Multiple domains overview
Important
Custom IAM policies that allow Amazon SageMaker Studio or Amazon SageMaker Studio Classic to create Amazon SageMaker resources must also grant permissions to add tags to those resources. The permission to add tags to resources is required because Studio and Studio Classic automatically tag any resources they create. If an IAM policy allows Studio and Studio Classic to create resources but does not allow tagging, "AccessDenied" errors can occur when trying to create resources. For more information, see Provide Permissions for Tagging SageMaker Resources.
Amazon Managed Policies for Amazon SageMaker that give permissions to create SageMaker resources already include permissions to add tags while creating those resources.
Amazon SageMaker supports the creation of multiple Amazon SageMaker domains in a single Amazon Web Services Region for each account. Additional domains in a Region have the same features and capabilities as the first domain in a Region. Each domain can have distinct domain settings. The same user profile cannot be added to multiple domains in a single Region within the same account. For more information about domain limits, see Amazon SageMaker endpoints and quotas.
Automatic tag propagation
By default, any SageMaker resources that support tagging and are created from within the Studio Classic UI after 11/30/2022 are automatically tagged with a domain ARN tag. The domain ARN tag is based on the domain ID of the domain that the resource is created in. The following list describes the only SageMaker resources that do not support automatic tag propagation, as well as the impacted API calls where the tag is not returned because it was not automatically set.
You can also use these tags for cost allocation using Amazon Billing and Cost Management. For more information, see Using Amazon cost allocation tags.
Note
All SageMaker List APIs do not support tag-based resource isolation.
The default app, which manages the Studio UI, is not automatically
tagged.
| SageMaker resource | Affected API calls |
| ImageVersionArn | |
| ModelCardExportJobArn | describe-model-card-export-job |
| ModelPackageArn | describe-model-package |
Domain resource display filtering
By default, SageMaker filters resources displayed within Studio Classic at the domain level. SageMaker
implements resource filtration in Studio Classic using the sagemaker:domain-arn tag
attached to SageMaker resources.
Note
This only applies to the Studio Classic UI. SageMaker does not support resource filtering using the Amazon CLI by default.
Using this resource filtration, SageMaker only displays SageMaker resources created in the domain,
as well as SageMaker resources that do not have a sagemaker:domain-arn tag associated
to them. These untagged resources are either created outside the context of a domain or were
created before 11/30/2022. You can add a tag to these untagged resources for better filtration
by following the steps in Backfilling domain tags. Resources created in other domains are
automatically filtered out.
All resources created in shared spaces are automatically filtered to that space.
Backfilling domain tags
If you have created resources in a domain before 11/30/2022, those resources are not automatically tagged with the domain Amazon Resource Name (ARN) tag.
To accurately attribute resources to their respective domain, you must add the domain tag to existing resources using the Amazon CLI, as follows.
-
Map all existing SageMaker resources and their respective ARNs to the domains that exist in your account.
-
Run the following command from your local machine to tag the resource with the ARN of the resource's respective domain. This must be repeated for every SageMaker resource in your account.
aws resourcegroupstaggingapi tag-resources \ --resource-arn-list arn:aws:sagemaker:region:account-id:space/domain-id/space-name\ --tags sagemaker:domain-arn=arn:aws:sagemaker:region:account-id:domain/domain-id