Prerequisites Administrative permissions User permissions

Set up Partner AI Apps

The following topics describe the permissions needed to start using Amazon SageMaker Partner AI Apps. The permissions required are split into two parts, depending on the user permissions level:

Administrative permissions – Permissions for administrators setting up data scientist and machine learning (ML) developer environments.
- Amazon Web Services Marketplace
- Partner AI Apps management
- Amazon License Manager
User permissions – Permissions for data scientists and machine learning developers.
- User authorization
- Identity propagation
- SDK access

Prerequisites

Admins can complete the following prerequisites to set up Partner AI Apps.

(Optional) Onboard to a SageMaker AI domain. Partner AI Apps can be accessed directly from a SageMaker AI domain. For more information, see Amazon SageMaker AI domain overview.
- If using Partner AI Apps in a SageMaker AI domain in VPC-only mode, admins must create an endpoint with the following format to connect to the Partner AI Apps. For more information about using Studio in VPC-only mode, see Connect Amazon SageMaker Studio in a VPC to External Resources.
```
aws.sagemaker.region.partner-app
```
(Optional) If admins are interacting with the domain using the Amazon CLI, they must also complete the following prerequisites.
1. Update the Amazon CLI by following the steps in Installing the current Amazon CLI Version.
2. From the local machine, run aws configure and provide Amazon credentials. For information about Amazon credentials, see Understanding and getting your Amazon credentials.

Administrative permissions

The administrator must add the following permissions to enable Partner AI Apps in SageMaker AI.

Permission to complete Amazon Web Services Marketplace subscription for Partner AI Apps
Set up Partner AI App execution role

Amazon Web Services Marketplace subscription for Partner AI Apps

Admins must complete the following steps to add permissions for Amazon Web Services Marketplace. For information about using Amazon Web Services Marketplace, see Getting started as a buyer using Amazon Web Services Marketplace.

Grant permissions for Amazon Web Services Marketplace. Partner AI Apps administrators require these permissions to purchase subscriptions to Partner AI Apps from Amazon Web Services Marketplace. To get access to Amazon Web Services Marketplace, admins must attach the AWSMarketplaceManageSubscriptions managed policy to the IAM role that they're using to access the SageMaker AI console and purchase the app. For details about the AWSMarketplaceManageSubscriptions managed policy, see Amazon managed policies for Amazon Web Services Marketplace buyers. For information about attaching managed policies, see Adding and removing IAM identity permissions.

Grant permissions for SageMaker AI to run operations on the admins behalf using other Amazon Web Services services. Admins must grant SageMaker AI permissions to use these services and the resources that they act upon. The following policy definition demonstrates how to grant the required Partner AI Apps permissions. These permissions are needed in addition to the existing permissions for the admin role. For more information, see How to use SageMaker AI execution roles.

Set up Partner AI App execution role

Partner AI Apps require an execution role to interact with resources in the Amazon Web Services account. Admins can create this execution role using the Amazon CLI. The Partner AI App uses this role to complete actions related to Partner AI App functionality.


aws iam create-role --role-name PartnerAiAppExecutionRole --assume-role-policy-document '{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "sagemaker.amazonaws.com"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}'

Create the Amazon License Manager service-linked role by following the steps in Create a service-linked role for License Manager.

Grant permissions for the Partner AI App to access License Manager using the Amazon CLI. These permissions are required to access the licenses for Partner AI App. This allows the Partner AI App to verify access to the Partner AI App license.


aws iam put-role-policy --role-name PartnerAiAppExecutionRole --policy-name LicenseManagerPolicy --policy-document '{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": [
      "license-manager:CheckoutLicense",
      "license-manager:CheckInLicense",
      "license-manager:ExtendLicenseConsumption",
      "license-manager:GetLicense",
      "license-manager:GetLicenseUsage"
    ],
    "Resource": "*"
  }
}'

If the Partner AI App requires access to an Amazon S3 bucket, then add Amazon S3 permissions to the execution role. For more information, see Required permissions for Amazon S3 API operations.

User permissions

After admins have completed the administrative permissions settings, they must make sure that users have the permissions needed to access the Partner AI Apps.

