chanciturnervgt2

Define Tailored Permissions in Minutes with Amazon SageMaker Role Manager

by

VGT2 Las Vegas
in

Define Tailored Permissions in Minutes with Amazon SageMaker Role ManagerMore Info

Machine learning (ML) workload administrators prioritize the security of user operations, adhering to the principle of least privilege. With a diverse range of user personas, each possessing unique requirements, developing the appropriate permission policies can sometimes hinder agility. In this article, we explore how to utilize Amazon SageMaker Role Manager to swiftly create persona-based roles that can be customized to meet your specific needs in just minutes, directly from the Amazon SageMaker console.

Role Manager provides predefined personas and ML activities alongside a wizard designed to simplify your permission generation process. This enables your ML practitioners to fulfill their responsibilities with only the essential permissions. For those who need additional customization, SageMaker Role Manager allows for the specification of network and encryption permissions for Amazon Virtual Private Cloud (Amazon VPC) resources and AWS Key Management Service (AWS KMS) encryption keys, as well as the ability to attach custom policies.

In this post, you will learn how to employ SageMaker Role Manager to establish a data scientist role for accessing Amazon SageMaker Studio while ensuring that they possess the minimal permissions necessary for their tasks. For further insights, you might find this blog post engaging: Amazon VGT2 Las Vegas.

Solution Overview

This walkthrough covers all steps necessary to assign permissions to an ML administrator, create a service role for accessing required dependencies for model building and training, and establish execution roles for users to assume within Studio for their tasks. If your ML practitioners access SageMaker through the AWS Management Console, you can create permissions to facilitate access or grant it through IAM Identity Center (the successor to AWS Single Sign-On).

Personas

A persona is an entity that needs to carry out a specific set of ML activities and utilizes a role to obtain permissions. SageMaker Role Manager offers a selection of predefined persona templates for common scenarios, or you can develop your own custom persona.

Several personas are currently supported, including:

  • Data Scientist: This persona engages in ML activities within a SageMaker environment. They are authorized to process Amazon Simple Storage Service (Amazon S3) data, conduct experiments, and develop models.
  • MLOps: This persona is responsible for operational activities within a SageMaker environment. They can manage models, endpoints, and pipelines, as well as audit resources.
  • SageMaker Compute Role: This persona is employed by SageMaker compute resources such as jobs and endpoints, allowing access to Amazon S3 resources, Amazon Elastic Container Registry (Amazon ECR) repositories, Amazon CloudWatch, and other services for ML computation.
  • Custom Role Settings: This persona has no pre-selected configurations or default options, providing complete customization beginning with empty settings.

For a detailed list of personas and additional information, refer to the persona reference in the SageMaker Role Manager Developer Guide.

ML Activities

ML activities consist of predefined permission sets tailored for common ML tasks. Personas are composed of multiple ML activities to grant permissions effectively.

For instance, the data scientist persona utilizes the following ML activities:

  • Run Studio Applications: Permissions to function within a Studio environment, essential for domain and user-profile execution roles.
  • Manage Experiments: Permissions to oversee experiments and trials.
  • Manage ML Jobs: Permissions to audit, query lineage, and visualize experiments.
  • Manage Models: Permissions to manage SageMaker jobs throughout their lifecycle.
  • Manage Pipelines: Permissions to control SageMaker pipelines and their executions.
  • S3 Bucket Access: Permissions to execute operations on designated buckets.

Numerous additional ML activities are available beyond those mentioned here. To view the complete list along with template policy details, consult the ML Activity reference of the SageMaker Role Manager Developer Guide. This is an excellent resource: Amazon Warehouse Associate Interview Questions.

The following figure illustrates the entire scope of this post, where you first create a service execution role to enable users to PassRole for access to underlying services, and then create a user execution role to grant permissions for your ML practitioners to undertake their required ML activities.

Prerequisites

Before you begin, ensure that you have an ML administrator role with the necessary permissions to create and manage personas, along with AWS Identity and Access Management (IAM) permissions for those users. An example IAM policy for an ML administrator may resemble the following code. Note that this policy restricts Studio domain creation to VPC only. While this is a best practice for managing network access, you should delete the LockDownStudioDomainCreateToVPC statement if your implementation does not utilize a VPC-based Studio domain.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "LockDownStudioDomainCreateToVPC",
            "Effect": "Allow",
            "Action": [
                "sagemaker:CreateDomain"
            ],
            "Resource": [
                "arn:aws:sagemaker:<REGION>:<ACCOUNT-ID>:domain/*"
            ],
            "Condition": {
                "StringEquals": {
                    "sagemaker:AppNetworkAccessType": "VpcOnly"
                }
            }
        },
        {
            "Sid": "StudioUserProfilePerm",
            "Effect": "Allow",
            "Action": [
                "sagemaker:CreateUserProfile"
            ],
            "Resource": [
                "arn:aws:sagemaker:<REGION>:<ACCOUNT-ID>:user-profile/*"
            ]
        },
        {
            "Sid": "AllowFileSystemPermissions",
            "Effect": "Allow",
            "Action": [
                "elasticfilesystem:CreateFileSystem"
            ],
            "Resource": "arn:aws:elasticfilesystem:<REGION>:<ACCOUNT-ID>:file-system/*"
        },
        {
            "Sid": "KMSPermissionsForSageMaker",
            "Effect": "Allow",
            "Action": [
                "kms:CreateGrant",
                "kms:Decrypt",
                "kms:DescribeKey",
                "kms:GenerateDataKeyWithoutPlainText"
            ],
            "Resource": [
                "arn:aws:kms:<REGION>:<ACCOUNT-ID>:key/<KMS-KEY-ID>"
            ]
        },
        {
            "Sid": "AmazonSageMakerPresignedUrlPolicy",
            "Effect": "Allow",
            "Action": [
                "sagemaker:CreatePresignedDomainUrl"
            ],
            "Resource": [
                "arn:aws:sagemaker:<REGION>:<ACCOUNT-ID>:user-profile/*"
            ]
        },
        {
            "Sid": "AllowRolePerm",
            "Effect": "Allow",
            "Action": [
                "iam:PassRole",
                "iam:GetRole"
            ],
            "Resource": [
                "arn:aws:iam::<ACCOUNT-ID>:role/*"
            ]
        },
        {
            "Sid": "ListExecutionRoles",
            "Effect": "Allow",
            "Action": [
                "iam:ListRoles"
            ],
            "Resource": [
                "arn:aws:iam::<ACCOUNT-ID>:role/*"
            ]
        },
        {
            "Sid": "SageMakerApiListDomain",
            "Effect": "Allow",
            "Action": [
                "sagemaker:ListDomains"
            ],
            "Resource": "*"
        }
    ]
}

Related Topics:

Comments

Leave a Reply

Your email address will not be published. Required fields are marked *