Onboard to Amazon SageMaker Domain Using IAM - Amazon SageMaker
Onboard Using consoleOnboard Using the AWS CLI

Onboard to Amazon SageMaker Domain Using IAM

This topic describes how to onboard to Amazon SageMaker Domain using the standard setup procedure for AWS Identity and Access Management (IAM) authentication from the SageMaker console or the AWS CLI. To onboard faster using IAM, see Onboard Using Quick setup.

For information on how to onboard using AWS IAM Identity Center (successor to AWS Single Sign-On) (IAM Identity Center), see Onboard Using IAM Identity Center.

Onboard Using console

To onboard to Domain using IAM

  1. Open the SageMaker console.

  2. Choose Domains at the top left of the page.

  3. From the Domains page, choose Create domain.

  4. On the Setup SageMaker Domain page, choose Standard setup.

  5. Select Configure.

Step 1: General settings

  1. For Domain Name, enter a unique name for your Domain.

  2. For Authentication, choose AWS Identity and Access Management (IAM).

  3. Under Permission, for Default execution role, choose an option from the role selector.

    If you choose Enter a custom IAM role ARN, the role must have at a minimum, an attached trust policy that grants SageMaker permission to assume the role. For more information, see SageMaker Roles.

    If you choose Create a new role, the Create an IAM role dialog opens:

    1. For S3 buckets you specify, specify additional Amazon S3 buckets that users of your notebooks can access. If you don't want to add access to more buckets, choose None.

    2. Choose Create role. SageMaker creates a new IAM AmazonSageMaker-ExecutionPolicy role with the AmazonSageMakerFullAccess policy attached.

  4. For Space default execution role, choose an option from the role selector.

    If you choose Enter a custom IAM role ARN, the role must have at a minimum, an attached trust policy that grants SageMaker permission to assume the role. For more information, see SageMaker Roles.

    If you choose Create a new role, the Create an IAM role dialog opens:

    1. For S3 buckets you specify, specify additional Amazon S3 buckets that users of your notebooks can access. If you don't want to add access to more buckets, choose None.

    2. Choose Create role. SageMaker creates a new IAM AmazonSageMaker-ExecutionPolicy role with the AmazonSageMakerFullAccess policy attached.

  5. Under Network and storage, specify the following:

    • Your Amazon Virtual Private Cloud (Amazon VPC) information – For more information, see Choose an Amazon VPC.

    • (Optional) Encryption key – SageMaker uses an AWS KMS key to encrypt your Amazon Elastic File System (Amazon EFS) and Amazon Elastic Block Store (Amazon EBS) file systems. By default, it uses an AWS managed key. To use a customer managed key, enter its key ID or Amazon Resource Name (ARN). For more information, see Protect Data at Rest Using Encryption.

      Note

      Encryption in transit is only available for Amazon SageMaker Studio.

  6. Select Next.

Step 2: Studio settings

  1. Under Default JupyterLab version, select a JupyterLab version from the dropdown to use as the default for your Domain. For information on selecting a JupyterLab version, see JupyterLab Versioning.

  2. Under Notebook Sharing Configuration, accept the default notebook sharing configuration or customize the options.

  3. Under SageMaker Projects and JumpStart, accept the default Project and JumpStart settings or customize whether administrators and user can create projects and use Jumpstart. For more information, see SageMaker Studio Permissions Required to Use Projects.

  4. Select Next.

Step 3: RStudio settings

  1. Under RStudio Workbench, verify that your RStudio license is automatically detected. For more information about getting an RStudio license and activating it with SageMaker, see RStudio license.

  2. Select an instance type to launch your RStudio Server on. For more information, see RStudioServerPro instance type.

  3. Under Permission, create your role or select an existing role. The role must have the following permissions policy. This policy allows the RStudioServerPro app to access necessary resources and allows Amazon SageMaker to automatically launch an RStudioServerPro app when the existing RStudioServerPro app is in a Deleted or Failed status. For information on adding permissions to a role, see Modifying a role permissions policy (console).