Grant permissions for SageMaker AI to run operations on your behalf using other Amazon Web Services services. Admins must grant SageMaker AI permissions to use these services and the resources that they act upon. Admins grant SageMaker AI these permissions using an IAM execution role. For more information about IAM roles, see IAM roles. The following policy definition demonstrates how to grant the required Partner AI Apps permissions. This policy can be added to the execution role of the user profile. For more information, see How to use SageMaker AI execution roles.
JSON
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "sagemaker:DescribePartnerApp", "sagemaker:ListPartnerApps", "sagemaker:CreatePartnerAppPresignedUrl" ], "Resource": "arn:aws:sagemaker:*:*:partner-app/app-*" } ] }
(Optional) If launching Partner AI Apps from Studio, add the sts:TagSession trust policy to the role used to launch Studio or the Partner AI Apps directly as follows. This makes sure that the identity can be propagated properly.
```
{
    "Effect": "Allow",
    "Principal": {
        "Service": "sagemaker.amazonaws.com"
    },
    "Action": [
                "sts:AssumeRole",
                "sts:TagSession"
             ]
}
```
(Optional) If using the SDK of a Partner AI App to access functionality in SageMaker AI, add the following CallPartnerAppApi permission to the role used to run the SDK code. If running the SDK code from Studio, add the permission to the Studio execution role. If running the code from anywhere other than Studio, add the permission to the IAM role used with the notebook. This gives the user access the Partner AI App functionality from the Partner AI App’s SDK.
JSON
{ "Version": "2012-10-17", "Statement": [ { "Sid": "Statement1", "Effect": "Allow", "Action": [ "sagemaker:CallPartnerAppApi" ], "Resource": [ "arn:aws:sagemaker:region:account:partner-app/app" ] } ] }

Manage user authorization and authentication

To provide access to Partner AI Apps to members of their team, admins must make sure that the identity of their users is propagated to the Partner AI Apps. This propagation makes sure users can properly access the Partner AI Apps' UI and perform authorized Partner AI App actions.

Partner AI Apps support the following identity sources:

Amazon IAM Identity Center
External identity providers (IdPs)
IAM Session-based identity

The following sections gives information about the identity sources that Partner AI Apps support, as well as important details related to that identity source.

If a user is authenticated into Studio using IAM Identity Center and launches an application from Studio, the IAM Identity Center UserName is automatically propagated as the user identity for a Partner AI App. This is not the case if the user launches the Partner AI App directly using the CreatePartnerAppPresignedUrl API.

If using SAML for Amazon Web Services account federation, admins have two options to carry over the IdP identity as the user identity for a Partner AI App. For information about setting up Amazon Web Services account federation, see How to Configure SAML 2.0 for Amazon Web Services account Federation.

Principal Tag – Admins can configure the IdP-specific IAM Identity Center application to pass identity information from the landing session using the Amazon session PrincipalTag with the following Name attribute. When using SAML, the landing role session uses an IAM role. To use the PrincipalTag, admins must add the sts:TagSession permission to this landing role, as well as the Studio execution role. For more information about PrincipalTag, see Configure SAML assertions for the authentication response.
```
https://aws.amazon.com/SAML/Attributes/PrincipalTag:SageMakerPartnerAppUser
```
Landing session name – Admins can propagate the landing session name as the identity for the Partner AI App. To do this, they must set the EnableIamSessionBasedIdentity opt-in flag for each Partner AI App. For more information, see EnableIamSessionBasedIdentity.

Important

We do not recommend using this method for production accounts. For production accounts, use an identity provider for increased security.

SageMaker AI supports the following options for identity propagation when using an IAM session-based identity. All of the options, except using a session tag with Amazon STS, require setting the EnableIamSessionBasedIdentity opt-in flag for each application. For more information, see EnableIamSessionBasedIdentity.

When propagating identities, SageMaker AI verifies whether an Amazon STS Session tag is being used. If one is not used, then SageMaker AI propagates the IAM username or Amazon STS session name.

