IAM-based domains and projects
IAM-based domains in Amazon SageMaker Unified Studio provide another configuration option to set up and manage your data and AI development environment. IAM-based domains automate creation of an Amazon SageMaker Unified Studio domain using AWS Identity and Access Management (IAM) roles, and also use IAM roles to access data and resources for a project within an IAM-based domain.
Note
A project in Amazon SageMaker Unified Studio is a boundary within a domain where you can collaborate with other users to work on a business use case. In projects, you can create and share data and resources. For more details, see Projects.
By default, Amazon SageMaker Unified Studio will create a domain configured with an AWS IAM role. You can use an existing IAM role or choose to create a new IAM role for the domain setup. Projects within this IAM-based domain also use an IAM role to access data and infrastructure within Amazon SageMaker Unified Studio. In addition, each project is assigned an IAM role for login; this federated IAM role is used to authenticate and access the assigned IAM project. Only one IAM-based domain is available per AWS account per Region. Each IAM-based domain supports multiple projects, and each project can be assigned to only one IAM role for authentication and execution.
Amazon SageMaker Unified Studio also supports domains configured with AWS IAM Identity Center (IdC). Projects within this Identity Center-based domain use the project role to access data and resources, or use identity-based data authorization through AWS IAM Trusted Identity Propagation. End users log in using their identity provided directly by Identity Center or through SSO to an identity provider. Additional details on setting up an Identity Center-based domain are available in Identity Center-based domains.