Prerequisites - Amazon SageMaker
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Prerequisites

Migration of the default experience from Studio Classic to Studio is managed by the administrator of the existing domain. If you do not have permissions to set Studio as the default experience for the existing domain, contact your administrator. To migrate your default experience, you must have administrator permissions or at least have permissions to update the existing domain, Amazon Identity and Access Management (IAM), and Amazon Simple Storage Service (Amazon S3).

Complete the following prerequisites before migrating an existing domain from Studio Classic to Studio.

  • The Amazon Identity and Access Management role used to complete migration must have a policy attached with at least the following permissions. For information about creating an IAM policy, see Creating IAM policies.

    Note

    The release of Studio includes updates to the Amazon managed policies. For more information, see SageMaker Updates to Amazon Managed Policies.

    • Phase 1 required permissions:

      • iam:CreateServiceLinkedRole

      • iam:PassRole

      • sagemaker:DescribeDomain

      • sagemaker:UpdateDomain

      • sagemaker:CreateDomain

      • sagemaker:CreateUserProfile

      • sagemaker:ListApps

      • sagemaker:AddTags

      • sagemaker:DeleteApp

      • sagemaker:DeleteSpace

      • sagemaker:UpdateSpace

      • sagemaker:DeleteUserProfile

      • sagemaker:DeleteDomain

      • s3:PutBucketCORS

    • Phase 2 required permissions:

      No additional permissions needed. If the existing domain has lifecycle configurations and custom images, the admin will already have the required permissions.

    • Phase 3 using custom Amazon Elastic File System required permissions:

      • efs:CreateFileSystem

      • efs:CreateMountTarget

      • efs:DescribeFileSystems

      • efs:DescribeMountTargets

      • efs:DescribeMountTargetSecurityGroups

      • efs:ModifyMountTargetSecurityGroups

      • ec2:DescribeSubnets

      • ec2:DescribeSecurityGroups

      • ec2:DescribeNetworkInterfaceAttribute

      • ec2:DescribeNetworkInterfaces

      • ec2:AuthorizeSecurityGroupEgress

      • ec2:AuthorizeSecurityGroupIngress

      • ec2:CreateNetworkInterface

      • ec2:CreateNetworkInterfacePermission

      • ec2:RevokeSecurityGroupIngress

      • ec2:RevokeSecurityGroupEgress

      • ec2:DeleteSecurityGroup

      • datasync:CreateLocationEfs

      • datasync:CreateTask

      • datasync:StartTaskExecution

      • datasync:DeleteTask

      • datasync:DeleteLocation

      • sagemaker:ListUserProfiles

      • sagemaker:DescribeUserProfile

      • sagemaker:UpdateDomain

      • sagemaker:UpdateUserProfile

    • Phase 3 using Amazon Simple Storage Service required permissions:

      • iam:CreateRole

      • iam:GetRole

      • iam:AttachRolePolicy

      • iam:DetachRolePolicy

      • iam:DeleteRole

      • efs:DescribeFileSystems

      • efs:DescribeMountTargets

      • efs:DescribeMountTargetSecurityGroups

      • ec2:DescribeSubnets

      • ec2:CreateSecurityGroup

      • ec2:DescribeSecurityGroups

      • ec2:DescribeNetworkInterfaces

      • ec2:CreateNetworkInterface

      • ec2:CreateNetworkInterfacePermission

      • ec2:DetachNetworkInterfaces

      • ec2:DeleteNetworkInterface

      • ec2:DeleteNetworkInterfacePermission

      • ec2:CreateTags

      • ec2:AuthorizeSecurityGroupEgress

      • ec2:AuthorizeSecurityGroupIngress

      • ec2:RevokeSecurityGroupIngress

      • ec2:RevokeSecurityGroupEgress

      • ec2:DeleteSecurityGroup

      • datasync:CreateLocationEfs

      • datasync:CreateLocationS3

      • datasync:CreateTask

      • datasync:StartTaskExecution

      • datasync:DescribeTaskExecution

      • datasync:DeleteTask

      • datasync:DeleteLocation

      • sagemaker:CreateStudioLifecycleConfig

      • sagemaker:UpdateDomain

      • s3:ListBucket

      • s3:GetObject

  • Access to Amazon services from a terminal environment on either:

    • Your local machine using the Amazon CLI version 2.13+. Use the following command to verify the Amazon CLI version.

      aws --version

    • Amazon CloudShell. For more information, see What is Amazon CloudShell?

  • From your local machine or Amazon CloudShell, run the following command and provide your Amazon credentials. For information about Amazon credentials, see Understanding and getting your Amazon credentials.

    aws configure

  • Verify that the lightweight JSON processor, jq, is installed in the terminal environment. jq is required to parse Amazon CLI responses.

    jq --version

    If jq is not installed, install it using one of the following commands:

    • sudo apt-get install -y jq
    • sudo yum install -y jq