Granting SageMaker Studio Permissions Required to Use Projects
The Amazon SageMaker Studio (or Studio Classic) administrator and Studio (or Studio Classic) users that you add to your domain can view project templates provided by SageMaker AI and create projects with those templates. By default, the administrator can view the SageMaker AI templates in the Service Catalog console. The administrator can see what another user creates if the user has permission to use SageMaker Projects. The administrator can also view the Amazon CloudFormation template that the SageMaker AI project templates define in the Service Catalog console. For information about using the Service Catalog console, see What Is Service Catalog in the Service Catalog User Guide.
Studio (and Studio Classic) users of the domain who are configured to use the same execution role as the domain by default have permission to create projects using SageMaker AI project templates.
Important
Do not manually create your roles. Always create roles through Studio Settings using the steps described in the following procedure.
For users who use any role other than the domain's execution role to view and use SageMaker AI-provided project templates, you need to grant Projects permissions to the individual user profiles by turning on Enable Amazon SageMaker AI project templates and Amazon SageMaker JumpStart for Studio users when you add them to your domain. For more information about this step, see Add user profiles.
Since SageMaker Projects is backed by Service Catalog, you must add each role that requires access to SageMaker Projects to the Amazon SageMaker AI Solutions and ML Ops products Portfolio in the service catalog. You can do this in the Groups, roles, and users tab, as shown in the following image. If each user profile in Studio Classic has a different role, you should add each of those roles to the service catalog. You can also do this while creating a user profile in Studio Classic.
The following procedures show how to grant Projects permissions after you onboard to Studio or Studio Classic. For more information about onboarding to Studio or Studio Classic, see Amazon SageMaker AI domain overview.
To confirm that your SageMaker AI Domain has active project template permissions:
Open the SageMaker AI console
. -
On the left navigation pane, choose Admin configurations.
-
Under Admin configurations, choose domains.
Select your domain.
Choose the Domain Settings tab.
-
Under SageMaker Projects and JumpStart, make sure the following options are turned on:
-
Enable Amazon SageMaker AI project templates and Amazon SageMaker JumpStart for this account
-
Enable Amazon SageMaker AI project templates and Amazon SageMaker JumpStart for Studio users
-
To view a list of your roles:
Open the SageMaker AI console
. -
On the left navigation pane, choose Admin configurations.
-
Under Admin configurations, choose domains.
Select your domain.
Choose the Domain Settings tab.
A list of your roles appears in the
Apps
card under the Studio tab.Important
As of July 25, we require additional roles to use project templates. Here is the complete list of roles you should see under
Projects
:AmazonSageMakerServiceCatalogProductsLaunchRole
AmazonSageMakerServiceCatalogProductsUseRole
AmazonSageMakerServiceCatalogProductsApiGatewayRole
AmazonSageMakerServiceCatalogProductsCloudformationRole
AmazonSageMakerServiceCatalogProductsCodeBuildRole
AmazonSageMakerServiceCatalogProductsCodePipelineRole
AmazonSageMakerServiceCatalogProductsEventsRole
AmazonSageMakerServiceCatalogProductsFirehoseRole
AmazonSageMakerServiceCatalogProductsGlueRole
AmazonSageMakerServiceCatalogProductsLambdaRole
AmazonSageMakerServiceCatalogProductsExecutionRole
For descriptions of these roles, see Amazon Managed Policies for SageMaker Projects and JumpStart.