Create private model hubs in Amazon SageMaker JumpStart - Amazon SageMaker
PrerequisitesCreate a private model hubAdd models to a private hubDelete models from a private hubRemove access to the SageMaker Public models hubDelete a private hubTroubleshootingSupported Amazon Regions
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Create private model hubs in Amazon SageMaker JumpStart

Create one or more private curated model hubs that users within your organization can access.

The following steps walk you through how to create a private hub using the SageMaker Python SDK.

Prerequisites

To create a private hub in Studio, you must have the following prerequisites:

  • An Amazon account with administrator access

  • An Amazon Identity and Access Management (IAM) role with access to Amazon SageMaker Studio

  • An Amazon SageMaker domain with JumpStart enabled

For more information on getting started with Studio, see Amazon SageMaker Studio.

Create a private model hub

Use the following steps to create a private hub. You must intstall the SageMaker Python SDK and configure the necessary IAM permissions before creating a model hub.

Create a private hub

  1. Install the SageMaker Python SDK and import the necessary Python packages.

    # Install the SageMaker Python SDK
!pip3 install sagemaker --force-reinstall --quiet

# Import the necessary Python packages
import boto3
from sagemaker import Session
from sagemaker.jumpstart.hub.hub import Hub

  2. Initialize a SageMaker Session.

    sm_client = boto3.client('sagemaker')
session = Session(sagemaker_client=sm_client)
session.get_caller_identity_arn()

  3. Configure the details of your private hub such as the internal hub name, UI display name, and UI hub description.

    Note

    If you do not specify an Amazon S3 bucket name when creating your hub, the SageMaker hub service creates a new bucket on your behalf. The new bucket has the following naming structure: sagemaker-hubs-REGION-ACCOUNT_ID.

    HUB_NAME="Example-Hub"
HUB_DISPLAY_NAME="Example Hub UI Name"
HUB_DESCRIPTION="A description of the example private curated hub."
REGION="us-west-2"

  4. Check that your Admin IAM role has the necessary Amazon S3 permissions to create a private hub. If your role does not have the necessary permissions, navigate to the Roles page in the IAM console. Choose the Admin role and then choose Add permissions in the Permissions policies pane to create an inline policy with the following permissions using the JSON editor:

    {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "s3:ListBucket",
                "s3:GetObject",
                "s3:GetObjectTagging"
            ],
            "Resource": [
                "arn:aws:s3:::jumpstart-cache-prod-REGION",
                "arn:aws:s3:::jumpstart-cache-prod-REGION/*"
            ],
            "Effect": "Allow"
        }
    ]
}

  5. Create a private model hub using your configurations from Step 3 using hub.create(). 

    hub = Hub(hub_name=HUB_NAME, sagemaker_session=session)

try:
# Create the private hub
  hub.create(
      description=HUB_DESCRIPTION,
      display_name=HUB_DISPLAY_NAME
  )
  print(f"Successfully created Hub with name {HUB_NAME} in {REGION}")
# Check that no other hubs with this internal name exist
except Exception as e:
  if "ResourceInUse" in str(e):
    print(f"A hub with the name {HUB_NAME} already exists in your account.")
  else:
    raise e

  6. Verify the configuration of your new private hub with the following describe command:

    hub.describe()

Add models to a private hub

After creating a private hub, you can then add allow-listed models. For the full list of available JumpStart models, see the Built-in Algorithms with pre-trained Model Table in the SageMaker Python SDK reference.

  1. You can filter through the available models programmatically using the hub.list_sagemaker_public_hub_models() method. You can optionally filter by categories such as framework ("framework == pytorch"), tasks such as image classification ("task == ic"), and more. For more information about filters, see notebook_utils.py. The filter parameter in the hub.list_sagemaker_public_hub_models() method is optional. 

    filter_value = "framework == meta"
response = hub.list_sagemaker_public_hub_models(filter=filter_value)
models = response["hub_content_summaries"]
while response["next_token"]:
    response = hub.list_sagemaker_public_hub_models(filter=filter_value, next_token=response["next_token"])
    models.extend(response["hub_content_summaries"])

print(models)

  2. You can then add the filtered models by specifying the model ARN in the hub.create_model_reference() method.

    for model in models:
    print(f"Adding {model.get('hub_content_name')} to Hub")
    hub.create_model_reference(model_arn=model.get("hub_content_arn"), model_name=model.get("hub_content_name"))

Delete models from a private hub

You can delete models from a private hub by specifying the model ARN in the hub.delete_model_reference() method.

hub.delete_model_reference(model-name)

Remove access to the SageMaker Public models hub

In addition to adding a private curated hub to JumpStart in Studio, you can also remove access to the SageMaker Public models hub for your users. The SageMaker Public models hub has access to all available JumpStart foundation models.

If you remove access to the SageMaker Public models hub and a user has access to only one private hub, then the user is taken directly into that private hub when they choose JumpStart in the left navigation pane in Studio. If a user has access to multiple private hubs, then the user is taken to a Hubs menu page when they choose JumpStart in the left navigation pane in Studio.

Remove access to the SageMaker Public models hub for your users with the following inline policy: 

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "s3:*",
            "Effect": "Deny",
            "Resource": [
                "arn:aws:s3:::jumpstart-cache-prod-REGION",
                "arn:aws:s3:::jumpstart-cache-prod-REGION/*"
            ],
            "Condition": {
                "StringNotLike": {"s3:prefix": ["*.ipynb", "*/eula.txt"]}
            }
        },
        {
            "Action": "sagemaker:*",
            "Effect": "Deny",
            "Resource": [
                "arn:aws:sagemaker:REGION:aws:hub/SageMakerPublicHub",
                "arn:aws:sagemaker:REGION:aws:hub-content/SageMakerPublicHub/*/*"
            ]
        }
    ]
}

Delete a private hub

You can delete a private hub from your admin account. Before deleting a private hub, you must first remove any content in that hub. Delete hub contents and hubs with the following commands: 

# List the model references in the private hub
response = hub.list_models()
models = response["hub_content_summaries"]
while response["next_token"]:
    response = hub.list_models(next_token=response["next_token"])
    models.extend(response["hub_content_summaries"])

# Delete all model references in the hub
for model in models:
    hub.delete_model_reference(model_name=model.get('HubContentName'))

# Delete the private hub
hub.delete()

Troubleshooting

Troubleshoot IAM permissions issues that might arise when creating a private model hub.

ValidationException when calling the CreateModel operation: Could not access model data

This exception arises when you do not have the appropriate Amazon S3 permissions configured for your Admin role. For more information on the Amazon S3 permissions needed to create a private hub, see Step 3 in .

Access Denied or Forbidden when calling create()

You are denied access when creating a private hub if you do not have the appropriate permissions to access the Amazon S3 bucket associated with the SageMaker Public models hub. For more information on the Amazon S3 permissions needed to create a private hub, see Step 3 in .

Supported Amazon Regions

Curated private hubs are currently generally available in the following Amazon commercial Regions:

  • us-east-1

  • us-east-2

  • us-west-2

  • eu-west-1

  • eu-central-1

  • ap-northeast-1

  • ap-northeast-2

  • ap-south-1

  • ap-southeast-1

  • ap-southeast-2

  • il-central-1 (SDK only)

The default maximum number of hubs allowed in a single Region is 50.