HomeBig Data
Big Data

Utilizing Amazon SageMaker Unified Studio Id heart (IDC) and IAM-based domains collectively

admin
By admin
0
27
Utilizing Amazon SageMaker Unified Studio Id heart (IDC) and IAM-based domains collectively


Amazon SageMaker Unified Studio now gives two area configurations: Amazon SageMaker Unified Studio Id Middle(IDC)-based domains with complete governance options, and Amazon SageMaker Unified Studio IAM-based domains with enhanced developer productiveness instruments.

On this put up, we display how you should utilize each of those area configurations of Amazon SageMaker Unified Studio utilizing AWS Id and Entry Administration (IAM) position reuse and attribute-based entry management.

How authentication works in every configuration

Amazon SageMaker Unified Studio IDC-based domains authenticate customers by way of AWS Id and Entry Administration (IAM) Id Middle with Single Signal-On, preserving particular person consumer identities all through their classes. These domains excel in governance with identity-based authorization, fine-grained entry controls between customers, and complete catalog administration that includes formal Writer/Subscriber (Pub/Sub) information sharing workflows with approval processes—supreme for enterprise environments requiring robust identification administration, compliance monitoring, and identity-based audit trails.

Amazon SageMaker Unified Studio IAM-based domains authenticate by way of federated AWS Id and Entry Administration (IAM) roles the place all customers accessing a undertaking share the identical position permissions. These domains prioritize developer productiveness with trendy instruments together with new serverless Notebooks, Athena Spark integration, the improved interface with vertical navigation, and built-in AI help, designed for improvement groups that want streamlined entry and superior analytics capabilities.

This answer facilitates organizations which might be already utilizing IDC-based domains to protect their present governance frameworks established in IDC-based domains whereas unlocking trendy improvement capabilities for his or her groups by way of IAM-based domains. If you happen to favor to make use of the newly launched IAM-based domains, you may proceed to do as nicely. The selection will depend on your organization’s wants.

Please word that on the time of penning this weblog, IAM-based domains don’t assist Trusted identification propagation. This answer makes use of the undertaking execution position to configure information entry.

The problem

Think about a information steward (Sam) makes use of the IDC-based area to outline information entry insurance policies, handle the info catalog, and approve subscription requests to confirm compliance and correct information governance.

However, a information engineer (Sarah), needs to make use of IDC-based area for governance options reminiscent of SageMaker catalog and IAM-based area for the brand new serverless Pocket book to construct information pipelines, carry out superior analytics, and speed up improvement cycles. Sarah will request entry to the info by way of IDC-based area, and as soon as entry is authorized by Sam, Sarah can entry this information in serverless pocket book obtainable in IAM-based area.

Answer overview

The combination leverages IAM position reuse, AWS Lake Formation Attribute-Based mostly Entry Management (ABAC) and Amazon SageMaker Catalog pub-sub mannequin to routinely carry permissions from the IDC-based area to the brand new IAM-based area. When correctly configured, information subscriptions managed by way of the IDC-based area’s Pub/Sub mannequin develop into instantly accessible in IAM-based area tasks, offering a unified information entry expertise.

The answer we are going to implement within the put up entails creating an IAM-based area undertaking that’s just like your IDC client undertaking (eg identical group members, use case) , configuring execution roles, and enabling position reuse. This method maintains the acquainted subscription workflow whereas extending advantages to the IAM-based area.The next diagram exhibits the high-level structure of how this method works.

The answer structure consists of:

  • Current IDC-based area: Incorporates producer and client tasks with established information sharing by way of Pub/Sub mannequin
  • IAM-based area: New tasks with federated and execution roles configured for contemporary improvement instruments
  • IAM Id Middle: Manages federated entry and permission units
  • Attribute-Based mostly Entry Management: Tags on execution roles allow automated permission inheritance

The answer gives 2 choices: Possibility 1: IDC-Based mostly Area undertaking position reuse gives the only integration path by straight reusing the prevailing client undertaking IAM position out of your IDC-based area because the execution position within the IAM-based area. The first advantages embrace simplified setup requiring solely coverage adjustments (lined later within the weblog), lowered administrative overhead with one much less position to handle and decrease danger of misconfiguration because you’re leveraging confirmed, present roles. Select Possibility 1 while you need the quickest implementation path, your group prefers minimal position proliferation, you’ve well-established IDC-based area roles that have already got information entry permissions, or your group has restricted IAM experience and desires to keep away from advanced tagging configurations.

