Deploy a Model Version from a Different Account - Amazon SageMaker

Deploy a Model Version from a Different Account

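Enable an Amazon account to deploy model versions that were created in a different account by adding a cross-account resource policy. For example, one team in an organization might be responsible for training models while a different team is responsible for deploying and updating them. When you create a resource policy, you apply the policy to the resource to which you want to grant access. For more information about cross-account resource policies in Amazon, see Cross-account policy evaluation logic in the Amazon Identity and Access Management User Guide.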

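To enable cross-account model deployment in SageMaker, you must provide a cross-account resource policy for the model group that contains the model versions you want to deploy, for the Amazon ECR repository where the inference image for the model group resides, and for the Amazon S3 bucket where the model versions are stored. The following example creates cross-account policies for all three of these resources and applies the policies to the resources.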

```python
import json

import boto3

# account, region, bucket, sm_client and model_package_group_name are used
# below and must already be defined.

# cross account id to grant access to
cross_account_id = "123456789012"

# 1. Create policy for access to the ECR repository
ecr_repository_policy = {
    'Version': '2012-10-17',
    'Statement': [{
        'Sid': 'AddPerm',
        'Effect': 'Allow',
        'Principal': {
            'AWS': f'arn:aws:iam::{cross_account_id}:root'
        },
        'Action': ['ecr:*']
    }]
}

# Convert the ECR policy from JSON dict to string
ecr_repository_policy = json.dumps(ecr_repository_policy)

# Set the new ECR policy
ecr = boto3.client('ecr')
response = ecr.set_repository_policy(
    registryId = account,
    repositoryName = 'decision-trees-sample',
    policyText = ecr_repository_policy
)

# 2. Create policy for access to the S3 bucket
bucket_policy = {
    'Version': '2012-10-17',
    'Statement': [{
        'Sid': 'AddPerm',
        'Effect': 'Allow',
        'Principal': {
            'AWS': f'arn:aws:iam::{cross_account_id}:root'
        },
        'Action': 's3:*',
        'Resource': f'arn:aws:s3:::{bucket}/*'
    }]
}

# Convert the policy from JSON dict to string
bucket_policy = json.dumps(bucket_policy)

# Set the new policy
s3 = boto3.client('s3')
response = s3.put_bucket_policy(
    Bucket = bucket,
    Policy = bucket_policy)

# 3. Create policy for access to the ModelPackageGroup
model_package_group_policy = {
    'Version': '2012-10-17',
    'Statement': [{
        'Sid': 'AddPermModelPackageGroup',
        'Effect': 'Allow',
        'Principal': {
            'AWS': f'arn:aws:iam::{cross_account_id}:root'
        },
        'Action': ['sagemaker:DescribeModelPackageGroup'],
        'Resource': f'arn:aws:sagemaker:{region}:{account}:model-package-group/{model_package_group_name}'
    },{
        'Sid': 'AddPermModelPackageVersion',
        'Effect': 'Allow',
        'Principal': {
            'AWS': f'arn:aws:iam::{cross_account_id}:root'
        },
        'Action': ["sagemaker:DescribeModelPackage",
                   "sagemaker:ListModelPackages",
                   "sagemaker:UpdateModelPackage",
                   "sagemaker:CreateModel"],
        'Resource': f'arn:aws:sagemaker:{region}:{account}:model-package/{model_package_group_name}/*'
    }]
}

# Convert the policy from JSON dict to string
model_package_group_policy = json.dumps(model_package_group_policy)

# Set the new policy
response = sm_client.put_model_package_group_policy(
    ModelPackageGroupName = model_package_group_name,
    ResourcePolicy = model_package_group_policy)

# The names printed below are not defined in this snippet; they are assumed to
# come from the earlier steps that created the model group and its versions.
print('ModelPackageGroupArn : {}'.format(create_model_pacakge_group_response['ModelPackageGroupArn']))
print("First Versioned ModelPackageArn: " + model_package_arn)
print("Second Versioned ModelPackageArn: " + model_package_arn2)

print("Success! You are all set to proceed for cross account deployment.")
```

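This example assumes that you previously defined the following variables:

  • account - The account of the authenticated caller.

  • bucket - The S3 bucket where the model versions are stored.

  • sm_client - A SageMaker Boto3 client.

  • model_package_group_name - The model group to which you want to grant access.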
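
The ECR and S3 policies in the example above grant `ecr:*` and `s3:*` to the other account. The following added example (not part of the AWS documentation) audits a resource policy for wildcard grants before it is applied and compares the page's statements with narrower ones. The helper names, the bucket name `example-model-bucket`, and the choice of pull-only and read-only actions as sufficient for deployment are assumptions.

```python
import json

def audit_policy(policy):
    """Return (sid, issue) pairs for Allow statements with wildcard grants."""
    if isinstance(policy, str):            # accept the json.dumps() form too
        policy = json.loads(policy)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):       # a single statement object is valid
        statements = [statements]
    findings = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        for action in actions:
            if "*" in action:
                findings.append((sid, f"wildcard action {action}"))
        principal = stmt.get("Principal") or []
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
        aws = [aws] if isinstance(aws, str) else aws
        if "*" in aws:
            findings.append((sid, "wildcard principal"))
    return findings

CROSS_ACCOUNT = "arn:aws:iam::123456789012:root"        # account id from the page
BUCKET_OBJECTS = "arn:aws:s3:::example-model-bucket/*"  # constructed bucket name

def build_policy(sid, actions, resource=None):
    """Build a one-statement resource policy for the cross-account principal."""
    stmt = {"Sid": sid, "Effect": "Allow",
            "Principal": {"AWS": CROSS_ACCOUNT}, "Action": actions}
    if resource:
        stmt["Resource"] = resource
    return {"Version": "2012-10-17", "Statement": [stmt]}

# Grants as written in the page's example.
broad_ecr = build_policy("AddPerm", ["ecr:*"])
broad_s3 = build_policy("AddPerm", "s3:*", BUCKET_OBJECTS)

# Narrower grants (assumption: image pull and artifact read are sufficient).
scoped_ecr = build_policy("PullImage", ["ecr:BatchCheckLayerAvailability",
                                        "ecr:GetDownloadUrlForLayer",
                                        "ecr:BatchGetImage"])
scoped_s3 = build_policy("ReadArtifacts", ["s3:GetObject"], BUCKET_OBJECTS)

if __name__ == "__main__":
    for name, doc in [("broad_ecr", broad_ecr), ("broad_s3", broad_s3),
                      ("scoped_ecr", scoped_ecr), ("scoped_s3", scoped_s3)]:
        print(name, audit_policy(doc) or "no wildcard grants")
```

Running `audit_policy` on the JSON string just before `set_repository_policy` or `put_bucket_policy` is called lets a deployment script stop when a wildcard grant is about to be applied.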

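To be able to deploy a model that was created in a different account, the user must have a role that has access to SageMaker actions, such as a role with the AmazonSageMakerFullAccess managed policy. For information about SageMaker managed policies, see Amazon Managed Policies for Amazon SageMaker.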