IAM Identity Center Groups in a domain
If you use Amazon IAM Identity Center authentication for your Amazon SageMaker domain, you can add and edit group and user access to a domain. For more information about IAM Identity Center authentication, see What is IAM Identity Center?. The following topics show how to manage IAM Identity Center users and groups that have access to a domain.
View groups and users
Complete the following procedure to view a list of IAM Identity Center groups and users from the Amazon SageMaker console.
-
Open the Amazon SageMaker console at https://console.amazonaws.cn/sagemaker/
. -
On the left navigation pane, choose Admin configurations.
-
Under Admin configurations, choose domains.
-
From the list of domains, select the domain that you want to open the domain settings page for.
-
On the domain details page, choose the Groups tab.
Add groups and users
The following sections show how to add groups and users to a domain from the SageMaker console or Amazon CLI.
Note
If the domain was created before October 1st, 2023, you can only add groups and users to the domain from the SageMaker console.
SageMaker console
Complete the following procedure to add groups and users to your domain from the SageMaker console.
-
On the Groups tab, choose Assign users and groups.
-
On the Assign users and groups page, select the users and groups that you want to add.
-
Choose Assign users and groups.
Amazon CLI
Complete the following procedure to add groups and users to your domain from the Amazon CLI.
-
Fetch the
SingleSignOnApplicationArn
of the domain with a call to describe-domain. SingleSignOnApplicationArn
is the ARN of the application managed in IAM Identity Center.aws sagemaker describe-domain \ --region
region
\ --domain-iddomain-id
-
Associate the user or group with the domain. To accomplish this, pass the
SingleSignOnApplicationArn
value returned from the describe-domaincommand as the application-arn
parameter in a call to create-application-assignment.You must also pass the type and ID of the entity to associate. aws sso-admin create-application-assignment \ --application-arn
application-arn
\ --principal-idprincipal-id
\ --principal-typeprincipal-type
Remove groups
Complete the following procedure to remove groups from your domain from the SageMaker console. For information about deleting a user, see Remove user profiles.
-
On the Groups tab, choose the group that you want to remove.
-
Choose Unassign groups.
-
On the pop-up window, choose Yes, unassign groups.
-
Enter unassign in the field.
-
Choose Unassign groups.