The AI Book

    Define custom permissions in minutes with Amazon SageMaker Role Manager via the AWS CDK

    27 June 2023


    Machine learning (ML) administrators play a critical role in maintaining the security and integrity of ML workloads. Their main goal is to ensure that users can work with maximum security, following the principle of least privilege. However, meeting the different needs of different user personas and creating appropriate permission policies can sometimes hamper agility. To address this challenge, AWS introduced Amazon SageMaker Role Manager in December 2022. SageMaker Role Manager is a powerful tool that you can use to quickly develop persona-based roles that can be easily customized to meet specific requirements.

    With SageMaker Role Manager, administrators can efficiently define persona-based roles tailored to specific groups of users. This approach ensures that individuals have access to only the resources and actions necessary to perform their tasks, reducing the risk of unauthorized actions or breaches. SageMaker Role Manager also allows fine-grained customization. ML administrators can customize roles to meet specific requirements by changing the permissions associated with each persona. This flexibility ensures that permissions are precisely tailored to the tasks and responsibilities of individual users, providing a robust security framework for unique use cases.

    SageMaker Role Manager is currently available on the Amazon SageMaker console in all commercial regions. Today, we’re launching the ability to define custom permissions in minutes with SageMaker Role Manager via the AWS Cloud Development Kit (AWS CDK). This addresses a critical hurdle to wider adoption, as ML administrators can now automate their tasks programmatically. With the power of the AWS CDK, ML administrators can streamline workflows, reduce manual effort, and ensure consistency in the permissions management of their ML infrastructure.

    Solution overview

    With the release of the SageMaker Role Manager CDK, we’re launching two new Infrastructure as Code (IaC) capabilities:

    You can create fine-grained AWS Identity and Access Management (IAM) roles for ML personas, such as Data Scientist, ML Engineer, or Data Engineer. SageMaker Role Manager provides predefined personas and ML activities that combine to simplify your permission generation process, allowing your ML practitioners to fulfill their responsibilities with least privilege permissions. For secure access to your ML resources, SageMaker Role Manager lets you specify network and encryption permissions for Amazon Virtual Private Cloud (Amazon VPC) resources and AWS Key Management Service (AWS KMS) encryption keys. Additionally, you can customize permissions by attaching your user-managed policies.

    The SageMaker Role Manager CDK lets you define custom permissions for SageMaker users in minutes. It comes with a set of predefined policy templates for different personas and ML activities. Personas represent different types of users who need permissions to perform ML activities in SageMaker, such as data scientists or MLOps engineers. ML activities are a set of permissions to perform a common ML task, such as running Amazon SageMaker Studio applications or managing experiments, models, or pipelines. After you select a persona type and set of ML activities, the SageMaker Role Manager CDK automatically creates the required IAM role and policy that you can assign to SageMaker users. Similarly, you can also create IAM roles with fine-grained permissions for automated tasks such as running SageMaker Pipelines.

    Prerequisites

    To start using the SageMaker Role Manager CDK, you must meet the following prerequisites:

    1. Set up your ML admin role to create and manage personas, as well as the IAM permissions for those users. For a sample administrative policy, see the Prerequisites section of the Define Custom Permissions in Minutes with Amazon SageMaker Role Manager blog post.
    2. Create a compute-only persona role (if you don’t have one) to pass to jobs and endpoints. For instructions on setting up this role, see Using the Role Manager.
    3. Set up your AWS CDK development environment. For instructions, see Getting Started with the AWS CDK.

    Install and run the SageMaker Role Manager CDK

    Complete the following steps to install the SageMaker Role Manager CDK:

    1. Create your AWS CDK app and give it a name; for example, RoleManager.
    2. Navigate to the RoleManager folder and run the following command to create an empty TypeScript AWS CDK project:
      cdk init app --language typescript

    3. Open package.json and add the @cdklabs/cdk-aws-sagemaker-role-manager package to the dependencies, as shown in the following code:
      "dependencies": {
          "aws-cdk-lib": "2.85.0",
          "@cdklabs/cdk-aws-sagemaker-role-manager": "0.0.15",
          "constructs": "^10.0.0",
          "source-map-support": "^0.5.21"
      }

    4. Run the following command to install the new cdk-aws-sagemaker-role-manager package:
    5. Go to the lib folder and edit role_manager_stack.ts with the following code:
      import * as cdk from 'aws-cdk-lib';
      import { Construct } from 'constructs';
      import * as iam from 'aws-cdk-lib/aws-iam';
      import { Activity } from '@cdklabs/cdk-aws-sagemaker-role-manager';

      export class RoleManagerStack extends cdk.Stack {
        constructor(scope: Construct, id: string, props?: cdk.StackProps) {
          super(scope, id, props);

          // ML activity for managing jobs; rolesToPass lists the roles that may be passed to those jobs
          const activity = Activity.manageJobs(this, 'id1', {
            rolesToPass: [iam.Role.fromRoleName(this, 'passRoleId', 'passRoleName')],
          });

          // Create the IAM role that carries this activity's permissions
          activity.createRole(this, 'newRoleId', 'newRoleName', 'newRoleDescription');
        }
      }

    6. Replace passRoleId, passRoleName, newRoleId, newRoleName, and newRoleDescription to create roles based on your needs.
    7. Navigate to the home folder of your AWS CDK application and run the following command to validate the generated AWS CloudFormation template:
    8. Finally, run the following command to launch the CloudFormation stack in your AWS account:

    You should see AWS CDK deployment output similar to the following screenshot.

    More SageMaker Role Manager CDK examples are available in the following GitHub repo.
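
    A least-privilege check you can run against the template validated in the steps above, as an added example (not code from the original post or from the Role Manager project). It scans the IAM resources of a parsed CloudFormation template for Allow statements with Action "*" or with iam:PassRole on Resource "*", which is the permission that rolesToPass is meant to scope. The type names, function names, and sample template are assumptions made for illustration.

```typescript
type Statement = { Effect: string; Action: string | string[]; Resource: unknown };
type Doc = { Statement: Statement[] };
type CfnResource = { Type: string; Properties?: { PolicyDocument?: Doc; Policies?: { PolicyDocument: Doc }[] } };
type Template = { Resources: Record<string, CfnResource> };
const asList = (v: unknown): unknown[] => (Array.isArray(v) ? v : [v]);

// IAM action patterns are case-insensitive and may contain * and ? wildcards.
function actionMatches(pattern: string, action: string): boolean {
  const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&");
  const source = "^" + escaped.replace(/\*/g, ".*").replace(/\?/g, ".") + "$";
  return new RegExp(source, "i").test(action);
}

// Standalone policies carry PolicyDocument; roles carry inline Policies[].
function policyDocuments(res: CfnResource): Doc[] {
  const props: NonNullable<CfnResource["Properties"]> = res.Properties ?? {};
  const inline = (props.Policies ?? []).map((p) => p.PolicyDocument);
  return props.PolicyDocument ? [props.PolicyDocument].concat(inline) : inline;
}

function auditTemplate(template: Template): string[] {
  const findings: string[] = [];
  for (const logicalId of Object.keys(template.Resources)) {
    const res = template.Resources[logicalId];
    if (res.Type.indexOf("AWS::IAM::") !== 0) continue;
    for (const doc of policyDocuments(res)) {
      for (const stmt of doc.Statement) {
        if (stmt.Effect !== "Allow") continue;
        const actions = asList(stmt.Action).map(String);
        // Only a literal "*" is unscoped; intrinsics (Fn::GetAtt, ...) resolve to ARNs.
        const anyResource = asList(stmt.Resource).indexOf("*") !== -1;
        if (actions.indexOf("*") !== -1) findings.push(`${logicalId}: Action "*"`);
        else if (anyResource && actions.some((a) => actionMatches(a, "iam:PassRole")))
          findings.push(`${logicalId}: iam:PassRole on Resource "*"`);
      }
    }
  }
  return findings;
}

// Constructed sample, not real Role Manager output; names and account ID are placeholders.
const SAMPLE_TEMPLATE: Template = { Resources: {
  ScopedJobsPolicy: { Type: "AWS::IAM::Policy", Properties: { PolicyDocument: { Statement: [
    { Effect: "Allow", Action: "iam:PassRole", Resource: "arn:aws:iam::111122223333:role/ExampleComputeRole" }] } } },
  BroadJobsRole: { Type: "AWS::IAM::Role", Properties: { Policies: [{ PolicyDocument: { Statement: [
    { Effect: "Allow", Action: ["sagemaker:CreateTrainingJob", "iam:Pass*"], Resource: "*" }] } }] } },
  AdminPolicy: { Type: "AWS::IAM::ManagedPolicy", Properties: { PolicyDocument: { Statement: [
    { Effect: "Allow", Action: "*", Resource: "*" }] } } },
} };
```

    Pass auditTemplate the parsed JSON of the synthesized stack template and fail the build when it returns any findings.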

    ML persona and activity CDK reference

    Administrators can define ML activities using the static functions of the Activity class, such as Activity.manageJobs in the preceding code. For the latest list, see the ML Activity Reference.

    The ML persona class supports the following methods:

    • customizeVPC(subnets, securityGroups) – Customizes the VPC settings of all the persona's activities that support VPC customization.
    • customizeKMS(dataKeys, volumeKeys) – Customizes the KMS keys of all the persona's activities that support KMS key customization.
    • createRole(scope, id, roleNameSuffix, roleDescription) – Creates a role with the permissions of the persona's activities, the given ID, a name in a format like SageMaker-$roleNameSuffix, and optionally the passed-in role description.
    • grantPermissionsTo(identity) – Grants the permissions of the persona's activities to the identity. The identity passed can be a role or an AWS resource associated with a role (for example, a Lambda function, whose role describes which resources the function can access).
    • grantPermissionsTo() – Updates the passed identity role to have the permissions specified in the ML activity.

    The ML Activity class supports the same feature set as ML personas; however, the difference is that an ML activity is limited to a single activity when you use this interface to create IAM roles.

    Conclusion

    SageMaker Role Manager allows you to create custom roles based on personas, pre-built ML activities, and custom policies, greatly reducing the time required. Now, with this latest AWS CDK support, the ability to define roles has been expanded even further to support infrastructure as code. This enables ML practitioners to work programmatically within SageMaker, improving efficiency and enabling seamless integration into their workflows.

    We’d love to hear from you about how this new feature helps you. Try the new AWS CDK support for SageMaker Role Manager and send us your feedback!

    For more information on using SageMaker Role Manager, see the SageMaker Role Manager Developer’s Guide.


    About the authors

    Akash Bhatia is a principal solution architect with experience spanning multiple industries including manufacturing, automotive, retail, and aerospace and technology. Currently working in the Amazon Web Services Enterprise Segments, Akash works closely with a diverse range of clients, including Fortune 100 companies and start-ups, to support their cloud migration journey. In addition to his technical expertise, Akash has led product and program management and has successfully overseen multiple large-scale initiatives throughout his career.

    Ram Vitali is the Chief Architect of ML Solutions on AWS. He has more than 20 years of experience in architecting and building distributed, hybrid and cloud applications. He is passionate about building secure and scalable AI/ML and Big Data solutions to help enterprise customers on their cloud adoption and optimization journey to improve their business outcomes. In his free time, he likes to ride a motorcycle, play tennis and take pictures.

    Ozan Eken is a senior product manager at Amazon Web Services. He has over 15 years of experience in consulting and product management. He is passionate about building management products and admin capabilities in machine learning for enterprise customers. Outside of work, he enjoys exploring outdoor activities and watching football.