Possibility 2: Creating a brand new execution position for the IAM-based area undertaking and use attribute-based entry management (ABAC) by way of tagging with the IDC-based area undertaking ID. The important thing advantages embrace enhanced auditability with two distinct roles (one for IDC-based area, one for IAM-based area), clear separation exhibiting which area generated every request in CloudTrail logs, larger flexibility to customise permissions particular to IAM-based area wants with out affecting IDC-based area operations, and higher safety isolation between the 2 area varieties. The `AmazonDatazoneProject` tag permits attribute based mostly entry management, whereas sustaining distinct position identities. Select Possibility 2 when: your group requires detailed audit trails distinguishing between area varieties, compliance insurance policies mandate separation of considerations between governance and improvement environments, you wish to observe and attribute prices individually for every area, or it’s essential present proof exhibiting which area (governance vs. improvement) accessed particular information sources for compliance reporting.

Right here is the high-level view of how the identification and area entities map to one another for each choices:

AWS IAM Identity Center integration with Amazon SageMaker diagram showing access flow from IdC Groups through Permission Sets to AWS SSO IAM Roles, connecting to SageMaker domains with two implementation options: Option 1 using identical IAM roles, or Option 2 using project-tagged execution roles

Stipulations

To comply with together with this put up, you need to have:

For this demonstration, we use a simplified setup with a gross sales producer undertaking and a advertising client undertaking that subscribes to those tables.

Understanding the present IDC-based area setup

Our place to begin features a well-established Amazon SageMaker Unified Studio IDC-based area construction:

Gross sales Producer Undertaking

  • Incorporates a database with pipeline and gross sales tables
  • Managed by Sam, the info steward who creates and publishes information belongings
  • Has its personal undertaking IAM position

Advertising Client Undertaking

  • Managed by Sarah, the info engineer who subscribes to revealed information by way of IDC area undertaking
  • Has its personal undertaking IAM position
  • Efficiently queries subscribed information by way of the IDC-based area interface

Every undertaking has an related IAM position that governs entry to information belongings, and the Pub/Sub mannequin manages subscription workflows and permissions.

Organising federated position by way of permission units

Federated roles by way of permission units are used to authenticate and supply customers with console entry to IAM-based domains by way of AWS IAM Id Middle, the place all customers inside a undertaking share the identical position permissions. While you assign a permission set, IAM Id Middle creates corresponding IAM Id Middle-controlled IAM position in AWS account, and attaches the insurance policies specified within the permission set to that position.

IAM-based SMUS domains allow streamlined entry to trendy improvement instruments (serverless Notebooks, Athena Spark, AI help) whereas sustaining governance, routinely propagating permissions throughout domains with out requiring duplicate entry approvals, and simplifying group member onboarding.You need to use any IAM position to entry IAM-based area. For this put up, we are going to use federated position choice utilizing AWS IAM Id Middle (IDC).

Grant entry to Information engineer group for IAM-based domains in Id Middle

1) Arrange federated position in AWS IAM Id Middle

Navigate to IAM Id Middle (IDC) within the AWS Administration Console, then full the next steps:

  1. Go to permission set part in IDC. Create a brand new permission set known as Advertising-federated-role and choose Connect Coverage.

AWS IAM Identity Center console screenshot displaying the marketing-federated-role permission set configuration page with provisioned status, 1-hour session duration, and empty AWS managed and customer managed policy sections with attach policy options.

  1. Seek for SageMakerStudioUserIAMConsolePolicy within the present coverage identify from checklist and choose SageMakerStudioUserIAMConsolePolicy from the checklist. Notice that the managed coverage SageMakerStudioUserIAMConsolePolicy have to be hooked up or have the identical permissions added by way of one other coverage to have the ability to entry tasks in a SageMaker IAM area.

