# Data discovery, subscription, and consumption In Amazon SageMaker Unified Studio, after an asset is published to a domain, subscribers can discover and request a subscription to this asset. The subscription process begins with a subscriber searching for and browsing the catalog to find an asset they want. In the Amazon SageMaker Catalog, they subscribe to the asset by submitting a subscription request that includes justification and the reason for the request. The owner of the asset reviews the request. They can either approve or reject the request. After a subscription is granted, a fulfillment process starts to facilitate access to the asset for the subscriber. There are two primary modes of asset access control and fulfillment: those for Amazon SageMaker Unified Studio managed assets and those for assets that are not managed by Amazon SageMaker Unified Studio. + **Managed assets** – Amazon SageMaker Unified Studio can manage fulfillment and permissions for managed assets, such as AWS Glue tables and Amazon Redshift tables and views. + **Unmanaged assets** – Amazon SageMaker Unified Studio publishes standard events related to your actions (for example, approval given to a subscription request to Amazon EventBridge). You can use these standard events to integrate with other AWS services or third-party solutions for custom integrations. **Topics** + [ # Search for and view assets in the Amazon SageMaker Unified Studio catalog ](search-for-data.md) + [ # Request subscription to assets in Amazon SageMaker Unified Studio ](subscribe-to-data-assets-managed.md) + [ # Approve or reject a subscription request in Amazon SageMaker Unified Studio ](approve-reject-subscription-request.md) + [ # Revoke an existing subscription in Amazon SageMaker Unified Studio ](revoke-subscription.md) + [ # Cancel a subscription request in Amazon SageMaker Unified Studio ](cancel-subscription-request.md) + [ # Unsubscribe from an asset in Amazon SageMaker Unified Studio ](unsubscribe-from-subscription.md) + [ # Grant access to managed AWS Glue Data Catalog assets in Amazon SageMaker Unified Studio ](grant-access-to-glue-asset.md) + [ # Grant access to managed Amazon Redshift assets in Amazon SageMaker Unified Studio ](grant-access-to-redshift-asset.md) + [ # Grant access for approved subscriptions to unmanaged assets in Amazon SageMaker Unified Studio ](grant-access-to-unmanaged-asset.md) + [ # Metadata enforcement rules for subscription requests ](metadata-rules-subscription.md) # Search for and view assets in the Amazon SageMaker Unified Studio catalog Search for and view assets in the catalog Amazon SageMaker Unified Studio provides a streamlined way to search for data. Any Amazon SageMaker Unified Studio user with permissions to access Amazon SageMaker Unified Studio can search for assets in the Amazon SageMaker Unified Studio catalog and view asset names and the metadata assigned to them. You can take a closer look at an asset by examining its details page. **Note** To view the actual data that an asset contains, you must first subscribe to the asset and have your subscription request approved and access granted. **To search for assets in the catalog** 1. Navigate to Amazon SageMaker Unified Studio using the URL from your admin and log in using your SSO or AWS credentials. 1. Navigate to the **Discover** menu in the top navigation bar. 1. Choose **Data catalog**. 1. Find the asset that you want to subscribe to by browsing or entering the name of the asset into the search bar. You can apply filters to narrow the results. The filters include asset type, source account, the AWS Region to which the asset belongs, date range, and custom metadata filters. To add a custom metadata filter, choose **Add Filter** at the bottom of the filters panel. You can filter by asset name, description, or metadata form fields. For metadata form filters, select the form, field, and operator (`contains` for string fields; `equals`, `greater than`, or `less than` for numeric fields). Enter a value and choose **Apply**. You can combine multiple custom filters. Filter selections persist in your browser by using local storage. Only fields that are marked as searchable (strings) or sortable (numerics) are available for filtering. 1. To view details about a specific asset, choose the asset to open its details page. The details page includes the following information: + The asset name and type. + A description of the asset. + The current published revision of the asset, the owner, whether approval is required for subscriptions, and update history. + A **Business metadata** tab which includes glossary terms and metadata forms. + A **Subscription requests** tab which includes a list of subscribers to the domain. + A **Lineage** tab which displays a chart of past revisions of the asset. # Request subscription to assets in Amazon SageMaker Unified Studio Request subscription to assets Amazon SageMaker Unified Studio allows you to find, access and consume the assets in the Amazon SageMaker Unified Studio catalog. When you find an asset in the catalog that you want to access, you need to *subscribe* to the asset, which creates a subscription request. An approver can then approve or request your request. You must be a member of a project in order to request subscription to an asset within that project. **To subscribe to an asset** 1. Navigate to Amazon SageMaker Unified Studio using the URL from your admin and log in using your SSO or AWS credentials. 1. Navigate to the **Discover** menu in the top navigation bar. 1. Choose **Data catalog**. 