Amazon STS Session tag – Admins can set a SageMakerPartnerAppUser session tag for the launcher IAM session. When admins launch a Partner AI App using the SageMaker AI console or the Amazon CLI, the SageMakerPartnerAppUser session tag is automatically passed as the user identity for the Partner AI App. The following example shows how to set the SageMakerPartnerAppUser session tag using the Amazon CLI. The value of the key is added as a principal tag.
```
aws sts assume-role \
    --role-arn arn:aws:iam::account:role/iam-role-used-to-launch-partner-ai-app \
    --role-session-name session_name \
    --tags Key=SageMakerPartnerAppUser,Value=user-name
```
When giving users access to a Partner AI App using CreatePartnerAppPresignedUrl, we recommend verifying the value for the SageMakerPartnerAppUser key. This helps to prevent unintended access to Partner AI App resources. The following trust policy verifies that the session tag exactly matches the associated IAM user. Admins can use any principal tag for this purpose. It should be configured on the role that is launching Studio or the Partner AI App.
JSON
{ "Version": "2012-10-17", "Statement": [ { "Sid": "RoleTrustPolicyRequireUsernameForSessionName", "Effect": "Allow", "Action": [ "sts:AssumeRole", "sts:TagSession" ], "Principal": { "AWS": "arn:aws:iam::account:root" }, "Condition": { "StringLike": { "aws:RequestTag/SageMakerPartnerAppUser": "${aws:username}" } } } ] }
Authenticated IAM user – The username of the user is automatically propagated as the Partner AI App user.
Amazon STS session name – If no SageMakerPartnerAppUser session tag is configured when using Amazon STS, SageMaker AI returns an error when users launch a Partner AI App. To avoid this error, admins must set the EnableIamSessionBasedIdentity opt-in flag for each Partner AI App. For more information, see EnableIamSessionBasedIdentity.

When the EnableIamSessionBasedIdentity opt-in flag is enabled, use the IAM role trust policy to make sure that the IAM session name is or contains the IAM username. This makes sure that users don't gain access by impersonating other users. The following trust policy verifies that the session name exactly matches the associated IAM user. Admins can use any principal tag for this purpose. It should be configured on the role that is launching Studio or the Partner AI App.
JSON
{ "Version": "2012-10-17", "Statement": [ { "Sid": "RoleTrustPolicyRequireUsernameForSessionName", "Effect": "Allow", "Action": "sts:AssumeRole", "Principal": { "AWS": "arn:aws:iam::account:root" }, "Condition": { "StringEquals": { "sts:RoleSessionName": "${aws:username}" } } } ] }
Admins must also add the sts:TagSession trust policy to the role that is launching Studio or the Partner AI App. This makes sure that the identity can be propagated properly.
```
{
    "Effect": "Allow",
    "Principal": {
        "Service": "sagemaker.amazonaws.com"
    },
    "Action": [
                "sts:AssumeRole",
                "sts:TagSession"
             ]
}
```

After setting the credentials, admins can give their users access to Studio or the Partner AI App from the Amazon CLI using either the CreatePresignedDomainUrl or CreatePartnerAppPresignedUrl API calls, respectively.

Users can also then launch Studio from the SageMaker AI console, and launch Partner AI Apps from Studio.

`EnableIamSessionBasedIdentity`

EnableIamSessionBasedIdentity is an opt-in flag. When the EnableIamSessionBasedIdentity flag is set, SageMaker AI passes IAM session information as the Partner AI App user identity. For more information about Amazon STS sessions, see Use temporary credentials with Amazon resources.

Access control

To control access to Partner AI Apps, use an IAM policy attached to the user profile’s execution role. To launch a Partner AI App directly from Studio or using the Amazon CLI, the user profile’s execution role must have a policy that gives permissions for the CreatePartnerAppPresignedUrl API. Remove this permission from the user profile’s execution role to make sure they can't launch Partner AI Apps.

Root admin users

The Comet and Fiddler Partner AI Apps require at least one root admin user. Root admin users have permissions to add both normal and admin users and manage resources. The usernames provided as root admin users must be consistent with the usernames from the identity source.

While root admin users are persisted in SageMaker AI, normal admin users are not and exist only within the Partner AI App until the Partner AI App is terminated.

Admins can update root admin users using the UpdatePartnerApp API call. When root admin users are updated, the updated list of root admin users is passed to the Partner AI App. The Partner AI App makes sure that all usernames in the list are granted root admin privileges. If a root admin user is removed from the list, the user still retains normal admin permissions until either:

The user is removed from the application.
Another admin user revokes admin permissions for the user.

Note

Fiddler doesn't support updating admin users. Only Comet supports updates to root admin users.

To delete a root admin user, you must first update the list of root admin users using the UpdatePartnerApp API. Then, remove or revoke the admin permissions through the Partner AI App's UI.

If you remove a root admin user from the Partner AI App's UI without updating the list of root admin users with the UpdatePartnerApp API, the change is temporary. When SageMaker AI sends the next Partner AI App update request, SageMaker AI sends the root admin list that still includes the user to the Partner AI App. This overrides the deletion completed from the Partner AI App UI.

Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Partner AI Apps

Partner AI App provisioning