IAM Identity Center Groups in a domain - Amazon SageMaker

IAM Identity Center Groups in a domain

If you use Amazon IAM Identity Center authentication for your Amazon SageMaker domain, you can add and edit group and user access to a domain. For more information about IAM Identity Center authentication, see What is IAM Identity Center?. The following topics show how to manage IAM Identity Center users and groups that have access to a domain.

View groups and users

Complete the following procedure to view a list of IAM Identity Center groups and users from the Amazon SageMaker console.

  1. Open the Amazon SageMaker console at https://console.amazonaws.cn/sagemaker/.

  2. On the left navigation pane, choose Admin configurations.

  3. Under Admin configurations, choose domains.

  4. From the list of domains, select the domain that you want to open the domain settings page for.

  5. On the domain details page, choose the Groups tab.

Add groups and users

The following sections show how to add groups and users to a domain from the SageMaker console or Amazon CLI.

Note

If the domain was created before October 1st, 2023, you can only add groups and users to the domain from the SageMaker console.

SageMaker console

Complete the following procedure to add groups and users to your domain from the SageMaker console.

  1. On the Groups tab, choose Assign users and groups.

  2. On the Assign users and groups page, select the users and groups that you want to add.

  3. Choose Assign users and groups.

Amazon CLI

Complete the following procedure to add groups and users to your domain from the Amazon CLI.

  1. Fetch the SingleSignOnApplicationArn of the domain with a call to describe-domain. SingleSignOnApplicationArn is the ARN of the application managed in IAM Identity Center.

    aws sagemaker describe-domain \
        --region region \
        --domain-id domain-id

  2. Associate the user or group with the domain. To accomplish this, pass the SingleSignOnApplicationArn value returned from the describe-domain command as the application-arn parameter in a call to create-application-assignment. You must also pass the type and ID of the entity to associate.

    aws sso-admin create-application-assignment \
        --application-arn application-arn \
        --principal-id principal-id \
        --principal-type principal-type
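
The two CLI steps above combined into one script, as an added example that is not part of the AWS documentation: it stops if describe-domain returns no SingleSignOnApplicationArn, accepts only USER or GROUP as the principal type, and reads the assignment back with list-application-assignments. The function names are hypothetical, and the sso-admin calls assume the CLI's configured default Region is the one that hosts IAM Identity Center.

```bash
#!/usr/bin/env bash
# Added example, not from the AWS page. Caller supplies region, domain ID,
# principal type and principal ID. The sso-admin calls use the CLI's
# configured default Region, as the page's own command does.

# Print the domain's SingleSignOnApplicationArn; fail if the domain has none.
get_sso_app_arn() {
  local region="$1" domain_id="$2" arn
  arn=$(aws sagemaker describe-domain \
          --region "$region" \
          --domain-id "$domain_id" \
          --query 'SingleSignOnApplicationArn' \
          --output text) || return 1
  # With --output text the CLI prints "None" for a field missing from the response.
  if [ -z "$arn" ] || [ "$arn" = "None" ]; then
    echo "domain $domain_id returned no SingleSignOnApplicationArn" >&2
    return 2
  fi
  printf '%s\n' "$arn"
}

# Assign one user or group to the domain, then read the assignment back.
assign_principal() {
  local region="$1" domain_id="$2" ptype="$3" pid="$4" arn rows want
  case "$ptype" in
    USER|GROUP) ;;
    *) echo "principal-type must be USER or GROUP" >&2; return 3 ;;
  esac
  arn=$(get_sso_app_arn "$region" "$domain_id") || return $?
  aws sso-admin create-application-assignment \
    --application-arn "$arn" \
    --principal-id "$pid" \
    --principal-type "$ptype" || return 1
  # One "TYPE<TAB>ID" row per assignment; match the whole row as a fixed string.
  rows=$(aws sso-admin list-application-assignments \
           --application-arn "$arn" \
           --query 'ApplicationAssignments[].[PrincipalType,PrincipalId]' \
           --output text) || return 1
  want=$(printf '%s\t%s' "$ptype" "$pid")
  printf '%s\n' "$rows" | grep -Fqx -- "$want"
}

# Usage (placeholders): assign_principal <region> <domain-id> GROUP <principal-id>
```

The same list-application-assignments output, run on its own, gives a reviewable list of every user and group currently assigned to the domain's application.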

Remove groups

Complete the following procedure to remove groups from your domain from the SageMaker console. For information about deleting a user, see Remove user profiles.

  1. On the Groups tab, choose the group that you want to remove.

  2. Choose Unassign groups.

  3. On the pop-up window, choose Yes, unassign groups.

  4. Enter unassign in the field.

  5. Choose Unassign groups.