AWS IAM Identity Center console screenshot showing AWS managed policies section with one attached SageMakerStudioUserIAMConsolePolicy and empty customer managed policies section with detach and attach policy options available.

  1. Go to the AWS account part of IDC.
  2. Assign the created permission set to your AWS account.

AWS IAM Identity Center console screenshot showing AWS accounts page in hierarchy view with organization o-9svtz1aavh, displaying Root organizational unit containing AWS account n.com with marketing-federated-role permission set assigned and assign users or groups option.

  1. For this put up we assigned the permission set to advertising group, As a greatest observe, you need to setup and grant entry to teams moderately than particular person customers.

AWS IAM Identity Center console screenshot showing marketing group details page with AWS accounts tab selected, displaying one AWS account access (management account amazon.com) with marketing-federated-role permission set applied.

  1. Add Sarah to advertising group.

AWS IAM Identity Center console screenshot showing marketing group's Users tab with one enabled member (user sarah, Display name: Sarah M) who inherits permissions to AWS accounts and Identity Center enabled applications.

This creates a federated position that Sarah can use to entry the IAM-based area. The federated position seems as an IAM position inside your account and serves because the entry level for console entry.

Organising IAM-based area execution position

There are 2 choices to setup execution position for IAM-based area undertaking. The execution position has a one-to-one mapping with the federated position.

Possibility 1 – IDC-based area Undertaking Function reuse

As a substitute of making a brand new execution position and tagging it, you may configure the IAM-based area undertaking to straight reuse the patron undertaking IAM position from the IDC-based area because the execution position. This feature solely wants coverage adjustments to the patron undertaking IAM position. To seek out the IDC-based area client undertaking IAM position:

  1. Navigate to the Amazon SageMaker Unified Studio IDC-based area portal.
  2. Open the Advertising Client Undertaking.
  3. Copy the undertaking position ARN from the undertaking overview web page.

Amazon DataZone project overview page displaying marketing-project details with active status, project ID 4tcycvm4c684rt, domain ID dzd-47supbt0i3jysp, All capabilities profile, Corp domain unit, Amazon S3 location in us-east-2, and project role ARN with up-to-date status.

  1. You have to to switch this execution position’s coverage with detailed directions supplied later within the weblog.

Organising IAM-based area undertaking for choice 1

To create an IAM-based area undertaking that may combine together with your present IDC-based area permissions, full the next steps:

  1. Log in to the AWS Console utilizing IAM-based area administrator.
  2. Navigate to Amazon SageMaker web page inside console.
  3. Select Open.

Amazon SageMaker landing page displaying "The center for data, analytics, and AI" with tagline about next-generation integrated analytics experience, serverless notebooks with built-in AI Agent, Amazon DataZone integration note, and call-to-action panel featuring "Get started with Amazon SageMaker Unified Studio" with Open button and View existing domains

  1. As soon as logged in to IAM-based area as admin, select Handle tasks.

Amazon SageMaker admin-project dashboard displaying left navigation menu with data analytics and AI/ML sections, quick-start cards for exploring data, building in notebooks, and discovering ML models, plus four sample data project templates: Customer usage analysis (3 mins), Customer segmentation (8 mins), Customer churn prediction (5 mins), and Retail sales forecasting (20 mins).

  1. Subsequent, click on on Create Undertaking.

Amazon DataZone Domain Administration Projects page showing "Projects (3)" with description about enabling IAM role-based access to AWS Analytics and AI/ML tools, search functionality to find projects, last refreshed timestamp, and green Create project button.

  1. Enter undertaking identify as “Advertising Client Undertaking”.

Amazon DataZone Create project dialog showing Step 1 "Enter Details" with required Project name field containing "Marketing Consumer Project" (1-64 characters, a-z, A-Z, 0-9, spaces, dashes, underscores allowed) and optional Description field with 0/2048 character count, followed by Step 2 "Assign roles".

