Additional Configuration for cross-account use cases (for administrators)
To enable cluster discovery across accounts, administrators need to provide the ARN of a cross-account IAM role to the execution role of SageMaker Studio Classic. SageMaker Studio Classic's execution role assumes that remote role to discover and connect to Amazon EMR clusters in the trusting account. The ARN of this role is loaded by the Studio Classic Jupyter server at launch.
You can specify this information in two ways.
- Write this remote role in a file named emr-discovery-iam-role-arns-DO_NOT_DELETE.json, placed in the directory .cross-account-configuration-DO_NOT_DELETE in your home directory located in the Amazon EFS storage volume used by SageMaker Studio Classic.
- Alternatively, you can automate this process by using Lifecycle Configuration (LCC) scripts. You can attach the LCC to your domain or a specific user profile. The LCC script that you use must be a JupyterServer configuration. For more information on how to create an LCC script, see Use Lifecycle Configurations with Studio Classic.
The following is an example LCC script. To modify the script, replace ASSUMABLE-ROLE and emr-account with your role name and remote account ID, respectively. The number of cross accounts is limited to five.
```bash
#!/bin/bash
# This script creates the file that informs SageMaker Studio Classic that the role
# "arn:aws:iam::emr-account:role/ASSUMABLE-ROLE" in remote account "emr-account"
# must be assumed to list and describe Amazon EMR clusters in the remote account.

set -eux

FILE_DIRECTORY="/home/sagemaker-user/.cross-account-configuration-DO_NOT_DELETE"
FILE_NAME="emr-discovery-iam-role-arns-DO_NOT_DELETE.json"
FILE="$FILE_DIRECTORY/$FILE_NAME"

mkdir -p "$FILE_DIRECTORY"

# One entry per remote account; keys are quoted so the file is valid JSON.
cat > "$FILE" <<- "EOF"
{
  "emr-cross-account1": "arn:aws:iam::emr-cross-account1:role/ASSUMABLE-ROLE",
  "emr-cross-account2": "arn:aws:iam::emr-cross-account2:role/ASSUMABLE-ROLE"
}
EOF
```
After the LCC runs and the files are written, the server reads the file /home/sagemaker-user/.cross-account-configuration-DO_NOT_DELETE/emr-discovery-iam-role-arns-DO_NOT_DELETE.json and stores the cross-account ARN.
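Because this file decides which remote roles the execution role will assume, it is worth checking before the Jupyter server reads it. The following validator is an added example, not AWS code: `validate_discovery_config` is a hypothetical helper, the account IDs are constructed, and it assumes that each key is a 12-digit account ID and that the role ARN must name that same account, as in the script above.

```python
import json
import re
import sys

MAX_CROSS_ACCOUNTS = 5  # limit stated on this page
# ARN shape from the page's example: arn:aws:iam::<account>:role/<name>
ROLE_ARN = re.compile(r"arn:(?:aws|aws-cn|aws-us-gov):iam::(\d{12}):role/[A-Za-z0-9+=,.@_/-]+")

def _reject_duplicates(pairs):
    # json.loads silently keeps the last duplicate key; treat that as an error.
    keys = [k for k, _ in pairs]
    dupes = sorted({k for k in keys if keys.count(k) > 1})
    if dupes:
        raise ValueError(f"duplicate account key(s): {dupes}")
    return dict(pairs)

def validate_discovery_config(text):
    """Return a list of problems in the JSON text; an empty list means OK."""
    try:
        mapping = json.loads(text, object_pairs_hook=_reject_duplicates)
    except ValueError as exc:  # JSONDecodeError is a ValueError subclass
        return [f"cannot parse: {exc}"]
    if not isinstance(mapping, dict):
        return ["top level must be an object mapping account ID to role ARN"]
    problems = []
    if len(mapping) > MAX_CROSS_ACCOUNTS:
        problems.append(f"{len(mapping)} entries; limit is {MAX_CROSS_ACCOUNTS}")
    for account, arn in mapping.items():
        if not re.fullmatch(r"\d{12}", account):
            problems.append(f"key {account!r} is not a 12-digit account ID")
        match = ROLE_ARN.fullmatch(arn) if isinstance(arn, str) else None
        if match is None:
            problems.append(f"value for {account!r} is not an IAM role ARN")
        elif match.group(1) != account:
            # Assumption: a key should only map to a role in its own account.
            problems.append(f"ARN for {account!r} points at account {match.group(1)}")
    return problems

# Constructed sample inputs (not real accounts).
SAMPLE_GOOD = '{"111122223333": "arn:aws:iam::111122223333:role/ASSUMABLE-ROLE"}'
SAMPLE_UNQUOTED = '{111122223333: "arn:aws:iam::111122223333:role/ASSUMABLE-ROLE"}'
SAMPLE_MISMATCH = '{"111122223333": "arn:aws:iam::444455556666:role/ASSUMABLE-ROLE"}'

if __name__ == "__main__":
    # Usage: python validate.py <path to the JSON file>
    with open(sys.argv[1], encoding="utf-8") as handle:
        found = validate_discovery_config(handle.read())
    print("\n".join(found) or "OK")
    sys.exit(1 if found else 0)
```

Running it as the last step of the LCC script, under `set -e`, makes a malformed or unexpected mapping fail the lifecycle configuration instead of being loaded at launch.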