Isolate domain resources - Amazon SageMaker AI

Isolate domain resources

Important

Custom IAM policies that allow Amazon SageMaker Studio or Amazon SageMaker Studio Classic to create Amazon SageMaker resources must also grant permissions to add tags to those resources. The permission to add tags to resources is required because Studio and Studio Classic automatically tag any resources they create. If an IAM policy allows Studio and Studio Classic to create resources but does not allow tagging, "AccessDenied" errors can occur when trying to create resources. For more information, see Provide permissions for tagging SageMaker AI resources.

AWS managed policies for Amazon SageMaker AI that give permissions to create SageMaker resources already include permissions to add tags while creating those resources.

You can isolate resources between each of the domains in your account and AWS Region using an AWS Identity and Access Management (IAM) policy. The isolated resources can no longer be accessed from other domains. This topic describes the conditions required for the IAM policy and how to apply them.

The resources that can be isolated by this policy are the resource types that have condition keys containing aws:ResourceTag/${TagKey} or sagemaker:ResourceTag/${TagKey}. For a reference on the SageMaker AI resources and associated condition keys, see Actions, resources, and condition keys for Amazon SageMaker AI.

Warning

The resource types that do not contain the above condition keys (and therefore the actions that use those resource types) are not impacted by this resource isolation policy. For example, the pipeline-execution resource type does not contain the above condition keys and is not impacted by this policy. Therefore, the following are a few of the actions that use the pipeline-execution resource type and are not supported for resource isolation:

  • DescribePipelineExecution

  • StopPipelineExecution

  • UpdatePipelineExecution

  • RetryPipelineExecution

  • DescribePipelineDefinitionForExecution

  • ListPipelineExecutionSteps

  • SendPipelineExecutionStepSuccess

  • SendPipelineExecutionStepFailure

The following topic shows how to create a new IAM policy that limits access to resources in the domain to user profiles with the domain tag, as well as how to attach this policy to the IAM execution role of the domain. You must repeat this process for each domain in your account. For more information about domain tags and backfilling these tags, see Multiple domains overview.

Console

The following section shows how to create a new IAM policy that limits access to resources in the domain to user profiles with the domain tag, as well as how to attach this policy to the IAM execution role of the domain, from the Amazon SageMaker AI console.

Note

This policy only works in domains that use Amazon SageMaker Studio Classic as the default experience.

  1. Create an IAM policy named StudioDomainResourceIsolationPolicy-domain-id with the following JSON policy document by completing the steps in Creating IAM policies (console).

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "CreateAPIs",
                "Effect": "Allow",
                "Action": "sagemaker:Create*",
                "NotResource": [
                    "arn:aws:sagemaker:*:*:domain/*",
                    "arn:aws:sagemaker:*:*:user-profile/*",
                    "arn:aws:sagemaker:*:*:space/*"
                ]
            },
            {
                "Sid": "ResourceAccessRequireDomainTag",
                "Effect": "Allow",
                "Action": [
                    "sagemaker:Update*",
                    "sagemaker:Delete*",
                    "sagemaker:Describe*"
                ],
                "Resource": "*",
                "Condition": {
                    "StringEquals": {
                        "aws:ResourceTag/sagemaker:domain-arn": "domain-arn"
                    }
                }
            },
            {
                "Sid": "AllowActionsThatDontSupportTagging",
                "Effect": "Allow",
                "Action": [
                    "sagemaker:DescribeImageVersion",
                    "sagemaker:UpdateImageVersion",
                    "sagemaker:DeleteImageVersion",
                    "sagemaker:DescribeModelCardExportJob",
                    "sagemaker:DescribeAction"
                ],
                "Resource": "*"
            },
            {
                "Sid": "DeleteDefaultApp",
                "Effect": "Allow",
                "Action": "sagemaker:DeleteApp",
                "Resource": "arn:aws:sagemaker:*:*:app/domain-id/*/jupyterserver/default"
            }
        ]
    }
  2. Attach the StudioDomainResourceIsolationPolicy-domain-id policy to the domain's execution role by completing the steps in Modifying a role (console).

AWS CLI

The following section shows how to create a new IAM policy that limits access to resources in the domain to user profiles with the domain tag, as well as how to attach this policy to the execution role of the domain, from the AWS CLI.

Note

This policy only works in domains that use Amazon SageMaker Studio Classic as the default experience.

  1. On your local machine, create a file named StudioDomainResourceIsolationPolicy-domain-id with the following content.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "CreateAPIs",
                "Effect": "Allow",
                "Action": "sagemaker:Create*",
                "NotResource": [
                    "arn:aws:sagemaker:*:*:domain/*",
                    "arn:aws:sagemaker:*:*:user-profile/*",
                    "arn:aws:sagemaker:*:*:space/*"
                ]
            },
            {
                "Sid": "ResourceAccessRequireDomainTag",
                "Effect": "Allow",
                "Action": [
                    "sagemaker:Update*",
                    "sagemaker:Delete*",
                    "sagemaker:Describe*"
                ],
                "Resource": "*",
                "Condition": {
                    "StringEquals": {
                        "aws:ResourceTag/sagemaker:domain-arn": "domain-arn"
                    }
                }
            },
            {
                "Sid": "AllowActionsThatDontSupportTagging",
                "Effect": "Allow",
                "Action": [
                    "sagemaker:DescribeImageVersion",
                    "sagemaker:UpdateImageVersion",
                    "sagemaker:DeleteImageVersion",
                    "sagemaker:DescribeModelCardExportJob",
                    "sagemaker:DescribeAction"
                ],
                "Resource": "*"
            },
            {
                "Sid": "DeleteDefaultApp",
                "Effect": "Allow",
                "Action": "sagemaker:DeleteApp",
                "Resource": "arn:aws:sagemaker:*:*:app/domain-id/*/jupyterserver/default"
            }
        ]
    }
  2. Create a new IAM policy using the StudioDomainResourceIsolationPolicy-domain-id file.

    aws iam create-policy --policy-name StudioDomainResourceIsolationPolicy-domain-id --policy-document file://StudioDomainResourceIsolationPolicy-domain-id
  3. Attach the newly created policy to a new or existing role that is used as the domain's execution role.

    aws iam attach-role-policy --policy-arn arn:aws:iam::account-id:policy/StudioDomainResourceIsolationPolicy-domain-id --role-name domain-execution-role
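As an added example (not code from the SageMaker AI documentation), the following Python builds the policy above with the domain-id and domain-arn placeholders filled in and runs sample calls through a deliberately minimal allow-only evaluator, so you can see which calls the sagemaker:domain-arn tag condition admits before attaching the policy to an execution role. The evaluator is an approximation, not IAM: it handles wildcard Action/Resource/NotResource matching and StringEquals on aws:ResourceTag keys only, and the domain id, account number and ARNs are constructed sample values.

```python
import fnmatch


def build_domain_isolation_policy(domain_id, domain_arn):
    """Return the page's policy document with domain-id / domain-arn substituted."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "CreateAPIs", "Effect": "Allow", "Action": "sagemaker:Create*",
             "NotResource": ["arn:aws:sagemaker:*:*:domain/*",
                             "arn:aws:sagemaker:*:*:user-profile/*",
                             "arn:aws:sagemaker:*:*:space/*"]},
            {"Sid": "ResourceAccessRequireDomainTag", "Effect": "Allow",
             "Action": ["sagemaker:Update*", "sagemaker:Delete*", "sagemaker:Describe*"],
             "Resource": "*",
             "Condition": {"StringEquals": {"aws:ResourceTag/sagemaker:domain-arn": domain_arn}}},
            {"Sid": "AllowActionsThatDontSupportTagging", "Effect": "Allow",
             "Action": ["sagemaker:DescribeImageVersion", "sagemaker:UpdateImageVersion",
                        "sagemaker:DeleteImageVersion", "sagemaker:DescribeModelCardExportJob",
                        "sagemaker:DescribeAction"],
             "Resource": "*"},
            {"Sid": "DeleteDefaultApp", "Effect": "Allow", "Action": "sagemaker:DeleteApp",
             "Resource": f"arn:aws:sagemaker:*:*:app/{domain_id}/*/jupyterserver/default"},
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy, action, resource_arn, resource_tags):
    """Simplified allow-only evaluation (assumption: no Deny statements, no other
    condition operators). A resource lacking the tag key fails StringEquals, which
    is why untaggable resource types such as pipeline-execution get no access here."""
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if "Resource" in stmt and not any(
                fnmatch.fnmatchcase(resource_arn, r) for r in _as_list(stmt["Resource"])):
            continue
        if "NotResource" in stmt and any(
                fnmatch.fnmatchcase(resource_arn, r) for r in _as_list(stmt["NotResource"])):
            continue
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        if all(resource_tags.get(key.split("aws:ResourceTag/", 1)[1]) == want
               for key, want in equals.items()):
            return True
    return False  # implicit deny: no statement matched
```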