How can I deploy an Amazon SageMaker model to a different AWS account?

Last updated: 2020-07-14

I'm training an Amazon SageMaker model on one AWS account. How can I deploy this model to an endpoint in a different AWS account?

Resolution

Account A (sandbox account)

1.    Create an AWS Key Management Service (AWS KMS) customer master key (CMK). On the Define key usage permissions page, in the Other AWS accounts section, choose Add another AWS account. Then, enter the AWS account number for account B (the account where you want to deploy the model).

You will use this CMK for the Amazon SageMaker training job, so that the model artifact it writes is encrypted with a key that account B can be allowed to use. If you don't specify a CMK for the training job, Amazon SageMaker defaults to an Amazon Simple Storage Service (Amazon S3) server-side encryption key. A default Amazon S3 server-side encryption key can't be shared with or used by another AWS account, so account B would be unable to decrypt the artifact.

2.    Create the training job, if you haven't already. In the Estimator class, add the CMK that you created in the previous step. Example:

linear = sagemaker.estimator.Estimator(
    …
    output_kms_key='xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx',
    …
)

Account B (deployment account)

1.    Create two AWS Identity and Access Management (IAM) policies similar to the following. These are inline policies, which means that they're embedded in an IAM identity (a user, group, or role).

Inline policy 1: Allows a role to access the Amazon S3 resource in account A that contains the model artifact. Replace awsdoc-example-bucket with the name of the S3 bucket where the training job output is stored.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::awsdoc-example-bucket/sagemaker/linear-learner/output/model.tar.gz"
        }
    ]
}

Inline policy 2: Allows a role, which you will create later, to use the CMK in account A. For Resource, specify the account ID for account A and the CMK ID.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowUseOfTheKey",
            "Effect": "Allow",
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*",
                "kms:DescribeKey"
            ],
            "Resource": [
                "arn:aws:kms:us-east-1:AccountA:key/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
            ]
        }
    ]
}

2.    Create an IAM role for Amazon SageMaker. This role has the AmazonSageMakerFullAccess policy attached.

3.    Attach the two inline policies that you created in step 1 to the role that you created in step 2. The role should have three policies: AmazonSageMakerFullAccess, and the two inline policies.

Account A (sandbox account)

Create an S3 bucket policy for the bucket where the training job output is stored. This bucket policy allows the role that you created in the previous section to access the model artifact. Replace these values in the following example:

AccountB: AWS account ID for the deployment account
AmazonSageMaker: the name of the role that you created in the deployment account
awsdoc-example-bucket: the S3 bucket where the training job output is stored

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::AccountB:root"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::awsdoc-example-bucket/sagemaker/linear-learner/output/model.tar.gz",
            "Condition": {
                "StringEquals": {
                    "aws:PrincipalArn": "arn:aws:iam::AccountB:role/AmazonSageMaker"
                }
            }
        }
    ]
}
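The three policy documents above only work together if they name the same object, the same role and the same key. The following added checker (example code, not part of the article or of any AWS tool) audits them for that consistency and for the least-privilege points that matter most: the bucket policy must be pinned to the account B role with the aws:PrincipalArn condition rather than granting the whole account, and every Resource must be the single artifact or the single CMK, never a wildcard. Account IDs, the role name, the bucket and the key ID are constructed sample values standing in for the article's placeholders.

```python
# Constructed sample values standing in for the article's placeholders (not real accounts or keys).
ACCOUNT_A, ACCOUNT_B = "111111111111", "222222222222"
ROLE_ARN = f"arn:aws:iam::{ACCOUNT_B}:role/AmazonSageMaker"
ARTIFACT = "arn:aws:s3:::awsdoc-example-bucket/sagemaker/linear-learner/output/model.tar.gz"
KEY_ARN = f"arn:aws:kms:us-east-1:{ACCOUNT_A}:key/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
KMS_ACTIONS = {"kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey"}

# Constructed: the article's bucket policy with placeholders filled in but the Condition block left out.
WEAK_BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "s3:GetObject",
    "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_B}:root"}, "Resource": ARTIFACT}]}

def _lst(v):
    """IAM allows a single string or a list in most fields; normalise to a list."""
    return v if isinstance(v, list) else [v]

def audit_bucket_policy(doc, role_arn=ROLE_ARN, artifact=ARTIFACT):
    """Account A side: the cross-account grant must name exactly one object and one role."""
    findings = []
    for st in _lst(doc["Statement"]):
        if st.get("Effect") != "Allow" or "s3:GetObject" not in _lst(st.get("Action", [])):
            continue
        p = st.get("Principal", {})
        principals = _lst(p.get("AWS", []) if isinstance(p, dict) else p)
        pin = st.get("Condition", {}).get("StringEquals", {}).get("aws:PrincipalArn")
        if "*" in principals:
            findings.append("bucket policy: Principal '*' exposes the artifact to everyone")
        elif role_arn not in principals and pin != role_arn:
            findings.append("bucket policy: account-root principal without an aws:PrincipalArn "
                            "condition lets any identity in account B read the artifact")
        resources = _lst(st.get("Resource", []))
        if artifact not in resources or any(r.endswith("*") for r in resources):
            findings.append("bucket policy: Resource should be exactly the model artifact object")
    return findings

def audit_role_policies(s3_doc, kms_doc, artifact=ARTIFACT, key_arn=KEY_ARN):
    """Account B side: inline policy 1 reads one object, inline policy 2 uses one key in account A."""
    findings = []
    s3_res = [r for st in _lst(s3_doc["Statement"]) for r in _lst(st.get("Resource", []))]
    if artifact not in s3_res or any(r.endswith("*") for r in s3_res):
        findings.append("inline policy 1: Resource should be exactly the model artifact object")
    for st in _lst(kms_doc["Statement"]):
        extra = set(_lst(st.get("Action", []))) - KMS_ACTIONS
        if extra:
            findings.append(f"inline policy 2: actions {sorted(extra)} are not needed to use the CMK")
        for r in _lst(st.get("Resource", [])):
            if r != key_arn:
                findings.append(f"inline policy 2: {r} is not the CMK shared from account A")
    return findings
```

An empty list from both functions means the documents agree with each other; each finding names the document and the field to correct.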

Account B (deployment account)

Create the deployment model:

1.    Open the Amazon SageMaker console.

2.    On the navigation pane, under Inference, choose Models.

3.    Choose Create model, and then enter the following:
IAM role: Choose Custom IAM role ARN. For YourAccountID, enter the ID for account B. For YourRole, enter the name of the IAM role that you created in account B.
Location of inference code image: Provide the registry path where the inference code image is stored in Amazon Elastic Container Registry (Amazon ECR).
Location of model artifacts: Provide the URL where model artifacts are stored in Amazon S3.

4.    At the bottom of the page, choose Create model. For more information about creating a model, see Create a pipeline model.

Create the endpoint configuration:

1.    Open the Amazon SageMaker console.

2.    On the navigation pane, under Inference, choose Endpoint configurations.

3.    Choose Create endpoint configuration. Then, under Production variants, add the model that you created in the previous section.

4.    Choose Create endpoint configuration.

Create the endpoint:

1.    Open the Amazon SageMaker console.

2.    On the navigation pane, under Inference, choose Endpoints.

3.    Choose Create endpoint, and then select the endpoint configuration that you created in the previous section.

4.    Choose Create endpoint.

You are now ready to deploy the model from account A to account B.
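The three console procedures above (model, endpoint configuration, endpoint) map onto three SageMaker API calls in the same order. The following added script (example code, not part of the article) performs them with boto3 from account B; the point to note is that ExecutionRoleArn is the account B role carrying the two inline policies, because SageMaker assumes that role to fetch model.tar.gz from account A's bucket and decrypt it with the shared CMK. The account ID, role name, image URI, endpoint name and instance type are constructed sample values, and RecordingClient is a hypothetical stand-in client used only to exercise the function offline.

```python
# Constructed sample values standing in for the article's placeholders (not real accounts or images).
ACCOUNT_B = "222222222222"
ROLE_ARN = f"arn:aws:iam::{ACCOUNT_B}:role/AmazonSageMaker"
IMAGE_URI = f"{ACCOUNT_B}.dkr.ecr.us-east-1.amazonaws.com/linear-learner-inference:latest"
MODEL_DATA_URL = "s3://awsdoc-example-bucket/sagemaker/linear-learner/output/model.tar.gz"

def deploy_cross_account_model(sm, name, role_arn=ROLE_ARN, image_uri=IMAGE_URI,
                               model_data_url=MODEL_DATA_URL, instance_type="ml.m5.large"):
    """Model -> endpoint configuration -> endpoint: the same three console steps, in order.
    `sm` is a boto3 SageMaker client, or any object exposing the same three methods."""
    # The execution role is the account B role with AmazonSageMakerFullAccess plus the two inline
    # policies; nothing in account B's own identity reads the artifact, only this role does.
    sm.create_model(ModelName=name, ExecutionRoleArn=role_arn,
                    PrimaryContainer={"Image": image_uri, "ModelDataUrl": model_data_url})
    sm.create_endpoint_config(EndpointConfigName=name, ProductionVariants=[{
        "VariantName": "AllTraffic", "ModelName": name, "InitialInstanceCount": 1,
        "InstanceType": instance_type, "InitialVariantWeight": 1.0}])
    sm.create_endpoint(EndpointName=name, EndpointConfigName=name)
    return name

class RecordingClient:
    """Hypothetical stand-in for boto3.client('sagemaker') that records each API call."""
    def __init__(self):
        self.calls = []
    def __getattr__(self, api):
        return lambda **kwargs: self.calls.append((api, kwargs)) or {}

if __name__ == "__main__":
    import boto3  # real run: needs credentials for account B and the role from the previous section
    sm = boto3.client("sagemaker", region_name="us-east-1")
    endpoint = deploy_cross_account_model(sm, "linear-learner-from-account-a")
    # Endpoint creation is asynchronous; wait for InService before sending inference requests.
    sm.get_waiter("endpoint_in_service").wait(EndpointName=endpoint)
```

If create_model succeeds but the endpoint fails to reach InService with an access error on model.tar.gz, recheck the bucket policy condition in account A and the CMK's cross-account grant before anything else.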
