Handle Amazon SageMaker JumpStart basis mannequin entry with non-public hubs

Amazon SageMaker JumpStart is a machine studying (ML) hub providing pre-trained fashions and pre-built options. It supplies entry to a whole bunch of basis fashions (FMs). A personal hub is a function in SageMaker JumpStart that enables a company to share their fashions and notebooks in order to centralize mannequin artifacts, facilitate discoverability, and improve the reuse inside the group. With new fashions launched each day, many enterprise admins need extra management over the FMs that may be found and utilized by customers inside their group (for instance, solely permitting fashions based mostly on pytorch framework to be found).

Now enterprise admins can effortlessly configure granular entry management over the FMs that SageMaker JumpStart supplies out of field in order that solely allowed fashions may be accessed by customers inside their organizations. On this publish, we focus on the steps required for an administrator to configure granular entry management of fashions in SageMaker JumpStart utilizing a personal hub, in addition to the steps for customers to entry and eat fashions from the non-public hub.

Resolution overview

Beginning right now, with SageMaker JumpStart and its non-public hub function, directors can create repositories for a subset of fashions tailor-made to totally different groups, use circumstances, or license necessities utilizing the Amazon SageMaker Python SDK. Admins may arrange a number of non-public hubs with totally different lists of fashions discoverable for various teams of customers. Customers are then solely capable of uncover and use fashions inside the non-public hubs they’ve entry to via Amazon SageMaker Studio and the SDK. This degree of management empowers enterprises to eat the most recent in open weight generative synthetic intelligence (AI) growth whereas imposing governance guardrails. Lastly, admins can share entry to personal hubs throughout a number of AWS accounts, enabling collaborative mannequin administration whereas sustaining centralized management. SageMaker JumpStart makes use of AWS Resource Access Manager (AWS RAM) to securely share non-public hubs with different accounts in the identical group. The brand new function is obtainable within the us-east-2 AWS Area as of writing, and will probably be out there to extra Areas quickly.

The next diagram exhibits an instance structure of SageMaker JumpStart with its private and non-private hub options. The diagram illustrates how SageMaker JumpStart supplies entry to totally different mannequin repositories, with some customers accessing the general public SageMaker JumpStart hub and others utilizing non-public curated hubs.

Within the following part, we display how admins can configure granular entry management of fashions in SageMaker JumpStart utilizing a personal hub. Then we present how customers can entry and eat allowlisted fashions within the non-public hub utilizing SageMaker Studio and the SageMaker Python SDK. Lastly, we have a look at how an admin consumer can share the non-public hub with customers in one other account.

Stipulations

To make use of the SageMaker Python SDK and run the code related to this publish, you want the next stipulations:

• An AWS account that comprises all of your AWS sources
• An AWS Identity and Access Management (IAM) function with entry to SageMaker Studio notebooks
• SageMaker JumpStart enabled in a SageMaker Studio area

Create a personal hub, curate fashions, and configure entry management (admins)

This part supplies a step-by-step information for directors to create a personal hub, curate fashions, and configure entry management to your group’s customers.

1. As a result of the function has been built-in within the newest SageMaker Python SDK, to make use of the mannequin granular entry management function with a personal hub, let’s first replace the SageMaker Python SDK:

   !pip3 set up sagemaker —force-reinstall —quiet

2. Subsequent, import the SageMaker and Boto3 libraries:

   import boto3
   from sagemaker import Session
   from sagemaker.jumpstart.hub.hub import Hub

3. Configure your non-public hub:

   HUB_NAME="CompanyHub"
   HUB_DISPLAY_NAME="Allowlisted Fashions"
   HUB_DESCRIPTION="These are allowlisted fashions taken from the JumpStart Public Hub."
   REGION="<your_region_name>" # for instance, "us-west-2"

   Within the previous code, HUB_NAME specifies the identify of your Hub. HUB_DISPLAY_NAME is the show identify to your hub that will probably be proven to customers in UI experiences. HUB_DESCRIPTION is the outline to your hub that will probably be proven to customers.

