Set up Staging Construct Examples - Amazon SageMaker AI

Set up Staging Construct Examples

To set up stage constructs for your Amazon SageMaker Model Registry, the administrator will need to grant the relevant permissions to the intended roles. The following provides examples on how to set up stage constructs for various roles.

Note

Users within a Amazon SageMaker AI domain will be able to view all stages defined within the domain, but can only use the ones they have permissions for.

Stages are defined by the ModelLifeCycle parameter and have the following structure. The administrator sets up the permissions for which stage and stageStatus can be accessed by which roles. The users assuming a role can use the relevant stage and stageStatus and include their own stageDescription.

ModelLifeCycle {
    stage: String # Required (e.g., Development/QA/Production)
    stageStatus: String # Required (e.g., PendingApproval/Approved/Rejected)  
    stageDescription: String # Optional
}

The following table contains Model Registry pre-defined stage construct templates. You can define your own stage constructs based on your use cases. The relevant permissions will need to be set up before users can use them.

Stage Stage status

Proposal

PendingApproval

Development

InProgress

QA

OnHold

PreProduction

Approved

Production

Rejected

Archived

Retired

The ModelLifeCycle parameter can be invoked by the following APIs:

Policy for a data scientist role

The following is an example IAM policy using model lifecycle condition keys. You can modify them based on your own requirements. In this example, the role’s permissions are limited to set or define the model lifecycle stage to:

  • Create or update a model with the stage "Development" and status "Approved".

  • Update a model package with the stage quality assurance, "QA", and status "PendingApproval".

{
    "Action" : [
        "sagemaker:UpdateModelPackage",
        "sagemaker:CreateModelPackage"
    ],
    "Resource": [
        "*"
    ],
    "Condition": {
        "StringEquals": {
            "sagemaker:ModelLifeCycle:stage" : "Development"
            "sagemaker:ModelLifeCycle:stageStatus" : "Approved"       
        }
    }
},
{
    "Action" : [
        "sagemaker:UpdateModelPackage"
    ],
    "Resource": [
        "*"
    ],
    "Condition": {
        "StringEquals": {
            "sagemaker:ModelLifeCycle:stage" : "Staging"
            "sagemaker:ModelLifeCycle:stageStatus" : "PendingApproval"       
        }
    }
}
Policy for a quality assurance specialist

The following is an example IAM policy using model lifecycle condition keys. You can modify them based on your own requirements. In this example, the role’s permissions are limited to set or define the model lifecycle stage to:

  • Update a model package with:

    • The stage "QA" and status "Approved" or "Rejected".

    • The stage "Production" and status "PendingApproval".

{
    "Action": [
        "sagemaker:UpdateModelPackage"
    ],
    "Resource": [
        "*"
    ],
    "Condition": {
        "StringEquals": {
            "sagemaker:ModelLifeCycle:stage": "Staging",
            "sagemaker:ModelLifeCycle:stageStatus": "Approved"
        }
    }
}, {
    "Action": [
        "sagemaker:UpdateModelPackage"
    ],
    "Resource": [
        "*"
    ],
    "Condition": {
        "StringEquals": {
            "sagemaker:ModelLifeCycle:stage": "Staging",
            "sagemaker:ModelLifeCycle:stageStatus": "Rejected"
        }
    }
}, {
    "Action": [
        "sagemaker:UpdateModelPackage"
    ],
    "Resource": [
        "*"
    ],
    "Condition": {
        "StringEquals": {
            "sagemaker:ModelLifeCycle:stage": "Production",
            "sagemaker:ModelLifeCycle:stageStatus": "PendingApproval"
        }
    }
}
Policy for lead engineer role

The following is an example IAM policy using model lifecycle condition keys. You can modify them based on your own requirements. In this example, the role’s permissions are limited to set or define the model lifecycle stage to:

  • Update a model package with:

    • The stage "Production" and status "Approved" or "Rejected".

    • The stage "Development" and status "PendingApproval".

{
    "Action" : [
        "sagemaker:UpdateModelPackage"
    ],
    "Resource": [
        "*"
    ],
    "Condition": {
        "ForAnyvalue:StringEquals" : {
            "sagemaker:ModelLifeCycle:stage" : "Production",
            "sagemaker:ModelLifeCycle:stageStatus" : "Approved"
        }
    }
},
{
    "Action" : [
        "sagemaker:UpdateModelPackage"
    ],
    "Resource": [
        "*"
    ],
    "Condition": {
        "StringEquals:" {
            "sagemaker:ModelLifeCycle:stage" : "Production"
            "sagemaker:ModelLifeCycle:stageStatus" : "Rejected"
        }
    }
},
{
    "Action" : [
        "sagemaker:UpdateModelPackage"
    ],
    "Resource": [
        "*"
    ],
    "Condition": {
        "StringEquals": {
            "sagemaker:ModelLifeCycle:stage" : "Development"
            "sagemaker:ModelLifeCycle:stageStatus" : "PendingApproval"
        }
    }
}

To get Amazon EventBridge notifications on any model status update, see the example in Get event notifications for ModelLifeCycle. For an example EventBridge payload you may receive, see Model package state change.