1. Find the asset you want to subscribe to by browsing or typing the name of the asset into the search bar. 1. Choose the asset to which you want to subscribe, and then choose **Subscribe**. 1. In the **Subscribe** pop-up window, provide the following information: + The project that you want to subscribe to the asset. + A short justification for your subscription request. 1. Choose **Request**. The project will be subscribed to the asset when the publisher approves your request. To view the status of the subscription request, locate and choose the project with which you subscribed to the asset. Choose **Subscription requests** from the project left side navigation, then choose the **Outgoing requests** tab. This page lists the assets to which the project has requested access. You can filter the list by the status of the request. # Approve or reject a subscription request in Amazon SageMaker Unified Studio Approve or reject a subscription request Amazon SageMaker Unified Studio allows you to find, access and consume the assets in the Amazon SageMaker Unified Studio catalog. When you find an asset in the catalog that you want to access, you must *subscribe* to the asset, which creates a subscription request. An approver can then approve or reject your request. You must be a member of the owning project (the project that published the asset) to approve or reject a subscription request. **To approve or reject a subscription request** 1. Navigate to Amazon SageMaker Unified Studio using the URL from your admin and log in using your SSO or AWS credentials. 1. Navigate to the project that contains the asset that has a subscription request. You can do this by using the center menu at the top of the page and choosing **Browse all projects**, then choosing the name of the project that you want to navigate to. 1. Under **Project catalog**, choose **Subscription requests**. 1. Choose the **Incoming requests** tab. 1. Locate the request and choose **View request**. You can filter by **Requested** to see only requests that are still open. 1. Review the subscription request and reason for access, and decide whether to approve or reject it. 1. To approve, select between the two options: + **Full access**: If you choose to approve the subscription with full access option, the subscriber will get access to all the rows and columns in your data asset. + **Approve with row and column filters**: To limit access to specific rows and columns of data, you can choose the option to approve with row and column filters. For more information, see [Fine-grained access control to data](fine-grained-access-control.md). + Select **Choose filters**, and then from the drop down select one or more available filters you want to apply to the subscription. + To create a new filter you can choose Create new filter option, which opens a new page to create a new row or column filter. For more information, see [Create column filters in Amazon SageMaker Unified Studio](create-column-filter.md) and [Create row filters in Amazon SageMaker Unified Studio](create-row-filter.md). 1. (Optional) Enter a response that explains your reason for accepting or rejecting the request. 1. Choose either **Approve** or **Reject**. As the project owner, you can revoke the subscription at any time. For more information, see [Revoke an existing subscription in Amazon SageMaker Unified Studio](revoke-subscription.md). **Note** Amazon SageMaker Unified Studio supports fine-grained access control for AWS Glue tables, Amazon Redshift tables, and Amazon Redshift views. ## Automatic approval of subscription requests By default, subscription requests to a published asset require manual approval by a data owner. However, Amazon SageMaker Unified Studio supports two scenarios where subscription requests can be automatically approved: + Approval disabled during asset publishing - when publishing a data asset, you can choose to not require subscription approval. In this case, all incoming subscription requests to that asset are automatically approved. To learn how to disable approval for an asset, see [Publish assets to the Amazon SageMaker Unified Studio catalog from the project inventory](publishing-data-asset.md) . + Requester is an owner or contributor in the project that published the asset - a subscription request is also automatically approved if the requester is already authorized to approve it manually. Specifically, if they are a member of both the project that published the asset and the project requesting access. To qualify for auto-approval: + The requester must be listed as an owner or contributor in the project where the asset was originally published. + The requester must also be listed as an owner or contributor in the project making the subscription request. This ensures that auto-approval only occurs when the requester has visibility and permissions in both projects — the one sharing the asset and the one requesting access. If the requester meets both conditions, the system auto-approves the request. # Revoke an existing subscription in Amazon SageMaker Unified Studio Revoke an existing subscription Amazon SageMaker Unified Studio allows you to find, access and consume the assets in the Amazon SageMaker Unified Studio catalog. When you find an asset in the catalog that you want to access, you need to *subscribe* to the asset, which creates a subscription request. An approver can then approve or request your request. You might need to revoke a subscription after you have approved it, either because the approval was a mistake, or because the subscriber no longer needs access to the asset. You must be a member of the owning project (the project that published the asset) to revoke a subscription. **To revoke a subscription** 1. Navigate to Amazon SageMaker Unified Studio using the URL from your admin and log in using your SSO or AWS credentials. 