Trusted identity propagation with Amazon SageMaker Studio
Amazon SageMaker Studio integrates with IAM Identity Center, and it supports user background sessions and trusted identity propagation. User background sessions allow a user to initiate a long-running job on SageMaker Studio without having to remain signed in while the job runs. The job runs immediately and in the background, using the permissions of the user who initiated the job. The job can continue to run even if the user turns off their computer, their IAM Identity Center sign-in session expires, or the user signs out of the Amazon Web Services access portal. The default session duration for user background sessions is 7 days, and you can specify a duration of up to 90 days. Trusted identity propagation allows fine-grained access to Amazon resources such as Amazon S3 buckets to be granted based on the user's identity or group membership.
The following diagram shows a trusted identity propagation configuration for SageMaker Studio, with access to data stored in an Amazon S3 bucket. User background sessions are enabled for IAM Identity Center, which allows the SageMaker Studio training job to run in the background. Access control for the training data is provided by Amazon S3 Access Grants.

Amazon managed application
The following Amazon managed client-facing application supports trusted identity propagation:
To enable trusted identity propagation and user background sessions, follow these steps:
- Set up Amazon S3 Access Grants to enable temporary access to the underlying data locations in Amazon S3.
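
The Access Grants step above, sketched with boto3 as an added example (not code from this documentation). It assumes an S3 Access Grants instance already associated with IAM Identity Center and a registered location; the account ID, location ID, group IDs and prefixes are constructed sample values, and the rule that write grants must name a sub-prefix is a local policy assumption.

```python
"""Added example: S3 Access Grants scoped to IAM Identity Center groups."""

VALID_PERMISSIONS = {"READ", "WRITE", "READWRITE"}


def build_grant_requests(account_id, location_id, grants):
    """Turn (group_id, sub_prefix, permission) tuples into CreateAccessGrant parameters.

    Each grant is tied to one Identity Center group and one sub-prefix of the
    registered location, so data access follows the user's group membership.
    """
    requests = []
    for group_id, sub_prefix, permission in grants:
        if permission not in VALID_PERMISSIONS:
            raise ValueError(f"unknown permission {permission!r}")
        # Local policy choice (assumption): write access must name a sub-prefix,
        # never the whole registered location ("*").
        if permission != "READ" and sub_prefix.strip("/") in ("", "*"):
            raise ValueError(f"{permission} grant for {group_id} covers the whole location")
        requests.append({
            "AccountId": account_id,
            "AccessGrantsLocationId": location_id,
            "AccessGrantsLocationConfiguration": {"S3SubPrefix": sub_prefix},
            "Grantee": {"GranteeType": "DIRECTORY_GROUP", "GranteeIdentifier": group_id},
            "Permission": permission,
        })
    return requests


def apply_grants(requests, client=None):
    """Create the grants; needs AWS credentials and boto3 when run for real."""
    if client is None:
        import boto3  # imported lazily so the request builder works offline
        client = boto3.client("s3control")
    return [client.create_access_grant(**req)["AccessGrantArn"] for req in requests]


# Constructed sample values: Identity Center group IDs and data prefixes.
SAMPLE_GRANTS = [
    ("11111111-2222-3333-4444-555555555555", "training-data/*", "READ"),
    ("66666666-7777-8888-9999-000000000000", "model-output/*", "READWRITE"),
]

if __name__ == "__main__":
    for req in build_grant_requests("111122223333", "constructed-location-id", SAMPLE_GRANTS):
        print(req)
```

Review the printed requests before passing them to `apply_grants`, which sends them to the `s3control` API in the caller's account and Region.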