Set up remote access - Amazon SageMaker AI

Set up remote access

Before users can connect their local Visual Studio Code to Studio spaces, the administrator must configure permissions. This section provides instructions for administrators on how to set up their Amazon SageMaker AI domain with remote access.

Different connection methods require different IAM permissions. Configure the appropriate permissions based on how your users will connect. Use the following workflow along with the permissions aligned with the connection method.

  1. Choose the connection method permissions that align with your users' connection methods.

  2. Create a custom IAM policy based on those connection method permissions.

Configure security and permissions

For users connecting via deep links from the SageMaker AI UI, use the following permission and attach it to your SageMaker AI space execution role or domain execution role. If the space execution role is not configured, the domain execution role is used by default.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "RestrictStartSessionOnSpacesToUserProfile",
      "Effect": "Allow",
      "Action": [
        "sagemaker:StartSession"
      ],
      "Resource": "arn:*:sagemaker:*:*:space/${sagemaker:DomainId}/*",
      "Condition": {
        "ArnLike": {
          "sagemaker:ResourceTag/sagemaker:user-profile-arn": "arn:aws:sagemaker:*:*:user-profile/${sagemaker:DomainId}/${sagemaker:UserProfileName}"
        }
      }
    }
  ]
}

Method 2: AWS Toolkit permissions

For users connecting through the AWS Toolkit for Visual Studio Code extension, attach the following policy to one of the following:

  • For IAM authentication, attach this policy to the IAM user or role.

  • For IdC authentication, attach this policy to the permission sets managed by IdC.

Important

The following policy, which uses * as the resource constraint, is recommended only for quick testing. For production environments, scope these permissions down to specific space ARNs to enforce the principle of least privilege. See Advanced access control for examples of more granular permission policies using resource ARNs, tags, and network-based constraints.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "sagemaker:ListSpaces",
        "sagemaker:DescribeSpace",
        "sagemaker:UpdateSpace",
        "sagemaker:ListApps",
        "sagemaker:CreateApp",
        "sagemaker:DeleteApp",
        "sagemaker:DescribeApp",
        "sagemaker:StartSession",
        "sagemaker:DescribeDomain",
        "sagemaker:AddTags"
      ],
      "Resource": "*"
    }
  ]
}

Method 3: SSH terminal permissions

For SSH terminal connections, the StartSession API is called by the SSH proxy command script below, using the local AWS credentials. See Configure the AWS CLI for information and instructions on setting up the users’ local AWS credentials. To use these permissions:

  1. Attach this policy to the IAM user or role associated with the local AWS credentials.

  2. If using a named credential profile, modify the proxy command in your SSH config:

ProxyCommand '/home/user/sagemaker_connect.sh' '%h' YOUR_CREDENTIAL_PROFILE_NAME

Note

The policy needs to be attached to the IAM identity (user/role) used in your local AWS credentials configuration, not to the Amazon SageMaker AI domain execution role.

Important

The following policy, which uses * as the resource constraint, is recommended only for quick testing. For production environments, scope these permissions down to specific space ARNs to enforce the principle of least privilege. See Advanced access control for examples of more granular permission policies using resource ARNs, tags, and network-based constraints.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "sagemaker:StartSession",
      "Resource": "*"
    }
  ]
}

After setup, users can run ssh my_studio_space_abc to start up the space. For more information, see Method 3: Connect from the terminal via SSH CLI.
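The two Important notes above say that the Method 2 and Method 3 policies with "Resource": "*" are for quick testing only. The following added example (not part of the AWS documentation) is a small policy check an administrator can run before attaching a policy: it parses the page's Method 1 and Method 3 policies and flags any Allow statement that grants a sagemaker action on every resource with no Condition, which is the pattern the notes ask you to scope down.

```python
"""Lint SageMaker remote-access IAM policies for unscoped wildcard grants.

Added example, not from the AWS page. The two policies below are copied from
the page: Method 1 (scoped to spaces in the caller's domain) and Method 3
(testing-only, Resource "*").
"""
import json

SCOPED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "RestrictStartSessionOnSpacesToUserProfile",
    "Effect": "Allow",
    "Action": ["sagemaker:StartSession"],
    "Resource": "arn:*:sagemaker:*:*:space/${sagemaker:DomainId}/*",
    "Condition": {"ArnLike": {
      "sagemaker:ResourceTag/sagemaker:user-profile-arn":
        "arn:aws:sagemaker:*:*:user-profile/${sagemaker:DomainId}/${sagemaker:UserProfileName}"}}
  }]
}""")

TESTING_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Sid": "VisualEditor0", "Effect": "Allow",
                 "Action": "sagemaker:StartSession", "Resource": "*"}]
}""")


def _as_list(value):
    """IAM accepts a string or a list for Statement/Action/Resource."""
    return value if isinstance(value, list) else [value]


def find_wildcard_grants(policy):
    """Return (Sid, action) pairs for Allow statements that grant a sagemaker
    action (or "*") on Resource "*" with no Condition block at all."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue
        if "*" not in _as_list(stmt.get("Resource", [])):
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action == "*" or action.lower().startswith("sagemaker:"):
                findings.append((stmt.get("Sid", "<no Sid>"), action))
    return findings


if __name__ == "__main__":
    for name, pol in (("Method 1", SCOPED_POLICY), ("Method 3", TESTING_POLICY)):
        hits = find_wildcard_grants(pol)
        print(f"{name}: {'scoped, OK' if not hits else f'scope down: {hits}'}")
```

A statement that keeps "Resource": "*" but adds a Condition is not flagged, since the check only targets the fully unconstrained form the notes describe; tighten it further if your organisation requires explicit space ARNs.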