1. Navigate to the project that contains the asset that has a subscription request. You can do this by using the center menu at the top of the page and choosing **Browse all projects**, then choosing the name of the project that you want to navigate to. 1. Under **Project catalog**, choose **Subscription requests**. 1. Choose the **Incoming requests** tab. 1. Locate the subscription you want to revoke and choose **View subscription**. 1. (Optional) Enable the checkbox to allow the subscriber to keep the asset in the project's subscription targets. A subscription target is a reference to a set of resources where subscribed data can be made available within an environment. If you want to revoke access to the asset from the subscription target at a later time, you must do so in AWS Lake Formation. 1. Choose **Revoke subscription**. You can't re-approve a subscription after you revoke it. The subscriber must request a subscription to the asset again in order for you to approve it. # Cancel a subscription request in Amazon SageMaker Unified Studio Cancel a subscription request Amazon SageMaker Unified Studio allows you to find, access and consume the assets in the Amazon SageMaker Unified Studio catalog. When you find an asset in the catalog that you want to access, you need to *subscribe* to the asset, which creates a subscription request. An approver can then approve or request your request. You might need to cancel a pending subscription request, either because you submitted it by mistake, or because you no longer need read access to the asset. To cancel a subscription request, you must be either a project owner or contributor. **To cancel a subscription request** 1. Navigate to Amazon SageMaker Unified Studio using the URL from your admin and log in using your SSO or AWS credentials. 1. Navigate to the project that contains the asset that has a subscription request. You can do this by using the center menu at the top of the page and choosing **Browse all projects**, then choosing the name of the project that you want to navigate to. 1. Under **Project catalog**, choose **Subscription requests**. 1. Choose the **Outgoing requests** tab. 1. Filter by **Requested** to see only requests that are still pending. 1. Locate the request and choose **View request**. 1. Review the subscription request and choose **Cancel request**. If you want to re-subscribe to the asset (or to a different asset), see [Request subscription to assets in Amazon SageMaker Unified Studio](subscribe-to-data-assets-managed.md). # Unsubscribe from an asset in Amazon SageMaker Unified Studio Unsubscribe from an asset Amazon SageMaker Unified Studio allows you to find, access and consume the assets in the Amazon SageMaker Unified Studio catalog. When you find an asset in the catalog that you want to access, you need to *subscribe* to the asset, which creates a subscription request. An approver can then approve or request your request. You might need to unsubscribe from an asset, either because you subscribed by mistake and were approved, or because you no longer need read access to the asset. You must be a member of a project in order to unsubscribe from one of its assets. **To unsubscribe from an asset** 1. Navigate to Amazon SageMaker Unified Studio using the URL from your admin and log in using your SSO or AWS credentials. 1. Navigate to the project that contains the asset that has a subscription request. You can do this by using the center menu at the top of the page and choosing **Browse all projects**, then choosing the name of the project that you want to navigate to. 1. Under **Project catalog**, choose **Subscription requests**. 1. Choose the **Outgoing requests** tab. 1. Filter by **Approved** to see only requests that have been approved. 1. Locate the request and choose **View subscription**. 1. Review the subscription and choose **Unsubscribe**. If you want to re-subscribe to the asset (or to a different asset), see [Request subscription to assets in Amazon SageMaker Unified Studio](subscribe-to-data-assets-managed.md). # Grant access to managed AWS Glue Data Catalog assets in Amazon SageMaker Unified Studio Grant access to managed AWS Glue Data Catalog assets **Note** Access management for the AWS Glue Data Catalog assets using the AWS Lake Formation LF-TBAC method is not supported. Support for cross-Region sharing of assets in AWS Glue Data Catalog is not supported. Support for cross-account sharing of assets in a federated catalog within AWS Glue Data Catalog is not supported. When a subscription request to managed AWS Glue Data Catalog assets is approved, Amazon SageMaker Unified Studio grants and manages access to the approved AWS Glue Data Catalog tables on your behalf through AWS Lake Formation. For the subscriber project, assets that are granted appear in the AWS Glue Data Catalog as resources in your account. You can then use Amazon Athena, Amazon Redshift, or Spark to query the tables. For Amazon SageMaker Unified Studio to be able to grant access to AWS Glue Data Catalog tables, the following conditions must be met. + The AWS Glue table must be Lake Formation-managed since Amazon SageMaker Unified Studio grants access by managing Lake Formation