AWS Machine Learning Blog
Launch Amazon SageMaker Studio from external applications using presigned URLs
Amazon SageMaker Studio provides a single, web-based visual interface where you can perform all ML development steps, improving data science team productivity by up to 10 times. Studio gives you complete access, control, and visibility into each step required to build, train, and deploy models. You can quickly upload data, create new notebooks, train and tune models, move back and forth between steps to adjust experiments, compare results, and deploy models to production all in one place, making you much more productive. You can perform all machine learning (ML) development activities including notebooks, experiment management, automatic model creation, debugging, and model and data drift detection within Studio.
In this post, we discuss how to launch Studio from external applications using presigned URLs.
Use case
In many organizations, data scientists and ML developers use Studio and notebook instances as a quick and easy way to log in directly to their development environment. You also might not want your data scientists to access the AWS Management Console, because it's primarily used by IT and DevOps administrators to monitor and manage AWS resources.
There are two ways to launch Studio:
- Via the SageMaker console
- Using a presigned URL
Using a presigned URL bypasses the console login, and allows you to open Studio with just one click.
Understanding the CreatePresignedDomainUrl API
You can create a presigned URL for granting access to your Studio domain to users in your organization using the SageMaker CreatePresignedDomainUrl action. When requesting a presigned URL, the following parameters are available for you to configure:
- DomainId – The Studio domain ID (for example, d-1234567890abcdef0). Studio automatically generates this ID at the time of creation. You can retrieve the ID from the Studio Summary section of the Studio Control Panel.
- ExpiresInSeconds – The number of seconds until the presigned URL expires. This value defaults to 300 and can be as low as 5 seconds.
- SessionExpirationDurationInSeconds – The session expiration duration in seconds. This value defaults to 43200 (12 hours). This is how long the user can continue working after they open Studio.
- UserProfileName – The name of the Studio user profile to sign in as (for example, John Doe). Added user names can be found on the Studio Control Panel.
Solution overview
In the solution, we use an AWS Lambda function fronted by Amazon API Gateway to make a request to Studio and return an HTTP 302 redirect to the presigned URL, keeping the ExpiresInSeconds parameter at 5 seconds (the minimum). The small value of ExpiresInSeconds, together with the redirect to the presigned URL, limits the URL to immediate use by the application and improves security. Because SageMaker is a public zone service, you can further improve security by using an interface VPC endpoint to connect to Studio from within your Amazon Virtual Private Cloud (Amazon VPC) instead of connecting over the internet. When you use an interface VPC endpoint (interface endpoint), communication between your VPC and Studio is conducted entirely and securely within the AWS network.
The following diagram illustrates our solution architecture.
Prerequisites
You must have a Studio domain created. If you don’t have one, create one before proceeding with this walkthrough. Make sure to add a user profile for testing. Note the Studio ID and user name from the Studio Control Panel.
Now you’re ready to deploy the solution.
Create an IAM policy for Lambda
On the AWS Identity and Access Management (IAM) console, you create an IAM policy called SageMakerPresignedUrl using the following JSON policy document. This policy allows the Lambda function to create presigned domain URLs for Studio.
You can control access to SageMaker resources by using tags.
Create an IAM service role for Lambda
Next, you create an IAM role called LambdaSageMaker. This service role creates presigned domain URLs for Studio.
Attach the following policies to the role:
- AWSLambdaBasicExecutionRole
- SageMakerPresignedUrl
When you add an API to your function via the Lambda console, the API Gateway console, or in an AWS Serverless Application Model (AWS SAM) template, the function’s resource-based policy that limits the function’s access to the API is updated automatically.
Create and deploy a Lambda function to create a presigned URL
To create and deploy your Lambda function, complete the following steps:
- Create a Python Lambda function named sm-presigned.
- For Runtime, choose Python 3.8.
- For Execution role, select Use an existing role.
- Choose the role you created (LambdaSageMaker).
- Use the code editor to replace the default Lambda handler code with the following Python code. Replace SageMaker-region with the AWS Region in which you created the SageMaker domain (for example, us-west-2). Replace the sample DomainId and UserProfileName values with the Studio ID and user name values noted in the prerequisites section.
This sample code shows how to use a Lambda function to call the create_presigned_domain_url action to obtain a presigned URL. The function then redirects the response to the presigned URL using the AuthorizedUrl element.
- Note the Boto3 version.
- Save the changes and deploy the function.
Support for the ExpiresInSeconds parameter of the create_presigned_domain_url action of the SageMaker client comes with Boto3 version 1.17.0. If the default Boto3 version in Lambda is lower than that, create and add a Lambda layer to add the appropriate Boto3 deployment package to the sm-presigned function.
Create and deploy a REST API in API Gateway
In this step, we create a REST API with the GET method call for Lambda proxy integration.
- On the API Gateway console, create and configure a REST API with the following settings:
  - For API name, enter sm-presigned-api.
  - For Description, enter API to trigger the sm-presigned Lambda function.
  - For Endpoint type, choose Edge optimized.
Next, you set up the GET API method with Lambda proxy integration.
- On the Actions menu, choose Create method.
- Choose GET from the drop-down menu, and select the check mark icon.
- Leave Integration type set to Lambda Function.
- Select Use Lambda Proxy integration.
- On the Lambda Region drop-down menu, choose the Region where you created the sm-presigned function (for example, us-west-2).
- For Lambda Function, choose sm-presigned from the drop-down menu.
- Leave Use Default Timeout selected.
- Choose Save.
- Choose OK when prompted with Add Permission to Lambda Function.
- Deploy and test the API using the stage name Dev.
- Note the API's invoke URL for the next step.
We use this serverless solution to test functionality. For added security, we recommend controlling and managing access to your API using the API Gateway authentication and authorization methods. Only users who need to access create_presigned_domain_url should be given access to the API. You can then use mapping templates to pass user identity context information (using the $context variable) to the backend Lambda function. Use the mapped variable to create and pass UserProfileName in the function so that only the external users with a configured profile in Studio can invoke the create_presigned_domain_url method.
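The handler below is an added example (not the post's own Lambda code or its SAM template) that ties together the 302-redirect pattern from the solution overview and the identity-mapping recommendation above. It assumes a Cognito user pool authorizer on the API (so the caller's identity arrives in requestContext.authorizer.claims under cognito:username), an ALLOWED_PROFILES environment variable listing permitted Studio profile names, and DOMAIN_ID and SAGEMAKER_REGION environment variables; FakeSageMakerClient is a constructed stand-in so the module runs offline.

```python
import os

MIN_BOTO3 = (1, 17, 0)  # first Boto3 release with ExpiresInSeconds, per the post

def supports_expires_in_seconds(version):
    """Return True if this Boto3 version string is >= 1.17.0."""
    return tuple(int(p) for p in version.split(".")[:3]) >= MIN_BOTO3

def resolve_profile(event, allowed_profiles):
    """Map the caller's identity (taken from the API Gateway authorizer
    context, never from the query string) to a Studio profile, or None."""
    claims = event.get("requestContext", {}).get("authorizer", {}).get("claims", {})
    user = claims.get("cognito:username")  # assumed Cognito user-pool authorizer claim
    return user if user in allowed_profiles else None

def build_redirect(sm_client, domain_id, profile, url_ttl=5, session_ttl=43200):
    """Request a presigned URL valid for url_ttl seconds and return an
    HTTP 302 (Lambda proxy format) so the browser consumes it immediately."""
    resp = sm_client.create_presigned_domain_url(
        DomainId=domain_id,
        UserProfileName=profile,
        ExpiresInSeconds=url_ttl,
        SessionExpirationDurationInSeconds=session_ttl,
    )
    return {"statusCode": 302, "body": "",
            "headers": {"Location": resp["AuthorizedUrl"], "Cache-Control": "no-store"}}

def lambda_handler(event, context, sm_client=None):
    # Deny by default: an empty ALLOWED_PROFILES allowlist maps every caller to 403.
    allowed = set(filter(None, os.environ.get("ALLOWED_PROFILES", "").split(",")))
    profile = resolve_profile(event, allowed)
    if profile is None:
        return {"statusCode": 403, "headers": {}, "body": "forbidden"}
    if sm_client is None:  # real client inside Lambda; a fake is injected offline
        import boto3
        if not supports_expires_in_seconds(boto3.__version__):
            raise RuntimeError("Boto3 >= 1.17.0 is needed for ExpiresInSeconds")
        sm_client = boto3.client("sagemaker", region_name=os.environ["SAGEMAKER_REGION"])
    return build_redirect(sm_client, os.environ["DOMAIN_ID"], profile)

class FakeSageMakerClient:
    """Constructed stand-in for the boto3 SageMaker client, for offline runs."""
    def __init__(self):
        self.calls = []

    def create_presigned_domain_url(self, **kwargs):
        self.calls.append(kwargs)
        return {"AuthorizedUrl": "https://studio.example.invalid/?authToken=placeholder"}
```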
Create a sample webpage to launch Studio
You can use the API invoke URL created in the previous step to be redirected to Studio. The following is the sample code to invoke the URL:
Choose Go to Amazon SageMaker Studio to launch Studio.
You can now access Studio from external applications.
You can deploy the application using the AWS SAM template available on GitHub.
Conclusion
In this post, we showed you how you can securely launch a SageMaker Studio domain through a presigned URL by choosing a custom expiration time that can be as low as 5 seconds. We created an application using a serverless architecture to handle Studio launch requests from external applications. You can use a similar architecture to connect to the Jupyter server from a notebook instance, so users don’t have to go through the console to work on the notebook. To learn more, see the CreatePresignedNotebookInstanceUrl documentation.
About the Authors
Prabhat Sharma is a Specialist Solutions Architect for containers, working on solving problems in the areas of app dev, DevOps, and ML. Away from professional life, he loves to spend time with his family and friends.
Akshara Shah is a Solutions Architect at AWS. She provides strategic technical guidance to help customers design and build cloud solutions. She is currently focused on Machine Learning and Artificial Intelligence technologies.