  1. Throughout undertaking creation, choose the next essential roles after which select Create Undertaking:
  • Undertaking IAM Function: The advertising federated position created in IAM Id Middle above. That is the position within the member account that has a job identify with suffix AWSReservedSSO.
  • Undertaking Function: – Select undertaking position for information engineer, copied from choice 1.

Amazon SageMaker Unified Studio Create project dialog showing IAM role configuration with AWSReservedSSO_marketing-federated-role selected, blue alert requiring SageMakerStudioUserIAMConsolePolicy attachment, Execution role section with "Use an existing role" option selected, and datazone_usr_role_4tcycvm4c684rt_ajtckkwo2fnhyh IAM role specified with note that role is not editable after project creation

  1. Make coverage adjustments to this undertaking position as per the instruction on the SMUS UI web page.

Amazon SageMaker Unified Studio role selection interface showing "Use an existing role" option selected with IAM role datazone_usr_role_4tcycvm4c684rt_ajtckkwo2fnhyh, blue information box displaying required permissions including SageMakerStudioUserIAMDefaultExecutionPolicy managed policy, trust policy enabling Amazon SageMaker Unified Studio service assumption, and inline policy for role pass-through, with note that role is not editable after project creation.

Possibility 2 – Convey your personal execution position. 

To create an IAM-based area undertaking that may combine together with your present IDC-based area permissions., you will need to tag the execution position for permission propagation. Amazon SageMaker Catalog and AWS Lake Formation use attribute-based entry management, which suggests permissions may be inherited based mostly on useful resource tags. For this feature, you have to client undertaking ID.To seek out the IDC-based area client undertaking ID:

  1. Navigate to the Amazon SageMaker Unified Studio IDC-based area portal.
  2. Open the Advertising Client Undertaking.
  3. Copy the undertaking ID from the undertaking particulars.

Amazon SageMaker Unified Studio marketing-project overview page displaying navigation breadcrumb (Home > Projects > marketing-project > Project overview), left sidebar menu with Project overview, Data, Compute, Members, and Project catalog sections, Project files section listing 3 JupyterLab files (.libs.json, README.md, getting_started.ipynb) last modified November 18, 2025, Readme section with Welcome heading describing SageMaker Unified Studio, and Project details tab showing project name, ID, last modified date November 21, 2025, and Amazon S3 location.

Organising IAM-based area undertaking for choice 2

Full the next steps:

  1. Create one other undertaking with identify “Advertising Client Undertaking 2” within the IAM-based area whereas logged in as admin.
  2. Throughout undertaking creation, choose the next roles:
    1. Federated Function: The advertising federated position created in IAM Id Middle above.
    2. Execution Function: – Select execution position from choice 2.
  3. Make coverage adjustments to this execution position as per the instruction.

Amazon SageMaker Unified Studio role selection interface showing "Use an existing role" option selected with IAM role field containing "sagemaker-marketing-execution-role", blue information box displaying required permissions including SageMakerStudioUserIAMDefaultExecutionPolicy managed policy, trust policy enabling Amazon SageMaker Unified Studio and related services to assume the role, and inline policy allowing role pass-through to other services, with note that role is not editable after project creation

  1. Subsequent, navigate to the IAM console and find the execution position created in your IAM-based area client undertaking.
  2. Add the next tag, this step depends on ABAC insurance policies with projectId for subscriptions.
  • Key: AmazonDatazoneProject
  • Worth: The undertaking ID out of your Amazon SageMaker Unified Studio IDC-based area client undertaking

AWS IAM console displaying sagemaker-marketing-execution-role details page with Summary section showing creation date November 18, 2025, last activity 3 days ago, ARN arn:aws:iam::role/sagemaker-marketing-execution-role, 1-hour maximum session duration, five tabs (Permissions, Trust relationships, Tags (1), Last Accessed, Revoke sessions), and Tags section displaying one tag with Key "AmazonDataZoneProject" and Value "4tcycvm4c684rt" with Delete, Edit, and Manage tags buttons available.

This tag configuration leads to information entry grant from IDC-based area client undertaking to the IAM-based area undertaking execution position.

