Additional configuration for cross-account access - Amazon SageMaker

Additional configuration for cross-account access

Note

Studio does not currently support accessing Amazon EMR clusters created in a different Amazon account than the account in which Studio is deployed. Cross-account access is available in Studio Classic only.

To enable cross-account cluster discovery, administrators need to provide the ARN of a cross-account IAM role to the execution role for Studio Classic. Studio Classic's execution role assumes that remote role to discover and connect to Amazon EMR clusters in the trusting account. The ARN of the role is loaded by the Jupyter server at launch.

You can specify this information in two ways.

  • Write the ARN of this remote role in a file named emr-discovery-iam-role-arns-DO_NOT_DELETE.json, placed in the directory .cross-account-configuration-DO_NOT_DELETE in your home directory on the Amazon EFS storage volume used by Studio Classic.

  • Automate this process by using Lifecycle Configuration (LCC) scripts. You can attach the LCC to your domain or a specific user profile. The LCC script that you use must be a JupyterServer configuration. For more information on how to create an LCC script, see Use Lifecycle Configurations with Studio Classic.

The following is an example LCC script. To modify the script, replace ASSUMABLE-ROLE and emr-account (written as emr-cross-account1 and emr-cross-account2 in the file body) with your role name and remote account ID, respectively. The number of cross-accounts is limited to five.

```bash
#!/bin/bash
# This script creates the file that informs Studio Classic that the role
# "arn:aws:iam::emr-account:role/ASSUMABLE-ROLE" in remote account "emr-account"
# must be assumed to list and describe Amazon EMR clusters in the remote account.

set -eux

FILE_DIRECTORY="/home/sagemaker-user/.cross-account-configuration-DO_NOT_DELETE"
FILE_NAME="emr-discovery-iam-role-arns-DO_NOT_DELETE.json"
FILE="$FILE_DIRECTORY/$FILE_NAME"

mkdir -p "$FILE_DIRECTORY"

# Keys are quoted so that the file body is valid JSON.
cat > "$FILE" <<- "EOF"
{
  "emr-cross-account1": "arn:aws:iam::emr-cross-account1:role/ASSUMABLE-ROLE",
  "emr-cross-account2": "arn:aws:iam::emr-cross-account2:role/ASSUMABLE-ROLE"
}
EOF
```

After the LCC runs and the file is written, the server reads the file /home/sagemaker-user/.cross-account-configuration-DO_NOT_DELETE/emr-discovery-iam-role-arns-DO_NOT_DELETE.json and stores the cross-account ARN.