Provide users with access to custom images - Amazon SageMaker AI
Step 1: Create the DockerfileStep 2: Build the imageStep 3: Push the image to the Amazon Elastic Container Registry repositoryStep 4: Attach image to the Amazon SageMaker AI domain of your users

Provide users with access to custom images

This documentation provides step-by-step instructions to provide your users with access to custom images within their JupyterLab environments. You can use the information on this page to create custom environments for your user’s workflows. The process involves utilizing:

  • Docker

  • AWS Command Line Interface

  • Amazon Elastic Container Registry

  • Amazon SageMaker AI AWS Management Console

After following the guidance on this page, JupyterLab users on the Amazon SageMaker AI domain will have access to the custom image and environment from their Jupyter spaces to empower their machine learning workflows.

Important

This page assumes that you have the AWS Command Line Interface and Docker installed on your local machine.

To have your users successfully run their image within JupyterLab, you must do the following:

To have your users successfully run the image

  1. Create the Dockerfile

  2. Build the image from the Dockerfile

  3. Upload the image to Amazon Elastic Container Registry

  4. Attach the image to you Amazon SageMaker AI domain

  5. Have your users access the image from your JupyterLab space

Step 1: Create the Dockerfile

Create a Dockerfile to define the steps needed to create the environment needed to run the application in your users' containers.

Important

Your Dockerfile must meet the specifications provided in Dockerfile specifications.

For Dockerfile templates, see Health check and URL for applications.

Step 2: Build the image

In the same directory as your Dockerfile, build your image using the following command:


docker build -t username/imagename:tag your-account-id.dkr.ecr.AWS Region.amazonaws.com/your-repository-name:tag
Important

Your image must be tagged in the following format: 123456789012.dkr.ecr.your-region.amazonaws.com/your-repository-name:tag

You won’t be able to push it to an Amazon Elastic Container Registry repository otherwise.

Step 3: Push the image to the Amazon Elastic Container Registry repository

After you’ve built your image, log in to your Amazon ECR repository using the following command:


aws ecr get-login-password --region AWS Region | docker login --username AWS --password-stdin 123456789012.dkr.ecr.AWS Region.amazonaws.com

After you’ve logged in, push your Dockerfile using the following command:


docker push 123456789012.dkr.ecr.AWS Region.amazonaws.com/your-repository-name:tag

Step 4: Attach image to the Amazon SageMaker AI domain of your users

Important

Custom IAM policies that allow Studio users to create spaces must also grant permissions to list images (sagemaker: ListImage) to view custom images. To add the permission, see Add or remove identity permissions in the AWS Identity and Access Management User Guide.

AWS managed policies for Amazon SageMaker AI that give permissions to create SageMaker AI resources already include permissions to list images while creating those resources.

After you’ve pushed the image, you must access it from your Amazon SageMaker AI domain. Use the following procedure to attach the image to a SageMaker AI domain:

Attach the image using the SageMaker AI console

  1. Open the SageMaker AI console.

  2. Under Admin configurations, choose domains.

  3. From the list of domains, select a domain.

  4. Open the Environment tab.

  5. For Custom images for personal Studio apps, choose Attach image.

  6. Specify the image source.

  7. Choose Next.

  8. Choose Submit.

Attach the image using the AWS CLI

Use the following procedure to attach the image to a SageMaker domain through the AWS CLI :

  1. Create a SageMaker AI image. The AmazonSageMakerFullAccess policy must be attached to your role as you use the following AWS CLI commands.

    aws sagemaker create-image \
    --image-name custom-image \
    --role-arn arn:aws:iam::account-id:role/service-role/execution-role

  2. Create a SageMaker AI image version from the image. Pass the unique tag value that you chose when you pushed the image to Amazon ECR.

    aws sagemaker create-image-version \
    --image-name custom-image \
    --base-image repository-uri:tag

  3. Create a configuration file called app-image-config-input.json. The application image configuration is used as configuration for running a SageMaker AI image as a Code Editor application. You may also specify your ContainerConfig arguments here. 

    {
    "AppImageConfigName": "app-image-config",
    "CodeEditorAppImageConfig":
    {
        "ContainerConfig":
        {}
    }
}

  4. Create the AppImageConfig using the application image configuration file that you created.

    aws sagemaker create-app-image-config \
    --cli-input-json file://app-image-config-input.json

  5. Create a configuration file, named updateDomain.json. Be sure to specify your domain ID.

    {
    "DomainId": "domain-id",
    "DefaultUserSettings": {
        "JupyterLabAppSettings": {
            "CustomImages": [
                {
                    "ImageName": "custom-image",
                    "AppImageConfigName": "app-image-config"
                }
            ]
        }
    }
}

  6. Call the UpdateDomain command with the configuration file as input.

    Note

    You must delete all of the applications in your domain before updating the domain with the new image. Note that you only need to delete applications; you do not need to delete user profiles or shared spaces. For instructions on deleting applications, choose one of the following options.

    aws sagemaker update-domain --cli-input-json file://updateDomain.json

Your users can now select the image that you’ve attached to their Domain from their JupyterLab space.