Confirm information entry within the IAM-based area

After tagging the execution position, confirm that permissions are arrange appropriately.Full the next steps:

  1. Use the SSO URL to log into the SSO Id Middle as Sarah.

AWS IAM Identity Center Dashboard displaying left navigation menu with Dashboard, Users, Groups, Settings, Multi-account permissions (AWS accounts, Permission sets), and Application assignments sections; central management panel showing service control policies guidance with yellow warning banner about member account instances and CloudTrail monitoring section; IAM Identity Center setup area with three action cards for confirming identity source, managing multi-account permissions, and setting up application assignments; right panel Settings summary showing Identity Center directory as identity source, us-east-2 region, organization ID o-9svtz1aavh, AWS access portal URL, and issuer URL; What's new section highlighting customer-managed KMS keys support and Amazon SageMaker Studio user background sessions; Related consoles links to CloudTrail, AWS Organizations, and IAM.

  1. Open the AWS console utilizing federated position created earlier in setting federated position part.
  2. Navigate to Amazon SageMaker.
  3. Select Amazon SageMaker Unified Studio IAM-based area choice (this can present up if undertaking is already created with federated position).

Amazon SageMaker Unified Studio marketing-project dashboard displaying left navigation menu with Overview, Files, Data, Connections, Code (Notebooks, JupyterLab), Data analytics (Query Editor, Visual ETL, Data processing jobs), and AI/ML sections (Models, MLflow, Training jobs, Inference endpoints); main content area showing "Jump into your data and models" with three quick-start cards (Explore your data, Build in the notebook, Discover ML models) and four sample data projects: Retail sales forecasting (20 mins), Customer churn prediction (5 mins), Customer segmentation (8 mins), and Customer usage analysis (3 mins); top-right panel displaying account details with us-east-2 region, federated user aws-reserved/sarah, and execution role sagemaker-marketing-execution-role.

  1. Within the Amazon SageMaker Unified Studio IAM-based area undertaking, navigate to the Information tab. If you happen to created 2 tasks with each choice 1 and choice 2 execution position, then 2 tasks will present up and you’ll login to both to validate information entry.

Amazon SageMaker Unified Studio data explorer interface displaying SQL query "SELECT * FROM glue_db_6doxdp1wuy165l.sales_table LIMIT 100" executed via Athena in 6 seconds, showing six columns (ord_num, sales_qty_sld, wholesale_cost, lst_pr, sell_pr, disnt) with green distribution histograms above data preview table containing six sample sales records with order numbers ranging from 46776931 to 146776932, left navigation showing AwsDataCatalog database structure with glue_db_6doxdp1wuy165l containing pipeline_table and sales_table, last saved 2 minutes ago.

  1. Confirm that the patron database and subscribed tables seem.

Create and use the brand new serverless notebooks

With permissions correctly configured, now you can use IAM-based area capabilities like serverless Notebooks. Full the next steps:

  1. Within the Amazon SageMaker Unified Studio IAM-based area undertaking, choose a desk from the Information tab.
  2. Select Create pocket book.
  3. The Pocket book opens with Athena SQL because the default cell sort.
  4. Write and run queries towards your subscribed information.

Amazon SageMaker Unified Studio marketing-project notebook displaying sales_table data from 2025-11-18 21:42:01, left Data explorer showing AwsDataCatalog with glue_db_6doxdp1wuyi65l database containing pipeline_table and sales_table, main data table showing 11 rows with columns (ord_num, sales_qty_sld, wholesale_cost, lst_pr, sell_pr, disnt) displaying rows 4-9 on page 1 of 2, Python PySpark SQL query "SELECT * FROM 'glue_db_6doxdp1wuyi65l'.'pipeline_table' LIMIT 100" executed in 27 seconds, and Filters section displaying distribution histograms for all numerical columns.

The pocket book runs with the execution position’s permissions, which now embrace entry to all information subscribed by way of the IDC-based area.

Key advantages of this integration

This integration method delivers a number of essential benefits:

Protect present investments

  • Proceed utilizing IDC-based area governance and catalogs.
  • Preserve established Pub/Sub workflows.
  • No migration required for present information belongings.

