Set up remote access - Amazon SageMaker AI

Set up remote access

Before users can connect their local Visual Studio Code to Studio spaces, the administrator must configure permissions. This section provides instructions for administrators on how to set up their Amazon SageMaker AI domain with remote access.

Different connection methods require different IAM permissions. Configure the permissions that match how your users will connect. Follow the workflow below, using the permissions that align with the chosen connection method.

Important

Currently, remote IDE connections are authenticated using IAM credentials, not IAM Identity Center. This applies even to domains that use the IAM Identity Center authentication method for user access to the domain. If you prefer not to use IAM authentication for remote connections, you can opt out by disabling this feature with the RemoteAccess condition key in your IAM policies. For more information, see Remote access enforcement.

  1. Choose the connection method permissions below that align with your users’ connection methods.

  2. Create a custom IAM policy based on the connection method permission.

Step 1: Configure security and permissions

Method 1: Deep link permissions

For users connecting via deep links from the SageMaker UI, use the following permission and attach it to your SageMaker AI space execution role or domain execution role. If the space execution role is not configured, the domain execution role is used by default.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "RestrictStartSessionOnSpacesToUserProfile",
      "Effect": "Allow",
      "Action": [
        "sagemaker:StartSession"
      ],
      "Resource": "arn:*:sagemaker:*:*:space/${sagemaker:DomainId}/*",
      "Condition": {
        "ArnLike": {
          "sagemaker:ResourceTag/sagemaker:user-profile-arn": "arn:aws:sagemaker:*:*:user-profile/${sagemaker:DomainId}/${sagemaker:UserProfileName}"
        }
      }
    }
  ]
}

Method 2: AWS Toolkit permissions

For users connecting through the AWS Toolkit for Visual Studio Code extension, attach the following policy to one of the following:

  • For IAM authentication, attach this policy to the IAM user or role.

  • For IAM Identity Center (IdC) authentication, attach this policy to the permission sets managed by IAM Identity Center.

Important

The following policy, which uses * as the resource constraint, is recommended only for quick testing. For production environments, scope these permissions down to specific space ARNs to enforce the principle of least privilege. See Advanced access control for examples of more granular permission policies using resource ARNs, tags, and network-based constraints.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "sagemaker:ListSpaces",
        "sagemaker:DescribeSpace",
        "sagemaker:UpdateSpace",
        "sagemaker:ListApps",
        "sagemaker:CreateApp",
        "sagemaker:DeleteApp",
        "sagemaker:DescribeApp",
        "sagemaker:StartSession",
        "sagemaker:DescribeDomain",
        "sagemaker:AddTags"
      ],
      "Resource": "*"
    }
  ]
}

Method 3: SSH terminal permissions

For SSH terminal connections, the StartSession API is called by the SSH proxy command script (referenced in the ProxyCommand below) using the local AWS credentials. See Configure the AWS CLI for information and instructions on setting up the users’ local AWS credentials. To use these permissions:

  1. Attach this policy to the IAM user or role associated with the local AWS credentials.

  2. If using a named credential profile, modify the proxy command in your SSH config:

    ProxyCommand '/home/user/sagemaker_connect.sh' '%h' YOUR_CREDENTIAL_PROFILE_NAME

    Note

    The policy needs to be attached to the IAM identity (user/role) used in your local AWS credentials configuration, not to the Amazon SageMaker AI domain execution role.

    Important

    The following policy, which uses * as the resource constraint, is recommended only for quick testing. For production environments, scope these permissions down to specific space ARNs to enforce the principle of least privilege. See Advanced access control for examples of more granular permission policies using resource ARNs, tags, and network-based constraints.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "VisualEditor0",
          "Effect": "Allow",
          "Action": "sagemaker:StartSession",
          "Resource": "*"
        }
      ]
    }

After setup, users can run ssh my_studio_space_abc to start up the space. For more information, see Method 3: Connect from the terminal via SSH CLI.
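Both Important notes above (Method 2 and Method 3) ask that the Resource "*" test policies be scoped to specific space ARNs before production use. The following Python is an added example, not code from this AWS page: it audits a policy document for unconditional Allow statements that grant sagemaker:StartSession on Resource "*" and rewrites them so that StartSession is pinned to named space ARNs. The policy document and the space ARN used in it are constructed samples; only StartSession is rewritten, and the remaining Toolkit actions keep their original Resource.

```python
import copy
from fnmatch import fnmatchcase

# Constructed sample: the quick-test AWS Toolkit policy from this page, with Resource "*".
TOOLKIT_TEST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["sagemaker:ListSpaces", "sagemaker:DescribeSpace", "sagemaker:UpdateSpace",
                   "sagemaker:ListApps", "sagemaker:CreateApp", "sagemaker:DeleteApp",
                   "sagemaker:DescribeApp", "sagemaker:StartSession",
                   "sagemaker:DescribeDomain", "sagemaker:AddTags"],
        "Resource": "*",
    }],
}

def _as_list(value):
    """Action and Resource may be a string or a list; normalise to a list."""
    return [value] if isinstance(value, str) else list(value)

def _covers_start_session(pattern):
    """IAM action matching is case-insensitive and honours '*' wildcards."""
    return fnmatchcase("sagemaker:startsession", pattern.lower())

def unscoped_start_session(policy):
    """Indices of unconditional Allow statements granting StartSession on Resource '*'."""
    hits = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow" or "Action" not in stmt or "Condition" in stmt:
            continue
        if any(_covers_start_session(a) for a in _as_list(stmt["Action"])) \
                and "*" in _as_list(stmt.get("Resource", [])):
            hits.append(i)
    return hits

def scope_start_session(policy, space_arns):
    """Return a copy in which StartSession is allowed only on the given space ARNs.
    Other actions keep their Resource; a wildcard such as 'sagemaker:*' is rejected."""
    hardened = copy.deepcopy(policy)
    for i in unscoped_start_session(policy):
        stmt = hardened["Statement"][i]
        actions = _as_list(stmt["Action"])
        if any(_covers_start_session(a) and a.lower() != "sagemaker:startsession" for a in actions):
            raise ValueError(f"statement {i}: narrow the wildcard action by hand")
        stmt["Action"] = [a for a in actions if a.lower() != "sagemaker:startsession"]
    # Drop statements left with no actions, then append the pinned StartSession grant.
    hardened["Statement"] = [s for s in hardened["Statement"] if s.get("Action") != []]
    hardened["Statement"].append({"Sid": "StartSessionOnNamedSpaces", "Effect": "Allow",
                                  "Action": "sagemaker:StartSession", "Resource": list(space_arns)})
    return hardened
```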

Step 2: Enable remote access for your space

After you set up the permissions, you must toggle on Remote Access and start your space in Studio before the user can connect using their local VS Code. This setup only needs to be done once.

Note

If your users are connecting using Method 2: AWS Toolkit permissions, this step is not strictly necessary. AWS Toolkit for Visual Studio Code users can enable remote access from the Toolkit.

Activate remote access for your Studio space

  1. Launch Amazon SageMaker Studio.

  2. Open the Studio UI.

  3. Navigate to your space.

  4. In the space details, toggle on Remote Access.

  5. Choose Run space.