Onboard to Amazon SageMaker Domain using IAM
This topic describes how to onboard to Amazon SageMaker Domain using the standard setup procedure for AWS Identity and Access Management (IAM) authentication from the SageMaker console or the AWS CLI. To onboard faster using IAM, see Onboard using Quick setup.
For information on how to onboard using AWS IAM Identity Center (successor to AWS Single Sign-On), see Onboard using IAM Identity Center.
Onboard using console
To onboard to Domain using IAM
- Open the SageMaker console.
- On the left navigation pane, choose Admin configurations.
- Under Admin configurations, choose Domains.
- From the Domains page, choose Create domain.
- On the Setup SageMaker Domain page, choose Standard setup.
- Select Configure.
Step 1: General settings
- For Domain Name, enter a unique name for your Domain.
- For Authentication, choose AWS Identity and Access Management (IAM).
- Under Permission, for Default execution role, choose an option from the role selector.
  If you choose Enter a custom IAM role ARN, the role must have, at a minimum, an attached trust policy that grants SageMaker permission to assume the role. For more information, see SageMaker Roles.
  If you choose Create a new role, the Create an IAM role dialog box opens:
  - For S3 buckets you specify, specify additional Amazon S3 buckets that users of your notebooks can access. If you don't want to add access to more buckets, choose None.
  - Choose Create role. SageMaker creates a new IAM AmazonSageMaker-ExecutionPolicy role with the AmazonSageMakerFullAccess policy attached.
- For Space default execution role, choose an option from the role selector.
  If you choose Enter a custom IAM role ARN, the role must have, at a minimum, an attached trust policy that grants SageMaker permission to assume the role. For more information, see SageMaker Roles.
  If you choose Create a new role, the Create an IAM role dialog box opens:
  - For S3 buckets you specify, specify additional Amazon S3 buckets that users of your notebooks can access. If you don't want to add access to more buckets, choose None.
  - Choose Create role. SageMaker creates a new IAM AmazonSageMaker-ExecutionPolicy role with the AmazonSageMakerFullAccess policy attached.
- Under Network and storage, specify the following:
  - Your Amazon Virtual Private Cloud (Amazon VPC) information – For more information, see Choose an Amazon VPC.
  - (Optional) Encryption key – SageMaker uses an AWS KMS key to encrypt your Amazon Elastic File System (Amazon EFS) and Amazon Elastic Block Store (Amazon EBS) file systems. By default, it uses an AWS managed key. To use a customer managed key, enter its key ID or Amazon Resource Name (ARN). For more information, see Protect Data at Rest Using Encryption.
    Note
    Encryption in transit is only available for Amazon SageMaker Studio.
- Select Next.
Step 2: Studio settings
- Under Default JupyterLab version, select a JupyterLab version from the dropdown to use as the default for your Domain. For information on selecting a JupyterLab version, see JupyterLab Versioning.
- Under Notebook Sharing Configuration, accept the default notebook sharing configuration or customize the options.
- Under SageMaker Projects and JumpStart, accept the default Project and JumpStart settings or customize whether administrators and users can create projects and use JumpStart. For more information, see SageMaker Studio Permissions Required to Use Projects.
- Select Next.
Step 3: RStudio settings
- Under RStudio Workbench, verify that your RStudio license is automatically detected. For more information about getting an RStudio license and activating it with SageMaker, see RStudio license.
- Select an instance type to launch your RStudio Server on. For more information, see RStudioServerPro instance type.
- Under Permission, create your role or select an existing role. The role must have the following permissions policy. This policy allows the RStudioServerPro app to access necessary resources and allows Amazon SageMaker to automatically launch an RStudioServerPro app when the existing RStudioServerPro app is in a Deleted or Failed status. For information on adding permissions to a role, see Modifying a role permissions policy (console).
  {
      "Version": "2012-10-17",
      "Statement": [
          {
              "Sid": "VisualEditor0",
              "Effect": "Allow",
              "Action": [
                  "license-manager:ExtendLicenseConsumption",
                  "license-manager:ListReceivedLicenses",
                  "license-manager:GetLicense",
                  "license-manager:CheckoutLicense",
                  "license-manager:CheckInLicense",
                  "logs:CreateLogDelivery",
                  "logs:CreateLogGroup",
                  "logs:CreateLogStream",
                  "logs:DeleteLogDelivery",
                  "logs:Describe*",
                  "logs:GetLogDelivery",
                  "logs:GetLogEvents",
                  "logs:ListLogDeliveries",
                  "logs:PutLogEvents",
                  "logs:PutResourcePolicy",
                  "logs:UpdateLogDelivery",
                  "sagemaker:CreateApp"
              ],
              "Resource": "*"
          }
      ]
  }
- Under RStudio Connect, add the URL for your RStudio Connect Server. RStudio Connect is a publishing platform for Shiny applications, R Markdown reports, dashboards, plots, and more. When you onboard to RStudio on Amazon SageMaker, an RStudio Connect server is not created. You must create an RStudio Connect server on an EC2 instance to use Connect with Amazon SageMaker. For more information, see RStudio Connect URL.
- Under RStudio Package Manager, add the URL for your RStudio Package Manager. SageMaker creates a default package repository for the Package Manager when you onboard RStudio. For more information about RStudio Package Manager, see RStudio Package Manager.
- Select Next.
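When you select an existing role for RStudioServerPro rather than creating one, you need to confirm that its permissions policy covers every action in the policy above, and it is worth knowing which grants rely on wildcards before you scope the role. The following is an added example written for this page, not AWS code or part of the SageMaker documentation: it audits a policy document held locally (a dict parsed from JSON), makes no AWS calls, and its function names (`missing_actions`, `wildcard_grants`, `action_matches`) and the comparison policy `INCOMPLETE_POLICY` are this example's own constructions. The policy from the step above is embedded as the reference input.

```python
"""Audit the permissions policy attached to the RStudioServerPro role.

Added example, not AWS code or part of the SageMaker documentation. It works on
a policy document held locally (a dict parsed from JSON), makes no AWS calls,
and its helper names are this example's own. Two checks: does an existing role's
policy cover every action the page's policy grants, and which grants use
wildcards (worth a second look when scoping the role).
"""
import fnmatch
import json

# The permissions policy from the RStudio settings step, embedded here as input.
RSTUDIO_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "license-manager:ExtendLicenseConsumption",
        "license-manager:ListReceivedLicenses",
        "license-manager:GetLicense",
        "license-manager:CheckoutLicense",
        "license-manager:CheckInLicense",
        "logs:CreateLogDelivery",
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:DeleteLogDelivery",
        "logs:Describe*",
        "logs:GetLogDelivery",
        "logs:GetLogEvents",
        "logs:ListLogDeliveries",
        "logs:PutLogEvents",
        "logs:PutResourcePolicy",
        "logs:UpdateLogDelivery",
        "sagemaker:CreateApp"
      ],
      "Resource": "*"
    }
  ]
}
""")

# Every action the page's policy grants; an existing role must cover all of them.
REQUIRED_ACTIONS = RSTUDIO_POLICY["Statement"][0]["Action"]

# Constructed for comparison: a role whose policy stops short of what RStudio needs.
INCOMPLETE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["logs:*", "license-manager:*"], "Resource": "*"},
        {"Effect": "Deny", "Action": "logs:PutResourcePolicy", "Resource": "*"},
    ],
}


def _as_list(value):
    """IAM accepts either a string or a list for Statement, Action and Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def action_matches(pattern, action):
    """IAM action names are case-insensitive; '*' and '?' are wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def missing_actions(policy, required):
    """Return the required actions that no Allow statement grants.

    A required action hit by a Deny statement also counts as missing, because an
    explicit Deny overrides any Allow in IAM policy evaluation. Only the Action
    element is evaluated; NotAction and Condition are out of scope here.
    """
    allowed, denied = set(), set()
    for stmt in _as_list(policy.get("Statement")):
        patterns = _as_list(stmt.get("Action"))
        hit = {a for a in required if any(action_matches(p, a) for p in patterns)}
        if stmt.get("Effect") == "Allow":
            allowed |= hit
        elif stmt.get("Effect") == "Deny":
            denied |= hit
    return sorted(set(required) - (allowed - denied))


def wildcard_grants(policy):
    """Return (wildcard action patterns, Sids of Allow statements on Resource "*")."""
    wildcard_actions, all_resources = [], []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        wildcard_actions += [a for a in _as_list(stmt.get("Action")) if "*" in a]
        if "*" in _as_list(stmt.get("Resource")):
            all_resources.append(stmt.get("Sid", "<no Sid>"))
    return wildcard_actions, all_resources


if __name__ == "__main__":
    print("missing from page policy:", missing_actions(RSTUDIO_POLICY, REQUIRED_ACTIONS))
    print("missing from incomplete policy:", missing_actions(INCOMPLETE_POLICY, REQUIRED_ACTIONS))
    print("wildcards in page policy:", wildcard_grants(RSTUDIO_POLICY))
```

Run against the page's own policy, `missing_actions` returns an empty list and `wildcard_grants` reports the single `logs:Describe*` pattern plus the `VisualEditor0` statement that applies to every resource. Against the constructed incomplete policy it reports `sagemaker:CreateApp` (never granted) and `logs:PutResourcePolicy` (granted by `logs:*` but taken back by the Deny), which is exactly the kind of gap that would stop SageMaker from relaunching a Deleted or Failed RStudioServerPro app.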
Step 4: SageMaker Canvas settings
- For the Canvas base permissions configuration, leave the Enable Canvas base permissions option turned on (it is turned on by default). This establishes the minimum required permissions to use the SageMaker Canvas app.
- (Optional) For the Time series forecasting configuration, leave the Enable time series forecasting option turned on to give your users permissions to do time series forecasting in SageMaker Canvas (it is turned on by default).
- (Optional) If you left Enable time series forecasting turned on, select Create and use a new execution role, or select Use an existing execution role if you already have an IAM role with the required Amazon Forecast permissions attached (for more information, see the IAM role setup method). Use the default IAM role suffix or provide a custom suffix for the role.
- For Local file upload configuration, select Enable local file upload to enable users to upload local files into their SageMaker Canvas application (it's already checked by default).
- Choose Submit.
Onboard using the AWS CLI
Use the following commands to onboard to a Domain with IAM authentication from the AWS CLI. Replace the placeholders in angle brackets with your own values.
- Create an execution role that is used to create a Domain and attach the AmazonSageMakerFullAccess policy. The role must have, at a minimum, an attached trust policy that grants SageMaker permission to assume the role; aws iam create-role requires that trust policy as the --assume-role-policy-document argument. You can also use an existing role that meets this requirement. For more information, see SageMaker Roles.
  aws iam create-role --role-name <execution-role-name> \
      --assume-role-policy-document '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":"sagemaker.amazonaws.com"},"Action":"sts:AssumeRole"}]}'
  aws iam attach-role-policy --role-name <execution-role-name> \
      --policy-arn arn:aws:iam::aws:policy/AmazonSageMakerFullAccess
- Get the default Amazon Virtual Private Cloud (Amazon VPC) of your account.
  aws --region <region> ec2 describe-vpcs --filters Name=isDefault,Values=true \
      --query "Vpcs[0].VpcId" --output text
- Get the list of subnets in the default Amazon VPC.
  aws --region <region> ec2 describe-subnets --filters Name=vpc-id,Values=<default-vpc-id> \
      --query "Subnets[*].SubnetId" --output json
- Create a Domain by passing the default Amazon VPC ID, subnets, and execution role ARN. You must also pass a SageMaker image ARN. For information on the available JupyterLab version ARNs, see Setting a default JupyterLab version.
  aws --region <region> sagemaker create-domain --domain-name <domain-name> \
      --vpc-id <default-vpc-id> \
      --subnet-ids <subnet-ids> \
      --auth-mode IAM \
      --default-user-settings "ExecutionRole=arn:aws:iam::<account-number>:role/<execution-role-name>,JupyterServerAppSettings={DefaultResourceSpec={InstanceType=system,SageMakerImageArn=<image-arn>}}" \
      --query DomainArn --output text
- Verify that the Domain has been created.
  aws --region <region> sagemaker list-domains
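The first CLI step, like the console steps for a custom role ARN, hinges on one condition: the execution role's trust policy must let SageMaker assume it. Before reusing an existing role, it is worth checking that document rather than finding out when create-domain fails or, worse, discovering the trust policy is wider than the SageMaker service principal. The following is an added example written for this page, not AWS code or part of the SageMaker documentation: it evaluates a trust-policy document held locally (a dict parsed from JSON) and makes no AWS calls; the function names (`sagemaker_can_assume`, `open_to_any_principal`, `minimal_sagemaker_trust_policy`, `trust_policy_cli_argument`) and the comparison policy `LAMBDA_ONLY_TRUST` are this example's own constructions.

```python
"""Check whether an IAM trust policy lets SageMaker assume a role.

Added example, not AWS code or part of the SageMaker documentation. It evaluates
a trust-policy document held locally (a dict parsed from JSON), makes no AWS
calls, and its helper names are this example's own. It also emits the minimal
trust policy as the single-line JSON that create-role accepts.
"""
import fnmatch
import json

SAGEMAKER_SERVICE = "sagemaker.amazonaws.com"

# Constructed for comparison: a role trusted only by Lambda, which SageMaker cannot assume.
LAMBDA_ONLY_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"Service": "lambda.amazonaws.com"},
                   "Action": "sts:AssumeRole"}],
}


def minimal_sagemaker_trust_policy():
    """The minimum the page asks for: the SageMaker service may assume the role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow",
                       "Principal": {"Service": SAGEMAKER_SERVICE},
                       "Action": "sts:AssumeRole"}],
    }


def _as_list(value):
    """IAM accepts either a string or a list for Statement, Action and Principal members."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_services(principal):
    """Service principals a statement names; "*" stands for any principal at all."""
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        services = _as_list(principal.get("Service"))
        if "*" in _as_list(principal.get("AWS")):
            services.append("*")
        return services
    return []


def _grants_assume(stmt):
    """True when the statement's Action covers sts:AssumeRole (wildcards included)."""
    actions = [a.lower() for a in _as_list(stmt.get("Action"))]
    return any(fnmatch.fnmatchcase("sts:assumerole", a) for a in actions)


def sagemaker_can_assume(trust_policy):
    """True when an Allow statement lets sagemaker.amazonaws.com call sts:AssumeRole
    and no Deny statement takes it away (an explicit Deny wins in IAM evaluation).
    Conditions and NotPrincipal are out of scope for this check."""
    allowed = denied = False
    for stmt in _as_list(trust_policy.get("Statement")):
        if not _grants_assume(stmt):
            continue
        services = _principal_services(stmt.get("Principal"))
        if not any(s in (SAGEMAKER_SERVICE, "*") for s in services):
            continue
        if stmt.get("Effect") == "Allow":
            allowed = True
        elif stmt.get("Effect") == "Deny":
            denied = True
    return allowed and not denied


def open_to_any_principal(trust_policy):
    """True when an Allow statement lets any principal ("*") assume the role,
    which is far wider than the SageMaker service principal the page asks for."""
    for stmt in _as_list(trust_policy.get("Statement")):
        if (stmt.get("Effect") == "Allow" and _grants_assume(stmt)
                and "*" in _principal_services(stmt.get("Principal"))):
            return True
    return False


def trust_policy_cli_argument(trust_policy):
    """Compact JSON for aws iam create-role --assume-role-policy-document."""
    return json.dumps(trust_policy, separators=(",", ":"))


if __name__ == "__main__":
    print(trust_policy_cli_argument(minimal_sagemaker_trust_policy()))
    print("lambda-only role usable by SageMaker:", sagemaker_can_assume(LAMBDA_ONLY_TRUST))
```

`sagemaker_can_assume` passes for the minimal policy and fails for the Lambda-only one; a policy whose Principal is `"*"` passes the first check but is flagged by `open_to_any_principal`, and a Deny on `sts:*` for the SageMaker principal makes the check fail even when an Allow is present, matching the way IAM resolves the two.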
For information about using Amazon SageMaker Studio, see SageMaker Studio.
For information about using RStudio, see RStudio on Amazon SageMaker.