Cross-account sharing for private model hubs with Amazon Resource Access Manager - Amazon SageMaker
Managed permissions for curated private hubsSet up cross-account hub sharingGet responses to your resource share invitation
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Cross-account sharing for private model hubs with Amazon Resource Access Manager

After creating a private model hub, you can share the hub to the necessary accounts using Amazon Resource Access Manager (Amazon RAM). For more information on creating a private hub, see .

For in-depth information on managed permissions related to private hubs within Amazon RAM, see Managed permissions for curated private hubs.

For steps on how to create a resource share within Amazon RAM, see Set up cross-account hub sharing.

Managed permissions for curated private hubs

The available access permissions are read, read and use, and full access permissions. The permission name, description, and list of specific APIs available for each permission are listed in the following:

  • Read permission (AmazonRAMPermissionSageMakerHubRead): The read privilege allows resource consumer accounts to read contents in the shared hubs and view details and metadata.

    • DescribeHub: Retrieves details about a hub and its configuration

    • DescribeHubContent: Retrieves details about a model available in a specific hub

    • ListHubContent: Lists all models available in a hub

    • ListHubContentVersions: Lists the version of all models available in a hub

  • Read and use permission (AmazonRAMPermissionSageMakerHubReadAndUse): The read and use privilege allows resource consumer accounts to read contents in the shared hubs and deploy available models for inference.

    • DescribeHub: Retrieves details about a hub and its configuration

    • DescribeHubContent: Retrieves details about a model available in a specific hub

    • ListHubContent: Lists all models available in a hub

    • ListHubContentVersions: Lists the version of all models available in a hub

    • DeployHubModel: Allows access to deploy available hub models for inference

  • Full access permission (AmazonRAMPermissionSageMakerHubFullAccessPolicy): The full access privilege allows resource consumer accounts to read contents in the shared hubs, add and remove hub content, and deploy available models for inference.

    • DescribeHub: Retrieves details about a hub and its configuration

    • DescribeHubContent: Retrieves details about a model available in a specific hub

    • ListHubContent: Lists all models available in a hub

    • ListHubContentVersions: Lists the version of all models available in a hub

    • ImportHubContent: Imports hub content

    • DeleteHubContent: Deletes hub content

    • CreateHubContentReference: Creates a hub content reference that shares a model from the SageMaker Public models hub to a private hub

    • DeleteHubContentReference: Delete a hub content reference that shares a model from the SageMaker Public models hub to a private hub

    • DeployHubModel: Allows access to deploy available hub models for inference

Set up cross-account hub sharing

SageMaker uses Amazon Resource Access Manager (Amazon RAM) to help you securely share your private hubs across accounts. Use the following instructions along with the Sharing your Amazon resources instructions in the Amazon RAM User Guide.

Create a resource share

  1. Select Create resource share through the Amazon RAM console.

  2. When specifying resource share details, choose the SageMaker Hubs resource type and select one more more private hubs that you want to share. When you share a hub with any other account, all of its contents are also shared implicitly.

  3. Associate permissions with your resources share. For more information about managed permissions, see Managed permissions for curated private hubs

  4. Use Amazon account IDs to specify the accounts to which you want to grant access to your shared resources.

  5. Review your resource share configuration and select Create resource share. It may take a few minutes for the resource share and principal associations to complete.

For more information, see Sharing your Amazon resources in the Amazon Resource Access Manager User Guide.

Get responses to your resource share invitation

Once the resource share and principal associations are set, the specified Amazon accounts receive an invitation to join the resource share. The Amazon accounts must accept the invite to gain access to any shared resources.

For more information on accepting a resource share invite through Amazon RAM, see Using shared Amazon resources in the Amazon Resource Access Manager User Guide.