
Setting up SageMaker Assets (administrator guide)

Important

SageMaker Assets is only available in Amazon SageMaker Studio. If you're using Amazon SageMaker Studio Classic, you must migrate to Studio. For more information about Studio and Studio Classic, see Use machine learning environments offered by Amazon SageMaker. For information about migrating, see Migrating from Amazon SageMaker Studio Classic.

As business needs change, your users need to collaborate effectively to solve business problems as they arise. To solve them, users must share data and models with each other.

SageMaker Assets integrates Amazon SageMaker Studio with Amazon DataZone, a data management service. SageMaker Assets is a platform that helps your users share models and data with each other. You can use the following information to set up the integration between SageMaker Assets and Amazon DataZone.

You create an Amazon DataZone domain for your business line or organization. The domain is the core feature of Amazon DataZone. All of your users' data and models exist within the domain.

Within the Amazon DataZone domain, a subset of your users work on specific projects. A project typically corresponds to a particular business problem. Within the project, members can create datasets and models. By default, project members only have access to the data and models within the project. They can provide access to their data and models to other users within the organization.

Within the project, you create environments. For SageMaker Assets specifically, an environment is a collection of configured resources used to launch Amazon SageMaker Studio. For more information about the terminology used in Amazon DataZone, see Terminology and concepts.

Use the steps in the following list and the documentation it references to set up Amazon DataZone.

  1. Create an Amazon DataZone domain that corresponds to your users' organization or business line. For information about creating an Amazon DataZone domain, see Create domains.

  2. Enable the SageMaker blueprint within Amazon DataZone. For information about enabling the SageMaker blueprint, see Enable built-in blueprints in the Amazon account that owns the Amazon DataZone domain.

  3. Create a project within the domain that corresponds to the business problem that users in your domain are solving. For information about creating a project, see Create a new project.

  4. Create an environment profile that you can use as a template to create SageMaker environments for your users. For information about creating an environment profile, see Create an environment profile.

  5. Create a SageMaker environment. Within the project, your users use the SageMaker environment to launch Amazon SageMaker Studio. Within Studio, they can create assets and use SageMaker Assets to share them. For information about creating an environment, see Create a new environment.

  6. Add SageMaker as one of the trusted services within Amazon DataZone. To add SageMaker as one of the services, see Add SageMaker as a trusted service in the Amazon account that owns the Amazon DataZone domain.

Important

Amazon SageMaker Studio uses an Amazon SageMaker domain that Amazon DataZone creates as part of your SageMaker environment. An Amazon SageMaker domain is different from an Amazon DataZone domain. It consists of the resources needed to run Studio. You can access Studio from the Amazon SageMaker domain, but we recommend accessing it from the project you've created. For information about accessing Studio, see Access or share assets (user guide).

Note

The SageMaker environment uses the latest version of the SageMaker Distribution Image. SageMaker Distribution Images include popular libraries and packages for machine learning. For more information, see SageMaker Distribution Images.

After you've created the environment, you can create Amazon Glue and Amazon Redshift tables and databases. For more information, see Query data in Athena or Amazon Redshift.

Viewing and modifying your users' permissions

After you create a SageMaker environment, you can change your users' permissions to suit the needs of your organization. The SageMaker blueprint specifies permissions for all of your users. They can perform actions with all of the SageMaker services, but the permissions are scoped down to resources created within the Amazon DataZone domain.

Important

The environment that you create uses an IAM role that has limited permissions and a permissions boundary. To change your users' permissions, you can modify or replace the permissions boundary. For example, you can change the permissions boundary if your users need access to a resource such as an Amazon S3 bucket that has been created within the environment.

To view the permissions, use the ARN of the IAM role used to create the SageMaker domain to find that role in IAM.

Use the following procedure to view or edit the permissions of the IAM role of your users.

To view or edit the permissions of your users
  1. Open the Amazon SageMaker console.

  2. Choose Domains.

  3. Choose the name of the domain that has the same name as your Amazon DataZone domain.

  4. Choose Domain settings.

  5. Under Execution role, copy the ARN of the execution role.

  6. Open the IAM console.

  7. Choose Roles.

  8. Paste the ARN and delete everything except the role name after the last forward slash.

  9. Choose the role to view the permissions.

  10. Under Permissions, modify the policies to suit the needs of your organization.

  11. (Optional) Select Permissions boundary, and choose Set permissions boundary.

  12. Select a policy to set as the permissions boundary.
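
The read-only part of the procedure above (steps 1 through 9, plus a check of the permissions boundary from steps 11 and 12) can be scripted for review or drift detection. The following is an added example, not AWS-provided code: it assumes boto3 clients, that the console's Execution role corresponds to `DefaultUserSettings.ExecutionRole`, and a hypothetical `expected_boundary_arn` parameter holding the boundary policy your organization approved.

```python
# Added example (not AWS code): read-only audit of the execution role behind a
# SageMaker domain. `sm` and `iam` are boto3 "sagemaker" and "iam" clients.

def role_name_from_arn(arn):
    """Step 8: keep only the text after the last '/' (role ARNs may include a path)."""
    prefix, sep, resource = arn.partition(":role/")
    if not prefix.startswith("arn:") or not sep or not resource:
        raise ValueError(f"not an IAM role ARN: {arn!r}")
    return resource.rsplit("/", 1)[-1]

def find_domain_id(sm, domain_name):
    """Step 3: locate the SageMaker domain by name, following pagination."""
    kwargs = {}
    while True:
        page = sm.list_domains(**kwargs)
        for d in page["Domains"]:
            if d["DomainName"] == domain_name:
                return d["DomainId"]
        if not page.get("NextToken"):
            return None
        kwargs = {"NextToken": page["NextToken"]}

def audit_execution_role(sm, iam, domain_name, expected_boundary_arn=None):
    domain_id = find_domain_id(sm, domain_name)
    if domain_id is None:
        raise LookupError(f"no SageMaker domain named {domain_name!r}")
    # Assumption: the console's "Execution role" is DefaultUserSettings.ExecutionRole.
    arn = sm.describe_domain(DomainId=domain_id)["DefaultUserSettings"]["ExecutionRole"]
    name = role_name_from_arn(arn)
    role = iam.get_role(RoleName=name)["Role"]
    boundary = role.get("PermissionsBoundary", {}).get("PermissionsBoundaryArn")
    # First page only; roles hold few policies, so one page normally suffices.
    attached = iam.list_attached_role_policies(RoleName=name)["AttachedPolicies"]
    inline = iam.list_role_policies(RoleName=name)["PolicyNames"]
    findings = []
    if boundary is None:
        findings.append("execution role has no permissions boundary")
    elif expected_boundary_arn and boundary != expected_boundary_arn:
        findings.append("permissions boundary differs from the approved policy")
    return {"role_name": name, "boundary": boundary,
            "attached": [p["PolicyArn"] for p in attached],
            "inline": list(inline), "findings": findings}

if __name__ == "__main__":
    import json, sys
    import boto3  # only needed for a live, read-only run
    print(json.dumps(audit_execution_role(
        boto3.client("sagemaker"), boto3.client("iam"), sys.argv[1]), indent=2))
```

An empty `findings` list means the role still carries a permissions boundary (and, if you passed one, the approved boundary); the script makes no changes to the role.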