4. Arrange a Boto3 shopper for SageMaker:

   sm_client = boto3.shopper('sagemaker')
   session = Session(sagemaker_client=sm_client)
   session.get_caller_identity_arn()

5. Test if the next insurance policies have been already added to your admin IAM function; if not, you’ll be able to add them as inline insurance policies:

   {
       "Model": "2012-10-17",
       "Assertion": [
           {
               "Action": [
                   "s3:ListBucket",
                   "s3:GetObject",
                   "s3:GetObjectTagging"
               ],
               "Useful resource": [
                   "arn:aws:s3:::jumpstart-cache-prod-<REGION>",
                   "arn:aws:s3:::jumpstart-cache-prod-<REGION>/*"
               ],
               "Impact": "Permit"
           }
       ]
   }

   Exchange the <REGION> placeholder utilizing the configurations in Step 3.

   Along with organising IAM permissions to the admin function, you could scope down permissions to your customers to allow them to’t entry public contents.

6. Use the next coverage to disclaim entry to the general public hub to your customers. These may be added as inline insurance policies within the consumer’s IAM function:

   {
       "Model": "2012-10-17",
       "Assertion": [
           {
               "Action": "s3:*",
               "Effect": "Deny",
               "Resource": [
                   "arn:aws:s3:::jumpstart-cache-prod-<REGION>",
                   "arn:aws:s3:::jumpstart-cache-prod-<REGION>/*"
               ],
               "Situation": {
                   "StringNotLike": {"s3:prefix": ["*.ipynb", "*/eula.txt"]}
               }
           },
           {
               "Motion": "sagemaker:*",
               "Impact": "Deny",
               "Useful resource": [
                   "arn:aws:sagemaker:<REGION>:aws:hub/SageMakerPublicHub",
                   "arn:aws:sagemaker:<REGION>:aws:hub-content/SageMakerPublicHub/*/*"
               ]
           }
       ]
   }
   

   Exchange the <REGION> placeholder within the coverage utilizing the configurations in Step 3.

   After you’ve arrange the non-public hub configuration and permissions, you’re able to create the non-public hub.

7. Use the next code to create the non-public hub inside your AWS account within the Area you specified earlier:

   hub = Hub(hub_name=HUB_NAME, sagemaker_session=session)
   
   strive:
     hub.create(
         description=HUB_DESCRIPTION,
         display_name=HUB_DISPLAY_NAME
     )
     print(f"Efficiently created Hub with identify {HUB_NAME} in {REGION}")
   besides Exception as e:
     if "ResourceInUse" in str(e):
       print(f"A hub with the identify {HUB_NAME} already exists in your account.")
     else:
       elevate e
   

8. Use hub.describe() to confirm the configuration of your hub.After your non-public hub is ready up, you’ll be able to add a reference to fashions from the SageMaker JumpStart public hub to your non-public hub. No mannequin artifacts should be managed by the client. The SageMaker group will handle any model or safety updates.For a listing of obtainable fashions, consult with Built-in Algorithms with pre-trained Model Table.
9. To look programmatically, run the command

   filter_value = "framework == meta"
   response = hub.list_sagemaker_public_hub_models(filter=filter_value)
   fashions = response["hub_content_summaries"]
   whereas response["next_token"]:
       response = hub.list_sagemaker_public_hub_models(filter=filter_value,
                                                       next_token=response["next_token"])
       fashions.prolong(response["hub_content_summaries"])
   
   print(fashions)
   

   The filter argument is optionally available. For a listing of filters you’ll be able to apply, consult with SageMaker Python SDK.

10. Use the retrieved fashions from the previous command to create mannequin references to your non-public hub:

    for mannequin in fashions:
        print(f"Including {mannequin.get('hub_content_name')} to Hub")
        hub.create_model_reference(model_arn=mannequin.get("hub_content_arn"), 
                                   model_name=mannequin.get("hub_content_name"))

    The SageMaker JumpStart non-public hub presents different helpful options for managing and interacting with the curated fashions. Directors can verify the metadata of a particular mannequin utilizing the hub.describe_model(model_name=<model_name>) command. To record all out there fashions within the non-public hub, you should use a easy loop:

    response = hub.list_models()
    fashions = response["hub_content_summaries"]
    whereas response["next_token"]:
        response = hub.list_models(next_token=response["next_token"])
        fashions.prolong(response["hub_content_summaries"])
    
    for mannequin in fashions:
        print(mannequin.get('HubContentArn'))
    

    If you could take away a particular mannequin reference from the non-public hub, use the next command:

    hub.delete_model_reference("<model_name>")

    If you wish to delete the non-public hub out of your account and Area, you’ll have to delete all of the HubContents first, then delete the non-public hub. Use the next code:

    for mannequin in fashions:
        hub.delete_model_reference(model_name=mannequin.get('HubContentName')) 
    
    hub.delete()
    

Work together with allowlisted fashions (customers)

This part presents a step-by-step information for customers to work together with allowlisted fashions in SageMaker JumpStart. We display the way to record out there fashions, determine a mannequin from the general public hub, and deploy the mannequin to endpoints from SageMaker Studio in addition to the SageMaker Python SDK.

