Enable single sign-on access of Amazon SageMaker Canvas using AWS IAM Identity Center: Part 2
Amazon SageMaker Canvas allows you to use machine learning (ML) to generate predictions without having to write any code. It does so by covering the end-to-end ML workflow: whether you’re looking for powerful data preparation and AutoML, managed endpoint deployment, simplified MLOps capabilities, or the ability to configure foundation models for generative AI, SageMaker Canvas can help you achieve your goals.
To enable agility for your users while ensuring secure environments, you can adopt single sign-on (SSO) using AWS IAM Identity Center, which is the recommended AWS service for managing user access to AWS resources. With IAM Identity Center, you can create or connect workforce users and centrally manage their access across all their AWS accounts and applications.
Part 1 of this series describes the necessary steps to configure SSO for SageMaker Canvas using IAM Identity Center for Amazon SageMaker Studio Classic.
In this post, we walk you through the necessary steps to configure SSO for SageMaker Canvas using IAM Identity Center for the updated Amazon SageMaker Studio. Your users can seamlessly access SageMaker Canvas with their credentials from IAM Identity Center without having to first go through the AWS Management Console. We also demonstrate how you can streamline user management with IAM Identity Center.
Solution overview
To configure SSO from IAM Identity Center, you need to complete the following steps:
- Enable IAM Identity Center using AWS Organizations
- Create a SageMaker Studio domain that uses IAM Identity Center for user authentication
- Create users or groups in IAM Identity Center
- Add users or groups to the SageMaker Studio domain
We will also show how you can rename the SageMaker Studio application to clearly identify it as SageMaker Canvas, and how you can access it using IAM Identity Center.
Enable IAM Identity Center
Follow these steps to connect SageMaker Canvas to IAM Identity Center:
- On the IAM Identity Center console, choose Enable.
- Choose Enable with AWS Organizations.
- Choose Edit to add an instance name.
- Enter a name for your instance (for this post, canvas-app).
- Choose Save changes.
Create the SageMaker Studio domain
In this section, we create a SageMaker Studio domain and configure the authentication method as IAM Identity Center. Complete the following steps:
- On the SageMaker console, choose Domains.
- Choose Create domain.
- Choose Set up for organizations.
- Choose Set up.
- Enter a domain name of your choice (for this post, canvas-domain).
- Choose Next.
- Select AWS Identity Center.
- Choose Create a new role.
- Select the SageMaker Canvas permissions that you want to grant.
For more details about permissions, see Users and ML Activities.
- Specify one or more Amazon Simple Storage Service (Amazon S3) buckets.
- Choose Next.
- Select SageMaker Studio – New.
- Choose Next.
Next, you can provide VPC details for your network configuration.
- For this post, we select Public internet access.
- Choose your VPC, subnets, and security groups.
- Choose Next.
- Keep the default storage configuration and choose Next.
- Choose Submit.
Wait for the SageMaker domain status to change to InService.
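A check you can run once the domain exists, added here as an example and not part of the original post: it reads the JSON returned by aws sagemaker describe-domain and confirms the settings chosen in the steps above (InService status, IAM Identity Center authentication, network access type, execution role). The sample document is constructed, its IDs and role ARN are placeholders, and review_domain is a hypothetical helper name.

```python
import json

# Constructed sample of `aws sagemaker describe-domain` output, trimmed to the
# fields read below. The domain ID, VPC, subnet and role ARN are placeholders.
SAMPLE_DOMAIN = json.loads("""
{
  "DomainId": "d-EXAMPLE",
  "DomainName": "canvas-domain",
  "Status": "InService",
  "AuthMode": "SSO",
  "AppNetworkAccessType": "PublicInternetOnly",
  "VpcId": "vpc-EXAMPLE",
  "SubnetIds": ["subnet-EXAMPLE"],
  "DefaultUserSettings": {
    "ExecutionRole": "arn:aws:iam::111122223333:role/EXAMPLE-canvas-role"
  }
}
""")


def review_domain(domain):
    """Return (severity, message) findings for one describe-domain result."""
    findings = []
    name = domain.get("DomainName", "<unnamed>")

    status = domain.get("Status")
    if status != "InService":
        findings.append(("BLOCK", f"{name}: status is {status}; wait for InService"))

    auth = domain.get("AuthMode")
    if auth != "SSO":
        # "IAM" here means users sign in through the console, not Identity Center.
        findings.append(("FAIL", f"{name}: AuthMode is {auth}, expected SSO"))

    # "Public internet access" in the console is PublicInternetOnly in the API.
    if domain.get("AppNetworkAccessType") != "VpcOnly":
        findings.append(("WARN", f"{name}: apps have direct internet access; "
                                 "use VpcOnly to route traffic through your VPC"))

    if not domain.get("DefaultUserSettings", {}).get("ExecutionRole"):
        findings.append(("FAIL", f"{name}: no default execution role set"))
    return findings


if __name__ == "__main__":
    for severity, message in review_domain(SAMPLE_DOMAIN):
        print(severity, message)
```

The domain built in this post produces a single WARN, because Public internet access was selected in the network step.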
Rename the SageMaker Studio application
Before we create a user, let’s rename the SageMaker Studio application. This will allow users to quickly identify the SageMaker Canvas application when they log in through IAM Identity Center, where they might have access to multiple applications.
- On the IAM Identity Center console, choose Applications.
- Choose the SageMaker Studio application on the AWS managed tab.
- Choose Edit details on the Actions menu.
- For Display name, enter a name (for this post, Canvas).
- For Description, enter a description.
- Choose Save changes.
Create a user in IAM Identity Center
Now you can create users, and optionally, groups, that will be given access to SageMaker Canvas. For this post, we create a single user to demonstrate the process to provide access. However, groups are generally preferred for better user management, and to provision access in organizations.
A user group is a collection of users. Groups let you specify permissions for multiple users, which can make it more straightforward to manage the permissions for those users. For example, you could have a user group called business analysts and give that user group permission to SageMaker Canvas; all users in that group will have SageMaker Canvas access. If a new user joins your organization and needs access to SageMaker Canvas, you can add the user to the business analyst group. If a person changes jobs in your organization, instead of editing that user’s permissions, you can remove them from the old user groups and add them to the appropriate new user groups.
Complete the following steps to create a user in IAM Identity Center to test the SageMaker Canvas application access:
- On the IAM Identity Center console, choose Users in the navigation pane.
- Choose Add user.
- Provide required details such as the user name, email address, first name, and last name.
- Choose Next.
- Choose Add user.
You see a success message that the user has been added successfully.
Add users to the SageMaker Studio domain
You need to add this user to the SageMaker domain you created. If you’re using groups, then you add the group, not just a single user.
- On the SageMaker console, choose Domains in the navigation pane.
- Choose the domain you created.
- Choose Assign users and groups.
- On the Users tab, select the user you created.
- Choose Assign users and groups.
Access the SageMaker Canvas application from IAM Identity Center
The user will receive an email with a link to set up a password and instructions to connect to the AWS access portal. The link will be valid for up to 7 days.
When the user receives the email, they must complete the following steps to gain access to SageMaker Canvas:
- Choose Accept invitation from the email.
- Set a new password to access SageMaker Canvas in the specified account and domain.
After authentication has been performed, the user has three options to log in to SageMaker Canvas:
- Option 1 – Access from SageMaker Studio through the IAM Identity Center portal
- Option 2 – Access from SageMaker Canvas through the IAM Identity Center portal, bypassing SageMaker Studio
- Option 3 – Use the IAM Identity Center portal link in IAM Identity Center to access SageMaker Canvas
We go through each of these options in this section.
Option 1
In the first option, the user first accesses SageMaker Studio to access SageMaker Canvas. This option is appropriate for users that should be able to access all relevant applications from SageMaker Studio, including SageMaker Canvas.
- Navigate to the AWS access portal URL from your email.
- Log in with the credentials you set for the user.
You will see the application name you configured earlier.
- Choose the SageMaker Canvas application.
You’re redirected to SageMaker Studio.
- Choose Run Canvas.
- Choose Open Canvas.
You’re redirected to SageMaker Canvas.
Option 2
In this option, the user still goes through the IAM Identity Center portal, but bypasses SageMaker Studio to go straight into SageMaker Canvas. This option should be used when access to SageMaker Studio is not needed, because the user’s SageMaker login will always take them directly to SageMaker Canvas.
- On the SageMaker console, choose Domains in the navigation pane.
- Note down the SageMaker domain ID.
- Open AWS CloudShell or any other CLI and run the following command, providing your domain ID. This command updates the default landing application for the SageMaker domain from SageMaker Studio to SageMaker Canvas:
You will see the following response if the command runs successfully.
- Navigate to the AWS access portal URL from your email.
- Log in with the credentials you set for the user.
- Choose the SageMaker Canvas application.
This time you’re redirected to SageMaker Canvas, bypassing SageMaker Studio.
Option 3
If the default landing application for the SageMaker domain has been updated from SageMaker Studio to SageMaker Canvas in Option 2, a user can also use the IAM Identity Center portal link to access SageMaker Canvas. To do so, choose the AWS access portal URL shown in the identity source on the IAM Identity Center console. You can use this URL as a browser bookmark, or integrate it with your custom application for direct SageMaker Canvas access.
Clean up
To avoid incurring future session charges, log out of SageMaker Canvas.
Conclusion
In this post, we discussed how users can securely access SageMaker Canvas using SSO. To do this, we configured IAM Identity Center and linked it to the SageMaker domain where SageMaker Canvas is used. Users are now one click away from using SageMaker Canvas and solving new challenges with no-code ML. This approach supports the secure environment requirements of cloud engineering and security teams, while allowing for the agility and independence of development teams.
To learn more about SageMaker Canvas, check out Announcing Amazon SageMaker Canvas – a Visual, No Code Machine Learning Capability for Business Analysts. SageMaker Canvas also enables collaboration with data science teams. To learn more, see Build, Share, Deploy: how business analysts and data scientists achieve faster time-to-market using no-code ML and Amazon SageMaker Canvas. For IT administrators, we suggest checking out Setting up and managing Amazon SageMaker Canvas (for IT administrators).
About the Authors
Dhiraj Thakur is a Solutions Architect with Amazon Web Services. He works with AWS customers and partners to provide guidance on enterprise cloud adoption, migration, and strategy. He’s passionate about technology and enjoys building and experimenting in the analytics and AI/ML space.
Dan Sinnreich is a Senior Product Manager at AWS, helping democratize ML with low-code/no-code innovations. Previous to AWS, Dan built and commercialized SaaS platforms and time series risk models used by institutional investors to manage risk and optimize investment portfolios. Outside of work, he can be found playing hockey, scuba diving, and reading science fiction.