Additional Configuration for cross accounts use cases (for administrators) - Amazon SageMaker

To enable cluster discovery across accounts, administrators need to provide the ARN of a cross-account IAM role to the execution role of SageMaker Studio Classic. SageMaker Studio Classic's execution role assumes that remote role to discover and connect to Amazon EMR clusters in the trusting account. The ARN of this role is loaded by the Studio Classic Jupyter server at launch.

You can specify this information in two ways.

  • Write this remote role in a file named emr-discovery-iam-role-arns-DO_NOT_DELETE.json placed in the directory .cross-account-configuration-DO_NOT_DELETE in your home directory located in the Amazon EFS storage volume used by SageMaker Studio Classic.

  • Alternatively, you can automate this process by using Lifecycle Configuration (LCC) scripts. You can attach the LCC to your domain or a specific user profile. The LCC script that you use must be a JupyterServer configuration. For more information on how to create an LCC script, see Use Lifecycle Configurations with Studio Classic.

The following is an example LCC script. To modify the script, replace ASSUMABLE-ROLE and emr-account (which appears in the script as emr-cross-account1 and emr-cross-account2) with your role name and remote account ID, respectively. The number of cross accounts is limited to five.

```bash
#!/bin/bash
# This script creates the file that informs SageMaker Studio Classic that the role
# "arn:aws:iam::emr-account:role/ASSUMABLE-ROLE" in remote account "emr-account" must be
# assumed to list and describe Amazon EMR clusters in the remote account.

set -eux

FILE_DIRECTORY="/home/sagemaker-user/.cross-account-configuration-DO_NOT_DELETE"
FILE_NAME="emr-discovery-iam-role-arns-DO_NOT_DELETE.json"
FILE="$FILE_DIRECTORY/$FILE_NAME"

mkdir -p "$FILE_DIRECTORY"

# The quoted "EOF" delimiter writes the body verbatim, with no shell expansion.
# Keys are quoted so that the file is valid JSON.
cat > "$FILE" <<- "EOF"
{
  "emr-cross-account1": "arn:aws:iam::emr-cross-account1:role/ASSUMABLE-ROLE",
  "emr-cross-account2": "arn:aws:iam::emr-cross-account2:role/ASSUMABLE-ROLE"
}
EOF
```

After the LCC runs and the file is written, the server reads the file /home/sagemaker-user/.cross-account-configuration-DO_NOT_DELETE/emr-discovery-iam-role-arns-DO_NOT_DELETE.json and stores the cross-account ARN.
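A check an administrator could run on the file's content before relying on it, given here as an added example that is not part of the AWS documentation. The names `validate_discovery_config`, `Pairs` and `SAMPLE` are hypothetical, and the check assumes, following the script's template, that each key is the 12-digit remote account ID and matches the account in its role ARN.

```python
import json
import re

MAX_ACCOUNTS = 5  # limit stated on this page
ACCOUNT_ID = re.compile(r"\d{12}", re.ASCII)
# arn:<partition>:iam::<account>:role/<optional path/><role name>
ROLE_ARN = re.compile(
    r"arn:(?:aws|aws-cn|aws-us-gov):iam::(\d{12}):role/[\w+=,.@/-]+", re.ASCII)

class Pairs(list):
    """Marks a decoded JSON object so duplicate keys stay visible."""

def validate_discovery_config(text):
    """Return a list of problems in the file content; an empty list means it passed."""
    try:
        data = json.loads(text, object_pairs_hook=Pairs)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg} (line {exc.lineno})"]
    if not isinstance(data, Pairs):
        return ["top level must be an object mapping account ID to role ARN"]
    problems, seen = [], set()
    if len(data) > MAX_ACCOUNTS:
        problems.append(f"{len(data)} accounts listed; the limit is {MAX_ACCOUNTS}")
    for account, arn in data:
        if account in seen:
            problems.append(f"account {account!r} is listed more than once")
        seen.add(account)
        # Assumption: keys are 12-digit account IDs, as in the script's template.
        if not ACCOUNT_ID.fullmatch(account):
            problems.append(f"key {account!r} is not a 12-digit account ID")
        match = ROLE_ARN.fullmatch(arn) if isinstance(arn, str) else None
        if match is None:
            problems.append(f"value for {account!r} is not an IAM role ARN")
        elif match.group(1) != account:
            problems.append(f"ARN for {account!r} names account {match.group(1)}")
    return problems

# Constructed sample: the second entry's ARN names a different account than its key.
SAMPLE = """{
  "111122223333": "arn:aws:iam::111122223333:role/ASSUMABLE-ROLE",
  "444455556666": "arn:aws:iam::999999999999:role/ASSUMABLE-ROLE"
}"""

if __name__ == "__main__":
    for problem in validate_discovery_config(SAMPLE) or ["OK"]:
        print(problem)
```

An ARN that names an account other than its key is worth catching before launch, because it is the role the execution role would assume for discovery.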