Amazon SageMaker JumpStart solutions now support custom IAM role settings
Amazon SageMaker JumpStart solutions are a feature within Amazon SageMaker Studio that allow a simple-click experience to set up your own machine learning (ML) workflows. When you launch a solution, various of AWS resources are set up in your account to demonstrate how the business problem can be solved using the pre-built architecture. The solutions use AWS CloudFormation templates for quick deployment, which means the resources are fully customizable. As of today, there are up to 18 end-to-end solutions that cover different aspects of real-world business problems, such as demand forecasting, product defect detection, and document understanding.
Starting today, we’re excited to announce that JumpStart solutions now supports custom AWS Identity and Access Management (IAM) roles be passed into services. This new feature enables you to take advantage of the rich security features offered by SageMaker and IAM.
In this post, we show you how to configure your SageMaker solution’s advanced parameters, and how this can benefit you when you use the pre-built solutions to start your ML journey.
New IAM advanced parameters
In order to allow JumpStart create the AWS resources for you, the IAM roles attached with Amazon managed policies are auto-created in your account. For the services created by JumpStart to be able to interact with each other, an IAM role needs to be passed into each service so they have the necessary permissions to call other services.
With the new Advanced Parameters option, you can select Default Roles, Find Roles, or Input Roles when you launch a solution. This means each service uses their own IAM role with dedicated IAM policy attached, and is fully customizable. This allows you to follow the least-privilege permissions principle, so that only the permissions required to perform a task are granted.
The policies attached to the default roles contain the least amount of permissions needed for the solution. In addition to the default roles, you can also select from a drop-down list, or input your own roles with the custom permissions you want to grant. This can greatly benefit you if you want to expand on the existing solution and perform even more tasks with these pre-built AWS services.
How to configure IAM advanced parameters
Before you use this feature, make sure you have the latest SageMaker domain enabled. You can create a new SageMaker domain if you haven’t done so, or update your SageMaker domain to create the default roles required for JumpStart solution. Then complete the following steps:
- On the SageMaker console, choose Control Panel in the navigation pane.
- Choose the gear icon to edit your domain settings.
- In the General Settings section, choose Next.
- In the SageMaker Projects and JumpStart section, select Enable Amazon SageMaker project templates and Amazon SageMaker JumpStart for this account and Enable Amazon SageMaker project templates and Amazon SageMaker JumpStart for Studio users.
- Choose Next.
Done! Now you should be able to see the roles enabled on the SageMaker console.Now you can use JumpStart solutions with this new feature enabled.
- On the Studio console, choose JumpStart in the navigation pane.
- Choose Solutions.In the Launch Solution section, you can see a new drop-down menu called Advanced Parameters. Each solution requires different resources. Based on the services that the solution interacts with, there’s a dynamic list of roles you can pass in when launching the solution.
- Select your preferred method to specify roles.
If you select Default Role, the roles are pre-populated for you. You can then proceed to launch the solution with one click. Under the hood, AWS CloudFormation uses a built-in template to provision all appropriate AWS resources, and the default roles are used by each service.If you select Find Role, you can select an existing IAM role in your account from the drop-down menu for each required service. In order to let the services work as they are designed, we recommend choosing a role that has the minimum permissions required. For more information about the permissions required for each service, refer to AWS Managed Policies for SageMaker projects and JumpStart.
You can have more flexibility by selecting Input Role, which allows you to enter a role name directly. This works best if you know which role you want to use, so you don’t need to choose it from the Find Role list.
- After you specify the role you want to use for each service, launch the solution by choosing Launch.
The roles are passed into each service and grant each service permission to interact with other services. The CloudFormation template deploys these services in your account. You can then explore the ML solution for the business problem. Keep in mind that for each service, they now have the precise permissions you have granted them when you configured the advanced parameters. This gives you a fully controlled and secured environment when using JumpStart solutions.
Today, we announced support for configuring IAM roles when you launch a JumpStart solution. We also showed you how to configure the Advanced Parameters options before launching a solution.
Try out any JumpStart solution on Studio with this new feature enabled. If you have any questions and feedback regarding JumpStart solutions, please speak to your AWS support contact or post a message in the Amazon SageMaker discussion forums.
About the authors
Manan Shah is a Software Development Manager at Amazon Web Services. He is a ML enthusiast and focuses on building no-code/low-code AI/ML products. I thrive empowering other talented, technical people to build great software.