Get trendy capabilities

  • Present builders with the brand new serverless Notebooks.
  • Entry Athena Spark for superior analytics.
  • Supplies improved consumer expertise and navigation.

Simplified permission administration

  • Single subscription workflow manages entry throughout each domains.
  • Constant information entry by way of position reuse and attribute-based entry management.
  • No duplicate entry requests or approvals wanted.

Unified information expertise

  • Builders entry all subscribed information from one interface.
  • Constant information catalog throughout domains.
  • Simplified onboarding for brand spanking new group members.

Cleanup

Full the next steps to delete the sources you created:

  1. Delete the serverless Notebooks created within the IAM-based area tasks.
  2. Delete the IAM-based area tasks (Advertising Client Undertaking and Advertising Client Undertaking 2).
  3. Take away the permission set project from advertising group in IAM Id Middle.
  4. Delete the Advertising-federated-role permission set in IAM Id Middle.
  5. Take away the tags (AmazonDatazoneProject) from the execution position (if utilizing Possibility 2).
  6. Delete the execution position created for the IAM-based area (if utilizing Possibility 2 and never reusing the IDC-based area undertaking position).
  7. Revert any coverage adjustments made to the IDC-based area client undertaking IAM position (if utilizing Possibility 1).
  8. If you don’t want the IAM-based area anymore, delete it.
  9. If you happen to created any check information subscriptions within the IDC-based area, take away them.

Conclusion

On this put up, we demonstrated learn how to entry Amazon SageMaker Unified Studio IDC-based area with the brand new IAM-based area utilizing position reuse and attribute-based entry management. This setup gives information engineers the most effective of each worlds: entry to specialised trendy improvement instruments—together with the brand new serverless Notebooks, Athena Spark integration, and built-in AI help , whereas sustaining correct governance that features complete catalog administration and strong safety controls established within the IDC-based area.Now you can confidently undertake Amazon SageMaker Unified Studio IAM-based area capabilities realizing their established information governance, subscription workflows, and entry controls stay intact and proceed to perform as anticipated.

Able to get began with Amazon SageMaker Unified Studio and unlock the facility of built-in governance and trendy improvement instruments in your group? Go to the Amazon SageMaker Unified Studio documentation to be taught extra and start your implementation in the present day.

Concerning the authors

Praveen Kumar

Praveen Kumar

Praveen is a Principal Analytics Options Architect at AWS with experience in designing, constructing, and implementing trendy information and analytics platforms utilizing cloud-based providers. His areas of curiosity are serverless expertise, information governance, and data-driven AI purposes.

Durga Mishra

Durga Mishra

Durga is a Principal Information and AI options structure strategist at AWS . Exterior of labor, Durga enjoys constructing new issues and spending time with household. He likes to hike on Appalachian trails and spend time in nature.

Joel

Joel Farvault

Joel is a Principal Specialist SA Analytics for AWS with 25 years’ expertise engaged on enterprise structure, information governance and analytics. He makes use of his expertise to advise prospects on their information technique and expertise foundations.

author name

Satish Sarapuri

Satish is a Sr. Information Architect for Information Mesh/Information Lake/Gen AI at AWS. He helps enterprise-level prospects construct generative AI, information mesh, information lake, and analytics platform options on AWS to assist them make data-driven choices and acquire impactful outcomes for his or her enterprise. In his spare time, he enjoys path operating and spending high quality time along with his household.

author name

Leonardo Gomez

Leonardo is a Principal Analytics Specialist Options Architect at AWS. He has over a decade of expertise in information administration, serving to prospects across the globe tackle their enterprise and technical wants.

Previous article
Is AI killing open supply?
Next article
The MAGA court docket determination that simply supercharged ICE, Buenrostro-Mendez v. Bondi
admin
adminhttps://www.imgsure.com

Related Articles

LEAVE A REPLY

Please enter your comment!
Please enter your name here

Latest Articles

Load more

Imgsure is your health, beauty and tech related website. We provide you with the latest breaking news and videos straight from these topics.

© Copyright 2024 - imgsure.com. All rights reserved.