Share your feature group catalog
The feature group catalog, DefaultFeatureGroupCatalog, contains all feature group entities owned by the resource owner account. The catalog can be shared by the resource owner account to grant discoverability to a single or multiple resource consumer accounts. This is done by creating a resource share in AWS Resource Access Manager (AWS RAM). A feature group is the main resource in Amazon SageMaker Feature Store and is composed of feature definitions and records that are managed by Feature Store. For more information about feature groups, see Feature Store concepts.
Discoverability means that the resource consumer accounts can search for the discoverable resources. The discoverable resources are viewed as if they were in their own account (excluding tags). When allowing the feature group catalog to be discoverable, the resource consumer accounts by default are not granted access permissions (read-only, read-write, or admin). Access permissions are granted at a resource level and not at the account level. For information about granting access permissions, see Enabling cross account access.
To enable cross-account discoverability, you need to specify the SageMaker AI Resource Catalog and the feature group catalog while following the Create a resource share instructions in the AWS RAM developer guide. The following gives the values to use when following the AWS RAM console instructions.
- Specify resource share details:
  - Resource type: Choose SageMaker AI Resource Catalogs.
  - ARN: Choose the feature group catalog ARN with the format arn:aws:sagemaker:us-east-1:111122223333:sagemaker-catalog/DefaultFeatureGroupCatalog, where us-east-1 is the region of the resource and 111122223333 is the resource owner account ID.
  - Resource ID: Choose DefaultFeatureGroupCatalog.
- Associate managed permissions:
  - Managed permission: Choose AWSRAMPermissionSageMakerCatalogResourceSearch.
- Grant access to principals:
  - Choose the principal type (AWS account, Organization, or Organizational unit) and enter the appropriate ID.
    If you are an organization, you may want to take advantage of AWS Organizations. With Organizations you can share resources with individual AWS accounts, all accounts in your organization, or with an Organizational Unit (OU). This simplifies applying permissions, without having to apply permissions to each account. For more information about sharing your resources and granting permissions within AWS, see Enable resource sharing within AWS Organizations in the AWS Resource Access Manager Developer Guide.
- Review and create:
  - Review, then choose Create resource share.
It may take a few minutes for the associations of the resource share with the principals (the resource consumer accounts) to complete. Once the resource share and principal associations are set, the specified resource consumer accounts receive an invitation to join the resource share. The resource consumer accounts can view and accept the invitations by opening the Shared with me: Resource shares
- If you are part of an organization in AWS Organizations and sharing within your organization is enabled, principals in the organization automatically get access to the shared resources without invitations.
- If you share with the AWS account that owns the resource, the principals in that account automatically get access to the shared resources without invitations.
For more information about accepting and using a resource share, see Search discoverable resources.
Share the feature group catalog using the AWS SDK for Python (Boto3)
You can use the AWS SDK for Python (Boto3) for AWS RAM APIs to create a resource share. The following code is an example for a resource owner account ID 111122223333 within the region us-east-1. The resource owner is creating a resource share named test-cross-account-catalog. They are sharing the feature group catalog with the resource consumer account ID 444455556666. To use the Python SDK for AWS RAM APIs, attach the AWSRAMPermissionSageMakerCatalogResourceSearch policy to the execution role. See AWS RAM APIs.
import boto3

sagemaker_client = boto3.client("sagemaker")

# Call list resource catalogs as a prerequisite for RAM share
sagemaker_client.list_resource_catalogs()

# Share DefaultFeatureGroupCatalog with other account
ram_client = boto3.client("ram")
response = ram_client.create_resource_share(
    name='test-cross-account-catalog',  # Change to your custom resource share name
    resourceArns=[
        'arn:aws:sagemaker:us-east-1:111122223333:sagemaker-catalog/' + 'DefaultFeatureGroupCatalog',  # Change 111122223333 to the resource owner account ID
    ],
    principals=[
        '444455556666',  # Change 444455556666 to the resource consumer account ID
    ],
    permissionArns=["arn:aws:ram::aws:permission/AWSRAMPermissionSageMakerCatalogResourceSearch"],  # AWSRAMPermissionSageMakerCatalogResourceSearch is the only policy allowed for SageMaker Catalog
)
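Before calling create_resource_share, it is worth checking that the request names only the owner's catalog ARN in the format shown above, only the principals you intend to share with, and only the one managed permission allowed for the catalog. The helper below is an added example, not AWS or SageMaker code; the validate_share_request name, the principal patterns and the SAMPLE_REQUEST values are assumptions built from the formats on this page.

```python
import re
# Catalog ARN format shown on this page: arn:aws:sagemaker:<region>:<account>:sagemaker-catalog/<name>
CATALOG_ARN_RE = re.compile(
    r"^arn:aws:sagemaker:(?P<region>[a-z]{2}(-[a-z]+)+-\d):(?P<account>\d{12})"
    r":sagemaker-catalog/(?P<name>[A-Za-z0-9_-]+)$"
)
# Principal formats accepted here (assumption): 12-digit account ID, organization ARN or OU ARN.
PRINCIPAL_RE = re.compile(
    r"^(\d{12}"
    r"|arn:aws:organizations::\d{12}:organization/o-[a-z0-9]+"
    r"|arn:aws:organizations::\d{12}:ou/o-[a-z0-9]+/ou-[a-z0-9]+-[a-z0-9]+)$"
)
# The only RAM managed permission allowed for the SageMaker catalog, per this page.
ALLOWED_PERMISSION = "arn:aws:ram::aws:permission/AWSRAMPermissionSageMakerCatalogResourceSearch"


def validate_share_request(request, owner_account, expected_principals):
    """Return problems found in the kwargs meant for ram_client.create_resource_share.
    Empty list: only the owner's DefaultFeatureGroupCatalog, only expected principals,
    only the search permission. Hypothetical helper, not part of the AWS SDK."""
    problems = []
    for arn in request.get("resourceArns", []):
        m = CATALOG_ARN_RE.match(arn)
        if m is None:
            problems.append(f"malformed catalog ARN: {arn}")
        elif m.group("account") != owner_account:
            problems.append(f"ARN account {m.group('account')} is not the owner {owner_account}")
        elif m.group("name") != "DefaultFeatureGroupCatalog":
            problems.append(f"unexpected catalog name: {m.group('name')}")
    principals = request.get("principals", [])
    if not principals:
        problems.append("no principals listed: the share would grant discoverability to nobody")
    for principal in principals:
        if PRINCIPAL_RE.match(principal) is None:
            problems.append(f"unrecognised principal format: {principal}")
        elif principal not in expected_principals:
            problems.append(f"principal not on the expected list: {principal}")
    # RAM applies a default managed permission when permissionArns is omitted; treat that as the allowed one.
    for perm in request.get("permissionArns", [ALLOWED_PERMISSION]):
        if perm != ALLOWED_PERMISSION:
            problems.append(f"permission not allowed for the SageMaker catalog: {perm}")
    return problems


# Constructed request reusing the sample values from the page's Boto3 example.
SAMPLE_REQUEST = {
    "name": "test-cross-account-catalog",
    "resourceArns": ["arn:aws:sagemaker:us-east-1:111122223333:sagemaker-catalog/DefaultFeatureGroupCatalog"],
    "principals": ["444455556666"],
    "permissionArns": [ALLOWED_PERMISSION],
}
```

Run the check against the kwargs dict and only pass it to ram_client.create_resource_share(**request) when the returned list is empty.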
Principals are actors in a security system. In a resource-based policy, the allowed principals are IAM users, IAM roles, the root account, or another AWS service.