
Set up projects within an Identity Center-based domain - Amazon SageMaker Unified Studio

Set up projects within an Identity Center-based domain

Projects in IAM-based domains provide isolated environments for data analytics and AI/ML development work. Each project has one IAM role for accessing data and resources, IAM and SSO credentials for login, and storage configurations. These configurations determine what resources and data project members can access from within the project. All members of a project within an IAM-based domain have the same access to data and compute. This access is managed through the execution IAM role for the project.

Projects within IAM-based domains require a project member and an execution IAM role:

  • Project member — An IAM role or user that provides access to the Amazon SageMaker Unified Studio project. For IAM, the role or user must have the SageMakerStudioUserIAMConsolePolicy managed policy attached, or equivalent permissions through another policy. Log in to Amazon SageMaker Unified Studio to view the projects that you have access to.

  • Execution IAM role — Defines which AWS analytics, AI, and ML service data the project can access. This role determines available data and resources in the portal. Amazon SageMaker Unified Studio assumes this role to make service calls on behalf of project users. The execution IAM role requires the SageMakerStudioUserIAMDefaultExecutionPolicy managed policy (or equivalent permissions) and a trust policy that allows Amazon SageMaker Unified Studio and related AWS services to assume the role.

Preparing IAM roles

Project Members

Execution IAM role

  • When Amazon SageMaker Unified Studio creates this role for you, the SageMakerStudioUserIAMDefaultExecutionPolicy managed policy is attached to it.

  • When you provide your own role, SageMakerStudioUserIAMConsolePolicy must be attached. An inline policy is needed to allow this role to pass itself to other services. A trust policy is needed to allow Amazon SageMaker Unified Studio and related services to assume this execution IAM role.

  • During project creation, the Amazon SageMaker Unified Studio service creates the project IAM role as a group profile and adds the group as a project member. An IAM role session user profile is created for the project IAM role. Any logic that depends on the project role being present as a user profile must be updated to handle its presence as a group profile. For more information about user profiles, see Managing users in Amazon SageMaker Unified Studio.
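As an added example (not code from the AWS documentation), the following Python builds the two policy documents described above for a role you provide yourself, a trust policy for the service and an inline policy that lets the role pass itself, and checks a hand-built pair for the usual mistakes; the account ID, the role name, and the datazone.amazonaws.com service principal are assumptions to replace with your own values.

```python
import json

# Constructed placeholders (not from the page): account ID and role name.
ACCOUNT_ID = "111122223333"
ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/ExampleUnifiedStudioExecutionRole"
# Assumed service principal for Amazon SageMaker Unified Studio; confirm it
# against the trust policy of a role the console auto-creates.
SERVICE_PRINCIPALS = ["datazone.amazonaws.com"]

def trust_policy(account_id, service_principals):
    """Trust policy: the named services may assume the role, only from this account."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": service_principals},
        "Action": "sts:AssumeRole",
        # Confused-deputy guard: reject assumptions triggered from other accounts.
        "Condition": {"StringEquals": {"aws:SourceAccount": account_id}},
    }]}

def self_passrole_policy(role_arn):
    """Inline policy letting the execution role pass itself to other services, and nothing else."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "iam:PassRole", "Resource": role_arn,
    }]}

def as_list(value):
    """IAM accepts a string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]

def check_execution_role(trust, inline, role_arn):
    """Return findings for common mistakes in a hand-built execution role."""
    findings = []
    for st in trust["Statement"]:
        principal = st.get("Principal", {})
        aws_principals = as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        if "*" in aws_principals:
            findings.append("trust policy allows any principal to assume the role")
        if "aws:SourceAccount" not in json.dumps(st.get("Condition", {})):
            findings.append("trust statement has no aws:SourceAccount condition")
    for st in inline["Statement"]:
        if "iam:PassRole" in as_list(st.get("Action", [])) and as_list(st.get("Resource")) != [role_arn]:
            findings.append("iam:PassRole is not scoped to the role's own ARN")
    return findings
```

Run the check against the trust and inline documents of an existing role (for example, as returned by `aws iam get-role` and `aws iam get-role-policy`) before attaching it to a project.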

Create a project in Amazon SageMaker Unified Studio

To create a project, complete the following procedure:

  1. From the domain administration page, choose Projects in the left navigation pane.

  2. Choose Create project.

  3. Enter a project name and description, and then choose Next.

  4. Select the Region.

  5. For Execution role, choose either Auto-create a new role with permissions or Use an existing role.

  6. For Storage, choose either to create a new Amazon S3 bucket or use an existing Amazon S3 bucket, and then choose Next.

  7. Add members to your project. Choose IAM or single sign-on users to add as members. You can assign up to 8 members at a time. You can add more members after the project is created.

  8. For each member, assign a Designation.

  9. Choose Create.

Note

Projects created through the domain administration portal for Identity Center-based domains do not allow you to specify a project profile. The default project profile is used, which provides access to Notebooks, Data Analytics, and AI/ML capabilities.