Cross-account discoverability
By exploring and accessing model package groups registered in other accounts, data scientists and data engineers can promote data consistency, streamline collaboration, and reduce duplication of effort. With Amazon SageMaker Model Registry, you can share model package groups across accounts. There are two categories of permissions associated with the sharing of resources:
Discoverability: Discoverability is the ability of the resource consumer account to see the model package groups shared by one or more resource owner accounts. Discoverability is only possible if the resource owner attaches the necessary resource policies to the shared model package groups. The resource consumer can view all shared model package groups in the AWS RAM UI and AWS CLI.
Accessibility: Accessibility is the ability of the resource consumer account to use the shared model package groups. For example, the resource consumer can register or deploy a model package from a different account if they have the necessary permissions.
Accessibility
If the resource consumer has access permissions to use a shared model package group, they can register or deploy a version of the model package group. For details about how the resource consumer can register a shared model package group, see Register a Model Version from a Different Account. For details about how the resource consumer can deploy a shared model package group, see Deploy a Model Version from a Different Account.
Discoverability
The resource owner can set up model package group discoverability by creating resource shares and attaching resource policies to the entities. For detailed steps about how to create a general resource share in AWS RAM, see Create a resource share in the AWS RAM documentation.
Complete the following instructions to set up model package group discoverability using the AWS RAM console or Model Registry Resource Policy APIs.
View shared model package groups
After the resource owner completes the previous steps to create a resource share and the consumer accepts the invitation for the share, the consumer can view the shared model package groups using the AWS CLI or in the AWS RAM console.
AWS CLI
To view the shared model package groups, use the following command in the model consumer account:
aws sagemaker list-model-package-groups --cross-account-filter-option CrossAccount
AWS RAM console
In the AWS RAM console, the resource owner and consumer can view shared model package groups. The resource owner can view the model package groups shared with the consumer by following the steps in Viewing resource shares you created in AWS RAM. The resource consumer can view the model package groups shared by the owner by following the steps in Viewing resource shares shared with you.
Dissociate principals from a resource share and remove a resource share
The resource owner can dissociate principals from the resource share for a set of permissions or delete the entire resource share using the AWS CLI or the AWS RAM console. For details about how to dissociate principals from a resource share, see Update a Resource Share in the AWS RAM documentation. For details about how to delete a resource share, see Deleting a resource share in the AWS RAM documentation.
AWS CLI
To dissociate principals from a resource share, use the command disassociate-resource-share as follows:
aws ram disassociate-resource-share --resource-share-arn <resource-share-arn> --principals <principal>
To delete a resource share, use the command delete-resource-share as follows:
aws ram delete-resource-share --resource-share-arn <resource-share-arn>
AWS RAM console
For more details about how to dissociate principals from a resource share, see Update a Resource Share in the AWS RAM documentation. For more details about how to delete a resource share, see Deleting a resource share in the AWS RAM documentation.
Promote the permission and resource share
If you use customized (customer managed) permissions, you need to promote the permission and the associated resource share in order for the model package group to be discoverable. Complete the following steps to promote the permission and resource share.
To promote your customized permission to be accessible by AWS RAM, use the following command:
aws ram promote-permission-created-from-policy --permission-arn <permission-arn>
Promote the resource share using the following command:
aws ram promote-resource-share-created-from-policy --resource-share-arn <resource-share-arn>
If you see the OperationNotPermittedException error while performing the previous steps, the entity is not discoverable but is accessible. For example, if the resource owner attaches a resource policy with an assume role principal such as "Principal": {"AWS": "arn:aws:iam::3333333333:role/Role-1"}, or if the resource policy allows "Action": "*", the associated model package group is neither promotable nor discoverable.
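The following check is an added example, not code from the original page or from AWS. It scans a model package group resource policy for the two conditions named above (an IAM role principal, or "Action": "*") before promotion is attempted. The sample policy, account IDs, ARNs and the function name promotion_blockers are constructed for illustration, and the check covers only these two conditions, not every rule AWS RAM applies.

```python
import json

# Constructed sample policy (not from the original page); account IDs,
# role name and resource ARN are placeholders.
RESOURCE = "arn:aws:sagemaker:us-east-1:444455556666:model-package-group/example"
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "RolePrincipal", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/Role-1"},
         "Action": ["sagemaker:DescribeModelPackageGroup"],
         "Resource": RESOURCE},
        {"Sid": "WildcardAction", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
         "Action": "*",
         "Resource": RESOURCE},
        {"Sid": "AccountPrincipal", "Effect": "Allow",
         "Principal": {"AWS": "111122223333"},
         "Action": "sagemaker:DescribeModelPackageGroup",
         "Resource": RESOURCE},
    ],
})


def _as_list(value):
    """IAM policy fields may hold one value or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def promotion_blockers(policy_json):
    """Return (sid, reason) pairs for statements that match the two
    conditions the page names as blocking promotion and discoverability."""
    findings = []
    statements = _as_list(json.loads(policy_json).get("Statement"))
    for index, stmt in enumerate(statements):
        sid = stmt.get("Sid", f"statement[{index}]")
        principal = stmt.get("Principal", {})
        # Principal may be the bare string "*"; only a dict carries an "AWS" key.
        aws = _as_list(principal.get("AWS")) if isinstance(principal, dict) else []
        for arn in aws:
            if ":role/" in arn:  # IAM role principal
                findings.append((sid, f"role principal: {arn}"))
        if "*" in _as_list(stmt.get("Action")):  # "Action": "*" or ["*", ...]
            findings.append((sid, "wildcard action"))
    return findings
```

The policy string passed to promotion_blockers can be the ResourcePolicy value returned by aws sagemaker get-model-package-group-policy for the group in question.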