# Multiple domains overview
<a name="domain-multiple"></a>

**Important**  
Custom IAM policies that allow Amazon SageMaker Studio or Amazon SageMaker Studio Classic to create Amazon SageMaker resources must also grant permissions to add tags to those resources. The permission to add tags to resources is required because Studio and Studio Classic automatically tag any resources they create. If an IAM policy allows Studio and Studio Classic to create resources but does not allow tagging, "AccessDenied" errors can occur when trying to create resources. For more information, see [Provide permissions for tagging SageMaker AI resources](security_iam_id-based-policy-examples.md#grant-tagging-permissions).  
[AWS managed policies for Amazon SageMaker AI](security-iam-awsmanpol.md) that give permissions to create SageMaker resources already include permissions to add tags while creating those resources.

Having multiple Amazon SageMaker AI domain simplifies managing machine learning workflows for administrators of enterprises with diverse business units, teams, or projects. Each domain acts as a logically separate environment with its own configurations, settings, and user access controls. This compartmentalization enables organizations to enforce clear boundaries between different groups, teams, or use cases, enhancing the ability to securely allocate AWS resources and permissions on a broad and granular level.

The following provides information about creating multiple domains.
+ Amazon SageMaker AI supports the creation of multiple Amazon SageMaker AI domains in a single AWS Region for each account. 
+ Additional domains in an AWS Region have the same features and capabilities as the first domain in a Region.
+ Each domain can have distinct domain settings.
+ The same user profile cannot be added to multiple domains in a single Region within the same account.

For information about domain limits, see [Amazon SageMaker AI endpoints and quotas](https://docs.aws.amazon.com//general/latest/gr/sagemaker.html).

The following topics provides information on how to use tags for your domain.

**Topics**
+ [Automatic tag propagation](domain-multiple-tag.md)
+ [How domain resource display filtering works](domain-multiple-filtering.md)
+ [Backfill domain tags](domain-multiple-backfill.md)

# Automatic tag propagation
<a name="domain-multiple-tag"></a>

Tags allow you to categorize and label your resources based on various criteria, such as project, team, environment (For example, dev, staging, prod), or any other custom metadata. You can tag resources by your domain automatically when they are created within your domain. This makes it easier to identify and manage your resources across your domains. You can also use these tags for cost allocation using AWS Billing and Cost Management. For more information, see [Using AWS cost allocation tags](https://docs.aws.amazon.com//awsaccountbilling/latest/aboutv2/cost-alloc-tags.html).

By default, any SageMaker AI resources that support tagging and are created from within the Amazon SageMaker Studio or Amazon SageMaker Studio Classic UI after 11/30/2022 are automatically tagged with a domain ARN tag. The domain ARN tag is based on the domain ID of the domain that the resource is created in. 

To backfill your SageMaker AI resources, you can add the `sagemaker:domain-arn` tag to untagged resources by following the steps in [Backfill domain tags](domain-multiple-backfill.md).

The following list describes the only SageMaker AI resources that *do not* support automatic tag propagation, as well as the impacted API calls where the tag is not returned because it was not automatically set.

**Note**  
All SageMaker `List` APIs do not support tag-based resource isolation.   
The `default` app, which manages the Studio UI, is not automatically tagged.


|  SageMaker AI resource  |  Affected API calls  | 
| --- | --- | 
|  ImageVersionArn  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/sagemaker/latest/dg/domain-multiple-tag.html)  | 
|  ModelCardExportJobArn  | [describe-model-card-export-job](https://docs.aws.amazon.com/cli/latest/reference/sagemaker/describe-model-card-export-job.html)  | 
|  ModelPackageArn  | [describe-model-package](https://docs.aws.amazon.com/cli/latest/reference/sagemaker/describe-model-package.html)  | 

# How domain resource display filtering works
<a name="domain-multiple-filtering"></a>

Amazon SageMaker AI automatically filters the resources displayed in Studio or Studio Classic based on the Amazon SageMaker AI domain. This filtering is done by using the `sagemaker:domain-arn` tag attached to SageMaker AI resources. Resources created in other domains are automatically hidden.

**Note**  
This only applies to the Studio or Studio Classic UI. SageMaker AI does not support resource filtering using the AWS CLI by default. 

In Amazon SageMaker Studio or Amazon SageMaker Studio Classic, you'll only see resources that: 
+ Were created within the current domain.
+ Don't have the `sagemaker:domain-arn` tag associated with them. These untagged resources are either created outside the context of a domain or were created before 11/30/2022.

To improve resource filtering, you can add the `sagemaker:domain-arn` tag to untagged resources by following the steps in [Backfill domain tags](domain-multiple-backfill.md).

Additionally, all resources created in shared spaces are automatically filtered to that particular shared space.

# Backfill domain tags
<a name="domain-multiple-backfill"></a>

You can improve resource filtering by adding domain tags to untagged resources. If you have resources that are not tagged, you can backfill them.

If you have created resources in a domain before 11/30/2022, those resources are not automatically tagged with the domain Amazon Resource Name (ARN) tag.

To accurately attribute resources to their respective domain, you must add the domain tag to existing resources using the AWS CLI, as follows.

1. Map all existing SageMaker AI resources and their respective ARNs to the domains that exist in your account.

1. Run the following command from your local machine to tag the resource with the ARN of the resource's respective domain. This must be repeated for every SageMaker AI resource in your account.

   ```
   aws resourcegroupstaggingapi tag-resources \
       --resource-arn-list arn:aws:sagemaker:region:account-id:space/domain-id/space-name \
       --tags sagemaker:domain-arn=arn:aws:sagemaker:region:account-id:domain/domain-id
   ```