{"id":1940,"date":"2022-03-09T19:56:50","date_gmt":"2022-03-09T19:56:50","guid":{"rendered":"https:\/\/salarydistribution.com\/machine-learning\/2022\/03\/09\/enable-amazon-sagemaker-jumpstart-for-custom-iam-execution-roles\/"},"modified":"2022-03-09T19:56:50","modified_gmt":"2022-03-09T19:56:50","slug":"enable-amazon-sagemaker-jumpstart-for-custom-iam-execution-roles","status":"publish","type":"post","link":"https:\/\/salarydistribution.com\/machine-learning\/2022\/03\/09\/enable-amazon-sagemaker-jumpstart-for-custom-iam-execution-roles\/","title":{"rendered":"Enable Amazon SageMaker JumpStart for custom IAM execution roles"},"content":{"rendered":"<div id=\"\">\n<p>With an <a href=\"https:\/\/docs.aws.amazon.com\/sagemaker\/latest\/dg\/gs-studio-onboard.html\" target=\"_blank\" rel=\"noopener noreferrer\">Amazon SageMaker Domain<\/a>, you can onboard users with an <a href=\"http:\/\/aws.amazon.com\/iam\" target=\"_blank\" rel=\"noopener noreferrer\">AWS Identity and Access Management<\/a> (IAM) execution role different from the Domain execution role. In that case, the onboarded Domain user can\u2019t create projects using templates and <a href=\"https:\/\/docs.aws.amazon.com\/sagemaker\/latest\/dg\/studio-jumpstart.html\" target=\"_blank\" rel=\"noopener noreferrer\">Amazon SageMaker JumpStart<\/a> solutions. This post outlines an automated approach to enable JumpStart for Domain users with a custom execution role. We walk you through two different use cases for enabling JumpStart and how to solve each programmatically. 
The automated solution can help you scale your process to enable JumpStart for Domain users with custom roles, increasing the productivity of your data science team and <a href=\"https:\/\/docs.aws.amazon.com\/sagemaker\/latest\/dg\/studio.html\" target=\"_blank\" rel=\"noopener noreferrer\">Amazon SageMaker Studio<\/a> administrators.<\/p>\n<p>JumpStart is a feature within Studio that helps you quickly and easily get started with machine learning (ML). As more customers adopt ML on <a href=\"https:\/\/aws.amazon.com\/pm\/sagemaker\/\" target=\"_blank\" rel=\"noopener noreferrer\">Amazon SageMaker<\/a>, JumpStart makes it easier for data science and ML teams to access and fine-tune more than 150 popular open-source models, such as natural language processing, object detection, and image classification models.<\/p>\n<h2>Solution overview<\/h2>\n<p>JumpStart requires a SageMaker Domain with project templates enabled for the account and Studio users, as shown in the following screenshot.<br \/><a href=\"https:\/\/d2908q01vomqb2.cloudfront.net\/f1f836cb4ea6efb2a0b1b99f41ad8b103eff4b59\/2022\/02\/28\/ML-7713-image001.png\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-33573\" src=\"https:\/\/d2908q01vomqb2.cloudfront.net\/f1f836cb4ea6efb2a0b1b99f41ad8b103eff4b59\/2022\/02\/28\/ML-7713-image001.png\" alt=\"\" width=\"1827\" height=\"719\"><\/a><\/p>\n<p>If enabled, this setting allows users (configured to use the Domain execution role) to create projects using templates and JumpStart solutions. If a user\u2019s execution role differs from the Domain execution role, JumpStart remains disabled for that user even when it\u2019s enabled on the Domain. 
We address this custom role scenario and an automated fix for it in the following sections, for two cases:<\/p>\n<ul>\n<li><strong>Use case 1 <\/strong>\u2013 Enabling JumpStart in an automated manner for existing Domain users with custom roles, regardless of which apps are assigned to them<\/li>\n<li><strong>Use case 2 <\/strong>\u2013 Providing a reference script that you can use to programmatically enable JumpStart while onboarding a new Domain user with a custom role<\/li>\n<\/ul>\n<h2>Domain user onboarding<\/h2>\n<p>After you create a Domain, you can onboard users to launch apps (such as Studio, RStudio, or Canvas). You must assign a default execution role to a Domain user during the creation process, as shown in the following screenshot.<br \/><a href=\"https:\/\/d2908q01vomqb2.cloudfront.net\/f1f836cb4ea6efb2a0b1b99f41ad8b103eff4b59\/2022\/02\/28\/ML-7713-image003.png\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-33574\" src=\"https:\/\/d2908q01vomqb2.cloudfront.net\/f1f836cb4ea6efb2a0b1b99f41ad8b103eff4b59\/2022\/02\/28\/ML-7713-image003.png\" alt=\"\" width=\"1428\" height=\"566\"><\/a><\/p>\n<p>You can choose a role different from the Domain execution role for a user. However, this may disable JumpStart for such users even when it\u2019s enabled on the Domain. This is because SageMaker makes no assumptions about a custom role or what it is permitted to do: the permissions and policies needed to access the templates and JumpStart solutions that SageMaker publishes in <a href=\"https:\/\/docs.aws.amazon.com\/servicecatalog\/latest\/adminguide\/introduction.html\" target=\"_blank\" rel=\"noopener noreferrer\">AWS Service Catalog<\/a> have to be granted to that role explicitly.<\/p>\n<p>You can enable SageMaker Projects and JumpStart manually for every user by selecting the user profile on the SageMaker Domain control panel. 
However, this process can be time-consuming if a user already has some apps assigned. The <strong>Edit<\/strong> button at bottom right is only enabled when no apps are assigned to that user (see the following screenshot). You have to delete the assigned apps first in order to edit a user profile.<br \/><a href=\"https:\/\/d2908q01vomqb2.cloudfront.net\/f1f836cb4ea6efb2a0b1b99f41ad8b103eff4b59\/2022\/02\/28\/ML-7713-image005.png\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone wp-image-33575 size-full\" src=\"https:\/\/d2908q01vomqb2.cloudfront.net\/f1f836cb4ea6efb2a0b1b99f41ad8b103eff4b59\/2022\/02\/28\/ML-7713-image005.png\" alt=\"\" width=\"1419\" height=\"604\"><\/a><\/p>\n<p>The reason JumpStart is disabled is spelled out in Step 2 of editing a user profile, where a message states \u201cIf there are individual users using custom execution roles in your organization, you need to enable them on the user profile page.\u201d<br \/><a href=\"https:\/\/d2908q01vomqb2.cloudfront.net\/f1f836cb4ea6efb2a0b1b99f41ad8b103eff4b59\/2022\/02\/28\/ML-7713-image007.png\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-33576\" src=\"https:\/\/d2908q01vomqb2.cloudfront.net\/f1f836cb4ea6efb2a0b1b99f41ad8b103eff4b59\/2022\/02\/28\/ML-7713-image007.png\" alt=\"\" width=\"1708\" height=\"701\"><\/a><\/p>\n<p>In the following sections, we walk you through two automated solutions that cover both existing and new Domain users.<\/p>\n<h2>Prerequisites<\/h2>\n<p>The steps described as part of this solution have the following prerequisites:<\/p>\n<ul>\n<li>You have created a SageMaker Domain<\/li>\n<li>The SageMaker Domain authentication method is IAM<\/li>\n<li>Custom roles assigned to the SageMaker Domain users have the <code>AmazonSageMakerFullAccess<\/code> policy attached. This managed policy grants broad SageMaker permissions; if your custom roles carry a narrower policy instead, confirm that it still permits the AWS Service Catalog actions that templates and JumpStart solutions need before relying on the steps below.<\/li>\n<\/ul>\n<p>In order for <a href=\"https:\/\/docs.aws.amazon.com\/sagemaker\/latest\/dg\/sagemaker-projects-studio-updates.html\" 
target=\"_blank\" rel=\"noopener noreferrer\">JumpStart Solutions<\/a> to be enabled for users, the AWS Service Catalog portfolio Amazon SageMaker Solutions and ML Ops products must be imported into the account, and this portfolio must be associated with the execution role under which Studio runs for the user (for the users in this post, their custom role). The role association is necessary so that Studio, acting as that role, can invoke the AWS Service Catalog APIs for the Solutions portfolio.<\/p>\n<p>As a general best practice, test the process in a non-production environment and validate that everything is configured and operating as you expect before making changes to the production environment.<\/p>\n<h2>Use case 1: Enable JumpStart for all existing Domain users with a custom role<\/h2>\n<p>Let\u2019s first consider the use case for existing users and enable JumpStart for those users in an automated way.<\/p>\n<p>To achieve this, we have created an <a href=\"http:\/\/aws.amazon.com\/cloudformation\" target=\"_blank\" rel=\"noopener noreferrer\">AWS CloudFormation<\/a> <a href=\"https:\/\/console.aws.amazon.com\/cloudformation\/home?region=us-east-1#\/stacks\/new?stackName=sm-enable-jumpstart-custom-roles&amp;templateURL=https:\/\/aws-blogs-artifacts-public.s3.amazonaws.com\/artifacts\/ML-7713\/sm-enable-jumpstart-custom-roles.yml\" target=\"_blank\" rel=\"noopener noreferrer\">template<\/a> that you must run in the same Region where the SageMaker Domain exists. Note that the quick-create link opens the console in us-east-1; switch to the Domain\u2019s Region before creating the stack.<\/p>\n<p>The CloudFormation stack contained in the attached <code>jumpstart_solutions_resources.template.yaml<\/code> file has the following components:<\/p>\n<ul>\n<li><strong>AmazonSageMakerServiceCatalogProductsLaunchRole and AmazonSageMakerServiceCatalogProductsUseRole <\/strong>\u2013 Creates these two IAM roles, if they don\u2019t already exist.<\/li>\n<li><strong>1PProductUseRolePolicy<\/strong> \u2013 Creates this policy used by <code>AmazonSageMakerServiceCatalogProductsUseRole<\/code>, if this role doesn\u2019t already 
exist.<\/li>\n<li><strong>setup_solutions_tests_portfolio<\/strong> \u2013 An <a href=\"http:\/\/aws.amazon.com\/lambda\" target=\"_blank\" rel=\"noopener noreferrer\">AWS Lambda<\/a> function that performs the AWS Service Catalog portfolio import and role association by calling Boto3 APIs. This function is called once during <a href=\"https:\/\/docs.aws.amazon.com\/AWSCloudFormation\/latest\/UserGuide\/stacks.html\" target=\"_blank\" rel=\"noopener noreferrer\">CloudFormation stack creation<\/a>.<\/li>\n<li><strong>LambdaIAMRole role<\/strong> \u2013 Used by the function <code>setup_solutions_tests_portfolio<\/code> for calling AWS Service Catalog and SageMaker APIs.<\/li>\n<li><strong>SetupPortfolioInvoker<\/strong> \u2013 Invokes the function <code>setup_solutions_tests_portfolio<\/code>.<\/li>\n<\/ul>\n<p>After the Lambda function runs as part of the CloudFormation deployment, it retrofits all the existing SageMaker Domain users to enable JumpStart and Projects for them. For more information on creating and monitoring a CloudFormation stack, refer to <a href=\"https:\/\/docs.aws.amazon.com\/AWSCloudFormation\/latest\/UserGuide\/cfn-whatis-howdoesitwork.html\" target=\"_blank\" rel=\"noopener noreferrer\">How does AWS CloudFormation work<\/a>.<\/p>\n<h2>Use case 2: Enable JumpStart for a single Domain user with a custom role<\/h2>\n<p>Many customers prefer to scale the Domain user onboarding process by automating it programmatically. In this section, we provide a Python script reference that you can use as part of the onboarding process to enable JumpStart for a new user with a custom role. This Python script performs the required association for the given user role. The automated process calling this script must have permission to use AWS Service Catalog and SageMaker APIs. 
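<p>The following script is added here as an example; it is not code from the post or from its CloudFormation template. It does for one Domain what the post says the <code>setup_solutions_tests_portfolio<\/code> function does, and adds the check a reviewer would ask for: it imports the Solutions portfolio, collects the distinct execution roles of all user profiles that differ from the Domain default (profiles that inherit the default already have JumpStart), reads which principals are already associated with the portfolio, and associates only the missing ones. Associating a principal with the portfolio is a grant, so the script is idempotent and returns exactly the roles it newly granted, which is what you want to record. The API calls (describe_domain, list_user_profiles, describe_user_profile, enable_sagemaker_servicecatalog_portfolio, list_accepted_portfolio_shares, list_principals_for_portfolio, associate_principal_with_portfolio) are the real boto3 ones; the two fake clients, the Domain ID and the role ARNs are constructed placeholders so the code runs offline. Pass the real boto3 SageMaker and Service Catalog clients instead of the fakes to run it against an account.<\/p>

```python
"""Retrofit JumpStart/Projects access for every Domain user on a custom execution role.
Added example, not the post's Lambda code. Functions take client objects so the
constructed fakes below run offline; pass boto3 sagemaker/servicecatalog clients for real use."""

SOLUTIONS_PROVIDER = "Amazon SageMaker"  # ProviderName of the shared Solutions portfolio


def solutions_portfolio_id(sc):
    """ID of the Solutions portfolio shared with this account (Service Catalog pages with PageToken)."""
    kwargs = {}
    while True:
        page = sc.list_accepted_portfolio_shares(**kwargs)
        for portfolio in page["PortfolioDetails"]:
            if portfolio["ProviderName"] == SOLUTIONS_PROVIDER:
                return portfolio["Id"]
        if not page.get("NextPageToken"):
            raise RuntimeError("Solutions portfolio is not imported into this account")
        kwargs["PageToken"] = page["NextPageToken"]


def custom_execution_roles(sm, domain_id):
    """Distinct role ARNs of user profiles that differ from the Domain default. A profile
    without UserSettings.ExecutionRole inherits the default and already has JumpStart."""
    default_role = sm.describe_domain(DomainId=domain_id)["DefaultUserSettings"]["ExecutionRole"]
    roles, kwargs = set(), {"DomainIdEquals": domain_id}
    while True:
        page = sm.list_user_profiles(**kwargs)
        for profile in page["UserProfiles"]:
            detail = sm.describe_user_profile(DomainId=domain_id, UserProfileName=profile["UserProfileName"])
            role = detail.get("UserSettings", {}).get("ExecutionRole", default_role)
            if role != default_role:
                roles.add(role)
        if not page.get("NextToken"):
            return roles
        kwargs["NextToken"] = page["NextToken"]


def associated_principals(sc, portfolio_id):
    """ARNs already associated with the portfolio, so a re-run grants nothing twice."""
    arns, kwargs = set(), {"PortfolioId": portfolio_id}
    while True:
        page = sc.list_principals_for_portfolio(**kwargs)
        arns.update(p["PrincipalARN"] for p in page["Principals"])
        if not page.get("NextPageToken"):
            return arns
        kwargs["PageToken"] = page["NextPageToken"]


def enable_jumpstart_for_domain(sm, sc, domain_id):
    """Associate every custom role in the Domain with the Solutions portfolio; return the new ARNs."""
    sm.enable_sagemaker_servicecatalog_portfolio()  # import/accept the share first; safe to repeat
    portfolio_id = solutions_portfolio_id(sc)
    pending = custom_execution_roles(sm, domain_id) - associated_principals(sc, portfolio_id)
    for arn in sorted(pending):
        sc.associate_principal_with_portfolio(PortfolioId=portfolio_id, PrincipalARN=arn, PrincipalType="IAM")
    return sorted(pending)


# ---- constructed stand-ins for the boto3 clients (not real account data) ----
class FakeSageMaker:
    def __init__(self, default_role, profiles):  # profiles: name -> role ARN, or None to inherit
        self.default_role, self.profiles, self.enabled = default_role, profiles, False
    def enable_sagemaker_servicecatalog_portfolio(self):
        self.enabled = True
    def describe_domain(self, DomainId):
        return {"DomainId": DomainId, "DefaultUserSettings": {"ExecutionRole": self.default_role}}
    def list_user_profiles(self, DomainIdEquals, NextToken=None):  # one profile per page to exercise paging
        names, i = sorted(self.profiles), int(NextToken or 0)
        page = {"UserProfiles": [{"DomainId": DomainIdEquals, "UserProfileName": names[i]}]}
        if i + 1 < len(names):
            page["NextToken"] = str(i + 1)
        return page
    def describe_user_profile(self, DomainId, UserProfileName):
        role = self.profiles[UserProfileName]
        settings = {"UserSettings": {"ExecutionRole": role}} if role else {}
        return {"DomainId": DomainId, "UserProfileName": UserProfileName, **settings}


class FakeServiceCatalog:
    def __init__(self, portfolio_id, principals):
        self.portfolio_id, self.principals, self.calls = portfolio_id, set(principals), []
    def list_accepted_portfolio_shares(self, PageToken=None):  # page 1 holds an unrelated share
        if PageToken is None:
            return {"PortfolioDetails": [{"Id": "port-other", "ProviderName": "Other Vendor"}], "NextPageToken": "p2"}
        return {"PortfolioDetails": [{"Id": self.portfolio_id, "ProviderName": SOLUTIONS_PROVIDER}]}
    def list_principals_for_portfolio(self, PortfolioId, PageToken=None):
        return {"Principals": [{"PrincipalARN": a, "PrincipalType": "IAM"} for a in sorted(self.principals)]}
    def associate_principal_with_portfolio(self, PortfolioId, PrincipalARN, PrincipalType):
        self.calls.append((PortfolioId, PrincipalARN, PrincipalType))
        self.principals.add(PrincipalARN)


DEFAULT_ROLE = "arn:aws:iam::123456789012:role/DomainExecutionRole"  # placeholder ARNs
ROLE_DS = "arn:aws:iam::123456789012:role/DataScienceRole"
ROLE_MLOPS = "arn:aws:iam::123456789012:role/MLOpsRole"


def demo():
    """Constructed Domain: bob inherits the default role; MLOpsRole is already associated."""
    sm = FakeSageMaker(DEFAULT_ROLE, {"alice": ROLE_DS, "bob": None, "carol": ROLE_MLOPS, "dave": ROLE_DS})
    sc = FakeServiceCatalog("port-sagemaker", [ROLE_MLOPS])
    return enable_jumpstart_for_domain(sm, sc, "d-example"), sm, sc


if __name__ == "__main__":
    print("newly associated:", demo()[0])  # DataScienceRole only; MLOpsRole was already granted
```

<p>Running the file prints the one role the constructed Domain still needed; calling <code>enable_jumpstart_for_domain<\/code> a second time against the same clients returns an empty list, which is the behaviour you want from a retrofit that may be rerun after new users are onboarded.<\/p>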
See the following code:<\/p>\n<div class=\"hide-language\">\n<pre><code class=\"lang-python\">import boto3\n\nsagemaker_client = boto3.client(\"sagemaker\")\nsc_client = boto3.client(\"servicecatalog\")\n\n# Return the ID of the 'Amazon SageMaker' Solutions portfolio shared with this account.\n# Service Catalog pages with PageToken\/NextPageToken, so walk every page.\ndef get_solutions_portfolio_id(sc_client):\n    kwargs = {}\n    while True:\n        page = sc_client.list_accepted_portfolio_shares(**kwargs)\n        for portfolio in page['PortfolioDetails']:\n            if portfolio['ProviderName'] == 'Amazon SageMaker':\n                return portfolio['Id']\n        if not page.get('NextPageToken'):\n            raise RuntimeError('Amazon SageMaker portfolio not found; is it imported?')\n        kwargs['PageToken'] = page['NextPageToken']\n\n# Associate one custom execution role with the Solutions portfolio.\ndef enable_jumpstart_for_role(custom_role_arn):\n    # Import the Solutions portfolio first so that its share is listed as accepted.\n    sagemaker_client.enable_sagemaker_servicecatalog_portfolio()\n    portfolio_id = get_solutions_portfolio_id(sc_client)\n    sc_client.associate_principal_with_portfolio(\n        PortfolioId=portfolio_id,\n        PrincipalARN=custom_role_arn,  # ARN of the user's custom execution role\n        PrincipalType='IAM',\n    )\n<\/code><\/pre>\n<\/div>\n<p>You can either call <code>enable_jumpstart_for_role<\/code> independently with the custom role ARN, or embed it as a step within the automated process that creates the user profile for onboarding to Studio. For more information on using Boto3, refer to <a href=\"https:\/\/boto3.amazonaws.com\/v1\/documentation\/api\/latest\/reference\/core\/boto3.html\" target=\"_blank\" rel=\"noopener noreferrer\">Boto3 reference<\/a>.<\/p>\n<h2>Clean up<\/h2>\n<p>After all the custom roles are enabled to use JumpStart, you can clean up the resources that are no longer needed. You can delete the Lambda function <code>setup_solutions_tests_portfolio<\/code> and the IAM role <code>LambdaIAMRole<\/code> created by the CloudFormation template. 
The other two IAM roles, <code>AmazonSageMakerServiceCatalogProductsLaunchRole<\/code> and <code>AmazonSageMakerServiceCatalogProductsUseRole<\/code>, and the associated policy <code>1PProductUseRolePolicy<\/code> (if created) must not be deleted, because JumpStart and Projects need them to exist. For that reason, delete the function and its role individually rather than deleting the whole stack, unless you have confirmed that the template retains those roles on stack deletion.<\/p>\n<h2>Conclusion<\/h2>\n<p>In this post, we shared the steps to enable JumpStart for a custom role, for existing users as well as new users, programmatically. As always, validate the steps in this solution in a non-production environment before deploying to production.<\/p>\n<p>Try it out and let us know if you have any questions in the comments section!<\/p>\n<hr>\n<h3>About the Authors<\/h3>\n<p><a href=\"https:\/\/d2908q01vomqb2.cloudfront.net\/f1f836cb4ea6efb2a0b1b99f41ad8b103eff4b59\/2022\/02\/28\/Nikhil-Jha.png\"><img decoding=\"async\" loading=\"lazy\" class=\"size-full wp-image-33581 alignleft\" src=\"https:\/\/d2908q01vomqb2.cloudfront.net\/f1f836cb4ea6efb2a0b1b99f41ad8b103eff4b59\/2022\/02\/28\/Nikhil-Jha.png\" alt=\"\" width=\"100\" height=\"133\"><\/a><strong>Nikhil Jha<\/strong> is a Senior Technical Account Manager at Amazon Web Services. His focus areas include AI\/ML, and analytics. In his spare time, he enjoys playing badminton with his daughter and exploring the outdoors.<\/p>\n<p><a href=\"https:\/\/d2908q01vomqb2.cloudfront.net\/f1f836cb4ea6efb2a0b1b99f41ad8b103eff4b59\/2022\/02\/28\/evakravi.png\"><img decoding=\"async\" loading=\"lazy\" class=\"size-full wp-image-33580 alignleft\" src=\"https:\/\/d2908q01vomqb2.cloudfront.net\/f1f836cb4ea6efb2a0b1b99f41ad8b103eff4b59\/2022\/02\/28\/evakravi.png\" alt=\"\" width=\"100\" height=\"133\"><\/a><strong>Evan Kravitz<\/strong> is a software engineer at Amazon Web Services, working on SageMaker JumpStart. 
He enjoys cooking and going on runs in New York City.<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>https:\/\/aws.amazon.com\/blogs\/machine-learning\/enable-amazon-sagemaker-jumpstart-for-custom-iam-execution-roles\/<\/p>\n","protected":false},"author":0,"featured_media":1941,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[3],"tags":[],"_links":{"self":[{"href":"https:\/\/salarydistribution.com\/machine-learning\/wp-json\/wp\/v2\/posts\/1940"}],"collection":[{"href":"https:\/\/salarydistribution.com\/machine-learning\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/salarydistribution.com\/machine-learning\/wp-json\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/salarydistribution.com\/machine-learning\/wp-json\/wp\/v2\/comments?post=1940"}],"version-history":[{"count":0,"href":"https:\/\/salarydistribution.com\/machine-learning\/wp-json\/wp\/v2\/posts\/1940\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/salarydistribution.com\/machine-learning\/wp-json\/wp\/v2\/media\/1941"}],"wp:attachment":[{"href":"https:\/\/salarydistribution.com\/machine-learning\/wp-json\/wp\/v2\/media?parent=1940"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/salarydistribution.com\/machine-learning\/wp-json\/wp\/v2\/categories?post=1940"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/salarydistribution.com\/machine-learning\/wp-json\/wp\/v2\/tags?post=1940"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}