Person expertise in SageMaker Studio

Full the next steps to work together with allowlisted fashions utilizing SageMaker Studio:

1.  On the SageMaker Studio console, select JumpStart within the navigation pane or within the Prebuilt and automatic options part.
2. Select certainly one of mannequin hubs you’ve entry to. If the consumer has entry to a number of hubs, you’ll see a listing of hubs, as proven within the following screenshot.
   If the consumer has entry to just one hub, you’ll go straight to the mannequin record.
   You possibly can view the mannequin particulars and supported actions like prepare, deploy, and consider.
3. To deploy a mannequin, select Deploy.
4. Modify your mannequin configurations like situations and deployment parameters, and select Deploy.

Person expertise utilizing the SageMaker Python SDK

To work together along with your fashions utilizing the SageMaker Python SDK, full the next steps:

1. Similar to the admin course of, step one is to pressure reinstall the SageMaker Python SDK:

   !pip3 set up sagemaker —force-reinstall —quiet

2. Import the SageMaker and Boto3 libraries:

   import boto3
   from sagemaker import Session
   from sagemaker.jumpstart.hub.hub import Hub
   from sagemaker.jumpstart.mannequin import JumpStartModel
   from sagemaker.jumpstart.estimator import JumpStartEstimator

3. To entry the fashions in your non-public hub, you want the Area and the identify of the hub in your account. Fill out the HUB_NAME and REGION fields with the data supplied by your administrator:

   HUB_NAME="CompanyHub" 
   REGION="<your_region_name>" # for instance, "us-west-2"
   sm_client = boto3.shopper('sagemaker') 
   sm_runtime_client = boto3.shopper('sagemaker-runtime') 
   session = Session(sagemaker_client=sm_client, 
                       sagemaker_runtime_client=sm_runtime_client)
   hub = Hub(hub_name=HUB_NAME, sagemaker_session=session)

4. Listing the fashions out there in your non-public hub utilizing the next command:

   response = hub.list_models()
   fashions = response["hub_content_summaries"]
   whereas response["next_token"]:
       response = hub.list_models(next_token=response["next_token"])
       fashions.prolong(response["hub_content_summaries"])
   
   print(fashions)

5. To get extra details about a specific mannequin, use the describe_model technique:

   model_name = "huggingface-llm-phi-2"
   response = hub.describe_model(model_name=model_name) 
   print(response)

6. You possibly can deploy fashions in a hub with the Python SDK through the use of JumpStartModel. To deploy a mannequin from the hub to an endpoint and invoke the endpoint with the default payloads, run the next code. To pick out which mannequin out of your hub you wish to use, go in a model_id and model. In case you go in * for the model, it should take the most recent model out there for that model_id within the hub. In case you’re utilizing a mannequin gated behind a EULA settlement, go in accept_eula=True.

   model_id, model = "huggingface-llm-phi-2", "1.0.0"
   mannequin = JumpStartModel(model_id, model, hub_name=HUB_NAME, 
                               area=REGION, sagemaker_session=session)
   predictor = mannequin.deploy(accept_eula=False)

7. To invoke your deployed mannequin with the default payloads, use the next code:

   example_payloads = mannequin.retrieve_all_examples()
   for payload in example_payloads:
       response = predictor.predict(payload.physique)
       print("nInputn", payload.physique, "nnOutputn", 
                   response[0]["generated_text"], "nn===============")

8. To delete the mannequin endpoints that you just created, use the next code:

   predictor.delete_model()
   predictor.delete_endpoint()

Cross-account sharing of personal hubs

SageMaker JumpStart non-public hubs help cross-account sharing, permitting you to increase the advantages of your curated mannequin repository past your personal AWS account. This function allows collaboration throughout totally different groups or departments inside your group, even after they function in separate AWS accounts. By utilizing AWS RAM, you’ll be able to securely share your non-public hubs whereas sustaining management over entry.

