Share your feature group catalog
The feature group catalog, DefaultFeatureGroupCatalog, contains all feature group entities owned by the resource owner account. The catalog can be shared by the resource owner account to grant discoverability to a single or multiple resource consumer accounts. This is done by creating a resource share in Amazon Resource Access Manager (Amazon RAM). A feature group is the main resource in Amazon SageMaker Feature Store and is composed of feature definitions and records that are managed by Feature Store. For more information about feature groups, see Feature Store concepts.
Discoverability means that the resource consumer accounts can search for the discoverable resources. The discoverable resources are viewed as if they were in their own account (excluding tags). When allowing the feature group catalog to be discoverable, the resource consumer accounts by default are not granted access permissions (read-only, read-write, or admin). Access permissions are granted at a resource level and not at the account level. For information about granting access permissions, see Enabling cross account access.
To enable cross-account discoverability, you need to specify the SageMaker Resource Catalog and the feature group catalog while following the Create a resource share instructions in the Amazon RAM developer guide. The following gives the specifications for using the Amazon RAM console instructions.
- Specify resource share details:
  - Resource type: Choose SageMaker Resource Catalogs.
  - ARN: Choose the feature group catalog ARN with the format arn:aws:sagemaker:us-east-1:111122223333:sagemaker-catalog/DefaultFeatureGroupCatalog, where us-east-1 is the region of the resource and 111122223333 is the resource owner account ID.
  - Resource ID: Choose DefaultFeatureGroupCatalog.
- Associate managed permissions:
  - Managed permission: Choose AWSRAMPermissionSageMakerCatalogResourceSearch.
- Grant access to principals:
  - Choose the principal types (Amazon Web Services account, Organization, or Organizational unit) and enter the appropriate ID.
    If you are an organization, you may want to take advantage of Amazon Organizations. With Organizations you can share resources with individual Amazon Web Services accounts, all accounts in your organization, or with an Organizational Unit (OU). This simplifies applying permissions, without having to apply permissions to each account. For more information about sharing your resources and granting permissions within Amazon, see Enable resource sharing within Amazon Organizations in the Amazon Resource Access Manager Developer Guide.
- Review and create:
  - Review, then choose Create resource share.
It may take a few minutes for the resource share and principal (resource consumer account) associations to complete. Once the resource share and principal associations are set, the specified resource consumer accounts receive an invitation to join the resource share. The resource consumer accounts can view and accept the invitations by opening the Shared with me: Resource shares
- If you are part of an organization in Amazon Organizations and sharing within your organization is enabled, principals in the organization automatically get access to the shared resources without invitations.
- If you share with the Amazon Web Services account that owns the resource, the principals in that account automatically get access to the shared resources without invitations.
For more information about accepting and using a resource share, see Search discoverable resources.
Share the feature group catalog using the Amazon SDK for Python (Boto3)
You can use the Amazon SDK for Python (Boto3) for Amazon RAM APIs to create a resource share. The following code is an example for a resource owner account ID 111122223333 within the region us-east-1. The resource owner is creating a resource share named test-cross-account-catalog. They are sharing the feature group catalog with the resource consumer account ID 444455556666. To use the Python SDK for Amazon RAM APIs, attach the AWSRAMPermissionSageMakerCatalogResourceSearch policy with the execution role. See Amazon RAM APIs.
import boto3

sagemaker_client = boto3.client("sagemaker")

# Call list resource catalogs as a prerequisite for RAM share
sagemaker_client.list_resource_catalogs()

# Share DefaultFeatureGroupCatalog with other account
ram_client = boto3.client("ram")
response = ram_client.create_resource_share(
    name='test-cross-account-catalog',  # Change to your custom resource share name
    resourceArns=[
        # Change 111122223333 to the resource owner account ID
        'arn:aws:sagemaker:us-east-1:111122223333:sagemaker-catalog/' + 'DefaultFeatureGroupCatalog',
    ],
    principals=[
        '444455556666',  # Change 444455556666 to the resource consumer account ID
    ],
    # AWSRAMPermissionSageMakerCatalogResourceSearch is the only policy allowed for SageMaker Catalog
    permissionArns=["arn:aws:ram::aws:permission/AWSRAMPermissionSageMakerCatalogResourceSearch"],
)
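As an added example, not code from this page or from AWS, the following pure-Python helper covers both the console ARN step above and the Boto3 section: it builds the catalog ARN from a region and owner account ID, checks every principal against an allowlist before a share is created (so a mistyped account ID cannot grant discoverability to an unknown account), and pins the managed permission to AWSRAMPermissionSageMakerCatalogResourceSearch. The function names, the allowlist, and the regular expression for Organizations org/OU ARNs are assumptions; the catalog name, account IDs and share name are the page's own sample values, and allowExternalPrincipals is a real create_resource_share parameter. The script makes no AWS calls and runs offline.

```python
import re

# Values the page gives: the catalog name and the only managed permission RAM accepts for it.
CATALOG_NAME = "DefaultFeatureGroupCatalog"
SEARCH_PERMISSION_ARN = (
    "arn:aws:ram::aws:permission/AWSRAMPermissionSageMakerCatalogResourceSearch"
)

_ACCOUNT_RE = re.compile(r"^\d{12}$")
_REGION_RE = re.compile(r"^[a-z]{2}(-[a-z]+)+-\d$")
# Organizations org / OU ARNs, the other principal types the console step accepts
# (pattern assumed from the usual Organizations ARN layout).
_ORG_PRINCIPAL_RE = re.compile(
    r"^arn:aws:organizations::\d{12}:"
    r"(organization/o-[a-z0-9]+|ou/o-[a-z0-9]+/ou-[a-z0-9]+-[a-z0-9]+)$"
)
_CATALOG_ARN_RE = re.compile(
    r"^arn:aws:sagemaker:(?P<region>[a-z0-9-]+):(?P<account>\d{12}):"
    r"sagemaker-catalog/(?P<name>[A-Za-z0-9_-]+)$"
)


def catalog_arn(region: str, owner_account_id: str) -> str:
    """Build the feature group catalog ARN in the layout the page shows."""
    if not _ACCOUNT_RE.match(owner_account_id):
        raise ValueError(f"owner account ID must be 12 digits: {owner_account_id!r}")
    if not _REGION_RE.match(region):
        raise ValueError(f"unrecognised region name: {region!r}")
    return f"arn:aws:sagemaker:{region}:{owner_account_id}:sagemaker-catalog/{CATALOG_NAME}"


def parse_catalog_arn(arn: str) -> dict:
    """Split a catalog ARN into region, owner account and catalog name; raise if malformed."""
    match = _CATALOG_ARN_RE.match(arn)
    if match is None:
        raise ValueError(f"not a SageMaker catalog ARN: {arn!r}")
    return match.groupdict()


def build_share_request(name, region, owner_account_id, principals, approved_principals,
                        allow_external_principals=None):
    """Return the keyword arguments for ram_client.create_resource_share(**request).

    Every principal must be a 12-digit account ID or an Organizations org/OU ARN and
    must appear in approved_principals, an allowlist maintained outside the script
    (for example a reviewed config file). Principals are de-duplicated, order kept.
    """
    approved = set(approved_principals)
    checked = []
    for principal in principals:
        if not (_ACCOUNT_RE.match(principal) or _ORG_PRINCIPAL_RE.match(principal)):
            raise ValueError(f"principal is neither an account ID nor an org/OU ARN: {principal!r}")
        if principal not in approved:
            raise ValueError(f"principal is not on the approved list: {principal!r}")
        if principal not in checked:
            checked.append(principal)
    if not checked:
        raise ValueError("at least one principal is required")

    request = {
        "name": name,
        "resourceArns": [catalog_arn(region, owner_account_id)],
        "principals": checked,
        # Only the search (discoverability) permission is allowed on the catalog;
        # read/write access to individual feature groups is granted separately.
        "permissionArns": [SEARCH_PERMISSION_ARN],
    }
    if allow_external_principals is not None:
        # Real RAM parameter: False makes RAM reject principals outside your organization.
        request["allowExternalPrincipals"] = allow_external_principals
    return request


if __name__ == "__main__":
    # Constructed values from the page's example; APPROVED would normally come from config.
    APPROVED = ["444455556666"]
    request = build_share_request(
        name="test-cross-account-catalog",
        region="us-east-1",
        owner_account_id="111122223333",
        principals=["444455556666"],
        approved_principals=APPROVED,
    )
    print(request)
    # With boto3 installed and credentials for the owner account:
    #   import boto3
    #   boto3.client("ram").create_resource_share(**request)
```

The allowlist check is the part worth keeping in a real pipeline: RAM will happily create a share for any syntactically valid account ID, so the only thing standing between a typo and an unintended consumer is a review step before the API call.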
Principals are actors in a security system. In a resource-based policy, the allowed principals are IAM users, IAM roles, the root account, or another Amazon service.