Setting up trusted identity propagation for Studio - Amazon SageMaker AI

Setting up trusted identity propagation for Studio

Setting up trusted identity propagation for Amazon SageMaker Studio requires your Amazon SageMaker AI domain to have the IAM Identity Center authentication method configured. This section guides you through the prerequisites and the steps needed to enable and configure trusted identity propagation for your Studio users.

Prerequisites

Before setting up trusted identity propagation for SageMaker AI, set up your IAM Identity Center using the following instructions.

Note

Ensure that your IAM Identity Center and your domain are in the same Amazon Web Services Region.

Enable trusted identity propagation in your Amazon SageMaker AI domain

Important

You can only enable trusted identity propagation for domains that have the Amazon IAM Identity Center authentication method configured. Your IAM Identity Center and your Amazon SageMaker AI domain must be in the same Amazon Web Services Region.

Use one of the following options to learn how to enable trusted identity propagation for a new or existing domain.

For a new domain using the SageMaker AI console:

  1. Open the Amazon SageMaker AI console.

  2. Navigate to Domains.

  3. Create a custom domain. The domain must have the Amazon IAM Identity Center authentication method configured.

  4. In the Trusted identity propagation section, choose to Enable the trusted identity propagation for all users on this domain.

  5. Complete the custom creation process.

For an existing domain using the SageMaker AI console:

  1. Open the Amazon SageMaker AI console.

  2. Navigate to Domains.

  3. Select your existing domain. The domain must have the Amazon IAM Identity Center authentication method configured.

  4. In the Domain settings tab, choose Edit in the Authentication and permissions section.

  5. Choose to Enable the trusted identity propagation for all users on this domain.

  6. Complete the domain configuration.

For an existing domain using the Amazon CLI:

    aws sagemaker update-domain \
        --region $REGION \
        --domain-id $DOMAIN_ID \
        --domain-settings "TrustedIdentityPropagationSettings={Status=ENABLED}"

  • DOMAIN_ID is the Amazon SageMaker AI domain ID. See View domains for more information.

  • REGION is the Amazon Web Services Region of your Amazon SageMaker AI domain. You can find this at the top right of any Amazon console page.

Configure your SageMaker AI execution role

To enable trusted identity propagation for your Studio users, every execution role used with trusted identity propagation needs the following context permissions. Update the trust policy of each such role so that it allows both the sts:AssumeRole and sts:SetContext actions for the SageMaker AI service principal. Use the following policy when you update the role trust policy.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": [ "sagemaker.amazonaws.com" ] }, "Action": [ "sts:AssumeRole", "sts:SetContext" ] } ] }