To share your non-public hub throughout accounts, full the next steps:

1. On the AWS RAM console, select Create useful resource share.
2. When specifying useful resource share particulars, select the SageMaker hub useful resource kind and choose a number of non-public hubs that you just wish to share. While you share a hub with every other account, all of its contents are additionally shared implicitly.
3. Affiliate permissions along with your useful resource share.
4. Use AWS account IDs to specify the accounts to which you wish to grant entry to your shared sources.
5. Overview your useful resource share configuration and select Create useful resource share.

It could take a couple of minutes for the useful resource share and principal associations to finish.

Admins that wish to carry out the previous steps programmatically can enter the next command to provoke the sharing:

# create a useful resource share utilizing the non-public hub
aws ram create-resource-share 
    --name test-share 
    --resource-arns arn:aws:sagemaker:<area>:<resource_owner_account_id>:hub/<hub_name> 
    --principals <consumer_account_id>  
    --region <area>

Exchange the <resource_owner_account_id>, <consumer_account_id>, <hub_name>, and <area> placeholders with the suitable values for the useful resource proprietor account ID, client account ID, identify of the hub, and Area to make use of.

After you arrange the useful resource share, the desired AWS account will obtain an invite to affix. They need to settle for this invitation via AWS RAM to realize entry to the shared non-public hub. This course of makes positive entry is granted solely with specific consent from each the hub proprietor and the recipient account. For extra info, consult with Using shared AWS resources.

You may also carry out this step programmatically:

# record useful resource shares
aws ram get-resource-share-invitations 
    --region <area>

# settle for useful resource share
# utilizing the arn from the earlier response 
aws ram accept-resource-share-invitation  
  --resource-share-invitation-arn <arn_from_ previous_request> 
  --region <area>

For detailed directions on creating useful resource shares and accepting invites, consult with Creating a resource share in AWS RAM. By extending your non-public hub throughout accounts, you’ll be able to foster collaboration and keep constant mannequin governance throughout your whole group.

Conclusion

SageMaker JumpStart permits enterprises to undertake FMs whereas sustaining granular management over mannequin entry and utilization. By making a curated repository of accepted fashions in non-public hubs, organizations can align their AI initiatives with company insurance policies and regulatory necessities. The non-public hub decouples mannequin curation from mannequin consumption, enabling directors to handle the mannequin stock whereas information scientists deal with creating AI options.

This publish defined the non-public hub function in SageMaker JumpStart and supplied steps to arrange and use a personal hub, with minimal further configuration required. Directors can choose fashions from the general public SageMaker JumpStart hub, add them to the non-public hub, and handle consumer entry via IAM insurance policies. Customers can then deploy these preapproved fashions, fine-tune them on customized datasets, and combine them into their purposes utilizing acquainted SageMaker interfaces. The non-public hub makes use of the SageMaker underlying infrastructure, permitting it to scale with enterprise-level ML calls for.

For extra details about SageMaker JumpStart, consult with SageMaker JumpStart. To get began utilizing SageMaker JumpStart, entry it via SageMaker Studio.

Concerning the Authors

Raju Rangan is a Senior Options Architect at AWS. He works with government-sponsored entities, serving to them construct AI/ML options utilizing AWS. When not tinkering with cloud options, you’ll catch him hanging out with household or smashing birdies in a energetic recreation of badminton with mates.

Sherry Ding is a senior AI/ML specialist options architect at AWS. She has intensive expertise in machine studying with a PhD in pc science. She primarily works with public sector clients on numerous AI/ML-related enterprise challenges, serving to them speed up their machine studying journey on the AWS Cloud. When not serving to clients, she enjoys out of doors actions.

June Received is a product supervisor with Amazon SageMaker JumpStart. He focuses on making basis fashions simply discoverable and usable to assist clients construct generative AI purposes. His expertise at Amazon additionally consists of cell purchasing purposes and final mile supply.

Bhaskar Pratap is a Senior Software program Engineer with the Amazon SageMaker group. He’s obsessed with designing and constructing elegant programs that deliver machine studying to individuals’s fingertips. Moreover, he has intensive expertise with constructing scalable cloud storage providers.