    {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "license-manager:ExtendLicenseConsumption",
                "license-manager:ListReceivedLicenses",
                "license-manager:GetLicense",
                "license-manager:CheckoutLicense",
                "license-manager:CheckInLicense",
                "logs:CreateLogDelivery",
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:DeleteLogDelivery",
                "logs:Describe*",
                "logs:GetLogDelivery",
                "logs:GetLogEvents",
                "logs:ListLogDeliveries",
                "logs:PutLogEvents",
                "logs:PutResourcePolicy",
                "logs:UpdateLogDelivery",
                "sagemaker:CreateApp"
            ],
            "Resource": "*"
        }
    ]
}

  4. Under RStudio Connect, add the URL for your RStudio Connect Server. RStudio Connect is a publishing platform for Shiny applications, R Markdown reports, dashboards, plots, and more. When you onboard to RStudio on Amazon SageMaker, an RStudio Connect server is not created. You must create an RStudio Connect server on an EC2 instance to use Connect with Amazon SageMaker. For more information, see RStudio Connect URL.

  5. Under RStudio Package Manager, add the URL for your RStudio Package Manager. SageMaker creates a default package repository for the Package Manager when you onboard RStudio. For more information about RStudio Package Manager, see RStudio Package Manager.

  6. Select Next.

Step 4: SageMaker Canvas settings

  1. For the Canvas base permissions configuration, leave the Enable Canvas base permissions option turned on (it is turned on by default). This establishes the minimum required permissions to use the SageMaker Canvas app.

  2. (Optional) For the Time series forecasting configuration, leave the Enable time series forecasting option turned on to give your users permissions to do time series forecasting in SageMaker Canvas (it is turned on by default).

  3. (Optional) If you left Enable time series forecasting turned on, select Create and use a new execution role, or select Use an existing execution role if you already have an IAM role with the required Amazon Forecast permissions attached (for more information, see the IAM role setup method).

  4. Use the default IAM role suffix or provide a custom suffix for the role.

  5. For Local file upload configuration, select Enable local file upload to enable users to upload local files into their SageMaker Canvas application (it's already checked by default).

  6. Choose Submit.

Onboard Using the AWS CLI

Use the following commands to onboard to a Domain using authentication using IAM from the AWS CLI.

  1. Create an execution role that is used to create a Domain and attach the AmazonSageMakerFullAccess policy. You can also use an existing role that has, at a minimum, an attached trust policy that grants SageMaker permission to assume the role. For more information, see SageMaker Roles.

    aws iam create-role --role-name execution-role-name
aws iam attach-role-policy --role-name execution-role-name --policy-arn arn:aws:iam::aws:policy/AmazonSageMakerFullAccess

  2. Get the default Amazon Virtual Private Cloud (Amazon VPC) of your account.

    aws --region region ec2 describe-vpcs --filters Name=isDefault,Values=true --query "Vpcs[0].VpcId" --output text

  3. Get the list of subnets in the default Amazon VPC.

    aws --region region ec2 describe-subnets --filters Name=vpc-id,Values=default-vpc-id --query "Subnets[*].SubnetId" --output json

  4. Create a Domain by passing the default Amazon VPC ID, subnets, and execution role ARN. You must also pass a SageMaker image ARN. For information on the available JupyterLab version ARNs, see Setting a default JupyterLab version.

    aws --region region sagemaker create-domain --domain-name domain-name --vpc-id default-vpc-id --subnet-ids subnet-ids --auth-mode IAM --default-user-settings "ExecutionRole=arn:aws:iam::account-number:role/execution-role-name,JupyterServerAppSettings={DefaultResourceSpec={InstanceType=system,SageMakerImageArn=image-arn}}" \ --query DomainArn --output text

  5. Verify that the Domain has been created.

    aws --region region sagemaker  list-domains

For information about using Amazon SageMaker Studio, see SageMaker Studio.

For information about using RStudio, see RStudio on Amazon SageMaker.