

# Amazon SageMaker AI domain overview

Amazon SageMaker AI uses domains to organize user profiles, applications, and their associated resources. An Amazon SageMaker AI domain consists of the following:
+ An associated Amazon Elastic File System (Amazon EFS) volume
+ A list of authorized users
+ A variety of security, application, policy, and Amazon Virtual Private Cloud (Amazon VPC) configurations

The following diagram provides an overview of private apps and shared spaces within each domain.

 ![\[Overview of a domain.\]](http://docs.aws.amazon.com/sagemaker/latest/dg/images/domains/private-apps-shared-spaces.png) 

To have access to most Amazon SageMaker AI environments and resources, you must complete the Amazon SageMaker AI domain onboarding process using the SageMaker AI console or the AWS CLI. For a guide describing how to get started using SageMaker AI based on how you want to access SageMaker AI, and if necessary how to set up a domain, see [Guide to getting set up with Amazon SageMaker AI](gs.md).

**Topics**
+ [Amazon SageMaker AI domain entities and statuses](sm-domain.md)
+ [Choose an Amazon VPC](onboard-vpc.md)

# Amazon SageMaker AI domain entities and statuses

An Amazon SageMaker AI domain supports SageMaker AI machine learning (ML) environments. A SageMaker AI domain is composed of the following entities and their associated status values. For onboarding steps to create a domain, see [Amazon SageMaker AI domain overview](gs-studio-onboard.md).
+  **Domain**: A domain consists of the following.
  + An associated Amazon Elastic File System (Amazon EFS) volume.
  + A list of authorized users.
  + A variety of security, application, policy, and Amazon Virtual Private Cloud (Amazon VPC) configurations.

  Users within a domain can share notebook files and other artifacts with each other. An account can have multiple domains. For more information about multiple domains, see [Multiple domains overview](domain-multiple.md).
+  **User profile**: A user profile represents a single user within a domain. It is the main way to reference a user for the purposes of sharing, reporting, and other user-oriented features. This entity is created when a user onboards to the Amazon SageMaker AI domain. For more information about user profiles, see [Domain user profiles](domain-user-profile.md).
+  **Shared space**: A shared space consists of a shared JupyterServer application and shared directory. All user profiles in a domain have access to all shared spaces in the domain. For more information about shared spaces, see [Collaboration with shared spaces](domain-space.md).
+  **App**: An app represents an application that supports the reading and execution experience of the user’s notebooks, terminals, and consoles. The type of app can be JupyterServer, KernelGateway, RStudioServerPro, or RSession. A user may have multiple apps active simultaneously.

The following tables describe the status values for the `domain`, `UserProfile`, `shared space`, and `App` entities. Where applicable, they also give troubleshooting steps.

domain status values


| Value | Description | 
| --- | --- | 
| Pending | Ongoing creation of domain. | 
| InService | Successful creation of domain. | 
| Updating | Ongoing update of domain. | 
| Deleting | Ongoing deletion of domain. | 
| Failed | Unsuccessful creation of domain. Call the DescribeDomain API to see the failure reason for domain creation. Delete the failed domain and recreate the domain after fixing the error mentioned in FailureReason. | 
| Update_Failed | Unsuccessful update of domain. Call the DescribeDomain API to see the failure reason for domain update. Call the UpdateDomain API after fixing the error mentioned in FailureReason. | 
| Delete_Failed | Unsuccessful deletion of domain. Call the DescribeDomain API to see the failure reason for domain deletion. Because deletion failed, you might have some resources that are still running, but you cannot use or update the domain. Call the DeleteDomain API again after fixing the error mentioned in FailureReason. | 

`UserProfile` status values


| Value | Description | 
| --- | --- | 
| Pending | Ongoing creation of UserProfile. | 
| InService | Successful creation of UserProfile. | 
| Updating | Ongoing update of UserProfile. | 
| Deleting | Ongoing deletion of UserProfile. | 
| Failed | Unsuccessful creation of UserProfile. Call the DescribeUserProfile API to see the failure reason for UserProfile creation. Delete the failed UserProfile and recreate it after fixing the error mentioned in FailureReason. | 
| Update_Failed | Unsuccessful update of UserProfile. Call the DescribeUserProfile API to see the failure reason for UserProfile update. Call the UpdateUserProfile API again after fixing the error mentioned in FailureReason. | 
| Delete_Failed | Unsuccessful deletion of UserProfile. Call the DescribeUserProfile API to see the failure reason for UserProfile deletion. Because deletion failed, you might have some resources that are still running, but you cannot use or update the UserProfile. Call the DeleteUserProfile API again after fixing the error mentioned in FailureReason. | 

shared space status values


| Value | Description | 
| --- | --- | 
| Pending | Ongoing creation of shared space. | 
| InService | Successful creation of shared space. | 
| Deleting | Ongoing deletion of shared space. | 
| Failed | Unsuccessful creation of shared space. Call the DescribeSpace API to see the failure reason for shared space creation. Delete the failed shared space and recreate it after fixing the error mentioned in FailureReason. | 
| Update_Failed | Unsuccessful update of shared space. Call the DescribeSpace API to see the failure reason for shared space update. Call the UpdateSpace API again after fixing the error mentioned in FailureReason. | 
| Delete_Failed | Unsuccessful deletion of shared space. Call the DescribeSpace API to see the failure reason for shared space deletion. Because deletion failed, you might have some resources that are still running, but you cannot use or update the shared space. Call the DeleteSpace API again after fixing the error mentioned in FailureReason. | 
| Deleted | Successful deletion of shared space. | 

`App` status values


| Value | Description | 
| --- | --- | 
| Pending | Ongoing creation of App. | 
| InService | Successful creation of App. | 
| Deleting | Ongoing deletion of App. | 
| Failed | Unsuccessful creation of App. Call the DescribeApp API to see the failure reason for App creation. Call the CreateApp API again after fixing the error mentioned in FailureReason. | 
| Deleted | Successful deletion of App. | 

## Maintenance of applications


At least once every 90 days, SageMaker AI performs security and performance updates to the underlying software for Amazon SageMaker Studio Classic JupyterServer and KernelGateway, SageMaker Canvas, and Amazon SageMaker Data Wrangler applications. Some maintenance items, such as operating system upgrades, require that SageMaker AI takes your application offline for a short time during the maintenance window. Because this maintenance takes the application offline, you cannot perform any operations while the underlying software is being updated. When the maintenance activity is in progress, the state of the application transitions from **InService** to **Pending**. When maintenance is complete, the status of the application transitions back to **InService**. If patching fails, then the status of the application becomes **Failed**. If an application is in the **Failed** state, we recommend creating a new application of the same type. For information about creating Studio Classic applications, see [Shut Down and Update Amazon SageMaker Studio Classic and Apps](studio-tasks-update.md). For information about creating SageMaker Canvas applications, see [Applications management](canvas-manage-apps.md).

For more information, contact https://aws.amazon.com/premiumsupport/.

**Topics**
+ [Maintenance of applications](#domain-maintenance)
+ [Complete prerequisites](domain-prerequisites.md)
+ [Hide machine learning tools and applications in the Amazon SageMaker Studio UI](studio-updated-ui-customize-tools-apps.md)
+ [Hide instance types and images in the Amazon SageMaker Studio UI](studio-updated-ui-customize-instances-images.md)
+ [Multiple domains overview](domain-multiple.md)
+ [Isolate domain resources](domain-resource-isolation.md)
+ [Default settings for Amazon SageMaker AI domains](domain-set-defaults.md)
+ [Custom tag propagation](custom-tags.md)
+ [Adding a custom file system to a domain](domain-custom-file-system.md)
+ [View domain environment details](domain-space-environment.md)
+ [View domains](domain-view.md)
+ [Edit domain settings](domain-edit.md)
+ [Delete an Amazon SageMaker AI domain](gs-studio-delete-domain.md)
+ [Domain user profiles](domain-user-profile.md)
+ [IAM Identity Center groups in a domain](domain-groups.md)
+ [Understanding domain space permissions and execution roles](execution-roles-and-spaces.md)
+ [View SageMaker AI resources in your domain](sm-console-domain-resources-view.md)
+ [Shut down SageMaker AI resources in your domain](sm-console-domain-resources-shut-down.md)
+ [Where to shut down resources per SageMaker AI features](sm-shut-down-resources-per-feature.md)

# Complete prerequisites


To use the features available in an Amazon SageMaker AI domain, you must complete the following prerequisites. 
+ Onboard to a domain. For more information, see [Onboard to Amazon SageMaker AI domain](https://docs.aws.amazon.com/sagemaker/latest/dg/gs-studio-onboard.html).
+ (Optional) If you are interacting with your domain using the AWS CLI, you must also complete the following prerequisites.
  +  Update the AWS CLI by following the steps in [Installing the current AWS CLI Version](https://docs.aws.amazon.com/cli/latest/userguide/install-cliv1.html#install-tool-bundled). 
  +  From your local machine, run `aws configure` and provide your AWS credentials. For information about AWS credentials, see [Understanding and getting your AWS credentials](https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html). 

# Hide machine learning tools and applications in the Amazon SageMaker Studio UI

**Important**  
As of November 30, 2023, the previous Amazon SageMaker Studio experience is now named Amazon SageMaker Studio Classic. The following section is specific to using the updated Studio experience. For information about using the Studio Classic application, see [Amazon SageMaker Studio Classic](studio.md).

This topic shows how to hide applications and machine learning (ML) tools displayed in the Amazon SageMaker Studio user interface (UI). For information on the Studio UI, see [Amazon SageMaker Studio UI overview](studio-updated-ui.md).

This customization does not block access to these resources. If, instead, you want to block access to an application, see [Amazon SageMaker Role Manager](role-manager.md).

For information about the applications, see [Applications supported in Amazon SageMaker Studio](studio-updated-apps.md).

The customize Studio UI feature is not available in Amazon SageMaker Studio Classic.

You can customize the Studio UI on a domain level and a user level:
+ Customization on a domain level sets the default for all users in the domain.

  These default settings apply for all users in the domain who have *not* had these changes made to their individual user settings.
+ Customization on a user level will take priority over the domain level settings.

Use the following topics to learn more on the different customization levels and how to apply them.

**Topics**
+ [Hide machine learning tools and applications on a domain level](studio-updated-ui-customize-tools-apps-domain.md)
+ [Hide machine learning tools and applications on a user level](studio-updated-ui-customize-tools-apps-user.md)

# Hide machine learning tools and applications on a domain level


The following shows how to use the console to customize the applications and ML tools displayed in Studio on a domain level. For more information, see [Hide machine learning tools and applications in the Amazon SageMaker Studio UI](studio-updated-ui-customize-tools-apps.md).

This feature is not available if Amazon SageMaker Studio Classic is set as your default experience.

## Hide machine learning tools and applications on a domain level instructions (console)


**To hide machine learning tools and applications in the Studio UI on a domain level (console)**

1. Open the Amazon SageMaker AI console at [https://console.aws.amazon.com/sagemaker/](https://console.aws.amazon.com/sagemaker/).

1. On the left navigation pane, choose **Admin configurations**.

1. Under **Admin configurations**, choose **domains**. 

1. From the list of domains, choose the link to the domain you wish to edit.

1. On the **Domain details** page, choose the **App Configurations** tab.

1. In the **SageMaker Studio** section, choose **Customize Studio UI**.

1. On the **Customize Studio UI** page you can hide applications and ML tools displayed in Studio by toggling them off. 

   Note that not all ML features are available in all regions.

1. Once you have reviewed your changes, choose **Save**.

Once completed, you will see a green banner containing a success message at the top of the page.

## Hide machine learning tools and applications on a domain level instructions (AWS CLI)


**Note**  
To use this feature you may need to update to the latest AWS CLI version. For more information, see [Installing or updating to the latest version of the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html).

You can use the AWS CLI to customize the applications and ML tools displayed in Studio on a domain level, using [StudioWebPortalSettings](https://docs.aws.amazon.com/sagemaker/latest/APIReference/API_StudioWebPortalSettings.html). Use `HiddenAppTypes` to hide applications and `HiddenMlTools` to hide ML tools. 

In the following example, SageMaker Canvas and Code Editor are being hidden for users in the domain `domainId`.

```
aws sagemaker update-domain \
  --domain-id domainId \
  --default-user-settings '{"StudioWebPortalSettings": {"HiddenAppTypes": ["Canvas", "CodeEditor"]}}'
```

Note that not all ML features are available in all AWS Regions.

# Hide machine learning tools and applications on a user level


The following shows how to customize the applications and ML tools displayed in Studio on a user level. For more information, see [Hide machine learning tools and applications in the Amazon SageMaker Studio UI](studio-updated-ui-customize-tools-apps.md).

This feature is not available if Studio Classic is set as your default experience. 

## Hide machine learning tools and applications on a user level instructions (console)


**To hide machine learning tools and applications in the Studio UI on a user level (console)**

1. Open the Amazon SageMaker AI console at [https://console.aws.amazon.com/sagemaker/](https://console.aws.amazon.com/sagemaker/).

1. On the left navigation pane, choose **Admin configurations**.

1. Under **Admin configurations**, choose **domains**. 

1. From the list of domains, choose the link to the domain you wish to edit.

1. On the **Domain details** page, choose the **User profiles** tab.

1. In the **User profiles** section, choose the link to the user profile you wish to edit.

1. Choose the **App Configurations** tab.

1. In the **SageMaker Studio** section, choose **Customize Studio UI**.

1. On the **Customize Studio UI** page you can hide applications and ML tools displayed in Studio by toggling them off. 

   Note that not all ML features are available in all regions.

1. Once you have reviewed your changes, choose **Save**. This will take you back to the user profile edit flow.

1. Choose **Save changes**. 

Once completed, you will see a green banner containing a success message at the top of the page.

## Hide machine learning tools and applications on a user level instructions (AWS CLI)


**Note**  
To use this feature you may need to update to the latest AWS CLI version. For more information, see [Installing or updating to the latest version of the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html).

You can use the AWS CLI to customize the applications and ML tools displayed in Studio on a user level, using [StudioWebPortalSettings](https://docs.aws.amazon.com/sagemaker/latest/APIReference/API_StudioWebPortalSettings.html). Use `HiddenAppTypes` to hide applications and `HiddenMlTools` to hide ML tools. 

In the following example, SageMaker Canvas and Code Editor are being hidden for user *userProfileName* in the domain `domainId`.

```
aws sagemaker update-user-profile \
  --domain-id domainId \
  --user-profile-name userProfileName \
  --user-settings '{"StudioWebPortalSettings": {"HiddenAppTypes": ["Canvas", "CodeEditor"]}}'
```

Note that not all ML features are available in all AWS Regions.

# Hide instance types and images in the Amazon SageMaker Studio UI

**Important**  
As of November 30, 2023, the previous Amazon SageMaker Studio experience is now named Amazon SageMaker Studio Classic. The following section is specific to using the updated Studio experience. For information about using the Studio Classic application, see [Amazon SageMaker Studio Classic](studio.md).

This topic shows how to hide Amazon SageMaker AI instance types and images displayed in the Amazon SageMaker Studio user interface (UI). For information on the Studio UI, see [Amazon SageMaker Studio UI overview](studio-updated-ui.md).

When you hide SageMaker AI instance types and images: 
+ The impacted users will not be able to view the hidden resources in the Studio UI.
+ The impacted users will not be able to run or create a new space with the hidden configurations. 
+ Any currently running spaces for the impacted users will not be affected. 
+ When an impacted user attempts to run a space with the hidden resources, they will be notified that the relevant resources have been disabled by the administrator.

**Note**  
If, instead of *hiding*, you would like to *restrict* the instance types available to users through an AWS Identity and Access Management policy, see:  
[Can I limit the type of instances that data scientists can launch for training jobs in SageMaker AI?](https://repost.aws/questions/QUd77APmdHTx-2FZCvZfS6Qg/can-i-limit-the-type-of-instances-that-data-scientists-can-launch-for-training-jobs-in-sagemaker) in AWS re:Post.  
[Limiting instances types on Amazon SageMaker AI via IAM policy](https://stackoverflow.com/questions/76426316/limiting-instances-types-on-aws-sagemaker-via-iam-policy) in StackOverflow.

The customize Studio UI feature is not available in Amazon SageMaker Studio Classic.

You can customize the Studio UI on a domain level and a user level:
+ Customization on a domain level sets the default for all users in the domain. 
+ Customization on a user level will take priority over the domain level settings.

Use the following topics to learn more on the different customization levels and how to apply them.

**Topics**
+ [Hide instance types and images on a domain level](studio-updated-ui-customize-instances-images-domain.md)
+ [Hide instance types and images on a user level](studio-updated-ui-customize-instances-images-user.md)

# Hide instance types and images on a domain level


The following shows how to use the console to set rules to hide Amazon SageMaker AI instance types and images from being displayed in the Amazon SageMaker Studio Classic UI on a *domain level*. For more information, see [Hide instance types and images in the Amazon SageMaker Studio UI](studio-updated-ui-customize-instances-images.md).

Once these changes are made on a domain level: 
+ These changes will not affect any currently open spaces.
+ These changes will impact the domain’s users’ *default* visibility from that point onward. 

  These default settings apply for all users in the domain who have *not* had these changes made to their individual user settings.
+ User level settings take priority over the domain level settings.

The customize Studio UI feature is not available in Amazon SageMaker Studio Classic.

## Hide instance types and images on a domain level instructions (console)


**To hide instance types and images in the Studio UI on a domain level (console)**

1. Open the Amazon SageMaker AI console at [https://console.aws.amazon.com/sagemaker/](https://console.aws.amazon.com/sagemaker/).

1. On the left navigation pane, choose **Admin configurations**.

1. Under **Admin configurations**, choose **domains**. 

1. From the list of domains, choose the link to the domain you wish to edit.

1. On the **Domain details** page, choose **Domain settings**.

1. In the **Domain settings** tab, you can view the domain rules in the **Domain rules** section.

1. In the **Domain rules** section choose **Manage rules**.

1. On the **Manage domain rules** page choose a **Rule type**.

   Note that not all instance types and images are available in all AWS Regions.

   1. If you choose **Instance type**, you can use the **Hide** action to hide SageMaker AI instance types you choose in the dropdown list under **Instance types**.

   1. If you choose **Image**, you can use the **Hide** action to hide SageMaker images you choose under the dropdown list under **Image**.

1. (Optional) Choose **+ Add new rule** to add more rules.

1. Once you have reviewed your changes, choose **Submit**.

Once completed, you will see a green banner containing a success message at the top of the page.

## Hide instance types and images on a domain level instructions (AWS CLI)


**Note**  
To use this feature you may need to update to the latest AWS CLI version. For more information, see [Installing or updating to the latest version of the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html).

You can use the AWS CLI to customize the SageMaker AI instances and images displayed in the Studio UI on a domain level, using [StudioWebPortalSettings](https://docs.aws.amazon.com/sagemaker/latest/APIReference/API_StudioWebPortalSettings.html). Use `HiddenInstanceTypes` to hide instance types and use `HiddenSageMakerImageVersionAliases` to hide SageMaker images. 

Note that when you use `HiddenSageMakerImageVersionAliases`:
+ The API only accepts minor `VersionAliases` (for example, `1.9`), rather than patch versions (for example, `1.9.1`).
+ You may enter unpublished versions through the CLI or SDK. However, these versions will not be displayed in the console and will be overwritten after the rules are edited through the console.

In the following example, for Code Editor, based on Code-OSS, Visual Studio Code - Open Source and JupyterLab, the following are being hidden for users by default in the domain `domainId`:
+ The instance types `ml.r6id.24xlarge` and `ml.r6id.32xlarge`.
+ The image `sagemaker_distribution` versions `1.9` and `1.8`.

```
aws sagemaker update-domain \
    --domain-id domainId \
    --default-user-settings '{
        "StudioWebPortalSettings": {
            "HiddenInstanceTypes": [ "ml.r6id.24xlarge", "ml.r6id.32xlarge" ],
            "HiddenSageMakerImageVersionAliases": [
                {
                    "SageMakerImageName": "sagemaker_distribution",
                    "VersionAliases": [ "1.9", "1.8" ]
                }
            ]
        }
    }'
```

Note that not all instance types and images are available in all AWS Regions.

# Hide instance types and images on a user level


**Warning**  
Customizing a user profile is a permanent action. If custom settings are saved, this user profile will overwrite the domain settings, and no longer dynamically update with the domain in the future.

The following shows how to use the console to set rules to hide Amazon SageMaker AI instance types and images from being displayed in the Amazon SageMaker Studio Classic UI on a *user level*. For more information, see [Hide instance types and images in the Amazon SageMaker Studio UI](studio-updated-ui-customize-instances-images.md).

This setting will take priority over the domain level settings.

The customize Studio UI feature is not available in Studio Classic.

## Hide instance types and images on a user level instructions (console)


**To hide instance types and images in the Studio UI on a user level (console)**

1. Open the Amazon SageMaker AI console at [https://console.aws.amazon.com/sagemaker/](https://console.aws.amazon.com/sagemaker/).

1. On the left navigation pane, choose **Admin configurations**.

1. Under **Admin configurations**, choose **domains**. 

1. From the list of domains, choose the link to the domain you wish to edit.

1. On the **Domain details** page, choose the **User profiles** tab.

1. In the **User profiles** section, choose the link to the user profile you wish to edit.

1. On the **User details** tab, you can view the rules applied to the user in the **User profile rules** section.

1. In the **User profile rules** section choose **Manage rules**.

1. On the **Manage user profile rules** page choose a **Rule type**.

   Note that not all instance types and images are available in all AWS Regions.

   1. If you choose **Instance type**, you can use the **Hide** action to hide SageMaker AI instance types you choose in the dropdown list under **Instance types**.

   1. If you choose **Image**, you can use the **Hide** action to hide SageMaker images you choose under the dropdown list under **Image**.

1. (Optional) Choose **+ Add new rule** to add more rules.

1. Once you have reviewed your changes, choose **Submit**.

Once completed, you will see a green banner containing a success message at the top of the page.

## Hide instance types and images on a user level instructions (AWS CLI)


**Note**  
To use this feature you may need to update to the latest AWS CLI version. For more information, see [Installing or updating to the latest version of the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html).

You can use the AWS CLI to customize the SageMaker AI instances and images displayed in the Studio UI on a user level, using [StudioWebPortalSettings](https://docs.aws.amazon.com/sagemaker/latest/APIReference/API_StudioWebPortalSettings.html). Use `HiddenInstanceTypes` to hide instance types and use `HiddenSageMakerImageVersionAliases` to hide SageMaker images. 

Note that when you use `HiddenSageMakerImageVersionAliases`:
+ The API only accepts minor `VersionAliases` (for example, `1.9`), rather than patch versions (for example, `1.9.1`).
+ You may enter unpublished versions through the CLI or SDK. However, these versions will not be displayed in the console and will be overwritten after the rules are edited through the console.

In the following example, for Code Editor, based on Code-OSS, Visual Studio Code - Open Source and JupyterLab, the following are being hidden for user `userProfileName` in the domain `domainId`:
+ The instance types `ml.r6id.24xlarge` and `ml.r6id.32xlarge`.
+ The image `sagemaker_distribution` versions `1.9` and `1.8`.

```
aws sagemaker update-user-profile \
    --domain-id domainId \
    --user-profile-name userProfileName \
    --user-settings '{
        "StudioWebPortalSettings": {
            "HiddenInstanceTypes": [ "ml.r6id.24xlarge", "ml.r6id.32xlarge" ],
            "HiddenSageMakerImageVersionAliases": [
                {
                    "SageMakerImageName": "sagemaker_distribution",
                    "VersionAliases": [ "1.9", "1.8" ]
                }
            ]
        }
    }'
```

Note that not all instance types and images are available in all AWS Regions.
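The precedence rule above means a customized user profile can stop hiding what the domain hides. The following added example (not AWS code) audits that drift over dictionaries shaped like `describe-domain` (`DefaultUserSettings`) and `describe-user-profile` (`UserSettings`) output, and also checks the minor-only `VersionAliases` rule. It assumes a user-level `StudioWebPortalSettings` block replaces the domain default as a whole; the profile names and sample data are constructed.

```python
import re

# Per the page, VersionAliases must be minor aliases ("1.9"), not patch
# versions ("1.9.1").
MINOR_ALIAS = re.compile(r"\d+\.\d+")


def invalid_version_aliases(portal_settings):
    """Return (image name, alias) pairs that are not minor-version aliases."""
    bad = []
    for entry in portal_settings.get("HiddenSageMakerImageVersionAliases", []):
        for alias in entry.get("VersionAliases", []):
            if not MINOR_ALIAS.fullmatch(alias):
                bad.append((entry["SageMakerImageName"], alias))
    return bad


def hidden_sets(portal_settings):
    """Flatten a StudioWebPortalSettings dict into two comparable sets."""
    instances = set(portal_settings.get("HiddenInstanceTypes", []))
    images = {
        (entry["SageMakerImageName"], alias)
        for entry in portal_settings.get("HiddenSageMakerImageVersionAliases", [])
        for alias in entry.get("VersionAliases", [])
    }
    return instances, images


def audit_overrides(domain_default_settings, user_profiles):
    """List profiles with their own settings and what they no longer hide.

    Assumption of this example: a user-level StudioWebPortalSettings block
    replaces the domain default entirely, so anything the domain hides that
    the profile does not list is treated as visible to that user.
    """
    domain_portal = domain_default_settings.get("StudioWebPortalSettings", {})
    domain_instances, domain_images = hidden_sets(domain_portal)
    findings = []
    for profile in user_profiles:
        user_portal = profile.get("UserSettings", {}).get("StudioWebPortalSettings")
        if user_portal is None:
            continue  # no override: the profile follows the domain default
        user_instances, user_images = hidden_sets(user_portal)
        findings.append({
            "UserProfileName": profile["UserProfileName"],
            "UnhiddenInstanceTypes": sorted(domain_instances - user_instances),
            "UnhiddenImageVersions": sorted(domain_images - user_images),
        })
    return findings


# Constructed sample data mirroring the CLI examples on this page.
DOMAIN_DEFAULTS = {
    "StudioWebPortalSettings": {
        "HiddenInstanceTypes": ["ml.r6id.24xlarge", "ml.r6id.32xlarge"],
        "HiddenSageMakerImageVersionAliases": [
            {"SageMakerImageName": "sagemaker_distribution",
             "VersionAliases": ["1.9", "1.8"]}
        ],
    }
}
USER_PROFILES = [
    {"UserProfileName": "analyst-a", "UserSettings": {}},
    {"UserProfileName": "analyst-b", "UserSettings": {
        "StudioWebPortalSettings": {"HiddenInstanceTypes": ["ml.r6id.32xlarge"]}}},
    {"UserProfileName": "analyst-c", "UserSettings": {
        "StudioWebPortalSettings": {
            "HiddenInstanceTypes": ["ml.r6id.24xlarge", "ml.r6id.32xlarge"],
            "HiddenSageMakerImageVersionAliases": [
                {"SageMakerImageName": "sagemaker_distribution",
                 "VersionAliases": ["1.9.1", "1.8"]}
            ],
        }}},
]

if __name__ == "__main__":
    for finding in audit_overrides(DOMAIN_DEFAULTS, USER_PROFILES):
        print(finding)
```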

# Multiple domains overview


**Important**  
Custom IAM policies that allow Amazon SageMaker Studio or Amazon SageMaker Studio Classic to create Amazon SageMaker resources must also grant permissions to add tags to those resources. The permission to add tags to resources is required because Studio and Studio Classic automatically tag any resources they create. If an IAM policy allows Studio and Studio Classic to create resources but does not allow tagging, "AccessDenied" errors can occur when trying to create resources. For more information, see [Provide permissions for tagging SageMaker AI resources](security_iam_id-based-policy-examples.md#grant-tagging-permissions).  
[AWS managed policies for Amazon SageMaker AI](security-iam-awsmanpol.md) that give permissions to create SageMaker resources already include permissions to add tags while creating those resources.
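An added example (not AWS code) that lints a custom IAM policy document for the gap described in the note above: create actions allowed without `sagemaker:AddTags`. It only inspects `Allow` statements and their `Action` patterns, ignoring `Deny`, `NotAction`, `Resource` and `Condition`; the list of probed create actions and the sample policies are constructed.

```python
from fnmatch import fnmatchcase

# Create actions to probe. These are real SageMaker actions; which ones to
# probe is a choice made for this example, so extend it to what your roles use.
CREATE_ACTIONS = [
    "sagemaker:CreateApp",
    "sagemaker:CreateSpace",
    "sagemaker:CreateTrainingJob",
    "sagemaker:CreateProcessingJob",
]
TAG_ACTION = "sagemaker:AddTags"


def as_list(value):
    """IAM allows Statement and Action to be a single value or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def allow_patterns(policy):
    """Collect the lower-cased Action patterns from every Allow statement."""
    patterns = []
    for statement in as_list(policy.get("Statement")):
        if statement.get("Effect") == "Allow":
            patterns.extend(a.lower() for a in as_list(statement.get("Action")))
    return patterns


def is_allowed(patterns, action):
    """IAM action names are case-insensitive and may use * and ? wildcards."""
    return any(fnmatchcase(action.lower(), p) for p in patterns)


def creates_without_tagging(policy):
    """Return allowed create actions when the policy lacks sagemaker:AddTags."""
    patterns = allow_patterns(policy)
    if is_allowed(patterns, TAG_ACTION):
        return []
    return [a for a in CREATE_ACTIONS if is_allowed(patterns, a)]


# Constructed sample policies.
POLICY_MISSING_TAGS = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["sagemaker:CreateApp", "sagemaker:CreateSpace"],
        "Resource": "*",
    }],
}
POLICY_WITH_TAGS = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["sagemaker:Create*", "sagemaker:AddTags"],
        "Resource": "*",
    }],
}
POLICY_SERVICE_WILDCARD = {
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow", "Action": "sagemaker:*", "Resource": "*"},
}

if __name__ == "__main__":
    for name, policy in [("missing", POLICY_MISSING_TAGS),
                         ("with-tags", POLICY_WITH_TAGS),
                         ("wildcard", POLICY_SERVICE_WILDCARD)]:
        print(name, creates_without_tagging(policy))
```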

Having multiple Amazon SageMaker AI domains simplifies managing machine learning workflows for administrators of enterprises with diverse business units, teams, or projects. Each domain acts as a logically separate environment with its own configurations, settings, and user access controls. This compartmentalization enables organizations to enforce clear boundaries between different groups, teams, or use cases, enhancing the ability to securely allocate AWS resources and permissions on a broad and granular level.

The following provides information about creating multiple domains.
+ Amazon SageMaker AI supports the creation of multiple Amazon SageMaker AI domains in a single AWS Region for each account. 
+ Additional domains in an AWS Region have the same features and capabilities as the first domain in a Region.
+ Each domain can have distinct domain settings.
+ The same user profile cannot be added to multiple domains in a single Region within the same account.

For information about domain limits, see [Amazon SageMaker AI endpoints and quotas](https://docs.aws.amazon.com//general/latest/gr/sagemaker.html).

The following topics provide information on how to use tags for your domain.

**Topics**
+ [Automatic tag propagation](domain-multiple-tag.md)
+ [How domain resource display filtering works](domain-multiple-filtering.md)
+ [Backfill domain tags](domain-multiple-backfill.md)

# Automatic tag propagation


Tags allow you to categorize and label your resources based on various criteria, such as project, team, environment (for example, dev, staging, prod), or any other custom metadata. You can tag resources by your domain automatically when they are created within your domain. This makes it easier to identify and manage your resources across your domains. You can also use these tags for cost allocation using AWS Billing and Cost Management. For more information, see [Using AWS cost allocation tags](https://docs.aws.amazon.com//awsaccountbilling/latest/aboutv2/cost-alloc-tags.html).

By default, any SageMaker AI resources that support tagging and are created from within the Amazon SageMaker Studio or Amazon SageMaker Studio Classic UI after 11/30/2022 are automatically tagged with a domain ARN tag. The domain ARN tag is based on the domain ID of the domain that the resource is created in. 

To backfill your SageMaker AI resources, you can add the `sagemaker:domain-arn` tag to untagged resources by following the steps in [Backfill domain tags](domain-multiple-backfill.md).

The following list describes the only SageMaker AI resources that *do not* support automatic tag propagation, as well as the impacted API calls where the tag is not returned because it was not automatically set.

**Note**  
SageMaker `List` APIs do not support tag-based resource isolation.  
The `default` app, which manages the Studio UI, is not automatically tagged.


|  SageMaker AI resource  |  Affected API calls  | 
| --- | --- | 
|  ImageVersionArn  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/sagemaker/latest/dg/domain-multiple-tag.html)  | 
|  ModelCardExportJobArn  | [describe-model-card-export-job](https://docs.aws.amazon.com/cli/latest/reference/sagemaker/describe-model-card-export-job.html)  | 
|  ModelPackageArn  | [describe-model-package](https://docs.aws.amazon.com/cli/latest/reference/sagemaker/describe-model-package.html)  | 

# How domain resource display filtering works


Amazon SageMaker AI automatically filters the resources displayed in Studio or Studio Classic based on the Amazon SageMaker AI domain. This filtering is done by using the `sagemaker:domain-arn` tag attached to SageMaker AI resources. Resources created in other domains are automatically hidden.

**Note**  
This only applies to the Studio or Studio Classic UI. SageMaker AI does not support resource filtering using the AWS CLI by default. 

In Amazon SageMaker Studio or Amazon SageMaker Studio Classic, you'll only see resources that: 
+ Were created within the current domain.
+ Don't have the `sagemaker:domain-arn` tag associated with them. These untagged resources are either created outside the context of a domain or were created before 11/30/2022.

To improve resource filtering, you can add the `sagemaker:domain-arn` tag to untagged resources by following the steps in [Backfill domain tags](domain-multiple-backfill.md).

Additionally, all resources created in shared spaces are automatically filtered to that particular shared space.

# Backfill domain tags


You can improve resource filtering by adding domain tags to untagged resources. If you have resources that are not tagged, you can backfill them.

If you have created resources in a domain before 11/30/2022, those resources are not automatically tagged with the domain Amazon Resource Name (ARN) tag.

To accurately attribute resources to their respective domain, you must add the domain tag to existing resources using the AWS CLI, as follows.

1. Map all existing SageMaker AI resources and their respective ARNs to the domains that exist in your account.

1. Run the following command from your local machine to tag the resource with the ARN of the resource's respective domain. This must be repeated for every SageMaker AI resource in your account.

   ```
   aws resourcegroupstaggingapi tag-resources \
       --resource-arn-list arn:aws:sagemaker:region:account-id:space/domain-id/space-name \
       --tags sagemaker:domain-arn=arn:aws:sagemaker:region:account-id:domain/domain-id
   ```
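The two steps above, as an added Python example that is not part of the AWS documentation: it reads the domain ID out of `space`, `user-profile` and `app` ARNs, takes a hand-made mapping for every other resource type, and renders the `tag-resources` command for each untagged resource. The inventory, account ID, domain IDs, function names and the `--region` option on the generated command are constructed or assumed for illustration.

```python
import re
import shlex

DOMAIN_TAG = "sagemaker:domain-arn"
# Resource types whose ARN carries the domain ID as its first path segment,
# like the space ARN in the command above (assumed to hold for these three types).
DOMAIN_SCOPED_TYPES = {"space", "user-profile", "app"}
ARN_RE = re.compile(r"^arn:(aws[\w-]*):sagemaker:([\w-]+):(\d{12}):([\w-]+)/(.+)$")

# Constructed sample data: resource ARN -> tags currently on the resource.
_PREFIX = "arn:aws:sagemaker:us-east-1:111122223333:"
SAMPLE_DOMAIN_IDS = {"d-exampledomain1", "d-exampledomain2"}
SAMPLE_INVENTORY = {
    _PREFIX + "space/d-exampledomain1/team-space": {},
    _PREFIX + "training-job/churn-2022-10": {"project": "churn"},
    _PREFIX + "app/d-exampledomain1/alice/kernelgateway/ds-app": {
        DOMAIN_TAG: _PREFIX + "domain/d-exampledomain2"},
    _PREFIX + "endpoint/legacy-endpoint": {},
    _PREFIX + "user-profile/d-exampledomain2/bob": {
        DOMAIN_TAG: _PREFIX + "domain/d-exampledomain2"},
}
# Step 1 for resources whose ARN does not name a domain: mapped by hand.
SAMPLE_MANUAL_MAP = {_PREFIX + "training-job/churn-2022-10": "d-exampledomain2"}


def owner_domain_arn(resource_arn, manual_map, known_domain_ids):
    """Return the ARN of the domain that owns resource_arn, or None if unknown."""
    match = ARN_RE.match(resource_arn)
    if match is None:
        raise ValueError(f"not a SageMaker resource ARN: {resource_arn!r}")
    partition, region, account, resource_type, path = match.groups()
    if resource_type in DOMAIN_SCOPED_TYPES:
        domain_id = path.split("/", 1)[0]
    else:
        domain_id = manual_map.get(resource_arn)
    if domain_id not in known_domain_ids:
        return None
    return f"arn:{partition}:sagemaker:{region}:{account}:domain/{domain_id}"


def plan_backfill(inventory, manual_map, known_domain_ids):
    """Sort resources into: needs the tag, tagged with another domain, unmapped."""
    plan = {"tag": [], "conflict": [], "unmapped": []}
    for resource_arn, tags in inventory.items():
        expected = owner_domain_arn(resource_arn, manual_map, known_domain_ids)
        current = tags.get(DOMAIN_TAG)
        if current is None and expected is None:
            plan["unmapped"].append(resource_arn)
        elif current is None:
            plan["tag"].append((resource_arn, expected))
        elif expected is not None and current != expected:
            # Report instead of overwriting: the tag decides which domain shows the resource.
            plan["conflict"].append((resource_arn, current, expected))
    return plan


def tag_command(resource_arn, domain_arn):
    """Render step 2 of the procedure for one resource."""
    region = ARN_RE.match(resource_arn).group(2)
    return " ".join([
        "aws resourcegroupstaggingapi tag-resources",
        "--region", shlex.quote(region),
        "--resource-arn-list", shlex.quote(resource_arn),
        "--tags", shlex.quote(f"{DOMAIN_TAG}={domain_arn}"),
    ])


if __name__ == "__main__":
    plan = plan_backfill(SAMPLE_INVENTORY, SAMPLE_MANUAL_MAP, SAMPLE_DOMAIN_IDS)
    for resource_arn, domain_arn in plan["tag"]:
        print(tag_command(resource_arn, domain_arn))
    for resource_arn, current, expected in plan["conflict"]:
        print(f"# CONFLICT {resource_arn}: tagged {current}, expected {expected}")
    for resource_arn in plan["unmapped"]:
        print(f"# UNMAPPED {resource_arn}: add it to the manual map")
```

Resources reported as conflicts or unmapped are left untouched so that a person decides which domain they belong to before any tag is written.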

# Isolate domain resources


**Important**  
Custom IAM policies that allow Amazon SageMaker Studio or Amazon SageMaker Studio Classic to create Amazon SageMaker resources must also grant permissions to add tags to those resources. The permission to add tags to resources is required because Studio and Studio Classic automatically tag any resources they create. If an IAM policy allows Studio and Studio Classic to create resources but does not allow tagging, "AccessDenied" errors can occur when trying to create resources. For more information, see [Provide permissions for tagging SageMaker AI resources](security_iam_id-based-policy-examples.md#grant-tagging-permissions).  
[AWS managed policies for Amazon SageMaker AI](security-iam-awsmanpol.md) that give permissions to create SageMaker resources already include permissions to add tags while creating those resources.

You can isolate resources between each of the domains in your account and AWS Region using an AWS Identity and Access Management (IAM) policy. The isolated resources can no longer be accessed from other domains. This topic discusses the conditions required for the IAM policy and how to apply them.

The resources that can be isolated by this policy are the resource types that have condition keys containing `aws:ResourceTag/${TagKey}` or `sagemaker:ResourceTag/${TagKey}`. For a reference on the SageMaker AI resources and associated condition keys, see [Actions, resources, and condition keys for Amazon SageMaker AI](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonsagemaker.html).

**Warning**  
The resource types that *do not* contain the above condition keys (and therefore the [Actions](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonsagemaker.html#amazonsagemaker-actions-as-permissions) that use the resource types) are *not* impacted by this resource isolation policy. For example, the [pipeline-execution](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonsagemaker.html#amazonsagemaker-pipeline-execution) resource type does *not* contain the above condition keys and is *not* impacted by this policy. Therefore, the following are a few of the actions, with the pipeline-execution resource type, that are *not* supported for resource isolation:

+ DescribePipelineExecution
+ StopPipelineExecution
+ UpdatePipelineExecution
+ RetryPipelineExecution
+ DescribePipelineDefinitionForExecution
+ ListPipelineExecutionSteps
+ SendPipelineExecutionStepSuccess
+ SendPipelineExecutionStepFailure

The following topic shows how to create a new IAM policy that limits access to resources in the domain to user profiles with the domain tag, as well as how to attach this policy to the IAM execution role of the domain. You must repeat this process for each domain in your account. For more information about domain tags and backfilling these tags, see [Multiple domains overview](domain-multiple.md).

## Console


The following section shows how to create a new IAM policy that limits access to resources in the domain to user profiles with the domain tag, as well as how to attach this policy to the IAM execution role of the domain, from the Amazon SageMaker AI console. 

**Note**  
This policy only works in domains that use Amazon SageMaker Studio Classic as the default experience.

1. Create an IAM policy named `StudioDomainResourceIsolationPolicy-domain-id` with the following JSON policy document by completing the steps in [Creating IAM policies (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create-console.html). 

   ```
   {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Sid": "CreateAPIs",
               "Effect": "Allow",
               "Action": "sagemaker:Create*",
               "NotResource": [
                   "arn:aws:sagemaker:*:*:domain/*",
                   "arn:aws:sagemaker:*:*:user-profile/*",
                   "arn:aws:sagemaker:*:*:space/*"
               ]
           },
           {
               "Sid": "ResourceAccessRequireDomainTag",
               "Effect": "Allow",
               "Action": [
                   "sagemaker:Update*",
                   "sagemaker:Delete*",
                   "sagemaker:Describe*"
               ],
               "Resource": "*",
               "Condition": {
                   "StringEquals": {
                       "aws:ResourceTag/sagemaker:domain-arn": "domain-arn"
                   }
               }
           },
           {
               "Sid": "AllowActionsThatDontSupportTagging",
               "Effect": "Allow",
               "Action": [
                   "sagemaker:DescribeImageVersion",
                   "sagemaker:UpdateImageVersion",
                   "sagemaker:DeleteImageVersion",
                   "sagemaker:DescribeModelCardExportJob",
                   "sagemaker:DescribeAction"
               ],
               "Resource": "*"
           },
           {
               "Sid": "DeleteDefaultApp",
               "Effect": "Allow",
               "Action": "sagemaker:DeleteApp",
               "Resource": "arn:aws:sagemaker:*:*:app/domain-id/*/jupyterserver/default"
           }
       ]
   }
   ```


1. Attach the `StudioDomainResourceIsolationPolicy-domain-id` policy to the domain's execution role by completing the steps in [Modifying a role (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/roles-managingrole-editing-console.html#roles-modify_permissions-policy). 

## AWS CLI


The following section shows how to create a new IAM policy that limits access to resources in the domain to user profiles with the domain tag, as well as how to attach this policy to the execution role of the domain, from the AWS CLI.

**Note**  
This policy only works in domains that use Amazon SageMaker Studio Classic as the default experience.

1. Create a file named `StudioDomainResourceIsolationPolicy-domain-id` with the following content from your local machine.

   ```
   {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Sid": "CreateAPIs",
               "Effect": "Allow",
               "Action": "sagemaker:Create*",
               "NotResource": [
                   "arn:aws:sagemaker:*:*:domain/*",
                   "arn:aws:sagemaker:*:*:user-profile/*",
                   "arn:aws:sagemaker:*:*:space/*"
               ]
           },
           {
               "Sid": "ResourceAccessRequireDomainTag",
               "Effect": "Allow",
               "Action": [
                   "sagemaker:Update*",
                   "sagemaker:Delete*",
                   "sagemaker:Describe*"
               ],
               "Resource": "*",
               "Condition": {
                   "StringEquals": {
                       "aws:ResourceTag/sagemaker:domain-arn": "domain-arn"
                   }
               }
           },
           {
               "Sid": "AllowActionsThatDontSupportTagging",
               "Effect": "Allow",
               "Action": [
                   "sagemaker:DescribeImageVersion",
                   "sagemaker:UpdateImageVersion",
                   "sagemaker:DeleteImageVersion",
                   "sagemaker:DescribeModelCardExportJob",
                   "sagemaker:DescribeAction"
               ],
               "Resource": "*"
           },
           {
               "Sid": "DeleteDefaultApp",
               "Effect": "Allow",
               "Action": "sagemaker:DeleteApp",
               "Resource": "arn:aws:sagemaker:*:*:app/domain-id/*/jupyterserver/default"
           }
       ]
   }
   ```


1. Create a new IAM policy using the `StudioDomainResourceIsolationPolicy-domain-id` file. 

   ```
   aws iam create-policy --policy-name StudioDomainResourceIsolationPolicy-domain-id --policy-document file://StudioDomainResourceIsolationPolicy-domain-id
   ```

1. Attach the newly created policy to a new or existing role that is used as the domain's execution role. 

   ```
   aws iam attach-role-policy --policy-arn arn:aws:iam::account-id:policy/StudioDomainResourceIsolationPolicy-domain-id --role-name domain-execution-role
   ```
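Because the same policy document has to be filled in and attached once per domain, from the console or the AWS CLI, the following added Python example (not part of the AWS documentation) renders the document for a given domain ARN and checks an existing document for leftover placeholders or another domain's values. The domain ARNs are constructed sample values and the function names are hypothetical.

```python
import json
import re

TAG_KEY = "aws:ResourceTag/sagemaker:domain-arn"
DOMAIN_ARN_RE = re.compile(r"^arn:aws[\w-]*:sagemaker:[\w-]+:\d{12}:domain/([\w-]+)$")
APP_ARN_RE = re.compile(r"^arn:aws[\w-]*:sagemaker:[^:]*:[^:]*:app/([^/]+)/")
# Wildcard actions that must carry the domain tag condition when used on "*".
GUARDED_ACTION_RE = re.compile(r"sagemaker:(Update|Delete|Describe)?\*|\*")

# Constructed sample values, not real domains.
SAMPLE_DOMAIN_A = "arn:aws:sagemaker:us-east-1:111122223333:domain/d-exampledomain1"
SAMPLE_DOMAIN_B = "arn:aws:sagemaker:us-east-1:111122223333:domain/d-exampledomain2"


def domain_id_of(domain_arn):
    match = DOMAIN_ARN_RE.match(domain_arn)
    if match is None:
        raise ValueError(f"not a SageMaker domain ARN: {domain_arn!r}")
    return match.group(1)


def render_policy(domain_arn):
    """Return (policy name, document): the page's policy with both placeholders filled."""
    domain_id = domain_id_of(domain_arn)
    document = {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "CreateAPIs", "Effect": "Allow", "Action": "sagemaker:Create*",
             "NotResource": ["arn:aws:sagemaker:*:*:domain/*",
                             "arn:aws:sagemaker:*:*:user-profile/*",
                             "arn:aws:sagemaker:*:*:space/*"]},
            {"Sid": "ResourceAccessRequireDomainTag", "Effect": "Allow",
             "Action": ["sagemaker:Update*", "sagemaker:Delete*", "sagemaker:Describe*"],
             "Resource": "*",
             "Condition": {"StringEquals": {TAG_KEY: domain_arn}}},
            {"Sid": "AllowActionsThatDontSupportTagging", "Effect": "Allow",
             "Action": ["sagemaker:DescribeImageVersion", "sagemaker:UpdateImageVersion",
                        "sagemaker:DeleteImageVersion",
                        "sagemaker:DescribeModelCardExportJob", "sagemaker:DescribeAction"],
             "Resource": "*"},
            {"Sid": "DeleteDefaultApp", "Effect": "Allow", "Action": "sagemaker:DeleteApp",
             "Resource": f"arn:aws:sagemaker:*:*:app/{domain_id}/*/jupyterserver/default"},
        ],
    }
    return f"StudioDomainResourceIsolationPolicy-{domain_id}", document


def as_list(value):
    return value if isinstance(value, list) else [value]


def lint_policy(document, domain_arn):
    """Return findings for a document that is meant to isolate domain_arn."""
    domain_id = domain_id_of(domain_arn)
    findings = []
    for statement in document.get("Statement", []):
        sid = statement.get("Sid", "<no Sid>")
        guarded = [a for a in as_list(statement.get("Action", []))
                   if GUARDED_ACTION_RE.fullmatch(a)]
        resources = as_list(statement.get("Resource", []))
        tag_value = statement.get("Condition", {}).get("StringEquals", {}).get(TAG_KEY)
        if guarded and "*" in resources:
            if tag_value is None:
                findings.append(
                    f"{sid}: {', '.join(guarded)} on * without the {TAG_KEY} condition")
            elif tag_value != domain_arn:
                findings.append(
                    f"{sid}: tag condition {tag_value!r} does not match {domain_arn!r}")
        for resource in resources:
            app = APP_ARN_RE.match(resource)
            if app and app.group(1) != domain_id:
                findings.append(
                    f"{sid}: app ARN is scoped to {app.group(1)!r}, not {domain_id!r}")
    return findings


if __name__ == "__main__":
    name, document = render_policy(SAMPLE_DOMAIN_A)
    print(name)
    print(json.dumps(document, indent=4))
    # A document rendered for domain B but about to be attached to domain A's role.
    _, copied = render_policy(SAMPLE_DOMAIN_B)
    for finding in lint_policy(copied, SAMPLE_DOMAIN_A):
        print("FINDING:", finding)
```

Running the lint step before `aws iam create-policy` catches a document that still contains the literal `domain-arn` or `domain-id` placeholders, which would otherwise be accepted by IAM and match no resource.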

# Default settings for Amazon SageMaker AI domains

With SageMaker AI, you can set default settings for your resources at the Amazon SageMaker AI domain level. These default settings are used in the creation of resources within the domain. The following sections list the default settings for a domain and give information on using context keys when setting defaults.

**Topics**
+ [Domain default settings](#domain-set-defaults-domains)
+ [Context keys](#domain-set-defaults-context)

## Domain default settings


You can set the following defaults when creating or updating a domain. Values passed at the user profile and shared space level override defaults set at the domain level.
+ [DefaultUserSettings](https://docs.aws.amazon.com//sagemaker/latest/APIReference/API_UserSettings.html)
+ DefaultSpaceSettings
**Note**  
`DefaultSpaceSettings` only supports the use of JupyterLab 3 image ARNs for `SageMakerImageArn`. For more information, see [JupyterLab Versioning in Amazon SageMaker Studio Classic](studio-jl.md).

  ```
  "DefaultSpaceSettings": { 
        "ExecutionRole": "string",
        "JupyterServerAppSettings": { 
           "DefaultResourceSpec": { 
              "InstanceType": "string",
              "LifecycleConfigArn": "string",
              "SageMakerImageArn": "string",
              "SageMakerImageVersionArn": "string"
           },
           "LifecycleConfigArns": [ "string" ]
        },
        "KernelGatewayAppSettings": { 
           "CustomImages": [ 
              { 
                 "AppImageConfigName": "string",
                 "ImageName": "string",
                 "ImageVersionNumber": number
              }
           ],
           "DefaultResourceSpec": { 
              "InstanceType": "string",
              "LifecycleConfigArn": "string",
              "SageMakerImageArn": "string",
              "SageMakerImageVersionArn": "string"
           },
           "LifecycleConfigArns": [ "string" ]
        },
        "SecurityGroups": [ "string" ]
     }
  ```

## Context keys


You can add context keys to the IAM policy that creates a domain. This restricts the values that users can pass for those fields. The following list shows the context keys that a domain supports and where they're implemented.
+ `sagemaker:ImageArns`
  + **Implemented as part of `DefaultUserSettings`:** `SageMakerImageArn` in `DefaultUserSettings.JupyterServerAppSettings` and `DefaultUserSettings.KernelGatewayAppSettings`. `CustomImages` in `DefaultUserSettings.KernelGatewayAppSettings`.
  + **Implemented as part of `DefaultSpaceSettings`:** `SageMakerImageArn` in `DefaultSpaceSettings.JupyterServerAppSettings` and `DefaultSpaceSettings.KernelGatewayAppSettings`. `CustomImages` in `DefaultSpaceSettings.KernelGatewayAppSettings`.
+ `sagemaker:VpcSecurityGroupIds`
  + **Implemented as part of `DefaultUserSettings`:** `SecurityGroups` in `DefaultUserSettings`.
  + **Implemented as part of `DefaultSpaceSettings`:** `SecurityGroups` in `DefaultSpaceSettings`.
+ `sagemaker:DomainSharingOutputKmsKey`
  + **Implemented as part of `DefaultUserSettings`:** `S3KmsKeyId` in `DefaultSpaceSettings.SharingSettings`.

 You cannot restrict users to passing incompatible values when using context keys for the defaults. For example, the values for `SageMakerImageArn` set as part of `DefaultUserSettings` and `DefaultSpaceSettings` must be compatible. You cannot set incompatible default values.

# Custom tag propagation


 Amazon SageMaker AI supports the ability to propagate custom tags set at the domain, user profile, and space level to all of the SageMaker AI resources created in the context of Amazon SageMaker Studio, JupyterLab, Code Editor, based on Code-OSS, Visual Studio Code - Open Source, and Amazon SageMaker Canvas. With custom tag propagation, users can propagate their own custom tags to resources to improve cost tracking and tie resources to specific projects and teams. 

 To activate this feature, use the `TagPropagation` attribute in the [CreateDomain](https://docs.aws.amazon.com/sagemaker/latest/APIReference/API_CreateDomain.html) and [UpdateDomain](https://docs.aws.amazon.com/sagemaker/latest/APIReference/API_UpdateDomain.html) APIs. Custom tag propagation can only be set at the domain level, which means that all users and spaces in a domain use the feature when it is activated. It is not possible to modify custom tag propagation settings at the user profile or space level. For more information about using custom tag propagation, see [Add custom tags to resources](custom-tags-add.md). 

**Note**  
System tags added by AWS services on a domain, user profile, and space are not propagated. 

## Example use cases


 Custom tag propagation is particularly useful for the following use cases. 
+  Track cost across all of the SageMaker AI resources created in Amazon SageMaker Studio. 
+  Track cost for SageMaker AI resources that are created in Amazon SageMaker Canvas. This includes models deployed on a SageMaker AI endpoint.
+  Track cost incurred for an Amazon DataZone project by propagating the Amazon DataZone project ID to all the resources created by Amazon SageMaker Studio. 

## Tag merging


 With custom tag propagation activated, resources created at the user profile and space level take on the tags specified at the domain level, as well as those specified during user profile or space creation.

 SageMaker AI resources have a 50 tag limit. If the number of tags added to a resource exceeds 50, SageMaker AI returns an error during resource creation. We recommend limiting the number of tags to avoid this. For example, assume a user has 25 tags for their domain and 30 tags for their user profile. When the user creates a resource, a total of 55 tags propagate to the resource. Because the aggregate tag total exceeds 50, resource creation fails until the user removes at least 5 tags. 

**Note**  
By default, SageMaker AI automatically adds the `sagemaker:user-profile-arn`, `sagemaker:domain-arn`, or `sagemaker:space-arn` tag to SageMaker AI resources. SageMaker AI adds the ARN tag regardless of whether or not the domain is using custom tag propagation. These ARN tags also contribute toward the 50 tag limit. 

# Add custom tags to resources


 The following page demonstrates the steps needed to use custom tag propagation. Custom tag propagation requires the following steps: 
+  Opt-in to custom tag propagation 
+  Add custom tags to resources 

 When you activate custom tag propagation in an existing domain, tag propagation does not work for existing applications until the application is restarted. Similarly, tags are not updated on an existing resource when new custom tags are added. For example, assume a domain has two tags and a user creates a resource in that domain. The resource then has two tags. If a new tag is added to the domain, then that new tag is not added to the existing resource. However, any new resource created will have the new tag attached to the resource.

## Prerequisites

+  Users must have the `sagemaker:AddTags` permission for any resource creation. 
  +  For new domains created with the `SageMakerFullAccess` managed policy or using the SageMaker Role Manager, the `sagemaker:AddTags` permission is pre-populated. 
  +  For existing domains using custom AWS Identity and Access Management policies, you must update the policies to include the `sagemaker:AddTags` permission to allow users to create resources.

## Opt-in to custom tag propagation


The process to opt in to custom tag propagation depends on whether you are opting in from the console or from the AWS CLI. From the console, you can only opt in to custom tag propagation by updating an existing domain. From the AWS CLI, you can opt in to custom tag propagation when creating a domain or updating an existing domain.



### Opt-in from the console


The following steps outline how to opt-in to custom tag propagation from the console. You can only opt-in to custom tag propagation from the console by updating an existing domain.

1. Open the Amazon SageMaker AI console at [https://console.aws.amazon.com/sagemaker/](https://console.aws.amazon.com/sagemaker/).

1. On the left navigation, select **Admin configurations**. Under **Admin configurations**, select **Domains**.

1. On the **Domains** page, select the domain that you want to activate custom tag propagation for.

1. From the **Domain details** page, select the **Domain settings** tab.

1. On the **Domain settings** tab, navigate to **Custom Tag Propagation**.

1. Select **Edit**.

1. From the **Edit custom tag propagation** page, select **Automatically propagate custom tags**.

1. Select **Submit**.

### Opt-in using the AWS CLI


 To opt-in to custom tag propagation using the AWS CLI, use the `TagPropagation` attribute in the [CreateDomain](https://docs.aws.amazon.com/sagemaker/latest/APIReference/API_CreateDomain.html) and [UpdateDomain](https://docs.aws.amazon.com/sagemaker/latest/APIReference/API_UpdateDomain.html) APIs. By default, the value of this field is `DISABLED`. An empty value also defaults to `DISABLED`. The following example shows how to activate custom tag propagation. 

```
aws sagemaker update-domain \
--domain-id domain-id \
--region region \
--tag-propagation ENABLED
```

## Add custom tags


The process to add custom tags depends on whether you are adding them from the console or from the AWS CLI.

### Add from the console


The following steps outline how to add custom tags to a domain from the console.

1. Open the Amazon SageMaker AI console at [https://console.aws.amazon.com/sagemaker/](https://console.aws.amazon.com/sagemaker/).

1. On the left navigation, select **Admin configurations**. Under **Admin configurations**, select **Domains**.

1. On the **Domains** page, select the domain that you want to add custom tags to.

1. From the **Domain details** page, select the **Domain settings** tab.

1. On the **Domain settings** tab, navigate to **Tags**.

1. Select **Edit**.

1. From the **Tags** page, select **Add tag**. Add a key and value pair for the custom tag.

1. Select **Save**. This custom tag is now propagated to the SageMaker AI resources created in the domain.

The following steps outline how to add custom tags to a user profile from the console.

1. Open the Amazon SageMaker AI console at [https://console.aws.amazon.com/sagemaker/](https://console.aws.amazon.com/sagemaker/).

1. On the left navigation, select **Admin configurations**. Under **Admin configurations**, select **Domains**.

1. On the **Domains** page, select the domain containing the user profile that you want to add custom tags to.

1. From the **Domain details** page, select the **User profiles** tab.

1. On the **User profiles** tab, select the user profile you want to add custom tags to.

1. On the **User Details** tab, navigate to the **Details** section.

1. Select **Edit**.

1. From the **Tags** section, select **Add tag**. Add a key and value pair for the custom tag.

1. Select **Submit**. This custom tag is now propagated to the SageMaker AI resources created in the domain.

### Add using the AWS CLI


After you have activated custom tag propagation, you can add custom tags using the AWS CLI at the domain, user profile, or space level during creation or update. The method to add custom tags depends on whether you are creating a new resource or adding tags to an existing resource.

 The following example shows how to add custom tags at the domain level during creation. 

```
aws sagemaker create-domain \
    --domain-name domain-id \
    --auth-mode IAM \
    --default-user-settings '{"ExecutionRole": "execution-role"}' \
    --subnet-ids subnet-id \
    --vpc-id vpc-id \
    --tags Key=key,Value=value \
    --tag-propagation ENABLED
```

 You must use the [AddTags](https://docs.aws.amazon.com/sagemaker/latest/APIReference/API_AddTags.html) API to add custom tags for existing domain, user profile, and spaces as follows. 

```
aws sagemaker add-tags \
--resource-arn resource-arn-to-attach-tags \
--tags Key=key,Value=value
```

# Opt-out of custom tag propagation


The process to opt out of custom tag propagation depends on whether you are opting out from the console or from the AWS CLI.

## Opt-out from the console


The following steps outline how to opt-out of custom tag propagation from the console. You can only opt-out of custom tag propagation from the console by updating an existing domain.

1. Open the Amazon SageMaker AI console at [https://console.aws.amazon.com/sagemaker/](https://console.aws.amazon.com/sagemaker/).

1. On the left navigation, select **Admin configurations**. Under **Admin configurations**, select **Domains**.

1. On the **Domains** page, select the domain that you want to opt-out of custom tag propagation for.

1. From the **Domain details** page, select the **Domain settings** tab.

1. On the **Domain settings** tab, navigate to **Custom Tag Propagation**.

1. Select **Edit**.

1. From the **Edit custom tag propagation** page, select **Automatically propagate custom tags**.

1. Select **Submit**.

## Opt-out using the AWS CLI


To opt-out of custom tag propagation, set the `TagPropagation` attribute in the [CreateDomain](https://docs.aws.amazon.com/sagemaker/latest/APIReference/API_CreateDomain.html) and [UpdateDomain](https://docs.aws.amazon.com/sagemaker/latest/APIReference/API_UpdateDomain.html) APIs to `DISABLED` as shown in the following example. By default, the value of this field is `DISABLED`. An empty value also defaults to `DISABLED`.  

**Note**  
Tag propagation is not automatically turned off for existing applications when `TagPropagation` is set to `DISABLED`. Applications must be restarted for opt-out to take effect for existing apps. 

```
aws sagemaker update-domain \
--domain-id domain-id \
--region region \
--tag-propagation DISABLED
```

# Adding a custom file system to a domain

When you create a domain, Amazon SageMaker AI adds a default Amazon Elastic File System (Amazon EFS) volume to the domain. SageMaker AI creates this volume for you. You also have the option to add a custom Amazon EFS or a custom Amazon FSx for Lustre file system that you've created. After you add it, your file system is available to users who belong to your domain. Your users can access the file system when they use Amazon SageMaker Studio. They can attach the file system to spaces that they create for the following supported applications: 
+ JupyterLab
+ Code Editor

After running a space and starting the application, your users can access any data, code, or other artifacts that your file system contains.

You can enable your users to access your file system in the following ways:
+ Through *shared spaces* – A shared space can be created by any user who belongs to your domain. Then, it can be used by any user who belongs to your domain.
+ Through *private spaces* – A private space can be created by any user who belongs to your domain. Then, it can be used by only that user.
+ Exclusively as an individual user – If you don't want to enable all of your users to access the file system, you can enable only a specific user to access it. If you do that, the file system is available only in private spaces that the specific user creates.

You can add a custom file system by using the Amazon SageMaker API, the AWS SDKs, or the AWS CLI. You can't add a custom file system by using the SageMaker AI console.

## Prerequisites


Before you can add a custom file system to a domain, you must meet the following requirements:
+ You have a domain in SageMaker AI. Before you can add a file system, you need the domain ID. You can look up the ID by using the SageMaker AI console. You can also run the [list-domains](https://docs.aws.amazon.com/cli/latest/reference/sagemaker/list-domains.html) command with the AWS CLI.
+ You have an Amazon EFS or FSx for Lustre file system in your AWS account. 

------
#### [ For Amazon EFS ]
  + For the steps to create an Amazon EFS, see [Create your Amazon EFS file system](https://docs.aws.amazon.com/efs/latest/ug/gs-step-two-create-efs-resources.html) in the *Amazon Elastic File System User Guide*.
  + Before Studio can access your file system, it must have a mount target in each of the subnets that you associate with the domain. For more information about assigning mount targets to subnets, see [Creating and managing mount targets and security groups](https://docs.aws.amazon.com/efs/latest/ug/accessing-fs.html) in the *Amazon Elastic File System User Guide*.
  + For each mount target, you must add the security group that Amazon SageMaker AI created in your AWS account when you created the domain. The security group name has the format `security-group-for-inbound-nfs-domain-id`. For instructions on how to obtain your domain ID, see [View domains](domain-view.md).
  + Your IAM permissions must allow you to use the `elasticfilesystem:DescribeMountTargets` action. For more information about this action, see [Actions, resources, and condition keys for Amazon Elastic File System](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonelasticfilesystem.html) in the *Service Authorization Reference*.

------
#### [ For FSx for Lustre ]
  + For the steps to create an FSx for Lustre file system, see [Getting started with Amazon FSx for Lustre](https://docs.aws.amazon.com/fsx/latest/LustreGuide/getting-started.html.html) in the *Amazon FSx for Lustre User Guide*. Ensure that the FSx for Lustre file system exists in:
    + The same Amazon VPC as your domain.
    + One of the subnets present in your domain.
  + Before Studio can access the FSx for Lustre file system, you must add your domain's security group to all of the elastic network interfaces (ENIs) in your FSx for Lustre file system. Without this step, the app creation fails with an error. Use the following instructions to add the domain security group to your FSx for Lustre file system ENIs. 

**Add your domain security group to FSx for Lustre file system ENIs (console)**

    1. Navigate to the [Amazon FSx console](https://console.aws.amazon.com/fsx).

    1. Choose **File systems**.

    1. Choose your FSx for Lustre file system by using the corresponding link under **File system ID**.

    1. If not selected already, choose the **Network & security** tab.

    1. Under **Subnet**, choose **To see all the ENIs, see the Amazon EC2 console**. This takes you to the Amazon EC2 console, which shows all of the ENIs linked to your FSx for Lustre file system.

    1. For each ENI:

       1. Choose the ENI by choosing the corresponding link under **Network interface ID**.

       1. Choose **Actions** at the top right of the summary page to expand a drop-down menu.

       1. In the drop-down menu, choose **Choose security group**.

       1. Search for your domain security group.

          The security group name has the format `security-group-for-inbound-nfs-domain-id`. For instructions on how to obtain your domain ID, see [View domains](domain-view.md). 

       1. Choose **Add security group**.

------
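For the Amazon EFS prerequisites above (a mount target in each domain subnet, each carrying the domain's `security-group-for-inbound-nfs-domain-id` group), the following added Python example, which is not part of the AWS documentation, checks saved AWS CLI output before the file system is attached. The sample data is constructed in the shape returned by `aws ec2 describe-security-groups`, `aws efs describe-mount-targets` and `aws efs describe-mount-target-security-groups`; all IDs and function names are made up.

```python
# Constructed sample data shaped like AWS CLI output; every ID is made up.
SAMPLE_DOMAIN_ID = "d-exampledomain1"
SAMPLE_DOMAIN_SUBNETS = ["subnet-0aaa", "subnet-0bbb", "subnet-0ccc"]
# aws ec2 describe-security-groups -> "SecurityGroups"
SAMPLE_SECURITY_GROUPS = [
    {"GroupId": "sg-0nfs1", "GroupName": "security-group-for-inbound-nfs-d-exampledomain1"},
    {"GroupId": "sg-0nfs2", "GroupName": "security-group-for-inbound-nfs-d-exampledomain2"},
    {"GroupId": "sg-0default", "GroupName": "default"},
]
# aws efs describe-mount-targets --file-system-id <id> -> "MountTargets"
SAMPLE_MOUNT_TARGETS = [
    {"MountTargetId": "fsmt-0aaa", "SubnetId": "subnet-0aaa"},
    {"MountTargetId": "fsmt-0bbb", "SubnetId": "subnet-0bbb"},
]
# aws efs describe-mount-target-security-groups, collected per mount target ID
SAMPLE_MOUNT_TARGET_SGS = {
    "fsmt-0aaa": ["sg-0nfs1"],
    "fsmt-0bbb": ["sg-0default", "sg-0nfs2"],  # another domain's group, not ours
}


def domain_security_group_id(domain_id, security_groups):
    """Find the group SageMaker AI created for the domain by its documented name."""
    wanted = f"security-group-for-inbound-nfs-{domain_id}"
    matches = [g["GroupId"] for g in security_groups if g["GroupName"] == wanted]
    if len(matches) != 1:
        raise LookupError(f"expected one group named {wanted}, found {len(matches)}")
    return matches[0]


def check_efs_prerequisites(domain_subnets, domain_sg_id, mount_targets, mount_target_sgs):
    """Return {subnet ID: problem} for each domain subnet that fails a prerequisite."""
    by_subnet = {mt["SubnetId"]: mt["MountTargetId"] for mt in mount_targets}
    problems = {}
    for subnet_id in domain_subnets:
        mount_target_id = by_subnet.get(subnet_id)
        if mount_target_id is None:
            problems[subnet_id] = "no mount target in this subnet"
        elif domain_sg_id not in mount_target_sgs.get(mount_target_id, []):
            problems[subnet_id] = (
                f"mount target {mount_target_id} lacks security group {domain_sg_id}")
    return problems


if __name__ == "__main__":
    sg_id = domain_security_group_id(SAMPLE_DOMAIN_ID, SAMPLE_SECURITY_GROUPS)
    report = check_efs_prerequisites(
        SAMPLE_DOMAIN_SUBNETS, sg_id, SAMPLE_MOUNT_TARGETS, SAMPLE_MOUNT_TARGET_SGS)
    for subnet_id, problem in report.items():
        print(f"{subnet_id}: {problem}")
```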

## Adding a custom file system to a domain with the AWS CLI

To add a custom file system to a domain or user profile with the AWS CLI, you pass a `CustomFileSystemConfigs` definition when you use any of the following commands:
+ [create-domain](https://docs.aws.amazon.com/cli/latest/reference/sagemaker/create-domain.html)
+ [update-domain](https://docs.aws.amazon.com/cli/latest/reference/sagemaker/update-domain.html)
+ [create-user-profile](https://docs.aws.amazon.com/cli/latest/reference/sagemaker/create-user-profile.html)
+ [update-user-profile](https://docs.aws.amazon.com/cli/latest/reference/sagemaker/update-user-profile.html)

The following examples show how to add a file system to an existing domain or user profile.

**To add a file system that is accessible in shared spaces**
+ Update the default space settings for your domain. The following example adds the file system settings to the default space settings:

  ```
  aws sagemaker update-domain --domain-id domain-id \
  --default-space-settings file://file-system-settings.json
  ```

  This example passes the file system configuration as a JSON file, which is shown in a later example.

**To add a file system that is accessible in private spaces**
+ Update the default user settings for your domain. The following example adds the file system settings to the default user settings:

  ```
  aws sagemaker update-domain --domain-id domain-id \
  --default-user-settings file://file-system-settings.json
  ```

  This example passes the file system configuration as a JSON file, which is shown in a later example.

**To add a file system that is accessible only to an individual user**
+ Update the user profile for the user. The following example adds the file system settings to a user profile:

  ```
  aws sagemaker update-user-profile --domain-id domain-id \
  --user-profile-name user-profile-name \
  --user-settings file://file-system-settings.json
  ```

  This example passes the file system configuration as a JSON file, which is shown in the following example.

**Example file system settings file**  
The file in the preceding examples, `file-system-settings.json`, has the following settings:  

```
{
    "CustomFileSystemConfigs":
    [
        {
            "FSxLustreFileSystemConfig":
            {
              "FileSystemId": "file-system-id",
              "FileSystemPath": "/"
            }
        }
    ]
}
```
This example configuration has the following keys:    
`CustomFileSystemConfigs`  
Settings for custom file systems (only Amazon EFS file systems are supported).  
`FSxLustreFileSystemConfig`  
Settings for custom FSx for Lustre file systems.  
`FileSystemId`  
The ID of your FSx for Lustre file system.  
`FileSystemPath`  
The path to the file system directory that is accessible to the domain users in their spaces in Studio. Permitted users can access only this directory and below. The default path is the file system root: `/`.

```
{
    "CustomFileSystemConfigs":
    [
        {
            "EFSFileSystemConfig":
            {
                "FileSystemId": "file-system-id",
                "FileSystemPath": "/"
            }
        }
    ]
}
```
This example configuration has the following keys:    
`CustomFileSystemConfigs`  
Settings for custom file systems (only Amazon EFS file systems are supported).  
`EFSFileSystemConfig`  
Settings for custom Amazon EFS file systems.  
`FileSystemId`  
The ID of your Amazon EFS file system.  
`FileSystemPath`  
The path to the file system directory that is accessible to the domain users in their spaces in Studio. Permitted users can access only this directory and below. The default path is the file system root: `/`.

When you assign a file system to the default space settings for a domain, you must also include the execution role in the settings:  

```
{
    "ExecutionRole": "execution-role-arn"
}
```
This example configuration has the following key:    
`ExecutionRole`  
The default execution role for the users of the domain.

If you want to apply POSIX permissions for your file system, you can also pass the following settings to the `create-domain` or `create-user-profile` commands:  

```
{
    "CustomPosixUserConfig":
    {
        "Uid": UID,
        "Gid": GID
    }
}
```
This example configuration has the following keys:    
`CustomPosixUserConfig`  
The default POSIX identities that are used for file system operations. You can use these settings to apply your existing POSIX permission structure to the user profiles that access the custom file system. At a POSIX permissions level, you can control which users can access the file system and which files or data they can access.  
You can also apply `CustomPosixUserConfig` settings when you create a user profile by using the `create-user-profile` command. The settings that you apply to a user profile override those that you apply to the associated domain.  
You can apply `CustomPosixUserConfig` settings when you use the `create-domain` and `create-user-profile` commands. However, you can't apply these settings when you do the following:  
+ Use the `update-domain` command for a domain that is already associated with any user profiles. You can apply these settings only to domains that have no user profiles.
+ Use the `update-user-profile` command. To apply these settings to a profile that you've already created, delete the profile, and create a new one that has the updated settings.  
`Uid`  
The POSIX user ID. The default is 200001.  
`Gid`  
The POSIX group ID. The default is 1001.
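
The following pre-flight check for the settings files described above is an added example, not AWS code. It flags a `FileSystemPath` left at the file system root and default space settings that lack `ExecutionRole`, resolves which POSIX identity applies to a user profile, and reports which commands accept `CustomPosixUserConfig`. The function names, finding text, and sample IDs are constructed for illustration.

```python
import json

# Defaults and key names as documented on this page.
DEFAULT_POSIX = {"Uid": 200001, "Gid": 1001}
FS_CONFIG_KEYS = ("EFSFileSystemConfig", "FSxLustreFileSystemConfig")


def audit_file_systems(settings, scope):
    """Return a list of findings for one settings document.

    scope is "space" for --default-space-settings, or "user" for
    --default-user-settings and --user-settings.
    """
    findings = []
    configs = settings.get("CustomFileSystemConfigs", [])
    for i, entry in enumerate(configs):
        kinds = [k for k in FS_CONFIG_KEYS if k in entry]
        if len(kinds) != 1:
            findings.append(f"entry {i}: expected exactly one file system config key")
            continue
        cfg = entry[kinds[0]]
        fs_id = cfg.get("FileSystemId")
        if not fs_id:
            findings.append(f"entry {i}: FileSystemId is missing")
        # An omitted FileSystemPath falls back to the root, so treat it the same.
        path = cfg.get("FileSystemPath", "/")
        if path.strip("/") == "":
            findings.append(
                f"entry {i}: FileSystemPath is the root; users can reach every "
                f"directory on {fs_id or 'the file system'}"
            )
    if scope == "space" and configs and not settings.get("ExecutionRole"):
        findings.append("default space settings must also include ExecutionRole")
    return findings


def effective_posix_identity(domain_user_settings, profile_settings):
    """User profile settings override the domain's; otherwise defaults apply."""
    for source, settings in (("user profile", profile_settings),
                             ("domain", domain_user_settings)):
        cfg = (settings or {}).get("CustomPosixUserConfig")
        if cfg:
            return {"Uid": cfg["Uid"], "Gid": cfg["Gid"], "source": source}
    return {**DEFAULT_POSIX, "source": "default"}


def posix_config_allowed(command, existing_profiles=0):
    """Can CustomPosixUserConfig be passed to this command?"""
    if command in ("create-domain", "create-user-profile"):
        return True
    if command == "update-domain":
        return existing_profiles == 0   # only for domains with no user profiles
    return False                        # update-user-profile: delete and recreate


# Constructed sample input: a file system scoped to one directory.
SAMPLE_SCOPED = json.loads("""
{
  "ExecutionRole": "arn:aws:iam::111122223333:role/example-space-role",
  "CustomFileSystemConfigs": [
    {"EFSFileSystemConfig": {"FileSystemId": "fs-0123456789abcdef0",
                             "FileSystemPath": "/teams/research"}}
  ]
}
""")

# Constructed sample input: root path and no execution role.
SAMPLE_ROOT = json.loads("""
{
  "CustomFileSystemConfigs": [
    {"FSxLustreFileSystemConfig": {"FileSystemId": "fs-0fedcba9876543210",
                                   "FileSystemPath": "/"}}
  ]
}
""")

if __name__ == "__main__":
    for name, doc in (("scoped", SAMPLE_SCOPED), ("root", SAMPLE_ROOT)):
        print(name, audit_file_systems(doc, "space"))
```
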

## Attaching a custom file system to a space with the AWS CLI

After you add a custom file system to a domain, the domain users can attach the file system to spaces that they create. For instance, they can attach the file system when they use Studio or the [create-space](https://docs.aws.amazon.com/cli/latest/reference/sagemaker/create-space.html) command with the AWS CLI.

**To attach a custom file system to a space**
+ Add the file system configuration to the space settings. The following example command attaches a file system to a new space.

  ```
  aws sagemaker create-space \
  --space-name space-name \
  --domain-id domain-id \
  --ownership-settings "OwnerUserProfileName=user-profile-name" \
  --space-sharing-settings "SharingType=Private" \
  --space-settings file://space-settings.json
  ```

  In this example, the file `space-settings.json` has the following settings, which include the `CustomFileSystems` configuration with the `FileSystemId` key.

------
#### [ For your FSx for Lustre file systems ]

  ```
  {
      "AppType": "JupyterLab",
      "JupyterLabAppSettings":
      {
          "DefaultResourceSpec":
          {
            "InstanceType": "instance-type"
          }
      },
      "CustomFileSystems":
      [
          {
              "FSxLustreFileSystem":
              {
                "FileSystemId": "file-system-id"
              }
          }
      ]
  }
  ```

------
#### [ For your Amazon EFS file systems ]

  ```
  {
      "AppType": "JupyterLab",
      "JupyterLabAppSettings":
      {
          "DefaultResourceSpec":
          {
              "InstanceType": "instance-type"
          }
      },
      "CustomFileSystems":
      [
          {
              "EFSFileSystem":
              {
                  "FileSystemId": "file-system-id"
              }
          }
      ]
  }
  ```

------

  SageMaker AI creates a symbolic link at the following path: `/home/sagemaker-user/custom-file-systems/file-system-type/file-system-id`. With this, the domain users can navigate to the custom file system from within their home directory, `/home/sagemaker-user`.

# View domain environment details


This page gives information about modifications to the Amazon SageMaker AI domain environment. Complete the following procedure to view the custom images, lifecycle configurations, and git repositories attached to a domain environment.

 **Open the Environment page** 

1. Open the Amazon SageMaker AI console at [https://console.aws.amazon.com/sagemaker/](https://console.aws.amazon.com/sagemaker/).

1. On the left navigation pane, choose **Admin configurations**.

1. Under **Admin configurations**, choose **domains**. 

1.  From the list of domains, select a domain to open the **Environment** page. 

1. On the **domain details** page, choose the **Environment** tab. 

 For more information about bringing a custom Amazon SageMaker Studio Classic image, see [Bring your own SageMaker image](https://docs.aws.amazon.com/sagemaker/latest/dg/studio-byoi.html). 

 For more information about bringing a custom RStudio image, see [Bring your own image to RStudio on SageMaker](https://docs.aws.amazon.com/sagemaker/latest/dg/rstudio-byoi.html). 

 For instructions on using a lifecycle configuration with Studio Classic, see [Use Lifecycle Configurations with Amazon SageMaker Studio](https://docs.aws.amazon.com/sagemaker/latest/dg/studio-lcc.html). 

For information about attaching a git repository to a domain, see [Attach Suggested Git Repos to SageMaker AI](https://docs.aws.amazon.com//sagemaker/latest/dg/studio-git-attach.html). 

These can also be attached to a shared space using the AWS CLI by passing values to the [create-space](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sagemaker/create-space.html) command using the `space-settings` parameter.

# View domains


The following section shows how to view a list of your domains, and details of an individual domain from the SageMaker AI console or the AWS CLI. 

## Console


 The console's domain overview page gives information about the structure of a domain, and it provides a list of your domains. The page's domain structure diagram describes domain components and how they interact with each other. 

The following procedure shows how to view a list of your domains from the SageMaker AI console. 

1. Open the Amazon SageMaker AI console at [https://console.aws.amazon.com/sagemaker/](https://console.aws.amazon.com/sagemaker/).

1. On the left navigation pane, choose **Admin configurations**.

1. Under **Admin configurations**, choose **domains**. 

To view the details of the domain, complete the following procedure. This page gives information about the general settings for the domain, including the name, domain ID, execution role used to create the domain, and the authentication method of the domain.  

1.  From the list of domains, select the domain for which you want to open the **domain settings** page. 

1.  On the **domain details** page, choose the **domain settings** tab. 

## AWS CLI


 Run the following command from the terminal of your local machine to view a list of domains from the AWS CLI. 

```
aws sagemaker list-domains --region region
```

# Edit domain settings


You can edit the settings of a domain from the SageMaker AI console or the AWS CLI. The following considerations apply when updating the settings of a domain.
+ If `DefaultUserSettings` and `DefaultSpaceSettings` are set, they cannot be unset.
+ `DefaultUserSettings.ExecutionRole` can only be updated if there are no applications running in any user profile within the domain. This value cannot be unset.
+ `DefaultSpaceSettings.ExecutionRole` can only be updated if there are no applications running in any of the shared spaces within the domain. This value cannot be unset.
+ If the domain was created in **VPC only** mode, SageMaker AI automatically applies updates to the security group settings defined for the domain to all shared spaces created in the domain.
+ `DomainId` and `DomainName` cannot be edited.

 The following section shows how to edit domain settings from the SageMaker AI console or the AWS CLI. 

## Console


 You can edit the domain from the SageMaker AI console using the following procedure. 

1. Open the Amazon SageMaker AI console at [https://console.aws.amazon.com/sagemaker/](https://console.aws.amazon.com/sagemaker/).

1. On the left navigation pane, choose **Admin configurations**.

1. Under **Admin configurations**, choose **domains**. 

1.  From the list of domains, select the domain for which you want to open the **domain settings** page. 

1. On the **domain details** page, you can configure and manage your domain details by choosing the appropriate tab. 

1. To configure the general settings, on the **domain details** page choose the **domain settings** tab then choose **Edit**.

## AWS CLI


 Run the following command from the terminal of your local machine to update a domain from the AWS CLI. For more information about the structure of `default-user-settings`, see [CreateDomain](https://docs.aws.amazon.com//sagemaker/latest/APIReference/API_CreateDomain.html#API_CreateDomain_RequestSyntax).

```
aws sagemaker update-domain \
--domain-id domain-id \
--default-user-settings default-user-settings \
--default-space-settings default-space-settings \
--domain-settings-for-update settings-for-update \
--region region
```

# Delete an Amazon SageMaker AI domain

This page explains how to delete a domain and the requirements needed. A domain consists of a list of authorized users, configuration settings, and an Amazon Elastic File System (Amazon EFS) volume. The Amazon EFS volume contains data for the users, including notebooks, resources, and artifacts. A user can have multiple applications (apps) which support the reading and execution experience of the user’s notebooks, terminals, and consoles. You can delete your domain using one of the following:
+ AWS console
+ AWS Command Line Interface (AWS CLI)
+ SageMaker SDK

## Requirements


You must satisfy the following requirements to delete a domain.
+ You must have admin permission to delete a domain.
+ You can only delete an app with the status `InService` displayed as **Ready** in the domain. To delete the containing domain, you don't need to delete an app whose status is `Failed`. In the domain, an attempt to delete an app in the failed state results in an error.
+ To delete a domain, the domain cannot contain any user profiles or shared spaces. To delete a user profile or shared space, the user profile or space cannot contain any non-failed apps.

  When you delete these resources, the following occurs:
  + App – The data (files and notebooks) in a user's home directory is saved. Unsaved notebook data is lost.
  + User profile – The user can no longer sign in to the domain. The user loses access to their home directory, but the data is not deleted. An admin can retrieve the data from the Amazon EFS volume where it is stored under the user's AWS account.
+ To switch authentication modes from IAM to IAM Identity Center, you must delete the domain.

## EFS files


Your files are kept in an Amazon EFS volume as a backup. This backup includes the files in the mounted directory, which is `/home/sagemaker-user` for Amazon SageMaker Studio Classic and `/root` for kernels. 

When you delete files from these mounted directories, the kernel or app may move the deleted files into a hidden trash folder. If the trash folder is inside the mounted directory, those files are copied into the Amazon EFS volume and will incur charges. To avoid these Amazon EFS charges, you must identify and clean the trash folder location. The trash folder location for default apps and kernels is `~/.local/`. This may vary depending on the Linux distribution used for custom apps or kernels. For more information about the Amazon EFS volume, see [Manage Your Amazon EFS Storage Volume in Amazon SageMaker Studio Classic](studio-tasks-manage-storage.md).

When you use the SageMaker AI console to delete the domain, the Amazon EFS volume is detached but not deleted. The same behavior occurs by default when you use the AWS CLI or the SageMaker Python SDK to delete the domain. However, when you use the AWS CLI or the SageMaker Python SDK, you can set the `RetentionPolicy` to `HomeEfsFileSystem=Delete`. This deletes the Amazon EFS volume along with the domain.

## Delete an Amazon SageMaker AI domain (console)

**Important**  
When a user, space, or domain is deleted, the Amazon EFS volume that contains the corresponding data will be lost. This includes notebooks and other artifacts.

**To delete a domain**

1. Open the [SageMaker AI console](https://console.aws.amazon.com/sagemaker/).

1. On the left navigation pane, choose **Admin configurations** to expand the options, if not already expanded.

1. Under **Admin configurations**, choose **Domains**. 

1. Select the domain name link that you want to delete.

1. Choose the **User profiles** tab.

1. Repeat the following steps for each user in the **User profiles** list.

   1. Choose the user name link.

   1. If not already selected, choose the **User Details** tab.

   1. Find any apps and spaces and choose **Delete** under the corresponding **Action** column.

   1. Follow the delete instructions.

   1. Once all of the apps and spaces have **Status** as **Deleted**, choose **Delete** at the top right of the page.

   1. Follow the delete instructions.

1. When all users are deleted, choose the **Space management** tab.

1. Repeat the following steps for each space in the **Spaces** list.

   1. Select the bubble corresponding to the space.

   1. Choose **Delete**.

   1. Follow the delete instructions.

1. When all users and spaces are deleted, choose the **Domain settings** tab.

1. Find the **Delete domain** section.

1. Choose **Delete domain**. If this button is not available, you must repeat the previous steps to delete all spaces and users.

1. Follow the delete instructions.

## Delete an Amazon SageMaker AI domain (AWS CLI)

**To delete a domain**

1. Retrieve the list of domains in your account.

   ```
   aws --region Region sagemaker list-domains
   ```

1. Retrieve the list of applications for the domain to be deleted.

   ```
   aws --region Region sagemaker list-apps \
       --domain-id-equals DomainId
   ```

1. Delete each application in the list.

   ```
   aws --region Region sagemaker delete-app \
       --domain-id DomainId \
       --app-name AppName \
       --app-type AppType \
       --user-profile-name UserProfileName
   ```

1. Retrieve the list of user profiles in the domain.

   ```
   aws --region Region sagemaker list-user-profiles \
       --domain-id-equals DomainId
   ```

1. Delete each user profile in the list.

   ```
   aws --region Region sagemaker delete-user-profile \
       --domain-id DomainId \
       --user-profile-name UserProfileName
   ```

1. Retrieve the list of shared spaces in the domain.

   ```
   aws --region Region sagemaker list-spaces \
       --domain-id DomainId
   ```

1. Delete each shared space in the list.

   ```
   aws --region Region sagemaker delete-space \
       --domain-id DomainId \
       --space-name SpaceName
   ```

1. Delete the domain. To also delete the Amazon EFS volume, specify `HomeEfsFileSystem=Delete`.

   ```
   aws --region Region sagemaker delete-domain \
       --domain-id DomainId \
       --retention-policy HomeEfsFileSystem=Retain
   ```
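
The following planner for the teardown above is an added example, not AWS code. From the `Apps`, `UserProfiles`, and `Spaces` arrays returned by the list commands, it builds the delete commands in dependency order, skips `Failed` apps, reports apps that are not yet `InService` as blockers, and keeps the Amazon EFS volume unless deletion is requested explicitly. It deletes spaces before user profiles, because a user profile cannot be removed while it still owns spaces; the function name and sample records are constructed, and `--space-name` on `delete-app` is used for apps that belong to a space.

```python
import shlex

# Apps in these states never block the domain delete, and deleting a
# Failed app returns an error, so no command is planned for them.
SKIP_STATUSES = {"Failed", "Deleted"}


def plan_domain_teardown(domain_id, region, apps, user_profiles, spaces,
                         delete_efs=False):
    """Return (commands, blockers) for deleting one domain.

    commands: shell-quoted AWS CLI command strings, in the order to run them.
    blockers: apps that must settle before the rest of the plan is valid.
    """
    base = ["aws", "--region", region, "sagemaker"]
    commands, blockers = [], []

    for app in apps:
        if app["Status"] in SKIP_STATUSES:
            continue
        owner = app.get("SpaceName") or app.get("UserProfileName")
        if app["Status"] != "InService":
            blockers.append(
                f"{app['AppType']}/{app['AppName']} ({owner}) is {app['Status']}"
            )
            continue
        # An app belongs either to a space or directly to a user profile.
        if app.get("SpaceName"):
            owner_flag = ["--space-name", app["SpaceName"]]
        else:
            owner_flag = ["--user-profile-name", app["UserProfileName"]]
        commands.append(base + ["delete-app", "--domain-id", domain_id,
                                "--app-name", app["AppName"],
                                "--app-type", app["AppType"]] + owner_flag)

    if blockers:
        # Spaces, profiles and the domain cannot go while these apps remain.
        return [shlex.join(c) for c in commands], blockers

    for space in spaces:
        commands.append(base + ["delete-space", "--domain-id", domain_id,
                                "--space-name", space["SpaceName"]])
    for profile in user_profiles:
        commands.append(base + ["delete-user-profile", "--domain-id", domain_id,
                                "--user-profile-name", profile["UserProfileName"]])

    # Retain is the safe default; Delete removes the EFS volume with the domain.
    policy = "Delete" if delete_efs else "Retain"
    commands.append(base + ["delete-domain", "--domain-id", domain_id,
                            "--retention-policy", f"HomeEfsFileSystem={policy}"])
    return [shlex.join(c) for c in commands], blockers


# Constructed sample records, shaped like list-apps / list-user-profiles /
# list-spaces output.
SAMPLE_APPS = [
    {"AppName": "default", "AppType": "JupyterServer",
     "UserProfileName": "alice", "Status": "InService"},
    {"AppName": "old-kernel", "AppType": "KernelGateway",
     "UserProfileName": "alice", "Status": "Failed"},
    {"AppName": "default", "AppType": "JupyterLab",
     "SpaceName": "team-space", "Status": "InService"},
]
SAMPLE_PROFILES = [{"UserProfileName": "alice"}]
SAMPLE_SPACES = [{"SpaceName": "team-space"}]

if __name__ == "__main__":
    cmds, blocked = plan_domain_teardown(
        "d-exampleid0001", "us-east-1",
        SAMPLE_APPS, SAMPLE_PROFILES, SAMPLE_SPACES)
    print("\n".join(cmds))
    print("blockers:", blocked)
```

Run each stage to completion before starting the next: the space and user profile deletions fail while any of their apps is still being deleted.
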

# Domain user profiles


A user profile represents a single user within an Amazon SageMaker AI domain. The user profile is the main way to reference a user for the purposes of sharing, reporting, and other user-oriented features. This entity is created when a user onboards to the Amazon SageMaker AI domain. A user profile can have (at most) a single JupyterServer application outside the context of a shared space. The user profile's Studio Classic application is directly associated with the user profile and has an isolated Amazon EFS directory, an execution role associated with the user profile, and Kernel Gateway applications. A user profile can also create other applications from the console or from Amazon SageMaker Studio.

**Topics**
+ [Add user profiles](domain-user-profile-add.md)
+ [Remove user profiles](domain-user-profile-remove.md)
+ [View user profiles in a domain](domain-user-profile-view.md)
+ [View user profile details](domain-user-profile-describe.md)

# Add user profiles


The following section shows how to add user profiles to a domain using the SageMaker AI console or the AWS CLI.

After you add a user profile to the domain, users can log in using a URL. If the domain uses AWS IAM Identity Center for authentication, users receive an email that contains the URL to sign in to the domain. If the domain uses AWS Identity and Access Management, you can create a URL for a user profile using [CreatePresignedDomainUrl](https://docs.aws.amazon.com/sagemaker/latest/APIReference/API_CreatePresignedDomainUrl.html).

## Add user profiles from the console


You can add user profiles to a domain from the SageMaker AI console by following this procedure.

1. Open the Amazon SageMaker AI console at [https://console.aws.amazon.com/sagemaker/](https://console.aws.amazon.com/sagemaker/).

1. On the left navigation pane, choose **Admin configurations**.

1. Under **Admin configurations**, choose **domains**.

1. From the list of domains, select the domain that you want to add a user profile to.

1. On the **domain details** page, choose the **User profiles** tab.

1. Choose **Add user**. This opens a new page.

1. Use the default name for your user profile or add a custom name.

1. For **Execution role**, choose an option from the role selector. If you choose **Enter a custom IAM role ARN**, the role must have, at a minimum, an attached trust policy that grants SageMaker AI permission to assume the role. For more information, see [SageMaker AI Roles](https://docs.aws.amazon.com//sagemaker/latest/dg/sagemaker-roles.html).

   If you choose **Create a new role**, the **Create an IAM role** dialog box opens:

   1. For **S3 buckets you specify**, specify additional Amazon S3 buckets that users of your notebooks can access. If you don't want to add access to more buckets, choose **None**.

   1. Choose **Create role**. SageMaker AI creates a new IAM role, `AmazonSageMaker-ExecutionPolicy`, with the [AmazonSageMakerFullAccess](https://console.aws.amazon.com//iam/home?#/policies/arn:aws:iam::aws:policy/AmazonSageMakerFullAccess) policy attached.

1. (Optional) Add tags to the user profile. All resources that the user profile creates will have a domain ARN tag and a user profile ARN tag. The domain ARN tag is based on domain ID, while the user profile ARN tag is based on the user profile name.

1. Choose **Next**.

1. In the **SageMaker Studio** section, you have the option to choose between the newer and classic version of Studio as your default experience.
   + If you choose **SageMaker Studio** (recommended) as your default experience, the Studio Classic IDE has default settings. For information on the default settings, see [Default settings](onboard-quick-start.md#onboard-quick-start-defaults).

     For information on Studio, see [Amazon SageMaker Studio](studio-updated.md).
   + If you choose **Studio Classic** as your default experience, you can choose to enable or disable notebook resource sharing. Notebook resources include artifacts such as cell output and Git repositories. For more information on Notebook resources, see [Share and Use an Amazon SageMaker Studio Classic Notebook](notebooks-sharing.md).

1. Under **SageMaker Canvas**, you can configure your SageMaker Canvas settings. For the instructions and configuration details for onboarding, see [Getting started with using Amazon SageMaker Canvas](canvas-getting-started.md).

   1. For the **Canvas base permissions configuration**, select whether to establish the minimum required permissions to use the SageMaker Canvas application.

1. Under **RStudio**, if you have an RStudio license, select whether you want to create the user with one of the following authorizations:
   + Unauthorized
   + RStudio Admin
   + RStudio User

1. Choose **Next**.

1. In the **Customize Studio UI** page you can customize the viewable applications and machine learning (ML) tools displayed in Studio. This customization only hides the applications and ML tools in the left navigation pane in Studio. For information on the Studio UI, see [Amazon SageMaker Studio UI overview](studio-updated-ui.md).

   For information about the applications, see [Applications supported in Amazon SageMaker Studio](studio-updated-apps.md).

   The customize Studio UI feature is not available in Studio Classic. If you wish to set Studio as your default experience, choose **Previous** to return to the previous step.

1. Choose **Next**.

1. After you have reviewed your changes, choose **Create user profile**.

## Create user profiles from the AWS CLI


To create a user profile in a domain from the AWS CLI, run the following command from the terminal of your local machine. For information about the available JupyterLab version ARNs, see [Setting a default JupyterLab version](studio-jl.md#studio-jl-set).

```
aws --region region \
sagemaker create-user-profile \
--domain-id domain-id \
--user-profile-name user-name \
--user-settings '{
  "JupyterServerAppSettings": {
    "DefaultResourceSpec": {
      "SageMakerImageArn": "sagemaker-image-arn",
      "InstanceType": "system"
    }
  }
}'
```

You can use the AWS CLI to customize the applications and ML tools displayed in Studio for the user, using [StudioWebPortalSettings](https://docs.aws.amazon.com/sagemaker/latest/APIReference/API_StudioWebPortalSettings.html). Use `HiddenAppTypes` to hide applications and `HiddenMlTools` to hide ML tools. For more information on customizing the left navigation of the Studio UI, see [Hide machine learning tools and applications in the Amazon SageMaker Studio UI](studio-updated-ui-customize-tools-apps.md). This feature is not available for Studio Classic.

# Remove user profiles


All apps launched by a user profile and all spaces owned by the user profile must be deleted to delete the user profile. The following section shows how to remove user profiles from a domain using the SageMaker AI console or AWS CLI.

## Remove user profiles from the console


1. Open the Amazon SageMaker AI console at [https://console.aws.amazon.com/sagemaker/](https://console.aws.amazon.com/sagemaker/).

1. On the left navigation pane, choose **Admin configurations**.

1. Under **Admin configurations**, choose **domains**.

1. From the list of domains, select the domain that you want to remove a user profile from.

1. On the **domain details** page, choose the **User profiles** tab.

1. Select the user profile that you want to delete.

1. On the **User Details** page, for each non-failed app in the **Apps** list, choose **Action**.

1. From the dropdown list, choose **Delete**.

1. On the **Delete app** dialog box, choose **Yes, delete app**. Then enter *delete* in the confirmation field, and choose **Delete**.

1. When **Status** shows as **Deleted** for all apps, navigate back to the **domain details** page and choose the **Space management** tab.

1. Delete any spaces owned by the user profile. For each space where the user profile is the owner, select the space and choose **Delete**. For detailed steps, see [Delete a Studio space](studio-updated-running-stop.md#studio-updated-running-stop-space).

1. Return to the **User profiles** tab and choose **Edit**.

1. On the **Edit User** page, choose **Delete user**.

1. On the **Delete user** pop-up, choose **Yes, delete user**.

1. Enter *delete* in the field to confirm deletion.

1. Choose **Delete**.

## Remove user profiles from the AWS CLI


To delete a user profile from the AWS CLI, first delete any spaces owned by the user profile, then delete the user profile. Run the following commands from the terminal of your local machine.

```
# Delete spaces owned by the user profile
aws sagemaker delete-space \
--region region \
--domain-id domain-id \
--space-name space-name

# Delete the user profile
aws sagemaker delete-user-profile \
--region region \
--domain-id domain-id \
--user-profile-name user-name
```

# View user profiles in a domain


 The following section describes how to view a list of user profiles in a domain from the SageMaker AI console or the AWS CLI. 

## View user profiles from the console


 Complete the following procedure to view a list of user profiles in the domain from the SageMaker AI console. 

1. Open the Amazon SageMaker AI console at [https://console.aws.amazon.com/sagemaker/](https://console.aws.amazon.com/sagemaker/).

1. On the left navigation pane, choose **Admin configurations**.

1. Under **Admin configurations**, choose **domains**. 

1. From the list of domains, select the domain that you want to view a list of user profiles for. 

1. On the **domain details** page, choose the **User profiles** tab. 

## View user profiles from the AWS CLI


To view the user profiles in a domain from the AWS CLI, run the following command from the terminal of your local machine.

```
aws sagemaker list-user-profiles \
--region region \
--domain-id domain-id
```

# View user profile details


The following section describes how to view the details of a user profile from the SageMaker AI console or the AWS CLI. 

## View user profile details from the console


 Complete the following procedure to view the details of a user profile from the SageMaker AI console. 

1. Open the Amazon SageMaker AI console at [https://console.aws.amazon.com/sagemaker/](https://console.aws.amazon.com/sagemaker/).

1. On the left navigation pane, choose **Admin configurations**.

1. Under **Admin configurations**, choose **domains**. 

1.  From the list of domains, select the domain that you want to view a list of user profiles for. 

1. On the **domain details** page, choose the **User profiles** tab. 

1.  Select the user profile that you want to view details for. 

## View user profile details from the AWS CLI


To describe a user profile from the AWS CLI, run the following command from the terminal of your local machine.

```
aws sagemaker describe-user-profile \
--region region \
--domain-id domain-id \
--user-profile-name user-name
```

# IAM Identity Center groups in a domain


AWS IAM Identity Center is the recommended AWS service for managing human user access to AWS resources. It is a single place where you can assign your users consistent access to multiple AWS accounts and applications. For more information about IAM Identity Center authentication, see [What is IAM Identity Center?](https://docs.aws.amazon.com//singlesignon/latest/userguide/what-is.html).

If you use AWS IAM Identity Center authentication for your Amazon SageMaker AI domain, you can use the following topics to learn how to view, add, and remove IAM Identity Center groups and users to a domain. 

**Topics**
+ [View groups and users](domain-groups-view.md)
+ [Add groups and users](domain-groups-add.md)
+ [Remove groups](domain-groups-remove.md)

# View groups and users


Complete the following procedure to view a list of IAM Identity Center groups and users from the Amazon SageMaker AI console. 

1. Open the Amazon SageMaker AI console at [https://console.aws.amazon.com/sagemaker/](https://console.aws.amazon.com/sagemaker/).

1. On the left navigation pane, choose **Admin configurations**.

1. Under **Admin configurations**, choose **domains**. 

1.  From the list of domains, select the domain that you want to open the **domain settings** page for. 

1.  On the **domain details** page, choose the **Groups** tab. 

# Add groups and users


The following sections show how to add groups and users to a domain from the SageMaker AI console or AWS CLI. 

**Note**  
If the domain was created before October 1st, 2023, you can only add groups and users to the domain from the SageMaker AI console.

## SageMaker AI console


 Complete the following procedure to add groups and users to your domain from the SageMaker AI console. 

1.  On the **Groups** tab, choose **Assign users and groups**. 

1.  On the **Assign users and groups** page, select the users and groups that you want to add. 

1.  Choose **Assign users and groups**. 

## AWS CLI


 Complete the following procedure to add groups and users to your domain from the AWS CLI. 

1. Fetch the `SingleSignOnApplicationArn` of the domain with a call to [describe-domain](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sagemaker/describe-domain.html). `SingleSignOnApplicationArn` is the ARN of the application managed in IAM Identity Center.

   ```
   aws sagemaker describe-domain \
   --region region \
   --domain-id domain-id
   ```

1. Associate the user or group with the domain. To accomplish this, pass the `SingleSignOnApplicationArn` value returned from the [describe-domain](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sagemaker/describe-domain.html) command as the `application-arn` parameter in a call to [create-application-assignment](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sso-admin/create-application-assignment.html). You must also pass the type and ID of the entity to associate.

   ```
   aws sso-admin create-application-assignment \
   --application-arn application-arn \
   --principal-id principal-id \
   --principal-type principal-type
   ```

# Remove groups


Complete the following procedure to remove groups from your domain from the SageMaker AI console. For information about deleting a user, see [Remove user profiles](domain-user-profile-remove.md). 

1.  On the **Groups** tab, choose the group that you want to remove. 

1.  Choose **Unassign groups**. 

1.  On the pop-up window, choose **Yes, unassign groups**. 

1. Enter *unassign* in the field. 

1.  Choose **Unassign groups**. 

# Understanding domain space permissions and execution roles

For many SageMaker AI applications, when you start up a SageMaker AI application within a domain, a space is created for the application. When a user profile creates a space, that space assumes an AWS Identity and Access Management (IAM) role that defines the permissions granted to that space. The following page gives information about space types and the execution roles that define permissions for the space.

 An [IAM role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html) is an IAM identity that you can create in your account that has specific permissions. An IAM role is similar to an IAM user in that it is an AWS identity with permissions policies that determine what the identity can and cannot do in AWS. However, instead of being uniquely associated with one person, a role is intended to be assumable by anyone who needs it. Also, a role does not have standard long-term credentials such as a password or access keys associated with it. Instead, when you assume a role, it provides you with temporary security credentials for your role session. 

**Note**  
When you start up Amazon SageMaker Canvas or RStudio, it does not create a space that assumes an IAM role. Instead, you change the role associated with the user profile to manage their permissions for the application. For information on obtaining a SageMaker AI user profile’s role, see [Get user execution role](sagemaker-roles.md#sagemaker-roles-get-execution-role-user).  
For SageMaker Canvas, see [Amazon SageMaker Canvas setup and permissions management (for IT administrators)](canvas-setting-up.md).  
For RStudio, see [Create Amazon SageMaker AI domain with RStudio App](rstudio-create-cli.md#rstudio-create-cli-domain).

Users can access their SageMaker AI applications within a shared or private space.

**Shared spaces**
+ There can only be one space associated with an application. A shared space can be accessed by all of the user profiles within the domain. This grants all user profiles in the domain access to the same underlying file storage system for the application.
+ The shared space will be granted the permissions defined by the **space default execution role**. If you wish to modify the shared space's execution role, you must modify the space default execution role.

  For information on obtaining the space default execution role, see [Get space execution role](sagemaker-roles.md#sagemaker-roles-get-execution-role-space).

  For information on modifying your execution role, see [Modify permissions to execution role](sagemaker-roles.md#sagemaker-roles-modify-to-execution-role).
+ For information about shared spaces, see [Collaboration with shared spaces](domain-space.md).
+ To create a shared space, see [Create a shared space](domain-space-create.md#domain-space-create-app).

**Private spaces**
+ There can only be one space associated with an application. A private space can only be accessed by the user profile who created it. This space cannot be shared with other users.
+ The private space will assume the **user profile execution role** of the user profile that created it. If you wish to modify the private space's execution role, you must modify the user profile's execution role.

  For information on obtaining the user profile's execution role, see [Get user execution role](sagemaker-roles.md#sagemaker-roles-get-execution-role-user).

  For information on modifying your execution role, see [Modify permissions to execution role](sagemaker-roles.md#sagemaker-roles-modify-to-execution-role).
+ All applications that support spaces also support private spaces. 
+ A private space for Studio Classic is already created for each user profile by default.

**Topics**
+ [SageMaker AI execution roles](#sagemaker-execution-roles)
+ [Example of flexible permissions with execution roles](#sagemaker-execution-roles-example)

## SageMaker AI execution roles


A SageMaker AI execution role is an [AWS Identity and Access Management (IAM) role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html) that is assigned to an IAM identity that is performing executions in SageMaker AI, and that grants permissions to SageMaker AI to access other AWS resources on your behalf. An [IAM identity](https://docs.aws.amazon.com/IAM/latest/UserGuide/id.html) provides access to an AWS account and represents a human user or programmatic workload that can be authenticated and then authorized to perform actions in AWS. The execution role allows SageMaker AI to perform actions like launching compute instances, accessing data and model artifacts stored in Amazon S3, or writing logs to CloudWatch. SageMaker AI assumes the execution role at runtime and is temporarily granted the permissions defined in the role's policy. The role should contain the necessary permissions that define the actions the identity can perform and resources the identity has access to.

You can assign roles to various identities to provide a flexible and granular approach to managing permissions and access within your domain. For more information on domains, see [Amazon SageMaker AI domain overview](gs-studio-onboard.md). For example, you can assign IAM roles to the:
+ **Domain execution role** to grant broad permissions to all of the user profiles within the domain.
+ **Space execution role** to grant broad permissions for shared spaces within the domain. All user profiles in the domain can access shared spaces and will use the space's execution role while within the shared space.
+ **User profile execution role** to grant fine-grained permissions for specific user profiles. A private space created by a user profile will assume that user profile's execution role.

This enables you to grant the necessary permissions to the domain while still maintaining the principle of least-privilege permissions for user profiles, to adhere to the [security best practices in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html) in the *AWS IAM Identity Center User Guide*.

Any changes or modifications to the execution roles may take a few minutes to propagate. For more information, see [Change your execution role](sagemaker-roles.md#sagemaker-roles-change-execution-role) or [Modify permissions to execution role](sagemaker-roles.md#sagemaker-roles-modify-to-execution-role), respectively.

## Example of flexible permissions with execution roles


With [IAM roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html) you can manage and grant permissions at both broad and granular levels. The following example grants permissions at the space level and at the user level.

Suppose you are an administrator setting up a domain for a team of data scientists. You can allow the user profiles within the domain to have full access to Amazon Simple Storage Service (Amazon S3) buckets, run SageMaker training jobs, and deploy models using an application in a *shared space*. In this example, you can create an IAM role called "DataScienceTeamRole" with broad permissions. Then you can assign "DataScienceTeamRole" as the *space default execution role*, granting broad permissions for your team. When a user profile creates a *shared space*, that space will assume the *space default execution role*. For information on assigning an execution role to an existing domain, see [Get space execution role](sagemaker-roles.md#sagemaker-roles-get-execution-role-space).

Instead of allowing any individual user profile working in their own *private space* to have full access to Amazon S3 buckets, you can restrict a user profile’s permissions and not allow them to alter the Amazon S3 buckets. In this example, you can give them read access to Amazon S3 buckets to retrieve data, run SageMaker training jobs, and deploy models in their *private space*. You can create a user-level execution role called "DataScientistRole" with the relatively more limited permissions. Then you can assign "DataScientistRole" as the *user profile execution role*, granting the necessary permissions to perform their specific data science tasks within the defined scope. When a user profile creates a *private space*, that space will assume the *user profile execution role*. For information on assigning an execution role to an existing user profile, see [Get user execution role](sagemaker-roles.md#sagemaker-roles-get-execution-role-user).
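The two roles from this example can be written as policy documents and checked for least privilege before they are attached. The following is an added example, not part of the AWS documentation: the bucket name and the exact action lists are assumptions, and the evaluator is a simplified model of IAM policy evaluation that ignores `Condition`, `NotAction`, and `NotResource`.

```python
import fnmatch

# Assumptions (not from the page): bucket name and the exact action lists.
BUCKET = "arn:aws:s3:::example-datascience-bucket"
RESOURCES = [BUCKET, BUCKET + "/*"]
ML_ACTIONS = ["sagemaker:CreateTrainingJob", "sagemaker:CreateModel",
              "sagemaker:CreateEndpointConfig", "sagemaker:CreateEndpoint"]

# Trust policy that lets SageMaker AI assume either role at runtime.
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Service": "sagemaker.amazonaws.com"},
    "Action": "sts:AssumeRole"}]}

# "DataScienceTeamRole": space default execution role, full S3 access.
DATA_SCIENCE_TEAM_ROLE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": RESOURCES},
    {"Effect": "Allow", "Action": ML_ACTIONS, "Resource": "*"}]}

# "DataScientistRole": user profile execution role, read-only S3 access.
DATA_SCIENTIST_ROLE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": RESOURCES},
    {"Effect": "Allow", "Action": ML_ACTIONS, "Resource": "*"}]}

S3_WRITE_ACTIONS = ["s3:PutObject", "s3:DeleteObject",
                    "s3:PutBucketPolicy", "s3:DeleteBucket"]


def _match(patterns, value, fold=False):
    """True if value matches any IAM-style pattern ('*' and '?' wildcards)."""
    if not isinstance(patterns, list):
        patterns = [patterns]
    if fold:  # action names are case-insensitive, ARNs are not
        value, patterns = value.lower(), [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def is_allowed(policy, action, resource):
    """Simplified evaluation of one identity policy: explicit Deny wins,
    otherwise any matching Allow grants. Condition, NotAction and
    NotResource are not handled."""
    allowed = False
    for stmt in policy["Statement"]:
        if _match(stmt["Action"], action, fold=True) and \
                _match(stmt["Resource"], resource):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def s3_writes_allowed(policy):
    """S3 write actions the policy grants on the bucket or an object in it."""
    targets = [BUCKET, BUCKET + "/data/train.csv"]
    return [a for a in S3_WRITE_ACTIONS
            if any(is_allowed(policy, a, t) for t in targets)]


if __name__ == "__main__":
    for name, policy in [("DataScienceTeamRole", DATA_SCIENCE_TEAM_ROLE),
                         ("DataScientistRole", DATA_SCIENTIST_ROLE)]:
        print(name, "S3 writes allowed:", s3_writes_allowed(policy) or "none")
```

A non-empty result for the user profile execution role means a private space would inherit write access that this example reserves for the shared space.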

For information on SageMaker AI execution roles and adding additional permissions to them, see [How to use SageMaker AI execution roles](sagemaker-roles.md).

# View SageMaker AI resources in your domain


## Use the SageMaker AI console to view your domain resources


You can view Amazon SageMaker AI resources in your Amazon SageMaker AI domain using the SageMaker AI console. Use the following instructions to learn how to view the resources tagged by the domain ARN. 

The SageMaker resources displayed by following this procedure are those that have the relevant `sagemaker:domain-arn` tag associated with them. Untagged resources may have been created outside the context of a domain or were created before 11/30/2022, when resources were not automatically tagged with the domain ARN. You can add a tag to untagged resources for better filtering by following the steps in [Backfill domain tags](domain-multiple-backfill.md). Resources created in other domains are automatically filtered out.

**Note**  
This is not a complete list of active resources on your domain. For all active SageMaker resources, see [AWS Cost Explorer](https://aws.amazon.com/aws-cost-management/aws-cost-explorer/).

**To view SageMaker AI resources in your domain using the console**

1. Open the Amazon SageMaker AI console at [https://console.aws.amazon.com/sagemaker/](https://console.aws.amazon.com/sagemaker/).

1. Expand the left navigation pane, if not already expanded.

1. Under **Admin configurations**, choose **Domains**.

1. From the list of domains, select the domain that you want to open the **Domain settings** page for.

1. On the **Domain details** page, choose the **Resources** tab. 

1. On the **Domain resources** page, you can view the details of the resources tagged with the relevant domain ARN. The running resources are displayed by default.

1. (Optional) You can filter the displayed resources for each resource type by using the search icon or **Filter status** at the top of each resource type.

## Use the AWS CLI to view the SageMaker AI spaces in your domain


The following section provides instructions on how to view the spaces in your domain using the AWS CLI.

You will need to know your *domain-id*. To obtain your domain details, see [View domains](domain-view.md).

```
aws sagemaker list-spaces \
    --region region \
    --domain-id domain-id
```

## Use the AWS CLI to view the SageMaker AI applications in your domain


The following section provides instructions on how to view the applications in your domain using the AWS CLI.

You will need to know your *domain-id*. To obtain your domain details, see [View domains](domain-view.md).

```
aws sagemaker list-apps \
    --domain-id-equals domain-id
```

If you do not see the applications or your domain, you may need to change your AWS Region. To do so, use `aws configure` to update your AWS credentials. For more information, see [configure](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/configure/index.html).

# Shut down SageMaker AI resources in your domain


You can shut down Amazon SageMaker AI resources in your Amazon SageMaker AI domain using the SageMaker AI console. Use the following instructions to learn how to shut down the resources tagged by the domain ARN. 

The SageMaker resources displayed by following this procedure are those that have the relevant `sagemaker:domain-arn` tag associated with them. Untagged resources may have been created outside the context of a domain or were created before 11/30/2022, when resources were not automatically tagged with the domain ARN. You can add a tag to untagged resources for better filtering by following the steps in [Backfill domain tags](domain-multiple-backfill.md). Resources created in other domains are automatically filtered out.

**Note**  
This is not a complete list of active resources on your domain. For all active SageMaker resources, see [AWS Cost Explorer](https://aws.amazon.com/aws-cost-management/aws-cost-explorer/).

**To shut down SageMaker AI resources in your domain using the console**

1. [View SageMaker AI resources in your domain](sm-console-domain-resources-view.md)

1. Under a resource type section, check the boxes for the resources you wish to shut down.

1. Once the resources are selected, a shutdown option will become available at the top of the resource type section. Choose the option and follow the instructions to shut down the selected resources.

For instructions on how to delete your resources per SageMaker AI feature, see [Where to shut down resources per SageMaker AI features](sm-shut-down-resources-per-feature.md).

# Where to shut down resources per SageMaker AI features


You can shut down your Amazon SageMaker AI resources to avoid incurring unwanted charges. In the following table we list the SageMaker AI features or resources and provide links to the documentation on how to shut down SageMaker AI resources. 

You can also use the [APIs, CLI, and SDKs](api-and-sdk-reference-overview.md) provided by SageMaker AI. For example, you can search the [Amazon SageMaker API Reference](https://docs.aws.amazon.com/sagemaker/latest/APIReference/Welcome.html) for `Delete*` commands to delete some of the resources you have created. More specifically, you can search for the [DeleteDomain](https://docs.aws.amazon.com/sagemaker/latest/APIReference/API_DeleteDomain.html) API to learn how to delete an Amazon SageMaker AI domain.

**Note**  
This is not a complete list of active resources on your domain. For all active SageMaker AI resources, see [AWS Cost Explorer](https://aws.amazon.com/aws-cost-management/aws-cost-explorer/).


| SageMaker AI feature, infrastructure, resources | Instructions for shutting down | 
| --- | --- | 
|   [Canvas](canvas.md)   |   [Logging out of Amazon SageMaker Canvas](canvas-log-out.md)   | 
|   [Code Editor](code-editor.md)   |   [Shut down Code Editor resources](code-editor-use-log-out.md)   | 
|   [Domain](sm-domain.md)   |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/sagemaker/latest/dg/sm-shut-down-resources-per-feature.html)  | 
|   [EMR in Studio Classic](https://docs.aws.amazon.com/sagemaker/latest/dg/studio-notebooks-emr-cluster.html)   |   [Terminate an Amazon EMR cluster from Studio or Studio Classic](terminate-emr-clusters.md)   | 
|   [Experiments](mlflow.md)   |   [Clean up MLflow resources](mlflow-cleanup.md)   | 
|   [HyperPod](sagemaker-hyperpod.md)   |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/sagemaker/latest/dg/sm-shut-down-resources-per-feature.html)  | 
|   [Inference endpoints](realtime-endpoints-options.md)   |   [Delete Endpoints and Resources](realtime-endpoints-delete-resources.md)   | 
|   [JupyterLab](studio-updated-jl.md)   |   [Delete unused resources](studio-updated-jl-admin-guide-clean-up.md)   | 
|   [MLOps](mlops.md)   |   [Delete a MLOps Project using Amazon SageMaker Studio or Studio Classic](sagemaker-projects-delete.md)   | 
|   [Notebook instances](nbi.md)   |   [Clean up Amazon SageMaker notebook instance resources](ex1-cleanup.md)   | 
|   [Pipelines](pipelines.md)   |   [Stop a pipeline](pipelines-studio-stop.md)   | 
|   [Projects](sagemaker-projects.md)   |   [Delete a MLOps Project using Amazon SageMaker Studio or Studio Classic](sagemaker-projects-delete.md)   | 
|   [RStudio on Amazon SageMaker AI](rstudio.md)   |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/sagemaker/latest/dg/sm-shut-down-resources-per-feature.html)  | 
|   [Studio](studio-updated.md)   |   [View your Studio running instances, applications, and spaces](studio-updated-running.md)   | 
|   [Studio Classic](studio.md)   |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/sagemaker/latest/dg/sm-shut-down-resources-per-feature.html)  | 
|   [Stacks in AWS CloudFormation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacks.html)   |   [Deleting a stack on the AWS CloudFormation console](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/cfn-console-delete-stack.html)   | 
|   [TensorBoard in SageMaker AI](tensorboard-on-sagemaker.md)   |   [Delete unused TensorBoard applications](debugger-htb-delete-app.md)   | 

# Choose an Amazon VPC


This topic provides detailed information about choosing an Amazon Virtual Private Cloud (Amazon VPC) when you onboard to Amazon SageMaker AI domain. For more information about onboarding to SageMaker AI domain, see [Amazon SageMaker AI domain overview](gs-studio-onboard.md).

By default, SageMaker AI domain uses two Amazon VPCs. One Amazon VPC is managed by Amazon SageMaker AI and provides direct internet access. You specify the other Amazon VPC, which provides encrypted traffic between the domain and your Amazon Elastic File System (Amazon EFS) volume.

You can change this behavior so that SageMaker AI sends all traffic over your specified Amazon VPC. When you choose this option, you must provide the subnets, security groups, and interface endpoints that are necessary to communicate with the SageMaker API and SageMaker AI runtime, and various AWS services, such as Amazon Simple Storage Service (Amazon S3) and Amazon CloudWatch, that are used by Studio.

When you onboard to SageMaker AI domain, you tell SageMaker AI to send all traffic over your Amazon VPC by setting the network access type to **VPC only**.

**To specify the Amazon VPC information**

When you specify the Amazon VPC entities (that is, the Amazon VPC, subnet, or security group) in the following procedure, one of three options is presented based on the number of entities you have in the current AWS Region. The behavior is as follows:
+ One entity – SageMaker AI uses that entity. This can't be changed.
+ Multiple entities – You must choose the entities from the dropdown list.
+ No entities – You must create one or more entities in order to use the domain. Choose **Create <entity>** to open the VPC console in a new browser tab. After you create the entities, return to the domain **Get started** page to continue the onboarding process.

This procedure is part of the Amazon SageMaker AI domain onboarding process when you choose **Set up for organizations**. Your Amazon VPC information is specified under the **Network** section.

1. Select the network access type.

   **Note**  
   If **VPC only** is selected, SageMaker AI automatically applies the security group settings defined for the domain to all shared spaces created in the domain. If **Public internet only** is selected, SageMaker AI does not apply the security group settings to shared spaces created in the domain.

   + **Public internet only** – Non-Amazon EFS traffic goes through a SageMaker AI managed Amazon VPC, which allows internet access. Traffic between the domain and your Amazon EFS volume is through the specified Amazon VPC.
   + **VPC only** – All SageMaker AI traffic is through the specified Amazon VPC and subnets. You must use a subnet that does not have direct internet access in **VPC only** mode. Internet access is disabled by default.

1. Choose the Amazon VPC.

1. Choose one or more subnets. If you don't choose any subnets, SageMaker AI uses all the subnets in the Amazon VPC. We recommend that you use multiple subnets that are not created in constrained Availability Zones. Using subnets in these constrained Availability Zones can result in insufficient capacity errors and longer application creation times. For more information about constrained Availability Zones, see [Constrained Availability Zones](https://docs.aws.amazon.com/global-infrastructure/latest/regions/aws-availability-zones.html#constrained-zones) in the *AWS Regions and Availability Zones User Guide*.

1. Choose the security groups. If you chose **Public internet only**, this step is optional. If you chose **VPC only**, this step is required.

   **Note**  
   For the maximum number of allowed security groups, see [UserSettings](https://docs.aws.amazon.com/sagemaker/latest/APIReference/API_UserSettings.html).

For Amazon VPC requirements in **VPC only** mode, see [Connect Studio notebooks in a VPC to external resources](studio-notebooks-and-internet-access.md).
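The **VPC only** requirements in this procedure (security groups are required, and subnets must not have direct internet access) can be checked against the output of `aws sagemaker describe-domain` and `aws ec2 describe-route-tables`. The following is an added example, not part of the AWS documentation: the sample output is constructed, and treating a default route to an internet gateway as "direct internet access" is an assumption of this example.

```python
# Constructed, trimmed sample of `aws sagemaker describe-domain` output.
DOMAIN = {
    "DomainId": "d-exampledomain",
    "AppNetworkAccessType": "VpcOnly",
    "VpcId": "vpc-0example",
    "SubnetIds": ["subnet-private-a", "subnet-public-b", "subnet-implicit-c"],
    "DefaultUserSettings": {"SecurityGroups": []},
}

LOCAL = {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}

# Constructed sample of `aws ec2 describe-route-tables` output for the VPC.
ROUTE_TABLES = [
    {"RouteTableId": "rtb-main", "Associations": [{"Main": True}],
     "Routes": [LOCAL]},
    {"RouteTableId": "rtb-private",
     "Associations": [{"Main": False, "SubnetId": "subnet-private-a"}],
     "Routes": [LOCAL, {"DestinationCidrBlock": "0.0.0.0/0",
                        "NatGatewayId": "nat-0example"}]},
    {"RouteTableId": "rtb-public",
     "Associations": [{"Main": False, "SubnetId": "subnet-public-b"}],
     "Routes": [LOCAL, {"DestinationCidrBlock": "0.0.0.0/0",
                        "GatewayId": "igw-0example"}]},
]


def route_table_for(subnet_id, route_tables):
    """Explicitly associated route table, else the VPC's main route table."""
    main = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def has_igw_default_route(rt):
    """True if an IPv4 or IPv6 default route targets an internet gateway."""
    for route in rt.get("Routes", []):
        dest = (route.get("DestinationCidrBlock")
                or route.get("DestinationIpv6CidrBlock"))
        gateway = route.get("GatewayId") or ""
        if dest in ("0.0.0.0/0", "::/0") and gateway.startswith("igw-"):
            return True
    return False


def audit_domain_network(domain, route_tables):
    """Return findings for a domain that should run in VPC only mode."""
    if domain.get("AppNetworkAccessType") != "VpcOnly":
        return ["network access type is not VpcOnly: non-EFS traffic "
                "uses the SageMaker AI managed VPC"]
    findings = []
    if not domain.get("DefaultUserSettings", {}).get("SecurityGroups"):
        findings.append("VpcOnly requires security groups, none are set")
    for subnet in domain.get("SubnetIds", []):
        rt = route_table_for(subnet, route_tables)
        if rt is None:
            findings.append(f"{subnet}: no route table found")
        elif has_igw_default_route(rt):
            findings.append(f"{subnet}: default route to an internet "
                            f"gateway in {rt['RouteTableId']}")
    return findings
```

Subnets without an explicit association fall back to the main route table, so the audit resolves that case before checking routes.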