permissions. + The IAM role of the project that has published the asset to the Amazon SageMaker Catalog must have the following AWS Lake Formation permissions: + `DESCRIBE` and `DESCRIBE GRANTABLE` permissions on the AWS Glue database that contains the published table. + `DESCRIBE`, `SELECT`, `DESCRIBE GRANTABLE`, `SELECT GRANTABLE` permissions in Lake Formation on the published table itself. For more information, see [Granting and revoking permissions on catalog resources](https://docs.aws.amazon.com/lake-formation/latest/dg/granting-catalog-permissions.html) in the *AWS Lake Formation Developer Guide*. # Grant access to managed Amazon Redshift assets in Amazon SageMaker Unified Studio Grant access to managed Amazon Redshift assets When a subscription to an Amazon Redshift table or view is approved, Amazon SageMaker Unified Studio can automatically add the subscribed asset to the Amazon Redshift Serverless workgroup created for the project, so that members of the project can query the data using the Amazon Redshift query editor link within the project. Under the hood, Amazon SageMaker Unified Studio creates the necessary grants and datashares. The process of granting access varies depending on where the source database (publisher) and the target database (subscriber) are located. + Same cluster, same database - if data must be shared within the same database, Amazon SageMaker Unified Studio grants permissions directly on the source table. + Same cluster, different database - if data must be shared across two databases within the same cluster, Amazon SageMaker Unified Studio creates a view in the target database and permissions are granted on the created view. + Same account different cluster - Amazon SageMaker Unified Studio creates a datashare between the source and target cluster and creates a view on top of the shared table. Permissions are granted on the view. + Cross-account - same as above but an additional step is required to authorize cross-account datashare on the producer cluster side and another step to associate the data share on consumer cluster side. Make sure that your publishing and subscribing Amazon Redshift clusters meet all requirements for Amazon Redshift datashares. For more information, see [Data sharing in Amazon Redshift](https://docs.aws.amazon.com/redshift/latest/dg/datashare-overview.html) in the Amazon Redshift Developer Guide. **Note** Cross-Region data sharing using Amazon Redshift is not supported. # Grant access for approved subscriptions to unmanaged assets in Amazon SageMaker Unified Studio Grant access for approved subscriptions to unmanaged assets Amazon SageMaker Unified Studio enables users to publish any type of asset in the Amazon SageMaker Catalog. For some of these assets, Amazon SageMaker Unified Studio can can automatically manage access grants. These assets are called **managed assets** and include Lake Formation-managed AWS Glue Data Catalog tables and Amazon Redshift tables and views. All other assets to which Amazon SageMaker Unified Studio can't automatically grant subscriptions are called **unmanaged**. Amazon SageMaker Unified Studio provides a path for you to manage access grants for your unmanaged assets. When a subscription to an asset in the Amazon SageMaker Catalog is approved by the data owner, Amazon SageMaker Unified Studio publishes an event in Amazon EventBridge in your account along with all the necessary information in the payload that enables you to create the access grants between the source and the target. When you receive this event, you can trigger a custom handler which can use the information in the event to create necessary grants or permissions. After you have granted the access, you can report back and update the status of the subscription in Amazon SageMaker Unified Studio so that it can notify the user(s) who subscribed to the asset that they can start consuming the asset. ## Set up Cross-Region Subscriptions Cross-region subscriptions allow data consumers to subscribe to and access data assets published in a different AWS Region than their consuming project or environment. With cross-region subscriptions, you can: + Subscribe to data published in a different Region than your consuming environment + Extend existing approved subscriptions to another Region For AWS Glue assets, cross-region access is achieved through resource links. The original table remains in the source Region, and a resource link is created in the target Region for consumer access. For Amazon Redshift assets, cross-region data sharing uses Redshift's native datashare functionality. For cross-account scenarios, AWS Resource Access Manager (AWS RAM) authorization is required. ### Supported assets and Regions Cross-region subscriptions support AWS Glue tables, AWS Glue views, Amazon Redshift tables, and Amazon Redshift views across all standard (non-opt-in) AWS Regions. Cross-region subscriptions to opt-in Regions are not supported. ### Prerequisites Before you enable cross-region subscriptions, you must have the following: + An existing Amazon DataZone or SageMaker Unified Studio domain + Permissions to manage blueprints, environments, and projects in your domain + For Glue assets: The appropriate data lake blueprint enabled in both source and target Regions + For Redshift assets: The appropriate data warehouse blueprint enabled in both source and target Regions ### Enabling cross-region subscriptions (DataZone domains - V1) Complete the following steps to enable cross-region subscriptions in DataZone domains. #### Step 1: Enable the blueprint in the target Region 1. Open the Amazon DataZone console at [https://console.aws.amazon.com/datazone/](https://console.aws.amazon.com/datazone/). 