Share your feature group catalog - Amazon SageMaker

Share your feature group catalog

The feature group catalog, DefaultFeatureGroupCatalog, contains all feature group entities owned by the resource owner account. The resource owner account can share the catalog to grant discoverability to one or more resource consumer accounts. This is done by creating a resource share in Amazon Resource Access Manager (Amazon RAM). A feature group is the main resource in Amazon SageMaker Feature Store and is composed of feature definitions and records that are managed by Feature Store. For more information about feature groups, see Feature Store concepts.

Discoverability means that the resource consumer accounts can search for the discoverable resources. The discoverable resources are viewed as if they were in their own account (excluding tags). When allowing the feature group catalog to be discoverable, the resource consumer accounts by default are not granted access permissions (read-only, read-write, or admin). Access permissions are granted at a resource level and not at the account level. For information about granting access permissions, see Enabling cross account access.

To enable cross-account discoverability, specify the SageMaker Resource Catalog and the feature group catalog when you follow the Create a resource share instructions in the Amazon RAM developer guide. The following steps give the values to use with the Amazon RAM console instructions.

  1. Specify resource share details:

    • Resource type: Choose SageMaker Resource Catalogs.

    • ARN: Choose the feature group catalog ARN with the format: arn:aws:sagemaker:us-east-1:111122223333:sagemaker-catalog/DefaultFeatureGroupCatalog

      us-east-1 is the region of the resource and 111122223333 is the resource owner account ID.

    • Resource ID: Choose DefaultFeatureGroupCatalog.

  2. Associate managed permissions:

    • Managed permission: Choose AWSRAMPermissionSageMakerCatalogResourceSearch.

  3. Grant access to principals:

    • Choose the principal types (Amazon Web Services account, Organization, or Organizational unit) and enter the appropriate ID.

      If you are an organization, you may want to take advantage of Amazon Organizations. With Organizations you can share resources with individual Amazon Web Services accounts, all accounts in your organization, or with an organizational unit (OU). This simplifies permission management, because you do not have to apply permissions to each account individually. For more information about sharing your resources and granting permissions within Amazon, see Enable resource sharing within Amazon Organizations in the Amazon Resource Access Manager Developer Guide.

  4. Review and create:

    • Review then choose Create resource share.

It may take a few minutes for the resource share and principal, or resource consumer account, associations to complete. Once the resource share and principal associations are set, the specified resource consumer accounts receive an invitation to join the resource share. The resource consumer accounts can view and accept the invitations by opening the Shared with me: Resource shares page in the Amazon RAM console. For more information on accepting and viewing resources in Amazon RAM, see Access Amazon resources shared with you. Invitations are not sent in these cases:

  • If you are part of an organization in Amazon Organizations and sharing in your organization is enabled. In this case principals in the organization automatically get access to the shared resources without invitations.

  • If you share with the Amazon Web Services account that owns the resource, then the principals in that account automatically get access to the shared resources without invitations.

For more information about accepting and using a resource share, see Search discoverable resources.

Share the feature group catalog using the Amazon SDK for Python (Boto3)

You can create a resource share with the Amazon RAM APIs in the Amazon SDK for Python (Boto3). In the following example, the resource owner account ID is 111122223333 and the Region is us-east-1. The resource owner creates a resource share named test-cross-account-catalog and shares the feature group catalog with the resource consumer account ID 444455556666. To use the Python SDK for Amazon RAM APIs, attach the AWSRAMPermissionSageMakerCatalogResourceSearch policy to the execution role. See Amazon RAM APIs for more details.

    import boto3

    sagemaker_client = boto3.client("sagemaker")
    ram_client = boto3.client("ram")

    # Call list resource catalogs as a prerequisite for RAM share
    sagemaker_client.list_resource_catalogs()

    # Share DefaultFeatureGroupCatalog with other account
    response = ram_client.create_resource_share(
        name='test-cross-account-catalog',  # Change to your custom resource share name
        resourceArns=[
            # Change 111122223333 to the resource owner account ID
            'arn:aws:sagemaker:us-east-1:111122223333:sagemaker-catalog/' + 'DefaultFeatureGroupCatalog',
        ],
        principals=[
            '444455556666',  # Change 444455556666 to the resource consumer account ID
        ],
        # AWSRAMPermissionSageMakerCatalogResourceSearch is the only policy allowed for SageMaker Catalog
        permissionArns=["arn:aws:ram::aws:permission/AWSRAMPermissionSageMakerCatalogResourceSearch"],
    )

Principals are actors in a security system. In a resource-based policy, the allowed principals are IAM users, IAM roles, the root account, or another Amazon service.
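A pre-flight check for the share request described above, as an added example that is not part of the original page or the SDK: it inspects the keyword arguments intended for create_resource_share and reports anything that would expose a resource other than the owner's DefaultFeatureGroupCatalog, attach a permission other than the search permission, or name a principal outside an approved set. The function name check_share_request and the approved-principal set are assumptions for illustration.

```python
import re

# Names taken from the page; the approved-principal set is a hypothetical policy input.
SEARCH_PERMISSION = "AWSRAMPermissionSageMakerCatalogResourceSearch"
CATALOG_ARN = re.compile(
    r"^arn:aws[a-z-]*:sagemaker:[a-z0-9-]+:(\d{12}):"
    r"sagemaker-catalog/DefaultFeatureGroupCatalog$"
)
ACCOUNT_ID = re.compile(r"^\d{12}$")
# Organization or organizational unit ARN, the other principal types the page lists.
ORG_PRINCIPAL = re.compile(r"^arn:aws[a-z-]*:organizations::\d{12}:(organization|ou)/\S+$")


def check_share_request(request, owner_account, approved_principals):
    """Return findings for a dict of create_resource_share keyword arguments."""
    findings = []
    for arn in request.get("resourceArns", []):
        match = CATALOG_ARN.match(arn)
        if match is None:
            findings.append(f"not a feature group catalog ARN: {arn}")
        elif match.group(1) != owner_account:
            findings.append(f"catalog belongs to {match.group(1)}, not {owner_account}")
    for perm in request.get("permissionArns", []):
        if perm.rsplit("/", 1)[-1] != SEARCH_PERMISSION:
            findings.append(f"unexpected managed permission: {perm}")
    for principal in request.get("principals", []):
        if not (ACCOUNT_ID.match(principal) or ORG_PRINCIPAL.match(principal)):
            findings.append(f"unrecognised principal format: {principal}")
        elif principal not in approved_principals:
            findings.append(f"principal not approved for discovery: {principal}")
    return findings


# Constructed request mirroring the page's example values.
SAMPLE_REQUEST = {
    "name": "test-cross-account-catalog",
    "resourceArns": [
        "arn:aws:sagemaker:us-east-1:111122223333:sagemaker-catalog/DefaultFeatureGroupCatalog"
    ],
    "principals": ["444455556666"],
    "permissionArns": [
        "arn:aws:ram::aws:permission/AWSRAMPermissionSageMakerCatalogResourceSearch"
    ],
}

if __name__ == "__main__":
    for finding in check_share_request(SAMPLE_REQUEST, "111122223333", {"444455556666"}):
        print(finding)
```

An empty result means the request matches the page's specification; run the check in change review before the arguments are passed to create_resource_share.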