In the left navigation pane, choose Domains.

  3. From the list of domains, choose your domain.

  4. Choose the Domain settings tab. In the General settings section, choose Edit.

  5. The Edit domain settings page opens. Choose Step 4: Canvas Settings.

  6. For the Canvas Ready-to-use models configuration, do the following:

    1. Turn on the Enable Canvas Ready-to-use models option to give users permissions to generate predictions with Ready-to-use models in Canvas.

    2. For Amazon Bedrock role, select Create and use a new execution role to create a new IAM execution role that has a trust relationship with Amazon Bedrock. This IAM role is assumed by Amazon Bedrock to fine-tune large language models (LLMs) in Canvas. If you already have an execution role with a trust relationship, then select Use an existing execution role and choose your role from the dropdown.

  7. Choose Submit to save your changes.

Your users should now have the necessary permissions to fine-tune foundation models in Canvas.

You can use the same procedure above for editing an individual user’s settings, except go into the individual user’s profile from the domain page and edit the user settings instead. Note that permissions granted to an individual user don’t apply to other users in the domain, while permissions granted through the domain settings apply to all user profiles in the domain.

For more information on editing your domain settings, see View and Edit domains.

Grant permissions manually through IAM

You can manually grant users permissions to fine-tune foundation models in Canvas by adding permissions to the IAM role specified for the domain or user’s profile. The IAM role must have the AmazonSageMakerCanvasAIServicesAccess policy attached and a trust relationship with Amazon Bedrock.

The following section shows you how to attach the policy to your IAM role and create the trust relationship with Amazon Bedrock.

First, take note of your domain or user profile’s IAM role. Note that permissions granted to an individual user don’t apply to other users in the domain, while permissions granted through the domain apply to all user profiles in the domain.

To configure the IAM role and grant permissions to fine-tune foundation models in Canvas, do the following:

  1. Go to the IAM console at https://console.aws.amazon.com/iam/.

  2. In the left navigation pane, choose Roles.

  3. Search for the user's IAM role by name from the list of roles and select it.

  4. On the Permissions tab, choose Add permissions. From the dropdown menu, choose Attach policies.

  5. Search for the AmazonSageMakerCanvasAIServicesAccess policy and select it.

  6. ChooseAdd permissions.

  7. Back on the IAM role’s page, choose the Trust relationships tab.

  8. Choose Edit trust policy.

  9. In the policy editor, find the Add a principal option in the right panel and choose Add.

  10. In the dialog box, for Principal type, select AWS services.

  11. For ARN, enter bedrock.amazonaws.com.

  12. Choose Add principal.

  13. Choose Update policy.

You should now have an IAM role that has the AmazonSageMakerCanvasAIServicesAccess policy attached and a trust relationship with Amazon Bedrock. For information about AWS managed policies, see Managed policies and inline policies in the IAM User Guide.