Set up remote access
Before users can connect their local Visual Studio Code to Studio spaces, the administrator must configure permissions. This section provides instructions for administrators on how to set up their Amazon SageMaker AI domain with remote access.
Different connection methods require different IAM permissions. Configure the appropriate permissions based on how your users will connect, using the following workflow:

- Choose the connection method permissions that align with how your users connect.
- Create a custom IAM policy based on the permissions for that connection method.
Step 1: Configure security and permissions
Method 1: Deep link permissions
For users connecting via deep links from the SageMaker UI, use the following permission and attach it to your SageMaker AI space execution role or domain execution role. If the space execution role is not configured, the domain execution role is used by default.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "RestrictStartSessionOnSpacesToUserProfile",
            "Effect": "Allow",
            "Action": [
                "sagemaker:StartSession"
            ],
            "Resource": "arn:*:sagemaker:*:*:space/${sagemaker:DomainId}/*",
            "Condition": {
                "ArnLike": {
                    "sagemaker:ResourceTag/sagemaker:user-profile-arn": "arn:aws:sagemaker:*:*:user-profile/${sagemaker:DomainId}/${sagemaker:UserProfileName}"
                }
            }
        }
    ]
}
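The policy above is worth reading closely: the Resource pattern limits StartSession to spaces in the caller's own domain, and the ArnLike condition further limits it to spaces tagged with the caller's own user profile ARN, both resolved from the ${sagemaker:DomainId} and ${sagemaker:UserProfileName} policy variables. The following Python script is an added illustration, not part of this page or of SageMaker, that evaluates that policy against a few constructed requests the way IAM would for an Allow statement (component-wise ArnLike matching, variable substitution, and a condition that fails when the tag is absent). The region, account ID, domain ID, and user names are constructed sample values.

```python
import json
import re

# The Method 1 (deep link) policy exactly as it appears on this page.
DEEP_LINK_POLICY = json.loads('''
{ "Version": "2012-10-17", "Statement": [ { "Sid": "RestrictStartSessionOnSpacesToUserProfile",
  "Effect": "Allow", "Action": [ "sagemaker:StartSession" ],
  "Resource": "arn:*:sagemaker:*:*:space/${sagemaker:DomainId}/*",
  "Condition": { "ArnLike": { "sagemaker:ResourceTag/sagemaker:user-profile-arn":
    "arn:aws:sagemaker:*:*:user-profile/${sagemaker:DomainId}/${sagemaker:UserProfileName}" } } } ] }
''')

def _glob_to_regex(pattern):
    # IAM wildcards: '*' matches any run of characters, '?' matches exactly one.
    return "^" + "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern) + "$"

def arn_like(pattern, value):
    """ArnLike semantics: the six colon-delimited ARN components are compared one by one,
    case-sensitively, and a wildcard never spans a component boundary."""
    p_parts, v_parts = pattern.split(":", 5), value.split(":", 5)
    if len(p_parts) != 6 or len(v_parts) != 6:
        return False
    return all(re.match(_glob_to_regex(p), v) is not None for p, v in zip(p_parts, v_parts))

def substitute_variables(text, context):
    # Resolve ${key} policy variables from the request context. An unresolved variable
    # is left as literal text, which (as in IAM) simply fails to match any real ARN.
    return re.sub(r"\$\{([^}]+)\}", lambda m: context.get(m.group(1), m.group(0)), text)

def start_session_allowed(policy, action, resource_arn, resource_tags, context):
    """Allow-only evaluation of one request: the statement's Action, its (variable-expanded)
    Resource, and every ArnLike condition must all match. A condition key whose tag is absent
    from the resource evaluates to false, which is what keeps untagged spaces unreachable.
    Explicit Deny statements are out of scope for this illustration."""
    tag_prefix = "sagemaker:ResourceTag/"
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(re.match(_glob_to_regex(a), action) for a in actions):
            continue
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if not any(arn_like(substitute_variables(r, context), resource_arn) for r in resources):
            continue
        matched = True
        for key, pattern in stmt.get("Condition", {}).get("ArnLike", {}).items():
            actual = resource_tags.get(key[len(tag_prefix):]) if key.startswith(tag_prefix) else context.get(key)
            if actual is None or not arn_like(substitute_variables(pattern, context), actual):
                matched = False
                break
        if matched:
            return True
    return False

# Constructed sample identifiers (not a real account or domain).
REGION, ACCOUNT, DOMAIN = "us-east-1", "111122223333", "d-abc123xyz"

def user_profile_arn(name, domain=DOMAIN):
    return f"arn:aws:sagemaker:{REGION}:{ACCOUNT}:user-profile/{domain}/{name}"

def space_arn(name, domain=DOMAIN):
    return f"arn:aws:sagemaker:{REGION}:{ACCOUNT}:space/{domain}/{name}"

def scenarios():
    """User 'alice' calls StartSession on four spaces; only her own tagged space should pass."""
    alice = {"sagemaker:DomainId": DOMAIN, "sagemaker:UserProfileName": "alice"}
    tag = "sagemaker:user-profile-arn"
    cases = {
        "own_space": (space_arn("alice-space"), {tag: user_profile_arn("alice")}),
        "other_users_space": (space_arn("bob-space"), {tag: user_profile_arn("bob")}),
        "untagged_space": (space_arn("shared-space"), {}),
        "other_domain_space": (space_arn("alice-space", "d-other"), {tag: user_profile_arn("alice", "d-other")}),
    }
    return {name: start_session_allowed(DEEP_LINK_POLICY, "sagemaker:StartSession", arn, tags, alice)
            for name, (arn, tags) in cases.items()}

if __name__ == "__main__":
    for name, allowed in scenarios().items():
        print(f"{name}: {'allowed' if allowed else 'denied'}")
```

Running the script shows only own_space allowed; the other three cases are denied by the domain-scoped Resource pattern or by the missing or mismatched user-profile tag, which is why the tag on each space must be set correctly for this method to grant access at all.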
Method 2: Amazon Toolkit permissions
For users connecting through the Amazon Toolkit for Visual Studio Code extension, attach the following policy to one of the following:

- For IAM authentication, attach this policy to the IAM user or role.
- For IdC authentication, attach this policy to the permission sets managed by IdC.
Important
The following policy, which uses * as the resource constraint, is only recommended for quick testing purposes. For production environments, you should scope down these permissions to specific space ARNs to enforce the principle of least privilege. See Advanced access control for examples of more granular permission policies using resource ARNs, tags, and network-based constraints.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "sagemaker:ListSpaces",
                "sagemaker:DescribeSpace",
                "sagemaker:UpdateSpace",
                "sagemaker:ListApps",
                "sagemaker:CreateApp",
                "sagemaker:DeleteApp",
                "sagemaker:DescribeApp",
                "sagemaker:StartSession",
                "sagemaker:DescribeDomain",
                "sagemaker:AddTags"
            ],
            "Resource": "*"
        }
    ]
}
Method 3: SSH terminal permissions
For SSH terminal connections, the StartSession API is called by the SSH proxy command script below, using the local Amazon credentials. See Configure the Amazon CLI for information and instructions on setting up the users’ local Amazon credentials. To use these permissions:

- Attach this policy to the IAM user or role associated with the local Amazon credentials.
- If using a named credential profile, modify the proxy command in your SSH config:

ProxyCommand '/home/user/sagemaker_connect.sh' '%h' YOUR_CREDENTIAL_PROFILE_NAME
Note
The policy needs to be attached to the IAM identity (user/role) used in your local Amazon credentials configuration, not to the Amazon SageMaker AI domain execution role.
Important
The following policy, which uses * as the resource constraint, is only recommended for quick testing purposes. For production environments, you should scope down these permissions to specific space ARNs to enforce the principle of least privilege. See Advanced access control for examples of more granular permission policies using resource ARNs, tags, and network-based constraints.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "sagemaker:StartSession",
            "Resource": "*"
        }
    ]
}
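Both of the testing policies above (Method 2 and Method 3) grant their actions on Resource "*", which is what the Important notes ask you to narrow before production. The following Python script is an added example, not part of this page or of any SageMaker tooling, that does two things an administrator would want before attaching such a policy: it flags every Allow statement with a wildcard resource, and it rewrites a StartSession-only statement (the Method 3 policy) to an explicit list of space ARNs built in the shape the Method 1 policy uses. The partition, region, account ID, and domain ID are constructed sample values; the space name is the one this page uses in ssh my_studio_space_abc.

```python
import copy
import json

# Both "quick testing" policies exactly as shown on this page.
TOOLKIT_TEST_POLICY = json.loads('''{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow",
  "Action": [ "sagemaker:ListSpaces", "sagemaker:DescribeSpace", "sagemaker:UpdateSpace", "sagemaker:ListApps",
  "sagemaker:CreateApp", "sagemaker:DeleteApp", "sagemaker:DescribeApp", "sagemaker:StartSession",
  "sagemaker:DescribeDomain", "sagemaker:AddTags" ], "Resource": "*" } ] }''')
SSH_TEST_POLICY = json.loads('''{ "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0",
  "Effect": "Allow", "Action": "sagemaker:StartSession", "Resource": "*" } ] }''')

def _as_list(value):
    # IAM accepts a single string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]

def wildcard_resource_findings(policy):
    """One finding per Allow statement whose Resource is '*': the actions it grants
    on every resource in the account, which is what the Important notes warn about."""
    findings = []
    for index, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") == "Allow" and "*" in _as_list(stmt.get("Resource", [])):
            findings.append({"sid": stmt.get("Sid", f"statement[{index}]"),
                             "actions": _as_list(stmt["Action"])})
    return findings

def space_arn(partition, region, account, domain_id, space_name):
    # Same ARN shape as the Resource pattern in the Method 1 policy on this page.
    return f"arn:{partition}:sagemaker:{region}:{account}:space/{domain_id}/{space_name}"

def scope_start_session(policy, space_arns):
    """Copy of the policy in which every Allow of sagemaker:StartSession on '*' is
    limited to the given space ARNs. Meant for statements that grant only StartSession;
    a statement that also grants list/describe actions should be split first.
    The original policy object is not modified."""
    if not space_arns:
        raise ValueError("at least one space ARN is required to scope the policy")
    scoped = copy.deepcopy(policy)
    for stmt in scoped["Statement"]:
        if (stmt.get("Effect") == "Allow"
                and "*" in _as_list(stmt.get("Resource", []))
                and "sagemaker:StartSession" in _as_list(stmt["Action"])):
            stmt["Resource"] = list(space_arns)
    return scoped

def example():
    # Constructed identifiers (not a real account or domain).
    spaces = [space_arn("aws", "us-east-1", "111122223333", "d-abc123xyz", "my_studio_space_abc")]
    return {
        "toolkit_findings": wildcard_resource_findings(TOOLKIT_TEST_POLICY),
        "ssh_findings": wildcard_resource_findings(SSH_TEST_POLICY),
        "ssh_scoped": scope_start_session(SSH_TEST_POLICY, spaces),
    }

if __name__ == "__main__":
    result = example()
    for name in ("toolkit_findings", "ssh_findings"):
        for finding in result[name]:
            print(f"{name}: {finding['sid']} grants {len(finding['actions'])} action(s) on Resource '*'")
    print(json.dumps(result["ssh_scoped"], indent=2))
```

Running it reports one wildcard finding for each testing policy (ten actions for the Toolkit policy, one for the SSH policy) and prints the SSH policy with its Resource replaced by the single space ARN; re-running the lint on that scoped copy returns no findings. The scoped output still matches the user profile's space only when the domain ID and space name are exact, so generate those values from your own domain rather than copying the constructed ones.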
After setup, users can run ssh my_studio_space_abc to start up the space. For more information, see Method 3: Connect from the terminal via SSH CLI.
Step 2: Enable remote access for your space
After you set up the permissions, you must toggle on Remote Access and start your space in Studio before the user can connect using their local VS Code. This setup only needs to be done once.
Note
If your users are connecting using Method 2: Amazon Toolkit permissions, you do not necessarily need this step. Amazon Toolkit for Visual Studio Code users can enable remote access from the Toolkit.
Activate remote access for your Studio space

- Open the Studio UI.
- Navigate to your space.
- In the space details, toggle on Remote Access.
- Choose Run space.