Set Up SageMaker Canvas for Your Users - Amazon SageMaker
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Set Up SageMaker Canvas for Your Users

To set up Amazon SageMaker Canvas, do the following:

  • Create an Amazon SageMaker domain.

  • Create user profiles for the domain.

  • Set up Okta Single Sign On (Okta SSO) for your users.

  • Activate link sharing for models.

Use Okta Single-Sign On (Okta SSO) to grant your users access to Amazon SageMaker Canvas. SageMaker Canvas supports SAML 2.0 SSO methods. The following sections guide you through procedures to set up Okta SSO.

To set up a domain, see Custom setup to Amazon SageMaker and follow the instructions for setting up your domain using IAM authentication. You can use the following information to help you complete the procedure in the section:

  • You can ignore the step about creating projects.

  • You don't need to provide access to additional Amazon S3 buckets. Your users can use the default bucket that we provide when we create a role.

  • To grant your users access to share their notebooks with data scientists, turn on Notebook Sharing Configuration.

  • Use Amazon SageMaker Studio Classic version 3.19.0 or later. For information about updating Amazon SageMaker Studio Classic, see Shut down and Update SageMaker Studio Classic.

Use the following procedure to set up Okta. In all of the following procedures, specify the same IAM role wherever IAM-role appears.

Add the SageMaker Canvas application to Okta

Set up the sign-on method for Okta.

  1. Sign in to the Okta Admin dashboard.

  2. Choose Add application. Search for Amazon Account Federation.

  3. Choose Add.

  4. Optional: Change the name to Amazon SageMaker Canvas.

  5. Choose Next.

  6. Choose SAML 2.0 as the Sign-On method.

  7. Choose Identity Provider Metadata to open the metadata XML file. Save the file locally.

  8. Choose Done.

Set up ID federation in IAM

Amazon Identity and Access Management (IAM) is the Amazon service that you use to gain access to your Amazon account. You gain access to Amazon through an IAM account.

  1. Sign in to the Amazon console.

  2. Choose Amazon Identity and Access Management (IAM).

  3. Choose Identity Providers.

  4. Choose Create Provider.

  5. For Configure Provider, specify the following:

    • Provider Type – From the dropdown list, choose SAML.

    • Provider Name – Specify Okta.

    • Metadata Document – Upload the XML document that you've saved locally from step 7 of Add the SageMaker Canvas application to Okta.

  6. Find your identity provider under Identity Providers. Copy its Provider ARN value.

  7. For Roles, choose the IAM role that you're using for Okta SSO access.

  8. Under Trust Relationship for the IAM role, choose Edit Trust Relationship.

  9. Modify the IAM trust relationship policy by specifying the Provider ARN value that you've copied and add the following policy:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Federated": "arn:aws:iam::123456789012:saml-provider/Okta"
          },
          "Action": [
            "sts:AssumeRoleWithSAML",
            "sts:SetSourceIdentity",
            "sts:TagSession"
          ],
          "Condition": {
            "StringEquals": {
              "SAML:aud": "https://signin.aws.amazon.com/saml"
            }
          }
        }
      ]
    }

  10. For Permissions, add the following policy:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "AmazonSageMakerPresignedUrlPolicy",
          "Effect": "Allow",
          "Action": [
            "sagemaker:CreatePresignedDomainUrl",
            "sagemaker:CreatePresignedDomainUrlWithPrincipalTag"
          ],
          "Resource": "*"
        }
      ]
    }
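The trust policy in step 9 is what keeps the role from being assumed by anyone other than your Okta provider: the Federated principal must be exactly your provider ARN, and the SAML:aud condition pins accepted assertions to the Amazon sign-in endpoint. The following script is an added example (not code from the Amazon documentation) that renders that trust policy for a given provider ARN and checks an existing one for those two properties. It uses the page's placeholder account ID 123456789012 and the provider name Okta; the check function and its finding messages are this example's own.

```python
import json

# Sample values taken from the page's trust policy (the account id is the
# page's placeholder, not a real account).
SAML_PROVIDER_ARN = "arn:aws:iam::123456789012:saml-provider/Okta"
SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"

TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"Federated": SAML_PROVIDER_ARN},
            "Action": ["sts:AssumeRoleWithSAML", "sts:SetSourceIdentity", "sts:TagSession"],
            "Condition": {"StringEquals": {"SAML:aud": SAML_AUDIENCE}},
        }
    ],
}


def _as_list(value):
    """IAM accepts a string or a list in most policy fields; normalize to a list."""
    return value if isinstance(value, list) else [value]


def render_trust_policy(provider_arn):
    """Build the page's trust policy for the given SAML provider ARN."""
    policy = json.loads(json.dumps(TRUST_POLICY))  # deep copy of the template
    policy["Statement"][0]["Principal"]["Federated"] = provider_arn
    return policy


def check_saml_trust_policy(policy, expected_provider_arn, expected_audience=SAML_AUDIENCE):
    """Return a list of findings; an empty list means the trust policy is as expected.

    Every Allow statement that grants sts:AssumeRoleWithSAML is checked for:
      - a Federated principal equal to the expected provider ARN (no wildcard,
        no additional principal types such as "AWS")
      - a StringEquals SAML:aud condition equal to the sign-in endpoint
    """
    findings = []
    saw_saml_statement = False
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        if not ({"sts:AssumeRoleWithSAML", "sts:*", "*"} & set(actions)):
            continue
        saw_saml_statement = True

        principal = stmt.get("Principal")
        if not isinstance(principal, dict):
            findings.append(f"statement {idx}: principal is not a Federated provider (got {principal!r})")
        else:
            federated = _as_list(principal.get("Federated", []))
            if federated != [expected_provider_arn]:
                findings.append(f"statement {idx}: Federated principal is {federated}, expected [{expected_provider_arn!r}]")
            extra = sorted(set(principal) - {"Federated"})
            if extra:
                findings.append(f"statement {idx}: extra principal types {extra}")

        aud = stmt.get("Condition", {}).get("StringEquals", {}).get("SAML:aud")
        if aud is None:
            findings.append(f"statement {idx}: missing StringEquals SAML:aud condition")
        elif _as_list(aud) != [expected_audience]:
            findings.append(f"statement {idx}: SAML:aud is {aud!r}, expected {expected_audience!r}")

    if not saw_saml_statement:
        findings.append("no Allow statement grants sts:AssumeRoleWithSAML")
    return findings


if __name__ == "__main__":
    print(json.dumps(render_trust_policy(SAML_PROVIDER_ARN), indent=2))
    print("findings:", check_saml_trust_policy(TRUST_POLICY, SAML_PROVIDER_ARN))
```

Run the checker against the trust policy you actually attached to the role (for example, the output of a get-role call) rather than against the template: the two common drifts it catches are a second provider or AWS principal added to the statement and a removed SAML:aud condition.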

Configure SageMaker Canvas in Okta

Configure Amazon SageMaker Canvas in Okta using the following procedure.

To configure Amazon SageMaker Canvas to use Okta, follow the steps in this section. You must specify unique user names for each SageMakerStudioProfileName field. For example, you can use user.login as a value. If the username is different from the SageMaker Canvas profile name, choose a different uniquely identifying attribute. For example, you can use an employee's ID number for the profile name.

For an example of values that you can set for Attributes, see the code following the procedure.

  1. Under Directory, choose Groups.

  2. Add a group with the following pattern: sagemaker#canvas#IAM-role#Amazon-account-id.

  3. In Okta, open the Amazon Account Federation application integration configuration.

  4. Select Sign On for the Amazon Account Federation application.

  5. Choose Edit and specify the following:

    • SAML 2.0

    • Default Relay State – https://Region.console.aws.amazon.com/sagemaker/home?region=Region#/studio/canvas/open/StudioId. You can find the Studio Classic ID in the console: https://console.amazonaws.cn/sagemaker/

  6. Choose Attributes.

  7. In the SageMakerStudioProfileName fields, specify unique values for each username. The usernames must match the usernames that you've created in the Amazon console.

    Attribute 1:
      Name: https://aws.amazon.com/SAML/Attributes/PrincipalTag:SageMakerStudioUserProfileName
      Value: ${user.login}

    Attribute 2:
      Name: https://aws.amazon.com/SAML/Attributes/TransitiveTagKeys
      Value: {"SageMakerStudioUserProfileName"}

  8. Select Environment Type. Choose Regular Amazon.

    • If your environment type isn't listed, enter your ACS URL in the ACS URL field. If your environment type is listed, you don't need to enter your ACS URL.

  9. For Identity Provider ARN, specify the ARN you used in step 6 of the preceding procedure.

  10. Specify a Session Duration.

  11. Choose Join all roles.

  12. Turn on Use Group Mapping by specifying the following fields:

    • App Filter – okta

    • Group Filter – ^aws\#\S+\#(?IAM-role[\w\-]+)\#(?accountid\d+)$

    • Role Value Pattern – arn:aws:iam::$accountid:saml-provider/Okta,arn:aws:iam::$accountid:role/IAM-role

  13. Choose Save/Next.

  14. Under Assignments, assign the application to the group that you've created.
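The group mapping in step 12 is what turns an Okta group name into the provider/role pair that Okta puts in the SAML assertion, so whoever can name or assign groups matching the filter decides which role, in which account, a user can assume. The following script is an added example (not Okta's code or the Amazon documentation's) that reproduces that mapping in Python so you can see which group names match and what role value each one produces. It rewrites the Group Filter from the page with Python's named-group syntax, assuming the two captures are the role name and the account ID (which is what the Role Value Pattern uses them for); the sample group names and the helper that flags unexpected account IDs are constructed for this example. Note that the filter as written expects names beginning with aws#, so a group named with the sagemaker#canvas# pattern from step 2 produces no role value under it.

```python
import re

# Python named-group form of the page's Group Filter. Assumption: the two
# captures are the role name and the account id, as the Role Value Pattern
# implies. Okta's own capture syntax is not reproduced here.
GROUP_FILTER = re.compile(r"^aws\#\S+\#(?P<role>[\w\-]+)\#(?P<accountid>\d+)$")

# The page's Role Value Pattern with $accountid and IAM-role as format fields.
ROLE_VALUE_PATTERN = (
    "arn:aws:iam::{accountid}:saml-provider/Okta,"
    "arn:aws:iam::{accountid}:role/{role}"
)

# Constructed sample: the groups one Okta user belongs to.
SAMPLE_GROUPS = [
    "Everyone",                                     # ordinary group, ignored
    "aws#canvas#CanvasUserRole#123456789012",       # matches the filter
    "sagemaker#canvas#CanvasUserRole#123456789012", # step-2 prefix, filter does not match
    "aws#canvas#CanvasUserRole#123456789012x",      # account id is not all digits
    "aws#canvas#Admin Role#123456789012",           # space is outside [\w\-]
]


def map_group_to_role_value(group_name):
    """Return the provider,role pair for one group, or None if the filter does not match."""
    match = GROUP_FILTER.match(group_name)
    if match is None:
        return None
    return ROLE_VALUE_PATTERN.format(**match.groupdict())


def role_values_for_user(group_names):
    """'Join all roles': every matching group contributes one pair; duplicates are dropped."""
    values = []
    for name in group_names:
        value = map_group_to_role_value(name)
        if value is not None and value not in values:
            values.append(value)
    return values


def groups_outside_allowed_accounts(group_names, allowed_account_ids):
    """Defender check: groups that would assert a role in an account you did not intend."""
    unexpected = []
    for name in group_names:
        match = GROUP_FILTER.match(name)
        if match and match.group("accountid") not in allowed_account_ids:
            unexpected.append(name)
    return unexpected


if __name__ == "__main__":
    for name in SAMPLE_GROUPS:
        print(f"{name!r:50} -> {map_group_to_role_value(name)}")
    print("unexpected:", groups_outside_allowed_accounts(SAMPLE_GROUPS, {"123456789012"}))
```

Periodically listing all Okta groups that match the filter and running them through groups_outside_allowed_accounts is a cheap way to notice a group that points at an account ID you do not own or no longer use.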

Add optional policies on access control in IAM

In IAM, you can apply the following policy to the administrator user who creates the user profiles.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CreateSageMakerStudioUserProfilePolicy",
      "Effect": "Allow",
      "Action": "sagemaker:CreateUserProfile",
      "Resource": "*",
      "Condition": {
        "ForAnyValue:StringEquals": {
          "aws:TagKeys": [
            "studiouserid"
          ]
        }
      }
    }
  ]
}

If you choose to add the preceding policy to the admin user, you must use the following permissions from Set up ID federation in IAM.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AmazonSageMakerPresignedUrlPolicy",
      "Effect": "Allow",
      "Action": [
        "sagemaker:CreatePresignedDomainUrl",
        "sagemaker:CreatePresignedDomainUrlWithPrincipalTag"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "sagemaker:ResourceTag/studiouserid": "${aws:PrincipalTag/SageMakerStudioUserProfileName}"
        }
      }
    }
  ]
}
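The two policies above work as a pair: the administrator policy only allows user profiles to be created when the request carries a studiouserid tag, and the scoped presigned-URL policy only allows a federated user to open a profile whose studiouserid tag equals the SageMakerStudioUserProfileName tag that Okta passed as a principal tag. The following script is an added example (not code from the Amazon documentation) that simulates both conditions over a constructed set of user profiles so the effect is visible: each user reaches only their own profile, a user without the principal tag reaches nothing, and a profile created without the tag is reachable by nobody. The profile names, tag values and function names are constructed for this example; the simulation treats a missing tag on either side as a mismatch, which is the safe reading of the StringEquals condition.

```python
# Constructed sample: user profiles in the domain and their resource tags.
USER_PROFILES = {
    "alice-profile": {"studiouserid": "alice"},
    "bob-profile": {"studiouserid": "bob"},
    "legacy-profile": {},  # created before the tag requirement, no studiouserid tag
}

TAG_KEY = "studiouserid"
PRINCIPAL_TAG_KEY = "SageMakerStudioUserProfileName"


def principal_tags_from_assertion(profile_name):
    """Principal tags the role session gets from the Okta attribute in step 7
    (PrincipalTag:SageMakerStudioUserProfileName = ${user.login})."""
    return {PRINCIPAL_TAG_KEY: profile_name}


def create_user_profile_allowed(request_tags):
    """CreateSageMakerStudioUserProfilePolicy: ForAnyValue:StringEquals on aws:TagKeys
    requires at least one tag key in the request to equal "studiouserid"."""
    return TAG_KEY in request_tags


def presigned_url_allowed(principal_tags, profile_name, profiles=USER_PROFILES):
    """AmazonSageMakerPresignedUrlPolicy (scoped form): allow only when
    sagemaker:ResourceTag/studiouserid equals ${aws:PrincipalTag/SageMakerStudioUserProfileName}.
    A missing tag on either side is treated as a mismatch (no access)."""
    resource_value = profiles.get(profile_name, {}).get(TAG_KEY)
    principal_value = principal_tags.get(PRINCIPAL_TAG_KEY)
    if resource_value is None or principal_value is None:
        return False
    return resource_value == principal_value


def reachable_profiles(principal_tags, profiles=USER_PROFILES):
    """All profiles the session could open a presigned domain URL for."""
    return sorted(name for name in profiles if presigned_url_allowed(principal_tags, name, profiles))


def unreachable_profiles(profiles=USER_PROFILES):
    """Defender check: profiles no federated user can ever reach under the scoped
    policy, which in practice means profiles created without the studiouserid tag."""
    return sorted(name for name, tags in profiles.items() if TAG_KEY not in tags)


if __name__ == "__main__":
    for user in ("alice", "bob", "mallory"):
        session = principal_tags_from_assertion(user)
        print(f"{user}: {reachable_profiles(session)}")
    print("no principal tag:", reachable_profiles({}))
    print("untagged profiles:", unreachable_profiles())
    print("create with tag:", create_user_profile_allowed({"studiouserid": "carol"}))
    print("create without tag:", create_user_profile_allowed({"team": "ml"}))
```

The untagged "legacy-profile" is the case to watch for when you adopt the scoped policy: it is not a security gap (nobody can open it), but users whose profiles predate the tag requirement will lose access until their profile carries a studiouserid tag that matches their Okta login.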