1. Choose your domain. 1. In the navigation pane, choose **Blueprints**. 1. Choose the appropriate blueprint: + For Glue assets, choose **DataLake** + For Redshift assets, choose **DataWarehouse** 1. If the blueprint is disabled, choose **Enable**. #### Step 2: Create an environment profile 1. Sign in to the Amazon DataZone data portal. 1. Navigate to the subscriber project. 1. Choose **Create environment profile**. 1. For **Region**, select the Region that you enabled in Step 1. 1. Configure other settings as needed, and then choose **Create**. #### Step 3: Create an environment 1. In the subscriber project, choose **Environments**. 1. Choose **Create environment**. 1. For **Environment profile**, select the environment profile that you created in Step 2. 1. Configure other settings as needed, and then choose **Create**. #### Step 4: Subscribe to assets 1. Navigate to the data catalog and find the asset that you want to subscribe to. 1. Choose **Subscribe**. 1. Select the subscriber project with the cross-region environment. 1. Complete the subscription request. The subscription automatically fulfills to the new Region. You can query the data from the new Region environment. ### Enabling cross-region subscriptions (SageMaker Unified Studio domains - V2) Complete the following steps to enable cross-region subscriptions in SageMaker Unified Studio domains. #### Step 1: Enable the blueprints in the target Region 1. Open the SMUS portal. 1. Choose your domain. 1. In the navigation pane, choose **Blueprints**. 1. Enable the **Tooling** blueprint in the target Region. This is required for both Glue and Redshift assets. 1. Enable the appropriate asset blueprint in the target Region: + For Glue assets, choose **LakeHouseDatabase** + For Redshift assets, choose **RedshiftServerless** + **Tooling** (required) 1. Add the target Regions to each blueprint. #### Step 2: Create a project profile 1. In the navigation pane, choose **Project profiles**. 1. Choose **Create project profile**. 1. For **Region**, select the Region that you enabled in Step 1. 1. Configure other settings as needed, and then choose **Create**. #### Step 3: Create a project 1. On SMUS, Choose **Create project**. 1. For **Project profile**, select the project profile that you created in Step 2. 1. Configure other settings as needed, and then choose **Create**. The project is provisioned in the target Region. Subscriptions to this project automatically fulfill to the target Region. ### Considerations When working with cross-region subscriptions, keep the following in mind: + **Region restrictions** – Cross-region subscriptions are not supported in opt-in Regions. + **Blueprint requirements** – Blueprints must be enabled in both the source and target Regions before you can create cross-region subscriptions. + **Environment requirements (V1)** – Environments must exist in the target Region before subscriptions can be fulfilled to that Region. + **Project requirements (V2)** – In SageMaker Unified Studio domains, you cannot add new environments to existing projects through the console. To subscribe to assets in a new Region, you must create a new project with a project profile configured for that Region. + **Tooling blueprint (V2)** – The Tooling blueprint must be enabled in the target Region before enabling LakeHouseDatabase or RedshiftServerless blueprints. + **Cross-account Redshift sharing** – For cross-account Redshift data sharing, AWS RAM authorization is required on both the producer and consumer sides. # Metadata enforcement rules for subscription requests The metadata enforcement rules for subscription requests in Amazon SageMaker Unified Studio strengthen data governance by enabling domain unit owners to establish clear metadata requirements for data consumers, streamlining access requests and enhancing data governance. The feature is supported in all the AWS commercial Regions where Amazon SageMaker Unified Studio is currently available. Domain unit owners can can complete the following procedure to configure metadata enforcement for subscription requests in Amazon SageMaker Unified Studio: 1. Navigate to Amazon SageMaker Unified Studio using the URL from your admin and log in using your SSO or AWS credentials. 1. Choose **Govern** -> **Domain units** from the top navigation pane and then choose the domain or the domain unit that you want to work with. 1. Choose the **Rules** tab and then choose **Add**. 1. On the **Create required metadata form rule** page, do the following and then choose **Add rule**: + Specify a name for your rule. + Under **Action**, choose **Subscription request**. + Under **Required forms**, choose **Add metadata form**, choose a metadata form within the domain / domain unit that you want to add to this rule, and then choose **Add**. You can add up to 5 metadata forms per rule. + Under **Scope**, specify with which data entities you want to associate these forms. You can choose data products and/or data assets. + Under **Data asset types**, specify whether the rule applies across all asset types or limit it to selected asset types. + Under **Projects**, specify whether the required forms will be associated with data products and/or assets published by all projects or only selected projects in this domain unit. Also, check **Cascade rule to child domain units** if you want child domain units to inherit this requirement.