Getting started with using Amazon SageMaker Canvas - Amazon SageMaker

Getting started with using Amazon SageMaker Canvas

This guide tells you how to get started with using SageMaker Canvas. If you're an IT administrator and would like more in-depth details, see Setting Up and Managing Amazon SageMaker Canvas (for IT Administrators) to set up SageMaker Canvas for your users.

Prerequisites for setting up Amazon SageMaker Canvas

To set up a SageMaker Canvas application, onboard using one of the following setup methods:

  1. Onboard with the AWS console. To onboard through the AWS console, you first create an Amazon SageMaker domain. SageMaker domains support the various machine learning (ML) environments such as Canvas and SageMaker Studio. For more information about domains, see Amazon SageMaker domain overview.

    1. (Quick) Quick setup to Amazon SageMaker – Choose this option if you’d like to quickly set up a domain. This grants your user all of the default Canvas permissions and basic functionality. Any additional features such as document querying can be enabled later by an admin. If you want to configure more granular permissions, we recommend that you choose the Advanced option instead.

    2. (Standard) Custom setup to Amazon SageMaker – Choose this option if you’d like to complete a more advanced setup of your domain. Maintain granular control over user permissions such as access to data preparation features, generative AI functionality, and model deployments.

  2. Onboard with AWS CloudFormation. AWS CloudFormation automates the provisioning of resources and configurations so that you can set up Canvas for one or more user profiles at the same time. Use this option if you want to automate the onboarding process at scale and make sure that your applications are configured the same way every time. The following CloudFormation template provides a streamlined way to onboard to Canvas, ensuring that all required components are properly set up and allowing you to focus on building and deploying your machine learning models.

The following section describes how to onboard to Canvas by using the AWS console to create a domain.

Important

For you to set up Amazon SageMaker Canvas, your version of Amazon SageMaker Studio must be 3.19.0 or later. For information about updating Amazon SageMaker Studio, see Shut down and Update SageMaker Studio Classic.

Onboard with the AWS console

If you’re doing the quick domain setup, then you can follow the instructions in Quick setup to Amazon SageMaker, skip the rest of this section, and move on to Step 1: Log in to SageMaker Canvas.

If you’re doing the standard domain setup, then you can specify the Canvas features to which you’d like to grant your users access. Use the rest of this section as you complete the standard domain setup to help you configure the permissions that are specific to Canvas.

In the Custom setup to Amazon SageMaker setup instructions, for Step 2: Users and ML Activities, you must select the Canvas permissions that you want to grant. In the ML activities section, you can select the following permissions policies to grant access to Canvas features. You can only select up to 8 ML activities total when setting up your domain. The first two permissions in the following list are required to use Canvas, while the rest are for additional features.

  • Run Studio Applications – These permissions are necessary to start up the Canvas application.

  • Canvas Core Access – These permissions grant you access to the Canvas application and the basic functionality of Canvas, such as creating datasets, using basic data transforms, and building and analyzing models.

  • (Optional) Canvas Data Preparation (powered by Data Wrangler) – These permissions grant you access to create data flows and use advanced transforms to prepare your data in Canvas. These permissions are also necessary for creating data processing jobs and data preparation job schedules.

  • (Optional) Canvas AI Services – These permissions grant you access to the Ready-to-use models, foundation models, and Chat with Data features in Canvas.

  • (Optional) Kendra access – This permission grants you access to the document querying feature, where you can query documents stored in an Amazon Kendra index using foundation models in Canvas.

    If you select this option, then in the Canvas Kendra Access section, enter the IDs for your Amazon Kendra indexes to which you want to grant access.

  • (Optional) Canvas MLOps – This permission grants you access to the model deployment feature in Canvas, where you can deploy models for use in production.

In the domain setup’s Step 3: Applications section, choose Configure Canvas and then do the following:

  1. For the Canvas storage configuration, specify where you want Canvas to store the application data, such as model artifacts, batch predictions, datasets, and logs. SageMaker creates a Canvas/ folder inside this bucket to store the data. For more information, see Configure your Amazon S3 storage. For this section, do the following:

    1. Select System managed if you want to set the location to the default SageMaker-created bucket that follows the pattern s3://sagemaker-{Region}-{your-account-id}.

    2. Select Custom S3 to specify your own Amazon S3 bucket as the storage location. Then, enter the Amazon S3 URI.

    3. (Optional) For Encryption key, specify a KMS key for encrypting Canvas artifacts stored at the specified location.

  2. (Optional) For the Canvas Ready-to-use models configuration, do the following:

    1. Leave the Enable Canvas Ready-to-use models option turned on to give your users permissions to generate predictions with Ready-to-use models in Canvas (it is turned on by default). This option also gives you permissions to chat with generative-AI powered models. For more information, see Use generative AI with foundation models.

