Trusted identity propagation architecture and compatibility
Trusted identity propagation integrates Amazon IAM Identity Center with Amazon SageMaker Studio and other connected Amazon services to propagate users' identity context across services. The following page summarizes the trusted identity propagation architecture and compatibility with SageMaker AI. For a comprehensive overview of how trusted identity propagation works across Amazon, see Trusted identity propagation overview.
The key components of the trusted identity propagation architecture include:
- Trusted identity propagation: A methodology for propagating a user's identity context between applications and services
- Identity context: Information about a user
- Identity-enhanced IAM role session: A role session with an added identity context that carries a user identifier to the Amazon service that it calls
- Connected Amazon services: Other Amazon services that can recognize the identity context that is propagated through trusted identity propagation
Trusted identity propagation allows connected Amazon services to make access decisions based on a user's identity. Within Studio itself, IAM roles are used as carriers of the identity context rather than for making access control decisions. The identity context is propagated to connected Amazon services where it can be used for both access control and audit purposes. See trusted identity propagation considerations for more information.
When you enable trusted identity propagation with Studio and authenticate through IAM Identity Center, SageMaker AI:
- Captures the user's identity context from IAM Identity Center
- Creates an identity-enhanced IAM role session that includes the user's identity context
- Passes the identity-enhanced IAM role session to compatible Amazon services when the user accesses resources
- Enables downstream Amazon services to make access decisions and log activities based on the user identity
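The audit side of the last step is where a defender sees the difference between an identity-enhanced role session and a plain execution-role session: a call made with the identity context is attributable to a specific IAM Identity Center user, while a call made with the execution role alone is attributable only to the role. The following is an added example, not code from this page or from SageMaker AI: it walks constructed CloudTrail-style records and separates those that carry a propagated user identity from those that do not. It assumes the `userIdentity.onBehalfOf` structure (with `userId` and `identityStoreArn`) that CloudTrail records for identity-enhanced role sessions; the page itself does not describe that structure, and every account ID, ARN, user ID and event below is made up.

```python
# Constructed sample CloudTrail-style records (not real log data). The
# userIdentity.onBehalfOf shape is the one CloudTrail uses for
# identity-enhanced role sessions; the account IDs, ARNs, user IDs and
# session names below are invented for this illustration.
SAMPLE_EVENTS = [
    {
        # A call made through Studio with the identity context attached
        "eventName": "GetObject",
        "eventSource": "s3.amazonaws.com",
        "userIdentity": {
            "type": "AssumedRole",
            "arn": "arn:aws:sts::111122223333:assumed-role/SageMakerExecutionRole/SageMaker",
            "onBehalfOf": {
                "userId": "example-user-id-0001",
                "identityStoreArn": "arn:aws:identitystore::111122223333:identitystore/d-example1234",
            },
        },
    },
    {
        # The same action made with the execution role only, as happens for
        # setup-time processes that run without the identity context
        "eventName": "GetObject",
        "eventSource": "s3.amazonaws.com",
        "userIdentity": {
            "type": "AssumedRole",
            "arn": "arn:aws:sts::111122223333:assumed-role/SageMakerExecutionRole/SageMaker",
        },
    },
]


def identity_context(event):
    """Return the propagated IAM Identity Center user ID carried by an
    identity-enhanced role session, or None when the record only carries
    the role identity (no identity context)."""
    on_behalf_of = event.get("userIdentity", {}).get("onBehalfOf")
    if not on_behalf_of:
        return None
    return on_behalf_of.get("userId")


def attribute_events(events):
    """Group event names by the user they are attributable to, and collect
    separately the events that can only be attributed to the role ARN.
    The second group is what an auditor has to review by other means."""
    attributed = {}
    role_only = []
    for event in events:
        user_id = identity_context(event)
        if user_id is None:
            role_only.append(
                {
                    "eventName": event.get("eventName"),
                    "roleArn": event.get("userIdentity", {}).get("arn"),
                }
            )
        else:
            attributed.setdefault(user_id, []).append(event.get("eventName"))
    return attributed, role_only


if __name__ == "__main__":
    by_user, unattributed = attribute_events(SAMPLE_EVENTS)
    for user_id, actions in by_user.items():
        print(f"user {user_id}: {', '.join(actions)}")
    for record in unattributed:
        print(f"role-only: {record['eventName']} via {record['roleArn']}")
```

Running the block over a real CloudTrail export (for example, the records in a CloudTrail Lake query result or an S3-delivered log file) would show which Studio activity is user-attributable and which ran with the execution role alone.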
Compatible SageMaker AI features
Trusted identity propagation works with the following Studio features:
- Studio private spaces
Note
- When Studio launches with trusted identity propagation enabled, it uses your identity context in addition to your execution role permissions. However, the following processes during instance setup use only the execution role permissions, without the identity context: Lifecycle Configuration, Bring-Your-Own-Image, and the CloudWatch agent for user log forwarding.
- Remote access is not currently supported with trusted identity propagation.
Compatible Amazon services
Trusted identity propagation for Amazon SageMaker Studio integrates with compatible Amazon services, where trusted identity propagation is enabled. See use cases for a comprehensive list with examples on how to enable trusted identity propagation. The trusted identity propagation compatible services include the following.
When trusted identity propagation is enabled with SageMaker AI, every other Amazon service that has trusted identity propagation enabled is connected. Once connected, those services recognize and use the user's identity context for access control and auditing.
Studio supports trusted identity propagation in Regions where both IAM Identity Center and Studio with IAM Identity Center authentication are supported. Studio supports trusted identity propagation in the following Amazon Web Services Regions:
- af-south-1
- ap-east-1
- ap-northeast-1
- ap-northeast-2
- ap-northeast-3
- ap-south-1
- ap-southeast-1
- ap-southeast-2
- ap-southeast-3
- ca-central-1
- eu-central-1
- eu-central-2
- eu-north-1
- eu-south-1
- eu-west-1
- eu-west-2
- eu-west-3
- il-central-1
- me-south-1
- sa-east-1
- us-east-1
- us-east-2
- us-west-1
- us-west-2