Amazon SageMaker Studio is a web-based integrated development environment (IDE) for machine learning (ML) that lets you build, train, debug, deploy, and monitor your ML models. For provisioning Studio in your AWS account and Region, you first need to create an Amazon SageMaker domain—a construct that encapsulates your ML environment. More concretely, a SageMaker domain consists of an associated Amazon Elastic File System (Amazon EFS) volume, a list of authorized users, and a variety of security, application, policy, and Amazon Virtual Private Cloud (Amazon VPC) configurations.
When creating your SageMaker domain, you can choose to use either AWS IAM Identity Center (successor to AWS Single Sign-On) or AWS Identity and Access Management (IAM) for user authentication methods. Both authentication methods have their own set of use cases; in this post, we focus on SageMaker domains with IAM Identity Center, or single sign-on (SSO) mode, as the authentication method.
With SSO mode, you set up an SSO user and group in IAM Identity Center and then grant access to either the SSO group or user from the Studio console. Currently, all SSO users in a domain inherit the domain’s execution role. This may not work for all organizations. For instance, administrators may want to set up IAM permissions for a Studio SSO user based on their Active Directory (AD) group membership. Furthermore, because administrators are required to manually grant SSO users access to Studio, the process may not scale when onboarding hundreds of users.
In this post, we provide prescriptive guidance for the solution to provision SSO users to Studio with least privilege permissions based on AD group membership. This guidance enables you to quickly scale for onboarding hundreds of users to Studio and achieve your security and compliance posture.
The following diagram illustrates the solution architecture.
The workflow to provision AD users in Studio includes the following steps:
Alternatively, you can adopt a naming standard for IAM role ARNs based on the AD group name and derive the IAM role ARN without needing to store the mapping in an external database.
Note that, as of writing, Step 4b (associate the SSO group to the Studio domain) needs to be performed manually by an admin using the SageMaker console at the SageMaker domain level.
The solution uses a Lambda function to create the Studio user profiles. We provide the following sample Lambda function that you can copy and modify to meet your needs for automating the creation of the Studio user profile. This function performs the following actions:
import os import json import boto3 DOMAIN_ID = os.environ.get(‘DOMAIN_ID’, ‘d-xxxx’) def lambda_handler(event, context): print({“Event”: event}) client = boto3.client(‘identitystore’) sm_client = boto3.client(‘sagemaker’) event_detail = event[‘detail’] group_response = client.describe_group( IdentityStoreId=event_detail[‘requestParameters’][‘identityStoreId’], GroupId=event_detail[‘requestParameters’][‘groupId’], ) group_name = group_response[‘DisplayName’] user_response = client.describe_user( IdentityStoreId=event_detail[‘requestParameters’][‘identityStoreId’], UserId=event_detail[‘requestParameters’][‘member’][‘memberId’] ) user_name = user_response[‘UserName’] print(f”Event details: {user_name} has been added to {group_name}”) mapping_dict = { “ad-group-1”: “
Note that by default, the Lambda execution role doesn’t have access to create user profiles or list SSO users. After you create the Lambda function, access the function’s execution role on IAM and attach the following policy as an inline policy after scoping down as needed based on your organization requirements.
{ “Version”: “2012-10-17”, “Statement”: [ { “Action”: [ “identitystore:DescribeGroup”, “identitystore:DescribeUser” ], “Effect”: “Allow”, “Resource”: “*” }, { “Action”: “sagemaker:CreateUserProfile”, “Effect”: “Allow”, “Resource”: “*” }, { “Action”: “iam:PassRole”, “Effect”: “Allow”, “Resource”: [ “
EventBridge is a serverless event bus service that you can use to connect your applications with data from a variety of sources. In this solution, we create a rule-based trigger: EventBridge listens to events and matches against the provided pattern and triggers a Lambda function if the pattern match is successful. As explained in the solution overview, we listen to the AddMemberToGroup event. To set it up, complete the following steps:
After you’ve set the Lambda function and the EventBridge rule, you can test out this solution. To do so, open your IdP and add a user to one of the AD groups with the Studio execution role mapped. Once you add the user, you can verify the Lambda function logs to inspect the event and also see the Studio user provisioned automatically. Additionally, you can use the DescribeUserProfile API call to verify that the user is created with appropriate permissions.
To support multiple Studio accounts with the preceding architecture, we recommend the following changes:
When a user is removed from their AD group, you should remove their access from the Studio domain as well. With SSO, when a user is removed, the user is disabled in IAM Identity Center automatically if the AD to IAM Identity Center sync is in place, and their Studio application access is immediately revoked.
However, the user profile on Studio still persists. You can add a similar workflow with CloudTrail and a Lambda function to remove the user profile from Studio. The EventBridge trigger should now listen for the DeleteGroupMembership event. In the Lambda function, complete the following steps:
With this solution in place, ML platform administrators can maintain group memberships in one central location and automate the Studio user profile management through EventBridge and Lambda functions.
The following code shows a sample CloudTrail event:
“AddMemberToGroup”: { “eventVersion”: “1.08”, “userIdentity”: { “type”: “Unknown”, “accountId”: “
The following code shows a sample Studio user profile API request:
create-user-profile \ –domain-id d-xxxxxx \ –user-profile-name ssouserid –single-sign-on-user-identifier ‘userName’ \ –single-sign-on-user-value ‘ssouserid‘ \ –user-settings ExecutionRole=arn:aws:iam::
In this post, we discussed how administrators can scale Studio onboarding for hundreds of users based on their AD group membership. We demonstrated an end-to-end solution architecture that organizations can adopt to automate and scale their onboarding process to meet their agility, security, and compliance needs. If you’re looking for a scalable solution to automate your user onboarding, try this solution, and leave you feedback below! For more information about onboarding to Studio, see Onboard to Amazon SageMaker Domain.
Ram Vittal is an ML Specialist Solutions Architect at AWS. He has over 20 years of experience architecting and building distributed, hybrid, and cloud applications. He is passionate about building secure and scalable AI/ML and big data solutions to help enterprise customers with their cloud adoption and optimization journey to improve their business outcomes. In his spare time, he rides his motorcycle and walks with his 2-year-old sheep-a-doodle!
Durga Sury is an ML Solutions Architect in the Amazon SageMaker Service SA team. She is passionate about making machine learning accessible to everyone. In her 4 years at AWS, she has helped set up AI/ML platforms for enterprise customers. When she isn’t working, she loves motorcycle rides, mystery novels, and hiking with her 5-year-old husky.