    2. Leave the Enable document query using Amazon Kendra option turned on to give your users permissions to use foundation models for querying documents stored in an Amazon Kendra index. Then, from the dropdown menu, select the existing indexes to which you want to grant access. For more information, see Use generative AI with foundation models.

    3. For Amazon Bedrock role, select Create and use a new execution role to create a new IAM execution role that has a trust relationship with Amazon Bedrock. This IAM role is assumed by Amazon Bedrock to fine-tune large language models (LLMs) in Canvas. If you already have an execution role with a trust relationship, then select Use an existing execution role and choose your role from the dropdown. For more information about manually configuring permissions for your own execution role, see Grant Users Permissions to Fine-tune Foundation Models.

  3. (Optional) For the ML Ops permissions configuration section, do the following:

    1. Leave the Enable direct deployment of Canvas models option turned on to give your users permissions to deploy their models from Canvas to a SageMaker endpoint. For more information about model deployment in Canvas, see Deploy your models to an endpoint.

    2. Leave the Enable Model Registry registration permissions for all users option turned on to give your users permissions to register their model version to the SageMaker model registry (it is turned on by default). For more information, see Register a model version in the SageMaker model registry.

    3. If you left the Enable Model Registry registration permissions for all users option turned on, then select either Register to Model Registry only or Register and approve model in Model Registry.

  4. (Optional) For the Local file upload configuration section, turn on the Enable local file upload option to give your users permissions to upload files to Canvas from their local machines. Turning this option on attaches a cross-origin resource sharing (CORS) policy to the Amazon S3 bucket specified in the Canvas storage configuration (and overrides any existing CORS policy). To learn more about local file upload permissions, see Grant Your Users Permissions to Upload Local Files.

  5. (Optional) For the OAuth settings section, do the following:

    1. Choose Add OAuth configuration.

    2. For Data source, select your data source.

    3. For Secret setup, select Create a new secret and enter the information you have from your identity provider. If you haven’t done the initial OAuth setup with your data source yet, see Set up connections to data sources with OAuth.

  6. (Optional) For the Time series forecasting configuration, leave the Enable time series forecasting option turned on to give your users permissions to do time series forecasting in SageMaker Canvas (it is turned on by default).

    1. If you left Enable time series forecasting turned on, select Create and use a new execution role, or select Use an existing execution role if you already have an IAM role with the required Amazon Forecast permissions attached (for more information, see the IAM role setup method).

  7. Finish configuring the rest of the domain settings using the Custom setup to Amazon SageMaker procedures.

Note

If you encounter any issues with granting permissions through the console, such as permissions for Ready-to-use models, see the topic Troubleshooting issues with granting permissions through the SageMaker console.

You should now have a SageMaker domain set up and all of the Canvas permissions configured.

You can edit the Canvas permissions for a domain or a specific user after the initial domain setup. Individual user settings override the domain settings. To learn how to view or edit your Canvas permissions in the domain settings, see View and edit domains.

Give yourself permissions to use specific features in Canvas

The following information outlines the various permissions that you can grant to a Canvas user to allow the use of various features and functionalities within Canvas. Some of these permissions can be granted during the domain setup, but some require additional permissions or configuration. Refer to the specific permissions information for each feature that you want to enable:

  • Local file upload. The permissions for local file upload are turned on by default in the Canvas base permissions when setting up your domain. If you can't upload local files from your machine to SageMaker Canvas, you can attach a CORS policy to the Amazon S3 bucket that you specified in the Canvas storage configuration. If you allowed SageMaker to use the default bucket, the bucket follows the naming pattern s3://sagemaker-{Region}-{your-account-id}. For more information, see Grant Your Users Permissions to Upload Local Files.

  • Custom image and text prediction models. The permissions for building custom image and text prediction models are turned on by default in the Canvas base permissions when setting up your domain. However, if you have a custom IAM configuration and don't want to attach the AmazonSageMakerCanvasFullAccess policy to your user's IAM execution role, then you must explicitly grant your user the necessary permissions. For more information, see Grant Your Users Permissions to Build Custom Image and Text Prediction Models.

  • Ready-to-use models and foundation models. You might want to use the Canvas Ready-to-use models to make predictions for your data. With the Ready-to-use models permissions, you can also chat with generative AI-powered models. The permissions are turned on by default when setting up your domain, or you can edit the permissions for a domain that you’ve already created. The Canvas Ready-to-use models permissions option adds the AmazonSageMakerCanvasAIServicesAccess policy to your execution role. For more information, see the Get started section of the Ready-to-use models documentation.

    For more information about getting started with generative AI foundation models, see Use generative AI with foundation models.

