Setting Up - Amazon SageMaker
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Setting Up

Before you begin using SageMaker Edge Manager to manage models on your device fleets, you must first create IAM roles for both SageMaker and Amazon IoT. You will also want to create at least one Amazon S3 bucket to store your pre-trained model, the output of your SageMaker Neo compilation job, and input data from your edge devices.

Sign up for an Amazon Web Services account

If you do not have an Amazon Web Services account, use the following procedure to create one.

To sign up for Amazon Web Services
  1. Open http://www.amazonaws.cn/ and choose Sign Up.

  2. Follow the on-screen instructions.

Amazon sends you a confirmation email after the sign-up process is complete. At any time, you can view your current account activity and manage your account by going to http://www.amazonaws.cn/ and choosing My Account.

Secure IAM users

After you sign up for an Amazon Web Services account, safeguard your administrative user by turning on multi-factor authentication (MFA). For instructions, see Enable a virtual MFA device for an IAM user (console) in the IAM User Guide.

To give other users access to your Amazon Web Services account resources, create IAM users. To secure your IAM users, turn on MFA and only give the IAM users the permissions needed to perform their tasks.

For more information about creating and securing IAM users, see the following topics in the IAM User Guide:

Create roles and storage

SageMaker Edge Manager needs access to your Amazon S3 bucket URI. To facilitate this, create an IAM role that can run SageMaker and has permission to access Amazon S3. Using this role, SageMaker can run under your account and access your Amazon S3 bucket.

You can create an IAM role by using the IAM console, Amazon SDK for Python (Boto3), or Amazon CLI. The following is an example of how to create an IAM role, attach the necessary policies with the IAM console, and create an Amazon S3 bucket.

  1. Create an IAM role for Amazon SageMaker.

    1. Sign in to the Amazon Web Services Management Console and open the IAM console at https://console.amazonaws.cn/iam/.

    2. In the navigation pane of the IAM console, choose Roles, and then choose Create role.

    3. For Select type of trusted entity, choose Amazon service.

    4. Choose the service that you want to allow to assume this role. In this case, choose SageMaker. Then choose Next: Permissions.

      • This automatically creates an IAM policy that grants access to related services such as Amazon S3, Amazon ECR, and CloudWatch Logs.

    5. Choose Next: Tags.

    6. (Optional) Add metadata to the role by attaching tags as key–value pairs. For more information about using tags in IAM, see Tagging IAM resources.

    7. Choose Next: Review.

    8. Type in a Role name.

    9. If possible, type a role name or role name suffix. Role names must be unique within your Amazon account. They are not distinguished by case. For example, you cannot create roles named both PRODROLE and prodrole. Because other Amazon resources might reference the role, you cannot edit the name of the role after it has been created.

    10. (Optional) For Role description, type a description for the new role.

    11. Review the role and then choose Create role.

      Note the SageMaker Role ARN, which you use to create a compilation job with SageMaker Neo and a packaging job with Edge Manager. To find out the role ARN using the console, do the following:

      1. Go to the IAM console: https://console.amazonaws.cn/iam/

      2. Select Roles.

      3. Search for the role you just created by typing in the name of the role in the search field.

      4. Select the role.

      5. The role ARN is at the top of the Summary page.

  2. Create an IAM role for Amazon IoT.

    The Amazon IoT IAM role you create is used to authorize your thing objects. You also use the IAM role ARN to create and register device fleets with a SageMaker client object.

    Configure an IAM role in your Amazon account for the credentials provider to assume on behalf of the devices in your device fleet. Then, attach a policy to authorize your devices to interact with Amazon IoT services.

    Create a role for Amazon IoT either programmatically or with the IAM console, similar to what you did when you created a role for SageMaker.

    1. Sign in to the Amazon Web Services Management Console and open the IAM console at https://console.amazonaws.cn/iam/.

    2. In the navigation pane of the IAM console, choose Roles, and then choose Create role.

    3. For Select type of trusted entity, choose Amazon service.

    4. Choose the service that you want to allow to assume this role. In this case, choose IoT. Select IoT as the Use Case.

    5. Choose Next: Permissions.

    6. Choose Next: Tags.

    7. (Optional) Add metadata to the role by attaching tags as key–value pairs. For more information about using tags in IAM, see Tagging IAM resources.

    8. Choose Next: Review.

    9. Type in a Role name. The role name must start with SageMaker.

    10. (Optional) For Role description, type a description for the new role.

    11. Review the role and then choose Create role.

    12. Once the role is created, choose Roles in the IAM console. Search for the role you created by typing the role name in the Search field.

    13. Choose your role.

    14. Next, choose Attach Policies.

    15. Search for AmazonSageMakerEdgeDeviceFleetPolicy in the Search field. Select AmazonSageMakerEdgeDeviceFleetPolicy.

    16. Choose Attach policy.

    17. Add the following policy statement to the trust relationship:

      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Principal": {"Service": "credentials.iot.amazonaws.com"},
            "Action": "sts:AssumeRole"
          },
          {
            "Effect": "Allow",
            "Principal": {"Service": "sagemaker.amazonaws.com"},
            "Action": "sts:AssumeRole"
          }
        ]
      }

      A trust policy is a JSON policy document in which you define the principals that you trust to assume the role. For more information about trust policies, see Roles terms and concepts.

    18. Note the Amazon IoT role ARN. You use the Amazon IoT Role ARN to create and register the device fleet. To find the IAM role ARN with the console:

      1. Go to the IAM console: https://console.amazonaws.cn/iam/

      2. Choose Roles.

      3. Search for the role you created by typing in the name of the role in the Search field.

      4. Select the role.

      5. The role ARN is on the Summary page.

  3. Create an Amazon S3 bucket.

    SageMaker Neo and Edge Manager access your pre-compiled model and compiled model from an Amazon S3 bucket. Edge Manager also stores sample data from your device fleet in Amazon S3.

    1. Open the Amazon S3 console at https://console.amazonaws.cn/s3/.

    2. Choose Create bucket.

    3. In Bucket name, enter a name for your bucket.

    4. In Region, choose the Amazon Region where you want the bucket to reside.

    5. In Bucket settings for Block Public Access, choose the settings that you want to apply to the bucket.

    6. Choose Create bucket.

    For more information about creating Amazon S3 buckets, see Getting started with Amazon S3.
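
The following check is an added example, not part of the original Amazon documentation. It audits the Amazon IoT role from step 2 against what this page specifies: a role name that starts with SageMaker and a trust policy that lets only credentials.iot.amazonaws.com and sagemaker.amazonaws.com call sts:AssumeRole. The function name audit_edge_role, the sample role names, and the drifted policy are constructed for illustration; the input is assumed to be the trust policy document as a parsed JSON object, such as the AssumeRolePolicyDocument returned by `aws iam get-role`.

```python
EXPECTED_SERVICES = {"credentials.iot.amazonaws.com", "sagemaker.amazonaws.com"}

def _allow(principal):
    # Build one Allow statement for sts:AssumeRole (helper for the samples below).
    return {"Effect": "Allow", "Principal": principal, "Action": "sts:AssumeRole"}

# Trust policy as given in step 2 of this page.
PAGE_POLICY = {"Version": "2012-10-17", "Statement": [
    _allow({"Service": "credentials.iot.amazonaws.com"}),
    _allow({"Service": "sagemaker.amazonaws.com"}),
]}
# Constructed sample of a drifted role: SageMaker trust lost, wildcard added.
DRIFTED_POLICY = {"Version": "2012-10-17", "Statement": [
    _allow({"Service": "credentials.iot.amazonaws.com"}),
    _allow({"AWS": "*"}),
]}

def _as_list(value):
    # IAM accepts a single value or a list for Statement, Action and principals.
    return value if isinstance(value, list) else [value]

def audit_edge_role(role_name, trust_policy):
    """Return findings; an empty list means the role matches the page."""
    findings, seen = [], set()
    if not role_name.startswith("SageMaker"):
        findings.append("role name does not start with 'SageMaker'")
    for i, stmt in enumerate(_as_list(trust_policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # a Deny statement cannot widen who may assume the role
        principal = stmt.get("Principal")
        if not isinstance(principal, dict):  # "*" or missing (NotPrincipal)
            findings.append(f"statement {i}: principal is {principal!r}")
            continue
        for kind, values in principal.items():
            for value in _as_list(values):
                if kind == "Service" and value in EXPECTED_SERVICES:
                    seen.add(value)
                else:
                    findings.append(f"statement {i}: unexpected principal {kind}={value}")
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if actions != {"sts:assumerole"}:  # IAM action names are case-insensitive
            findings.append(f"statement {i}: unexpected actions {sorted(actions)}")
    for service in sorted(EXPECTED_SERVICES - seen):
        findings.append(f"no trust statement for {service}")
    return findings

if __name__ == "__main__":
    print(audit_edge_role("SageMakerEdgeFleetRole", PAGE_POLICY) or "OK")
    print(audit_edge_role("edge-fleet-role", DRIFTED_POLICY))
```

Run it on each fleet role before registering a device fleet; any finding means the role has drifted from the trust relationship this page sets up.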