Share your feature group entities - Amazon SageMaker
Share online store feature groups using the Amazon SDK for Python (Boto3)
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Share your feature group entities

As the resource owner account you can use the feature group resource type for Amazon SageMaker Feature Store to share feature group entities, by creating a resource share in Amazon Resource Access Manager (Amazon RAM).

Use the following instructions along with the Sharing your Amazon resources instructions in the Amazon RAM User Guide.

When sharing the feature group resource type using the Amazon RAM console, you need to make the following choices.

  1. Specify resource share details:

    • Resource type: Choose SageMaker Feature Groups.

    • ARN: Choose your feature group ARN with the format: arn:aws:sagemaker:us-east-1:111122223333:feature-group/your-feature-group-name.

      us-east-1 is the region of the resource, 111122223333 is the resource owner account ID, and your-feature-group-name is the feature group you are sharing.

    • Resource ID: Choose the feature group, your-feature-group-name, to which you want to grant access permissions.

  2. Associate managed permissions:

  3. Grant access to principals:

    • Choose the principal type (Amazon Web Services account, Organization, Organizational unit, IAM role, or IAM user) and enter the appropriate ID or ARN.

  4. Review and create:

    • Review then choose Create resource share.

Granting any access permission does not grant resource consumer accounts the discoverability permission, so the resource consumer accounts with access permissions cannot search and discover those feature groups. To allow for resource consumer accounts to search and discover feature groups from the resource owner account, the resource owner account must grant the discoverability permission to the resource consumer accounts, where all of the feature groups within the resource owner account are discoverable by the resource consumer accounts. For more information about granting the discoverability permission, see Enabling cross account discoverability.

If the resource consumer accounts are only granted access permissions, the feature group entities can still be viewed on Amazon RAM. To view resources on Amazon RAM, see Access Amazon resources shared with you in the Amazon RAM User Guide.

It may take a few minutes for the resource share and principal, or resource consumer account, associations to complete. Once the resource share and principal associations are set, the specified resource consumer accounts receive an invitation to join the resource share. The resource consumer accounts can view and accept the invitations by opening the Shared with me: Resource shares page in the Amazon RAM console. Invitations are not sent in these cases:

  • If you are part of an organization in Amazon Organizations and sharing in your organization is enabled, then principals in the organization automatically get access to the shared resources without invitations.

  • If you share with the Amazon Web Services account that owns the resource, then the principals in that account automatically get access to the shared resources without invitations.

For more information about accepting and using a resource share in Amazon RAM, see Using shared Amazon resources in the Amazon RAM User Guide.

Share online store feature groups using the Amazon SDK for Python (Boto3)

You can use the Amazon SDK for Python (Boto3) for Amazon RAM APIs to create a resource share. The following code is an example of a resource owner account ID 111122223333 creating a resource share named 'test-cross-account-fg', sharing the feature group named 'my-feature-group' with the resource consumer account ID 444455556666 while granting the AWSRAMPermissionSageMakerFeatureGroupReadOnly permission. For more information about access permissions, see Enabling cross account access. To use the Python SDK for Amazon RAM APIs, you need to attach Amazon RAM full access managed policy with execution role. See create_resource_share Amazon RAM API for more details.

import boto3

# Choose feature group name
feature_group_name = 'my-feature-group' # Change to your feature group name 

# Share 'my-feature-group' with other account
ram_client = boto3.client("ram")
response = ram_client.create_resource_share(
    name='test-cross-account-fg', # Change to your custom resource share name
    resourceArns=[
        'arn:aws:sagemaker:us-east-1:111122223333:feature-group/' + feature_group_name, # Change 111122223333 to the resource owner account ID
    ],
    principals=[
        '444455556666', # Change 444455556666 to the resource consumer account ID
    ],
    permissionArns = ["arn:aws:ram::aws:permission/AWSRAMPermissionSageMakerFeatureGroupReadOnly"]
)

Principals are actors in a security system. In a resource-based policy, the allowed principals are IAM users, IAM roles, the root account, or another Amazon Web Service.