  • Fine-tune foundation models. If you'd like to fine-tune foundation models in Canvas, you can either add the permissions when setting up your domain, or you can edit the permissions for the domain or user profile after creating your domain. You must add the AmazonSageMakerCanvasAIServicesAccess policy to the AWS IAM role you chose when setting up the user profile, and you must also add a trust relationship with Amazon Bedrock to the role. For instructions on how to add these permissions to your IAM role, see Grant Users Permissions to Fine-tune Foundation Models.

  • Time series forecasting. If you’d like to perform forecasts on time series data, you can add time series forecasting permissions when setting up your domain, or you can edit the permissions for a domain or user profile after creating your domain. The required permissions are the AmazonSageMakerCanvasForecastAccess managed policy and a trust relationship with Amazon Forecast to the AWS IAM role you chose when setting up the user profile. For instructions on how to add these permissions to your IAM role, see Grant Your Users Permissions to Perform Time Series Forecasting.

  • Send batch predictions to Amazon QuickSight. You might want to send batch predictions, or datasets of predictions you generate from a custom model, to Amazon QuickSight for analysis. In QuickSight, you can build and publish predictive dashboards with your prediction results. For instructions on how to add these permissions to your Canvas user's IAM role, see Grant Your Users Permissions to Send Predictions to Amazon QuickSight.

  • Deploy Canvas models to a SageMaker endpoint. SageMaker Hosting offers endpoints which you can use to deploy your model for use in production. You can deploy models built in Canvas to a SageMaker endpoint and then make predictions programmatically in a production environment. For more information, see Deploy your models to an endpoint.

  • Register model versions to the model registry. You might want to register versions of your model to the SageMaker model registry, which is a repository for tracking the status of updated versions of your model. A data scientist or MLOps team working in the SageMaker model registry can view the versions of your model that you’ve built and approve or reject them. Then, they can deploy your model version to production or kick off an automated workflow. Model registration permissions are turned on by default for your domain. You can manage permissions at the user profile level and grant or remove permissions to specific users. For more information, see Register a model version in the SageMaker model registry.

  • Collaboration with data scientists. If you want to collaborate with Studio Classic users and share models, you must add additional permissions to the AWS IAM role you chose when setting up the user profile. For instructions on how to add the policy to the role, see Grant Users Permissions to Collaborate with Studio Classic.

  • Import data from Amazon Redshift. If you want to import data from Amazon Redshift, you must give yourself additional permissions. You must add the AmazonRedshiftFullAccess managed policy to the AWS IAM role you chose when setting up the user profile. For instructions on how to add the policy to the role, see Grant Users Permissions to Import Amazon Redshift Data.

Note

The necessary permissions to import through other data sources, such as Amazon Athena and SaaS platforms, are included in the AmazonSageMakerFullAccess and AmazonSageMakerCanvasFullAccess policies. If you followed the standard setup instructions, these policies should already be attached to your execution role. For more information about these data sources and their permissions, see Connect to data sources.

Step 1: Log in to SageMaker Canvas

When the initial setup is complete, you can access SageMaker Canvas with any of the following methods, depending on your use case:

  • In the SageMaker console, choose the Canvas in the left navigation pane. Then, on the Canvas page, select your user from the dropdown and launch the Canvas application.

  • Open SageMaker Studio, and in the Studio interface, go to the Canvas page and launch the Canvas application.

  • Use your organization’s SAML 2.0-based SSO methods, such as Okta or the IAM Identity Center.

When you log into SageMaker Canvas for the first time, SageMaker creates the application and a SageMaker space for you. The Canvas application’s data is stored in the space. To learn more about spaces, see Collaborate with shared spaces. The space consists of your user profile’s applications and a shared directory for all of your applications’ data. If you don’t want to use the default space created by SageMaker and would prefer to create your own space for storing application data, see the page Store SageMaker Canvas application data in your own SageMaker space.

Step 2: Use SageMaker Canvas to get predictions

After you’ve logged in to Canvas, you can start building models and generating predictions for your data.

You can either use Canvas Ready-to-use models to make predictions without building a model, or you can build a custom model for your specific business problem. Review the following information to decide whether Ready-to-use models or custom models are best for your use case.

  • Ready-to-use models. With Ready-to-use models, you can use pre-built models to extract insights from your data. The Ready-to-use models cover a variety of use cases, such as language detection and document analysis. To get started making predictions with Ready-to-use models, see Use Ready-to-use models.

  • Custom models. With custom models, you can build a variety of model types that are customized to make predictions for your data. Use custom models if you’d like to build a model that is trained on your business-specific data and if you’d like to use features such as collaborating with data scientists and evaluating your model’s performance. To get started with building a custom model, see Use custom models.

You can also bring your own model (BYOM) from other features in SageMaker. An Amazon SageMaker Studio user can share their model with a Canvas user, and the Canvas user can generate predictions with the model. To learn more, see Bring your own model to SageMaker Canvas.