Cybernetic

Reputation: 13334

How does one make AWS SageMaker available to people outside their organization?

I am setting up SageMaker for a group outside my organization, and wondering how I provide access to SageMaker Studio (and any dependent AWS resources SageMaker would use) to these users. The idea is to have them use SageMaker Studio to train and test models.

Ideally, it would be great if I simply send them a link where they sign in, and are then granted access to SageMaker hosted from my AWS account.

I believe to grant temporary access I need to attach a role to a group of users, and also attach a policy to this group, then finally associate this role with SageMaker. But how do I then create a link to SageMaker so these users can sign in?

The other option would be to set this up using cross-account access, since those I want to give access to also have their own AWS account. But again, how does one generate a link to direct these users to the SageMaker on my AWS account?

There appears to be 2 options, as per SageMaker Onboarding:

  1. AWS SSO authentication
  2. IAM authentication

I don't understand the 2nd approach, since wouldn't this mean users would have to sign in as root to the console anyway and then have full access? I could edit the policy attached to IAM users, but this begs another question:

...does SageMaker come pre-baked with policies that include its dependent AWS services? For example, SageMaker will use S3 for storage and EC2 for processing; do I need to set these individually in the policy, or can I simply use a SageMaker policy, which will include all those dependencies by default?

Upvotes: 1

Views: 3794

Answers (1)

andras

Reputation: 155

First of all, you can generate "disposable" (called pre-signed) URLs which can be used for accessing SageMaker Studio User Profiles without any AWS credentials. These URLs can be valid for max 5 minutes and can be generated with a single AWS API call.

One approach to provide Studio access to your users is to set up a service which can authenticate your Studio users and then calls the CreatePresignedDomainUrl SageMaker API method to send back the generated pre-signed URL to the user.

Alternatively, you can use AWS SSO as well, which can do most of the heavy lifting for you, especially if you'd like to integrate with a single sign-on service. AWS SSO integrates with SageMaker Studio and you can assign Studio user profiles to your onboarded users. Your users then can go through your single sign-on service and can launch the Studio without logging into the AWS Console.

Another approach is to use IAM Federation, where you basically provide access to the AWS API and/or to the Console to your users who are authenticated by an (external) identity provider. Federated users can assume specific roles to operate with the AWS API or the Management Console. For accessing SageMaker Studio, users just need to have the CreatePresignedDomainUrl access policy which allows them to create the pre-signed URL by themselves. If you want to isolate your SageMaker user profiles and ensure each federated user can access just those user profiles which are assigned to them, please see the following blog post for more information.

And finally, please note that, once the user has logged in to Studio, the Execution Role configured for the specific user profile will determine what the Studio user can access and is able to do (e.g. spinning up SageMaker training jobs, deploying models, accessing S3, etc). Thus, you don't need to set up these policies for your IAM users or roles used by the federated users.

Upvotes: 3
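The pre-signed URL service and the per-user presign policy described in the answer above, as an added example (not code from the answer or from AWS). It assumes a domain id `d-exampledomain`, a user profile `alice` and the documentation placeholder account `111122223333`; the `StubSageMakerClient` is a constructed offline stand-in for `boto3.client("sagemaker")`.

```python
import json

# CreatePresignedDomainUrl rejects ExpiresInSeconds above 300: the 5-minute cap
# mentioned in the answer. Keep the default well below it; the URL is a bearer token.
MAX_URL_TTL_SECONDS = 300


def issue_studio_url(sagemaker_client, domain_id, user_profile_name, expires_in=60):
    """Mint a short-lived Studio login URL for exactly one user profile.

    sagemaker_client is any object with a boto3-style create_presigned_domain_url();
    in production pass boto3.client("sagemaker", region_name=...) after you have
    authenticated the caller and mapped them to user_profile_name.
    """
    if not 1 <= expires_in <= MAX_URL_TTL_SECONDS:
        raise ValueError(f"expires_in must be 1..{MAX_URL_TTL_SECONDS}, got {expires_in}")
    response = sagemaker_client.create_presigned_domain_url(
        DomainId=domain_id,
        UserProfileName=user_profile_name,
        ExpiresInSeconds=expires_in,
    )
    return response["AuthorizedUrl"]


def studio_presign_policy(region, account_id, domain_id, user_profile_name):
    """IAM policy for a federated role: presign only the caller's own user profile."""
    profile_arn = (f"arn:aws:sagemaker:{region}:{account_id}:"
                   f"user-profile/{domain_id}/{user_profile_name}")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "sagemaker:CreatePresignedDomainUrl",
            "Resource": profile_arn,  # no wildcard: other profiles stay unreachable
        }],
    }


class StubSageMakerClient:
    """Constructed stand-in so the example runs offline; records the parameters sent."""

    def __init__(self):
        self.calls = []

    def create_presigned_domain_url(self, **params):
        self.calls.append(params)
        return {"AuthorizedUrl": "https://studio.example.invalid/auth?token=CONSTRUCTED"}


if __name__ == "__main__":
    client = StubSageMakerClient()
    print(issue_studio_url(client, "d-exampledomain", "alice"))
    print(json.dumps(studio_presign_policy("us-east-1", "111122223333",
                                           "d-exampledomain", "alice"), indent=2))
```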
