Granting SageMaker Studio Permissions Required to Use Projects - Amazon SageMaker

Granting SageMaker Studio Permissions Required to Use Projects

The Amazon SageMaker Studio (or Studio Classic) administrator and Studio (or Studio Classic) users that you add to your domain can view project templates provided by SageMaker and create projects with those templates. By default, the administrator can view the SageMaker templates in the Service Catalog console. The administrator can see what another user creates if the user has permission to use SageMaker projects. The administrator can also view the AWS CloudFormation template that the SageMaker project templates define in the Service Catalog console. For information about using the Service Catalog console, see What Is Service Catalog in the Service Catalog User Guide.

Studio (and Studio Classic) users of the domain who are configured to use the same execution role as the domain by default have permission to create projects using SageMaker project templates.

Important

Do not manually create your roles. Always create roles through Studio Settings using the steps described in the following procedure.

For users who use any role other than the domain's execution role to view and use SageMaker-provided project templates, you need to grant Projects permissions to the individual user profiles by turning on Enable Amazon SageMaker project templates and Amazon SageMaker JumpStart for Studio users when you add them to your domain. For more information about this step, see Add user profiles.

Since SageMaker Projects is backed by Service Catalog, you must add each role that requires access to SageMaker Projects to the Amazon SageMaker Solutions and ML Ops products Portfolio in the service catalog. You can do this in the Groups, roles, and users tab, as shown in the following image. If each user profile in Studio Classic has a different role, you should add each of those roles to the service catalog. You can also do this while creating a user profile in Studio Classic.

The following procedures show how to grant Projects permissions after you onboard to Studio or Studio Classic. For more information about onboarding to Studio or Studio Classic, see Amazon SageMaker domain overview.

To confirm that your SageMaker Domain has active project template permissions:
  1. Open the SageMaker console.

  2. On the left navigation pane, choose Admin configurations.

  3. Under Admin configurations, choose domains.

  4. Select your domain.

  5. Choose the Domain Settings tab.

  6. Under SageMaker Projects and JumpStart, make sure the following options are turned on:

    • Enable Amazon SageMaker project templates and Amazon SageMaker JumpStart for this account

    • Enable Amazon SageMaker project templates and Amazon SageMaker JumpStart for Studio users

To view a list of your roles:
  1. Open the SageMaker console.

  2. On the left navigation pane, choose Admin configurations.

  3. Under Admin configurations, choose domains.

  4. Select your domain.

  5. Choose the Domain Settings tab.

  6. A list of your roles appears in the Apps card under the Studio tab.

    Important

    As of July 25, we require additional roles to use project templates. Here is the complete list of roles you should see under Projects:

    AmazonSageMakerServiceCatalogProductsLaunchRole AmazonSageMakerServiceCatalogProductsUseRole AmazonSageMakerServiceCatalogProductsApiGatewayRole AmazonSageMakerServiceCatalogProductsCloudformationRole AmazonSageMakerServiceCatalogProductsCodeBuildRole AmazonSageMakerServiceCatalogProductsCodePipelineRole AmazonSageMakerServiceCatalogProductsEventsRole AmazonSageMakerServiceCatalogProductsFirehoseRole AmazonSageMakerServiceCatalogProductsGlueRole AmazonSageMakerServiceCatalogProductsLambdaRole AmazonSageMakerServiceCatalogProductsExecutionRole

    For descriptions of these roles, see AWS Managed Policies for SageMaker projects and JumpStart.