Cross-account discoverability - Amazon SageMaker

Cross-account discoverability

By exploring and accessing model package groups registered in other accounts, data scientists and data engineers can promote data consistency, streamline collaboration, and reduce duplication of effort. With Amazon SageMaker Model Registry, you can share model package groups across accounts. There are two categories of permissions associated with the sharing of resources:

  • Discoverability: Discoverability is the ability of the resource consumer account to see the model package groups shared by one or more resource owner accounts. Discoverability is only possible if the resource owner attaches the necessary resource policies to the shared model package groups. The resource consumer can view all shared model package groups in the AWS RAM UI and AWS CLI.

  • Accessibility: Accessibility is the ability of the resource consumer account to use the shared model package groups. For example, the resource consumer can register or deploy a model package from a different account if they have the necessary permissions.

Accessibility

If the resource consumer has access permissions to use a shared model package group, they can register or deploy a version of the model package group. For details about how the resource consumer can register a shared model package group, see Register a Model Version from a Different Account. For details about how the resource consumer can deploy a shared model package group, see Deploy a Model Version from a Different Account.

Discoverability

The resource owner can set up model package group discoverability by creating resource shares and attaching resource policies to the entities. For detailed steps about how to create a general resource share in AWS RAM, see Create a resource share in the AWS RAM documentation.

Complete the following instructions to set up model package group discoverability using the AWS RAM console or Model Registry Resource Policy APIs.

AWS CLI

  1. Create a resource share in the model owner account.

    1. The model owner attaches a resource policy to the model package group using the SageMaker Resource Policy API put-model-package-group-policy, as demonstrated in the following command.

      aws sagemaker put-model-package-group-policy --model-package-group-name <model-package-group-name> --resource-policy "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"ExampleResourcePolicy\",\"Effect\":\"Allow\",\"Principal\":<principal>,\"Action\":[\"sagemaker:DescribeModelPackage\",\"sagemaker:ListModelPackages\",\"sagemaker:DescribeModelPackageGroup\"],\"Resource\":[\"<model-package-group-arn>\",\"arn:aws:sagemaker:<region>:<owner-account-id>:model-package/<model-package-group-name>/*\"]}]}"
      Note

      Different combinations of actions can be attached to the resource policy. For custom policies, the permission created should be promoted by the model package group owner, and only entities with promoted permissions attached are discoverable. Unpromotable resource shares cannot be made discoverable or managed through AWS RAM.

    2. To check that AWS RAM created the resource share ARN, use the following command:

      aws ram get-resource-share-associations --association-type resource --resource-arn <model-package-group-arn>

      The response contains the resource-share-arn for the entity.

    3. To check if the attached policy permission is a managed or custom policy, use the following command:

      aws ram list-resource-share-permissions --resource-share-arn <resource-share-arn>

      The featureSet field can take values CREATED_FROM_POLICY or STANDARD, which are defined as follows:

      • STANDARD: The permission already exists.

      • CREATED_FROM_POLICY: The permission needs to be promoted in order for the entity to be discoverable. For more information, see Promote the permission and resource share.

  2. Accept the resource share invitation in the model consumer account.

    1. The model package group consumer accepts the invitation for resource share. To see all resource invitations, run the following command:

      aws ram get-resource-share-invitations

      Identify the requests that have status PENDING and include the account ID of the owner account.

    2. Accept the resource share invitation from the model owner using the following command:

      aws ram accept-resource-share-invitation --resource-share-invitation-arn <resource-share-invitation-arn>
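The following Python is an added example, not AWS code or part of this page, that wraps the owner-side and consumer-side CLI steps above: it builds the resource policy document from the page's template with only the three read-only discovery actions, decides from the `featureSet` field of a `list-resource-share-permissions` response whether promotion is still required, and, on the consumer side, selects only the PENDING invitations that came from the expected owner account. The response field names (`permissions[].featureSet`, `resourceShareInvitations[].status`, `senderAccountId`, `resourceShareInvitationArn`) follow the AWS RAM API; the account IDs, ARNs and responses are constructed samples, and using the consumer account ID as the `Principal` is this example's choice for the page's `<principal>` placeholder.

```python
import json

# Read-only actions from the page's example policy: the minimum a consumer
# needs to discover and inspect the group without modifying anything.
DISCOVERY_ACTIONS = [
    "sagemaker:DescribeModelPackage",
    "sagemaker:ListModelPackages",
    "sagemaker:DescribeModelPackageGroup",
]


def build_resource_policy(group_arn, consumer_account_id, sid="ExampleResourcePolicy"):
    """Build the policy dict passed (as JSON) to --resource-policy.

    group_arn has the form
    arn:aws:sagemaker:<region>:<owner-account-id>:model-package-group/<name>;
    the second Resource entry covers every version in the group, as in the
    page's example.
    """
    prefix, _, group_name = group_arn.rpartition("/")
    if not prefix.endswith(":model-package-group") or not group_name:
        raise ValueError("not a model package group ARN: %s" % group_arn)
    account_prefix = prefix[: -len(":model-package-group")]
    versions_arn = "%s:model-package/%s/*" % (account_prefix, group_name)
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": sid,
            "Effect": "Allow",
            "Principal": {"AWS": consumer_account_id},
            "Action": list(DISCOVERY_ACTIONS),
            "Resource": [group_arn, versions_arn],
        }],
    }


def policy_to_cli_argument(policy):
    """Serialize the policy compactly for the --resource-policy argument."""
    return json.dumps(policy, separators=(",", ":"))


def permissions_needing_promotion(list_permissions_response):
    """Given parsed `aws ram list-resource-share-permissions` output, return
    the ARNs of permissions whose featureSet is CREATED_FROM_POLICY, i.e. the
    ones that must be promoted before the group becomes discoverable."""
    return [p["arn"] for p in list_permissions_response.get("permissions", [])
            if p.get("featureSet") == "CREATED_FROM_POLICY"]


def pending_invitations_from(invitations_response, owner_account_id):
    """Given parsed `aws ram get-resource-share-invitations` output (consumer
    side), return the ARNs of invitations that are still PENDING and were sent
    by the expected owner account. Invitations from any other account are
    excluded rather than accepted blindly."""
    return [inv["resourceShareInvitationArn"]
            for inv in invitations_response.get("resourceShareInvitations", [])
            if inv.get("status") == "PENDING"
            and inv.get("senderAccountId") == owner_account_id]


# Constructed sample values (not real accounts or resources).
OWNER_ACCOUNT = "111122223333"
CONSUMER_ACCOUNT = "444455556666"
GROUP_ARN = "arn:aws:sagemaker:us-west-2:111122223333:model-package-group/fraud-detector"

SAMPLE_PERMISSIONS = {  # shaped like list-resource-share-permissions output
    "permissions": [
        {"arn": "arn:aws:ram:us-west-2:111122223333:permission/ExampleResourcePolicy",
         "featureSet": "CREATED_FROM_POLICY", "status": "ATTACHABLE"},
        {"arn": "arn:aws:ram::aws:permission/ExampleManagedPermission",
         "featureSet": "STANDARD", "status": "ATTACHABLE"},
    ]
}

SAMPLE_INVITATIONS = {  # shaped like get-resource-share-invitations output
    "resourceShareInvitations": [
        {"resourceShareInvitationArn": "arn:aws:ram:us-west-2:111122223333:resource-share-invitation/aaaa-1111",
         "senderAccountId": OWNER_ACCOUNT, "receiverAccountId": CONSUMER_ACCOUNT, "status": "PENDING"},
        {"resourceShareInvitationArn": "arn:aws:ram:us-west-2:111122223333:resource-share-invitation/bbbb-2222",
         "senderAccountId": OWNER_ACCOUNT, "receiverAccountId": CONSUMER_ACCOUNT, "status": "ACCEPTED"},
        {"resourceShareInvitationArn": "arn:aws:ram:us-west-2:999999999999:resource-share-invitation/cccc-3333",
         "senderAccountId": "999999999999", "receiverAccountId": CONSUMER_ACCOUNT, "status": "PENDING"},
    ]
}

if __name__ == "__main__":
    print(policy_to_cli_argument(build_resource_policy(GROUP_ARN, CONSUMER_ACCOUNT)))
    print("promote:", permissions_needing_promotion(SAMPLE_PERMISSIONS))
    print("accept:", pending_invitations_from(SAMPLE_INVITATIONS, OWNER_ACCOUNT))
```

The string printed first is what you would pass to `--resource-policy`; the second list is the input for `promote-permission-created-from-policy`, and the third is the input for `accept-resource-share-invitation`. Filtering invitations by sender account is the consumer's own check, since the CLI returns every pending invitation regardless of who sent it.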

AWS RAM console

  1. Log into the AWS RAM console.

  2. Complete the following steps to create a resource share from the model package group owner account.

    1. Complete the following steps to specify resource share details.

      1. In the Name field, add a unique name for your resource.

      2. In the Resources card, choose the dropdown menu and select SageMaker Model Package Groups.

      3. Select the check box of the ARN of the model package group resource share.

      4. In the Select resources card, select the check box of your model package group resource share.

      5. In the Tags card, add key-value pairs for tags to add to your resource share.

      6. Choose Next.

    2. Complete the following steps to associate managed permissions to the resource share.

      1. If you use a managed permission, choose a managed permission in the Managed permissions dropdown menu.

      2. If you use a custom permission, choose Customer Managed Permission. In this case, the model package group is not immediately discoverable. You have to promote the permission and the resource policy after you create the resource share. For information about how to promote permissions and resource shares, see Promote the permission and resource share. For more information about how to attach custom permissions, see Creating and using customer managed permissions in AWS RAM.

      3. Choose Next.

    3. Complete the following steps to grant access to principals.

      1. Choose Allow sharing with anyone to allow sharing with accounts outside of your organization, or choose Allow sharing only within your organization.

      2. In the Select principal type dropdown menu, add the principal types and ID for the principals you want to add.

      3. Add and select the chosen principals for the share.

      4. Choose Next.

    4. Review the displayed share configuration and then choose Create resource share.

  3. Accept the resource share invitation from the consumer account. Once the model owner creates the resource share and principal associations, the specified resource consumer accounts receive an invitation to join the resource share. The resource consumer accounts can view and accept the invitations in the Shared with me: Resource shares page in the AWS RAM console. For more information about accepting and viewing resources in AWS RAM, see Access AWS resources shared with you.

View shared model package groups

After the resource owner completes the previous steps to create a resource share and the consumer accepts the invitation for the share, the consumer can view the shared model package groups using the AWS CLI or in the AWS RAM console.

AWS CLI

To view the model package groups shared, use the following command in the model consumer account:

aws sagemaker list-model-package-groups --cross-account-filter-option CrossAccount

AWS RAM console

In the AWS RAM console, the resource owner and consumer can view shared model package groups. The resource owner can view the model package groups shared with the consumer by following the steps in Viewing resource shares you created in AWS RAM. The resource consumer can view the model package groups shared by the owner by following the steps in Viewing resource shares shared with you.

Dissociate principals from a resource share and remove a resource share

The resource owner can dissociate principals from the resource share for a set of permissions or delete the entire resource share using the AWS CLI or the AWS RAM console. For details about how to dissociate principals from a resource share, see Update a Resource Share in the AWS RAM documentation. For details about how to delete a resource share, see Deleting a resource share in the AWS RAM documentation.

AWS CLI

To dissociate principals from a resource share, use the command disassociate-resource-share as follows:

aws ram disassociate-resource-share --resource-share-arn <resource-share-arn> --principals <principal>

To delete a resource share, use the command delete-resource-share as follows:

aws ram delete-resource-share --resource-share-arn <resource-share-arn>

AWS RAM console

For more details about how to dissociate principals from a resource share, see Update a Resource Share in the AWS RAM documentation. For more details about how to delete a resource share, see Deleting a resource share in the AWS RAM documentation.

Promote the permission and resource share

If you use customized (customer managed) permissions, you need to promote the permission and the associated resource share in order for the model package group to be discoverable. Complete the following steps to promote the permission and resource share.

  1. To promote your customized permission to be accessible by AWS RAM, use the following command:

    aws ram promote-permission-created-from-policy --permission-arn <permission-arn>

  2. Promote the resource share using the following command:

    aws ram promote-resource-share-created-from-policy --resource-share-arn <resource-share-arn>

If you see the OperationNotPermittedException error while performing the previous steps, the entity is not discoverable but is still accessible. For example, if the resource owner attaches a resource policy with an assume-role principal such as "Principal": {"AWS": "arn:aws:iam::3333333333:role/Role-1"}, or if the resource policy allows "Action": "*", the associated model package group is neither promotable nor discoverable.
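As an added example (not AWS code or part of this page), the following Python checks a model package group resource policy before it is attached, for the two causes of non-promotability the page names: a role (assume-role) principal and a wildcard action. It also flags a service-level wildcard such as `sagemaker:*` and a public `"Principal": "*"`; those two checks are this example's own least-privilege additions, not rules stated on the page, and an empty result means only that none of these patterns was found, not that AWS RAM is guaranteed to promote the share. The sample policies are constructed; the role ARN is the one quoted in the paragraph above.

```python
import json


def non_promotable_reasons(policy):
    """Return human-readable reasons a resource policy would not be promotable
    (and so not discoverable through AWS RAM). Accepts a dict or a JSON string."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    reasons = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement object is legal JSON policy
        statements = [statements]
    for idx, stmt in enumerate(statements):
        sid = stmt.get("Sid", "statement %d" % idx)

        # Action may be a string or a list. "*" is the case the page names;
        # "<service>:*" is flagged here as an additional least-privilege check.
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        for action in actions:
            if action == "*" or action.endswith(":*"):
                reasons.append("%s: wildcard action %s" % (sid, action))

        # Principal may be "*" (public), or a map with an "AWS" entry holding
        # one ARN/account ID or a list of them.
        principal = stmt.get("Principal", {})
        if isinstance(principal, dict):
            aws_principals = principal.get("AWS", [])
        else:
            aws_principals = [principal]
        if isinstance(aws_principals, str):
            aws_principals = [aws_principals]
        for p in aws_principals:
            if p == "*":
                reasons.append("%s: public principal" % sid)  # example's own check
            elif ":role/" in p:
                reasons.append("%s: role principal %s" % (sid, p))  # named on the page
    return reasons


# Constructed sample policies.
GOOD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ExampleResourcePolicy",
        "Effect": "Allow",
        "Principal": {"AWS": "444455556666"},
        "Action": ["sagemaker:DescribeModelPackage",
                   "sagemaker:ListModelPackages",
                   "sagemaker:DescribeModelPackageGroup"],
        "Resource": ["arn:aws:sagemaker:us-west-2:111122223333:model-package-group/fraud-detector",
                     "arn:aws:sagemaker:us-west-2:111122223333:model-package/fraud-detector/*"],
    }],
}

ROLE_PRINCIPAL_POLICY = json.loads(json.dumps(GOOD_POLICY))
ROLE_PRINCIPAL_POLICY["Statement"][0]["Principal"] = {"AWS": "arn:aws:iam::3333333333:role/Role-1"}

WILDCARD_ACTION_POLICY = json.loads(json.dumps(GOOD_POLICY))
WILDCARD_ACTION_POLICY["Statement"][0]["Action"] = "*"

if __name__ == "__main__":
    for name, pol in [("good", GOOD_POLICY), ("role", ROLE_PRINCIPAL_POLICY),
                      ("wildcard", WILDCARD_ACTION_POLICY)]:
        print(name, non_promotable_reasons(pol) or "promotable by these checks")
```

Run this on the JSON you are about to pass to `put-model-package-group-policy`; a non-empty list tells you in advance that the later `promote-permission-created-from-policy` step would fail with OperationNotPermittedException, and why.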