Getting Started / Hands-on / ...
Add Permissions to Your Amazon SageMaker Studio Account for ML Workflows
GETTING STARTED GUIDE
Overview
In this tutorial, learn how to configure your Amazon SageMaker Studio account with permissions required to access SageMaker APIs and features for automating ML workflows.
What you will learn
In this guide, you will:
- Attach the following three AWS IAM policies to your Amazon SageMaker Studio account to enable access to SageMaker APIs and features for automating ML workflows: AmazonSageMakerFullAccess, AWSCloudFormationFullAccess, and AmazonSageMakerPipelinesIntegrations
Prerequisites
Before starting this guide, you will need:
- An AWS account: If you don't already have an account, follow the Setting Up Your Environment getting started guide for a quick overview.
- An Amazon SageMaker Studio domain and user: If you don't already have a SageMaker Studio domain, see Onboard to Amazon SageMaker Domain in the Amazon SageMaker developer guide.
AWS experience
Intermediate
Time to complete
5 minutes
Cost to complete
There is no extra cost from running this tutorial.
Requires
You must be logged into an AWS account and you must have an Amazon SageMaker Studio account.
Services used
Amazon SageMaker Studio, AWS IAM
Last updated
Jun 15, 2022
Implementation
Step 1: Copy your SageMaker Studio user role id
In the SageMaker Studio Control Panel page, under the Users section, select your SageMaker Studio user name.
In the User Details page, under the Details pane, Execution role, highlight and copy only the text after arn:aws:iam::<your-account-id>:role/.
Step 2: Attach AWS IAM policies
In this step, you attach three AWS IAM policies to your SageMaker Studio account to allow the account access to SageMaker APIs and features for automating ML workflows.
Enter IAM in the search bar in the SageMaker console, and then choose IAM to open the AWS IAM console.
In the IAM console, on the Identity and Access Management (IAM) pane, under Access management, choose Roles. Under the Roles pane, in the search bar, paste the Execution role text that you copied in Step 1. Under Role name search results, choose the role displayed.
In the Summary page, under the Permissions tab, Permissions polices, Add permissions, choose Attach policies.
In the Attach policy page, under Other permissions policies, enter AmazonSageMakerFullAccess, and press Enter. This policy is required to allow your SageMaker Studio account to access SageMaker APIs and features. Under Policy name, select AmazonSageMakerFullAccess, and then choose Attach policies. On the role Summary page, the newly added policy is displayed under the Permissions policies list.
Repeat Step 2 to add the AWSCloudFormationFullAccess and AmazonSageMakerPipelinesIntegrations policies.
Step 3: Allow access to AWS Lambda
In this step, you edit the trust policy to allow access to AWS Lambda.
In the AWS IAM console, on the role Summary page, select the Trust relationships tab, and then choose Edit trust policy.
Copy and paste the following code into the Edit trust policy editor in the location shown in the screenshot. Make sure that the indentation of the JSON code is exactly as shown in the screenshot. Do not delete the code already in the editor, instead add the following code by inserting it at the location shown in the screenshot. Choose Update policy.
{
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
Conclusion
Congratulations! You have finished the Add permissions to your Amazon SageMaker Studio account for ML Workflows tutorial.
In this tutorial, you attached three AWS IAM policies to your SageMaker Studio account to provide your account access to SageMaker APIs and features for building ML workflows.
If you came to this page by choosing a link on another tutorial, you can now go back to that tutorial and continue where you left off.