Grant Your Users Permissions to Upload Local Files - Amazon SageMaker

Grant Your Users Permissions to Upload Local Files

If your users are uploading files from their local machines to SageMaker Canvas, you must attach a CORS (cross-origin resource sharing) configuration to the Amazon S3 bucket that they're using. When setting up the SageMaker domain or user profile, you can specify either a custom Amazon S3 location or the default location, which is a SageMaker created Amazon S3 bucket with a name that uses the following pattern: s3://sagemaker-{Region}-{your-account-id}. SageMaker Canvas adds your users' data to the bucket whenever they upload a file.

To grant users permissions to upload local files to the bucket, you can attach a CORS configuration to it using either of the following procedures. You can use the first method when setting up your domain or editing the existing domain settings, where you opt in to allow SageMaker to attach the CORS configuration to the bucket for you. The second method is the manual method, where you can attach the CORS configuration to the bucket yourself.

domain setup method

To grant your users permissions to upload local files, you can choose Enable Canvas permissions when setting up your domain. This attaches a Cross-Origin Resource Sharing (CORS) configuration to the Canvas storage configuration's Amazon S3 bucket and grants all users in the domain permission to upload local files into SageMaker Canvas. By default, the permissions option is turned on when you set up a domain, but you can turn off this option if you don’t want to grant your users permission to upload files.


If you have an existing CORS configuration on the storage configuration Amazon S3 bucket, turning on Enable Canvas permissions overwrites the existing configuration with the new configuration.

The following procedure shows how you can turn on this option when doing a Quick setup for your domain in the console.

  1. In the User profile section, enter a Name for the user.

  2. Select an Execution role for the user.

  3. Turn on Enable SageMaker Canvas permissions. (By default, this option is turned on.)

  4. Finish setting up the domain.

If you are doing a Standard setup for your domain, then use the following procedure for the Canvas settings section to turn on local file upload.

  1. For Enable and configure Canvas permissions, select Local file upload. (It's already checked by default.)

  2. Choose Next.

  3. Finish setting up the domain.

Your users can now upload local files into their SageMaker Canvas application.

You can also turn on or turn off local upload permissions for an existing domain by using the following procedure.

  1. Go to the Amazon SageMaker console.

  2. On the left navigation pane, choose Admin configurations.

  3. Under Admin configurations, choose domains.

  4. From the list of Domains, choose your domain.

  5. On the Domain settings page, choose the Domain settings, tab.

  6. Choose Edit.

  7. In the navigation pane, choose Canvas settings.

  8. Select or deselect Enable local file upload.

  9. Finish any other modifications you want to make to the domain, and then choose Submit to submit your changes.

Amazon S3 bucket method

If you want to manually attach the CORS configuration to the SageMaker Amazon S3 bucket, use the following procedure.

  1. Sign in to

  2. Choose your bucket. If your domain uses the default SageMaker created bucket, the bucket’s name uses the following pattern: s3://sagemaker-{Region}-{your-account-id}.

  3. Choose Permissions.

  4. Navigate to Cross-origins resource sharing (CORS).

  5. Choose Edit.

  6. Add the following CORS policy:

    [ { "AllowedHeaders": [ "*" ], "AllowedMethods": [ "POST" ], "AllowedOrigins": [ "*" ], "ExposeHeaders": [] } ]
  7. Choose Save changes.

In the preceding procedure, the CORS policy must have "POST" listed under AllowedMethods.

After you've gone through the procedure, you should have:

  • An IAM role assigned to each of your users.

  • Amazon SageMaker Studio Classic runtime permissions for each of your users. SageMaker Canvas uses Studio Classic to run the commands from your users.

  • If the users are uploading files from their local machines, a CORS policy attached to their Amazon S3 bucket.

If your users still can't upload the local files after you update the CORS policy, the browser might be caching the CORS settings from a previous upload attempt. If they're running into issues, instruct them to clear their browser cache and try again.