Domain resource isolation

Important

Custom IAM policies that allow Amazon SageMaker Studio or Amazon SageMaker Studio Classic to create Amazon SageMaker resources must also grant permissions to add tags to those resources. The permission to add tags to resources is required because Studio and Studio Classic automatically tag any resources they create. If an IAM policy allows Studio and Studio Classic to create resources but does not allow tagging, "AccessDenied" errors can occur when trying to create resources. For more information, see Provide Permissions for Tagging SageMaker Resources.

Amazon Managed Policies for Amazon SageMaker that give permissions to create SageMaker resources already include permissions to add tags while creating those resources.

You can isolate resources between each of the domains in your account and Region using an Amazon Identity and Access Management policy. With resource isolation, SageMaker resources, such as models, experiments, training jobs, and pipelines created in one domain, cannot be accessed from other domains . The following topic shows how to create a new IAM policy that limits access to resources in the domain to user profiles with the domain tag, as well as how to attach this policy to the IAM execution role of the domain. You must repeat this process for each domain in your account. For more information about domain tags and backfilling these tags, see Multiple domains overview.

Console

The following section shows how to create a new IAM policy that limits access to resources in the domain to user profiles with the domain tag, as well as how to attach this policy to the IAM execution role of the domain, from the Amazon SageMaker console.

Note

This policy only works in domains that use Amazon SageMaker Studio Classic as the default experience.

Create an IAM policy named StudioDomainResourceIsolationPolicy-domain-id with the following JSON policy document by completing the steps in Creating IAM policies (console).


{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CreateAPIs",
            "Effect": "Allow",
            "Action": "sagemaker:Create*",
            "NotResource": [
                "arn:aws:sagemaker:*:*:domain/*",
                "arn:aws:sagemaker:*:*:user-profile/*",
                "arn:aws:sagemaker:*:*:space/*"
            ]
        },
        {
            "Sid": "ResourceAccessRequireDomainTag",
            "Effect": "Allow",
            "Action": [
                "sagemaker:Update*",
                "sagemaker:Delete*",
                "sagemaker:Describe*"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/sagemaker:domain-arn": "domain-arn"
                }
            }
        },
        {
            "Sid": "AllowActionsThatDontSupportTagging",
            "Effect": "Allow",
            "Action": [
                "sagemaker:DescribeImageVersion",
                "sagemaker:UpdateImageVersion",
                "sagemaker:DeleteImageVersion",
                "sagemaker:DescribeModelCardExportJob",
                "sagemaker:DescribeAction"
            ],
            "Resource": "*"
        },
        {
            "Sid": "DeleteDefaultApp",
            "Effect": "Allow",
            "Action": "sagemaker:DeleteApp",
            "Resource": "arn:aws:sagemaker:*:*:app/domain-id/*/jupyterserver/default"
        }
    ]
}

Attach the StudioDomainResourceIsolationPolicy-domain-id policy to the domain's execution role by completing the steps in Modifying a role (console).

Amazon CLI

Note

This policy only works in domains that use Amazon SageMaker Studio Classic as the default experience.

Create a file named StudioDomainResourceIsolationPolicy-domain-id with the following content from your local machine.


{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CreateAPIs",
            "Effect": "Allow",
            "Action": "sagemaker:Create*",
            "NotResource": [
                "arn:aws:sagemaker:*:*:domain/*",
                "arn:aws:sagemaker:*:*:user-profile/*",
                "arn:aws:sagemaker:*:*:space/*"
            ]
        },
        {
            "Sid": "ResourceAccessRequireDomainTag",
            "Effect": "Allow",
            "Action": [
                "sagemaker:Update*",
                "sagemaker:Delete*",
                "sagemaker:Describe*"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/sagemaker:domain-arn": "domain-arn"
                }
            }
        },
        {
            "Sid": "AllowActionsThatDontSupportTagging",
            "Effect": "Allow",
            "Action": [
                "sagemaker:DescribeImageVersion",
                "sagemaker:UpdateImageVersion",
                "sagemaker:DeleteImageVersion",
                "sagemaker:DescribeModelCardExportJob",
                "sagemaker:DescribeAction"
            ],
            "Resource": "*"
        },
        {
            "Sid": "DeleteDefaultApp",
            "Effect": "Allow",
            "Action": "sagemaker:DeleteApp",
            "Resource": "arn:aws:sagemaker:*:*:app/domain-id/*/jupyterserver/default"
        }
    ]
}

Create a new IAM policy using the StudioDomainResourceIsolationPolicy-domain-id file.


aws iam create-policy --policy-name StudioDomainResourceIsolationPolicy-domain-id --policy-document file://StudioDomainResourceIsolationPolicy-domain-id

Attach the newly created policy to a new or existing role that is used as the domain's execution role.


aws iam attach-role-policy --policy-arn arn:aws:iam:account-id:policy/StudioDomainResourceIsolationPolicy-domain-id --role-name domain-execution-role

Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Multiple domains overview

Setting defaults for a domain