

# Amazon SageMaker Role Manager
<a name="role-manager"></a>

Machine learning (ML) administrators who want least-privilege permissions for Amazon SageMaker AI must account for the distinct access needs of personas such as data scientists, machine learning operations (MLOps) engineers, and others. Use Amazon SageMaker Role Manager to build and manage persona-based IAM roles for common machine learning needs directly in the Amazon SageMaker AI console.

Amazon SageMaker Role Manager provides three preconfigured role personas and predefined permissions for common ML activities. Explore the provided personas and their suggested policies, or create and maintain roles for personas unique to your business needs. If you require additional customization, specify networking and encryption permissions for [Amazon Virtual Private Cloud](https://aws.amazon.com/vpc/) resources and [AWS Key Management Service](https://aws.amazon.com/kms/) encryption keys in [Step 1. Enter role information](role-manager-tutorial.md#role-manager-tutorial-enter-role-information) of the Amazon SageMaker Role Manager.

**Topics**
+ [Using the role manager (console)](role-manager-tutorial.md)
+ [Using the role manager (AWS CDK)](role-manager-tutorial-cdk.md)
+ [Persona reference](role-manager-personas.md)
+ [ML activity reference](role-manager-ml-activities.md)
+ [Launch Studio Classic](role-manager-launch-notebook.md)
+ [Role Manager FAQs](role-manager-faqs.md)

# Using the role manager (console)
<a name="role-manager-tutorial"></a>

You can open Amazon SageMaker Role Manager from the following locations in the left navigation pane of the Amazon SageMaker AI console:
+ **Getting started** – Quickly add permissions policies for your users.
+ **domains** – Add permissions policies for users within an Amazon SageMaker AI domain.
+ **Notebooks** – Add least-privilege permissions for users who create and run notebooks.
+ **Training** – Add least-privilege permissions for users who create and manage training jobs.
+ **Inference** – Add least-privilege permissions for users who deploy and manage models for inference.

Use the following procedures to start creating a role from each of these locations in the SageMaker AI console.

## Getting started
<a name="role-manager-tutorial-getting-started"></a>

If you're using SageMaker AI for the first time, we recommend creating a role from the **Getting started** section.

To create a role using Amazon SageMaker Role Manager, do the following.

1. Open the Amazon SageMaker AI console.

1. On the left navigation pane, choose **Admin configurations**.

1. Under **Admin configurations**, choose **Role manager**. 

1. Choose **Create a role**.

## domains
<a name="role-manager-tutorial-domain"></a>

You can create a role using Amazon SageMaker Role Manager when you start the process of creating an Amazon SageMaker AI domain.

To create a role using Amazon SageMaker Role Manager, do the following.

1. Open the Amazon SageMaker AI console.

1. On the left navigation pane, choose **Admin configurations**.

1. Under **Admin configurations**, choose **domains**. 

1. Choose **Create domain**.

1. Choose **Create role using the role creation wizard**.

## Notebook
<a name="role-manager-tutorial-notebook"></a>

You can create a role using Amazon SageMaker Role Manager when you start the process of creating a notebook.

To create a role using Amazon SageMaker Role Manager, do the following.

1. Open the Amazon SageMaker AI console.

1. On the left-hand navigation, select **Notebook**.

1. Choose **Notebook instances**.

1. Choose **Create notebook instance**.

1. Choose **Create role using the role creation wizard**.

## Training
<a name="role-manager-tutorial-training"></a>

You can create a role using Amazon SageMaker Role Manager when you start the process of creating a training job.

To create a role using Amazon SageMaker Role Manager, do the following.

1. Open the Amazon SageMaker AI console.

1. On the left-hand navigation, choose **Training**.

1. Select **Training jobs**.

1. Choose **Create training job**.

1. Choose **Create role using the role creation wizard**.

## Inference
<a name="role-manager-tutorial-inference"></a>

You can create a role using Amazon SageMaker Role Manager when you start the process of deploying a model for inference.

To create a role using Amazon SageMaker Role Manager, do the following.

1. Open the Amazon SageMaker AI console.

1. On the left-hand navigation, choose **Inference**.

1. Select **Models**.

1. Choose **Create model**.

1. Choose **Create role using the role creation wizard**.

After you've completed one of the preceding procedures, use the information in the following sections to help you create the role.

## Prerequisites
<a name="role-manager-tutorial-prerequisites"></a>

To use Amazon SageMaker Role Manager, you must have permission to create IAM roles and to attach policies to them. This permission is usually held by ML administrators; the least-privilege roles that you create for ML practitioners should not include it.

You can temporarily assume an IAM role in the AWS Management Console by [switching roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-console.html). For more information about methods for using roles, see [Using IAM roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html) in the *IAM User Guide*.

## Step 1. Enter role information
<a name="role-manager-tutorial-enter-role-information"></a>

Provide a name to use as the unique suffix of your new SageMaker AI role. By default, the prefix `"sagemaker-"` is added to every role name for easier search in the IAM console. For example, if you name your role `test-123` during role creation, your role shows up as `sagemaker-test-123` in the IAM console. You can optionally add a description of your role to provide additional details. 

Then, choose from one of the available personas to get suggested permissions for personas such as data scientists, data engineers, or machine learning operations (MLOps) engineers. For information on available personas and their suggested permissions, see [Persona reference](role-manager-personas.md). To create a role without any suggested permissions to guide you, choose **Custom Role Settings**.

**Note**  
We recommend that you first use the role manager to create a SageMaker AI Compute Role so that SageMaker AI compute resources have the ability to perform tasks such as training and inference. Use the SageMaker AI Compute Role persona to create this role with the role manager. After creating a SageMaker AI Compute Role, take note of its ARN for future use.

### Network and encryption conditions
<a name="role-manager-tutorial-enter-role-information-network-and-encryption"></a>

We recommend that you activate VPC customization to use VPC configurations, subnets, and security groups with IAM policies associated with your new role. When VPC customization is activated, IAM policies for ML activities that interact with VPC resources are scoped down for least-privilege access. VPC customization is not activated by default. For more details on recommended networking architecture, see [Networking architecture](https://docs.aws.amazon.com/whitepapers/latest/build-secure-enterprise-ml-platform/networking-architecture.html) in the *AWS Technical Guide*.

You can also use a KMS key to encrypt, decrypt, and re-encrypt data for regulated workloads with highly sensitive data. When AWS KMS customization is activated, IAM policies for ML activities that support custom encryption keys are scoped down for least-privilege access. For more information, see [Encryption with AWS KMS](https://docs.aws.amazon.com/whitepapers/latest/build-secure-enterprise-ml-platform/encryption-with-kms.html) in the *AWS Technical Guide*.

## Step 2. Configure ML activities
<a name="role-manager-tutorial-configure-ml-activities"></a>

Each Amazon SageMaker Role Manager ML activity includes suggested IAM permissions to provide access to relevant AWS resources. Some ML activities require that you add service role ARNs to complete setup. For information on predefined ML activities and their permissions, see [ML activity reference](role-manager-ml-activities.md). For information on adding service roles, see [Service roles](#role-manager-tutorial-configure-ml-activities-service-roles).

Based on the chosen persona, certain ML activities are already selected. You can deselect any suggested ML activities or select additional activities to create your own role. If you selected the Custom Role Settings persona, then no ML activities are preselected in this step. 

You can add any additional AWS or customer-managed IAM policies to your role in [Step 3: Add additional policies and tags](#role-manager-tutorial-add-policies-and-tags).

### Service roles
<a name="role-manager-tutorial-configure-ml-activities-service-roles"></a>

Some AWS services require a service role to perform actions on your behalf. If the ML activity that you selected requires you to pass a service role, then you must provide the ARN for that service role. 

You can either create a new service role or use an existing one, such as a service role created with the SageMaker AI Compute Role persona. You can find the ARN of an existing role by selecting the role name in the Roles section of the [IAM console](https://console.aws.amazon.com/iamv2/). To learn more about service roles, see [Creating a role for an AWS service](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-service.html).
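The two choices above, VPC and KMS customization in Step 1 and the service role ARN that a pass-role activity requires, both show up as scoping in the generated policy: condition keys on the actions that launch compute, and a named role instead of `*` on `iam:PassRole`. The following script, an added example rather than anything Role Manager ships, audits a policy document for exactly that scoping. The two sample policies are constructed for the example and only resemble Role Manager output; the list of compute-launching actions is an assumption chosen for illustration, while `sagemaker:VpcSubnets`, `sagemaker:VpcSecurityGroupIds`, `sagemaker:VolumeKmsKey`, `sagemaker:OutputKmsKey` and `iam:PassedToService` are real IAM condition keys.

```python
"""Audit a SageMaker AI role policy for the scoping that Role Manager's VPC/KMS
customization and service-role step provide. Added example; the sample policies
below are constructed and only resemble Role Manager output."""
from fnmatch import fnmatchcase

# SageMaker actions that start managed compute (list chosen for this example).
JOB_ACTIONS = (
    "sagemaker:CreateTrainingJob",
    "sagemaker:CreateProcessingJob",
    "sagemaker:CreateTransformJob",
    "sagemaker:CreateHyperParameterTuningJob",
    "sagemaker:CreateNotebookInstance",
)
# SageMaker condition keys, lower-cased because IAM compares keys case-insensitively.
VPC_KEYS = {"sagemaker:vpcsubnets", "sagemaker:vpcsecuritygroupids"}
KMS_KEYS = {"sagemaker:volumekmskey", "sagemaker:outputkmskey"}


def _as_list(value):
    """Statement, Action and Resource may each be a single value or a list."""
    return value if isinstance(value, list) else [value]


def _grants(action_patterns, action):
    """True if a statement pattern such as 'sagemaker:Create*' covers `action` (case-insensitive)."""
    return any(fnmatchcase(action.lower(), p.lower()) for p in action_patterns)


def _condition_keys(stmt):
    """Every condition key in the statement, regardless of operator (StringEquals, Null, ...)."""
    return {key.lower() for keys in stmt.get("Condition", {}).values() for key in keys}


def audit_policy(policy):
    """Return 'Sid: problem' strings for each Allow statement wider than a scoped-down role needs."""
    findings = []
    for index, stmt in enumerate(_as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"Statement{index}")
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        keys = _condition_keys(stmt)

        # iam:PassRole on '*' lets the user hand any role in the account to SageMaker,
        # including roles far more privileged than their own.
        if _grants(actions, "iam:PassRole") and "*" in resources:
            findings.append(f"{sid}: iam:PassRole on Resource '*'; name the SageMaker AI Compute Role ARN")

        # Compute-launching actions should be pinned to approved subnets/SGs and KMS keys.
        launched = [a for a in JOB_ACTIONS if _grants(actions, a)]
        if launched and not keys & VPC_KEYS:
            findings.append(f"{sid}: {', '.join(launched)} without a sagemaker:VpcSubnets/VpcSecurityGroupIds condition")
        if launched and not keys & KMS_KEYS:
            findings.append(f"{sid}: {', '.join(launched)} without a sagemaker:VolumeKmsKey/OutputKmsKey condition")

        # Blanket S3 access across every bucket in the account.
        if _grants(actions, "s3:*") and "*" in resources:
            findings.append(f"{sid}: all S3 actions on every bucket; use 'Amazon S3 Bucket Access' with named buckets")
    return findings


# Constructed sample: a scoped-down role with VPC and KMS customization on.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PassComputeRole", "Effect": "Allow", "Action": "iam:PassRole",
         "Resource": "arn:aws:iam::111122223333:role/sagemaker-compute-role",
         "Condition": {"StringEquals": {"iam:PassedToService": "sagemaker.amazonaws.com"}}},
        {"Sid": "LaunchJobsInVpc", "Effect": "Allow",
         "Action": ["sagemaker:CreateTrainingJob", "sagemaker:CreateProcessingJob"],
         "Resource": "*",
         "Condition": {
             # ForAllValues alone passes when the key is absent, so also require it to be present.
             "ForAllValues:StringEquals": {"sagemaker:VpcSubnets": ["subnet-0123456789abcdef0"],
                                           "sagemaker:VpcSecurityGroupIds": ["sg-0123456789abcdef0"]},
             "Null": {"sagemaker:VpcSubnets": "false", "sagemaker:VpcSecurityGroupIds": "false"},
             "StringEquals": {"sagemaker:VolumeKmsKey": "arn:aws:kms:us-east-1:111122223333:key/example-key-id"},
         }},
        {"Sid": "ProjectBucket", "Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::amzn-s3-demo-bucket/*"},
    ],
}

# Constructed sample: the same role after a "just make it work" edit.
LOOSE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PassAnyRole", "Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"},
        {"Sid": "LaunchJobsAnywhere", "Effect": "Allow", "Action": "sagemaker:Create*", "Resource": "*"},
        {"Sid": "AllOfS3", "Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    print("scoped:", audit_policy(SCOPED_POLICY) or "no findings")
    for finding in audit_policy(LOOSE_POLICY):
        print("loose: ", finding)
```

To run this against a real role, fetch its inline and attached policy documents with boto3 (`iam.get_role_policy` and `iam.get_policy_version`) and pass each document to `audit_policy`. The `Null` check in the scoped sample matters: a `ForAllValues` condition evaluates to true when the request carries no subnets at all, so without it a job launched outside any VPC would still be allowed.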

## Step 3: Add additional policies and tags
<a name="role-manager-tutorial-add-policies-and-tags"></a>

You can add any existing AWS or customer-managed IAM policies to your new role. For information on existing SageMaker AI policies, see [AWS Managed Policies for Amazon SageMaker AI](https://docs.aws.amazon.com/sagemaker/latest/dg/security-iam-awsmanpol.html). You can also check your existing policies in the **Roles** section of the [IAM console](https://console.aws.amazon.com/iamv2/). 

Optionally, add tags to the role. Each tag is a key-value pair that you can use to categorize and manage AWS resources and as the basis for tag-based access control conditions in your policies. For more information, see [Controlling access to AWS resources using tags](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_tags.html).

## Review role
<a name="role-manager-tutorial-review-role"></a>

Take the time to review all of the information associated with your new role. Choose **Previous** to go back and edit any of the information. When you are ready to create your role, choose **Create role**. This generates a role with permissions for your selected ML activities. You can view your new role in the **Roles** section of the [IAM console](https://console.aws.amazon.com/iamv2/). 

# Using the role manager (AWS CDK)
<a name="role-manager-tutorial-cdk"></a>

Use the AWS Cloud Development Kit (AWS CDK) with Amazon SageMaker Role Manager to programmatically create roles and set permissions. You can use the AWS CDK to accomplish any task that you could perform using the AWS Management Console. The programmatic access of the CDK makes it easier to provide permissions that give your users access to specific resources. For more information about the AWS CDK, see [What is AWS CDK?](https://docs.aws.amazon.com/cdk/v2/guide/home.html)

**Important**  
You must use the SageMaker AI Compute Role persona to create a SageMaker AI Compute Role. For more information about the compute persona, see [SageMaker AI compute persona](role-manager-personas.md#role-manager-personas-compute). For code that you can use to create the compute role within the AWS CDK, see [Grant permissions to a Compute persona](#role-manager-cdk-compute-persona).

The following are examples of tasks that you can perform in the AWS CDK:
+ Create IAM roles with granular permissions for machine learning (ML) personas, such as Data Scientists and MLOps Engineers.
+ Grant permissions to CDK constructs from ML personas or ML activities.
+ Set ML activity condition parameters.
+ Enable global Amazon VPC and AWS Key Management Service conditions and set values for them.
+ Choose from all versions of the ML activities for your users without causing disruptions in their access.

There are common AWS tasks related to machine learning (ML) with SageMaker AI that require specific IAM permissions. The permissions to perform the tasks are defined as ML activities in Amazon SageMaker Role Manager. ML activities specify a set of permissions that are linked to the IAM role. For example, the ML activity for Amazon SageMaker Studio Classic has all of the permissions that a user needs to access Studio Classic. For more information about ML activities, see [ML activity reference](role-manager-ml-activities.md).

When you're creating roles, you first define the constructs for the ML persona or the ML activity. A construct is a resource within the AWS CDK stack. For example, a construct could be an Amazon S3 bucket, an Amazon VPC subnet, or an IAM role.

As you're creating the persona or activity, you can limit the permissions associated with that persona or activity to specific resources. For example, you can customize the activity to only provide permissions for a specific subnet within an Amazon VPC.

After you've defined permissions, you can create roles and then pass those roles to create other resources, such as SageMaker notebook instances.

The following are code examples in TypeScript for tasks that you can accomplish using the CDK. When you create an activity, you specify an ID and the options for the activity's construct. The options are objects that specify the required parameters for the activity, such as the Amazon S3 buckets it may access or the roles it may pass. Pass an empty object for activities that don't have required parameters.

## Grant permissions to a Compute persona
<a name="role-manager-cdk-compute-persona"></a>

The following code creates a SageMaker AI Compute persona. Its only ML activity is Access Required AWS Services, which gives SageMaker AI compute resources (training jobs, endpoints, and so on) access to Amazon S3, Amazon ECR, Amazon CloudWatch, and Amazon EC2. This is the service role that the user-facing personas pass to SageMaker AI, so create it first and keep its name or ARN for the `rolesToPass` options of the other personas.

After you’ve defined the persona, `createRole` adds the IAM role as a construct within the AWS CDK stack.

```
import * as cdk from 'aws-cdk-lib';
// Role Manager constructs, from the cdklabs CDK library for SageMaker Role Manager
import { Persona, Activity } from '@cdklabs/cdk-aws-sagemaker-role-manager';

export class myCDKStack extends cdk.Stack {
  constructor(scope: cdk.App, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    // SageMaker AI Compute Role: only the "Access Required AWS Services" activity,
    // so SageMaker-managed compute can reach S3, ECR, CloudWatch and EC2 on its own behalf.
    const persona = new Persona(this, 'example-persona-id', {
        activities: [
            Activity.accessAwsServices(this, 'example-id1', {})
        ]
    });

    // Creates the IAM role. Note its name/ARN: the other personas pass it via rolesToPass.
    const role = persona.createRole(this, 'example-IAM-role-id', 'example-compute-role-name');
  }
}
```

## Grant permissions to a Data Scientist persona
<a name="role-manager-cdk-data-scientist"></a>

The following code creates a Data Scientist ML persona with a set of ML activities specific to the persona. The ML activities are defined in the activities list; the Amazon VPC and AWS KMS settings are optional parameters outside that list, and the permissions from ML activities that support them apply only to the subnets, security groups, and keys you specify there. Activities that can pass a role (manage jobs, manage models) are given the SageMaker AI Compute Role created earlier, which scopes the new role's `iam:PassRole` permission to that role alone.

After you’ve defined the persona, you can create a role as a construct within the AWS CDK stack and then create a notebook instance that uses it. The person who assumes the IAM role created in the following code can access the notebook instance when they log in to their AWS account.

```
import * as cdk from 'aws-cdk-lib';
import { aws_ec2 as ec2, aws_iam as iam, aws_kms as kms, aws_s3 as s3 } from 'aws-cdk-lib';
import { CfnNotebookInstance } from 'aws-cdk-lib/aws-sagemaker';
import { Persona, Activity } from '@cdklabs/cdk-aws-sagemaker-role-manager';

export class myCDKStack extends cdk.Stack {
  constructor(scope: cdk.App, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    // Service role that SageMaker AI compute runs as, created earlier with the Compute persona.
    // iam:PassRole in the new role is scoped to exactly this role.
    const computeRole = iam.Role.fromRoleName(this, 'compute-role', 'example-compute-role-name');

    const persona = new Persona(this, 'example-persona-id', {
        activities: [
            Activity.runStudioAppsV2(this, 'example-id1', {}),
            Activity.manageJobs(this, 'example-id2', { rolesToPass: [computeRole] }),
            Activity.manageModels(this, 'example-id3', { rolesToPass: [computeRole] }),
            Activity.manageExperiments(this, 'example-id4', {}),
            Activity.visualizeExperiments(this, 'example-id5', {}),
            Activity.accessS3Buckets(this, 'example-id6', {
                s3Buckets: [s3.Bucket.fromBucketName(this, 'project-bucket', 'amzn-s3-demo-bucket')]
            })
        ],
        // optional: restrict VPC-attached ML activities to these subnets and security groups
        subnets: [ec2.Subnet.fromSubnetId(this, 'subnet', 'example-VPC-subnet-id')],
        securityGroups: [ec2.SecurityGroup.fromSecurityGroupId(this, 'sg', 'example-VPC-security-group-id')],
        // optional: restrict KMS-aware ML activities to these keys
        dataKeys: [kms.Key.fromKeyArn(this, 'data-key', 'example-KMS-key-ARN')],
        volumeKeys: [kms.Key.fromKeyArn(this, 'volume-key', 'example-KMS-key-ARN')],
    });

    const role = persona.createRole(this, 'example-IAM-role-id', 'example-IAM-role-name');

    // The notebook itself runs as the new role; the user who assumes that role can open it.
    const notebookInstance = new CfnNotebookInstance(this, 'example-notebook-instance-name', {
        roleArn: role.roleArn,
        instanceType: 'ml.t3.medium',  // example value; required by the L1 construct
        // ... other notebook instance properties
    });
  }
}
```

## Grant permissions to an ML Ops persona
<a name="role-manager-cdk-ml-ops-persona"></a>

The following code creates an ML Ops persona with a set of ML activities specific to the persona. The ML activities are defined in the activities list; the Amazon VPC and AWS KMS settings are optional parameters outside that list, and the permissions from ML activities that support them apply only to the subnets, security groups, and keys you specify there. The activities that pass a role are given the SageMaker AI Compute Role created earlier.

After you’ve defined the persona, you can create a role as a construct within the AWS CDK stack and then create an Amazon SageMaker Studio Classic user profile whose execution role is that role. The person assigned to that user profile opens SageMaker Studio Classic with the IAM role created in the following code.

```
import * as cdk from 'aws-cdk-lib';
import { aws_ec2 as ec2, aws_iam as iam, aws_kms as kms } from 'aws-cdk-lib';
import { CfnUserProfile } from 'aws-cdk-lib/aws-sagemaker';
import { Persona, Activity } from '@cdklabs/cdk-aws-sagemaker-role-manager';

export class myCDKStack extends cdk.Stack {
  constructor(scope: cdk.App, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    // The SageMaker AI Compute Role created earlier; iam:PassRole is scoped to it.
    const computeRole = iam.Role.fromRoleName(this, 'compute-role', 'example-compute-role-name');

    const persona = new Persona(this, 'example-persona-id', {
        activities: [
            Activity.runStudioAppsV2(this, 'example-id1', {}),
            Activity.manageModels(this, 'example-id2', { rolesToPass: [computeRole] }),
            Activity.manageEndpoints(this, 'example-id3', { rolesToPass: [computeRole] }),
            Activity.managePipelines(this, 'example-id4', { rolesToPass: [computeRole] }),
            Activity.visualizeExperiments(this, 'example-id5', {})
        ],
        subnets: [ec2.Subnet.fromSubnetId(this, 'subnet', 'example-VPC-subnet-id')],
        securityGroups: [ec2.SecurityGroup.fromSecurityGroupId(this, 'sg', 'example-VPC-security-group-id')],
        dataKeys: [kms.Key.fromKeyArn(this, 'data-key', 'example-KMS-key-ARN')],
        volumeKeys: [kms.Key.fromKeyArn(this, 'volume-key', 'example-KMS-key-ARN')],
    });

    const role = persona.createRole(this, 'example-IAM-role-id', 'example-IAM-role-name');

    // Studio Classic user profile whose execution role is the new role.
    const userProfile = new CfnUserProfile(this, 'example-studio-profile', {
        domainId: 'example-domain-id',                 // example value; required by the L1 construct
        userProfileName: 'example-user-profile-name',  // example value; required by the L1 construct
        userSettings: { executionRole: role.roleArn },
        // ... other user profile properties
    });
  }
}
```

## Grant permissions to a construct
<a name="role-manager-cdk-ml-ops"></a>

The following code creates an ML Ops persona with a set of ML activities specific to the persona. The ML activities are defined in the activities list.

Instead of creating a new IAM role, the code grants the permissions from the ML activities to an existing construct: the execution role of a Lambda function looked up by name. Use this pattern when a service, rather than a person, needs persona permissions. The function then carries every permission in the persona, so keep the activities list to what the function actually does.

```
import * as cdk from 'aws-cdk-lib';
import { aws_iam as iam, aws_lambda as lambda } from 'aws-cdk-lib';
import { Persona, Activity } from '@cdklabs/cdk-aws-sagemaker-role-manager';

export class myCDKStack extends cdk.Stack {
  constructor(scope: cdk.App, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    // The SageMaker AI Compute Role created earlier; iam:PassRole is scoped to it.
    const computeRole = iam.Role.fromRoleName(this, 'compute-role', 'example-compute-role-name');

    const persona = new Persona(this, 'example-persona-id', {
        activities: [
            Activity.runStudioAppsV2(this, 'example-id1', {}),
            Activity.manageModels(this, 'example-id2', { rolesToPass: [computeRole] }),
            Activity.manageEndpoints(this, 'example-id3', { rolesToPass: [computeRole] }),
            Activity.managePipelines(this, 'example-id4', { rolesToPass: [computeRole] }),
            Activity.visualizeExperiments(this, 'example-id5', {})
        ],
    });

    // Attach the persona's permissions to the execution role of an existing Lambda function.
    const lambdaFn = lambda.Function.fromFunctionName(this, 'example-fn', 'example-lambda-function-name');
    persona.grantPermissionsTo(lambdaFn);
  }
}
```

## Grant permissions for a single ML activity
<a name="role-manager-cdk-single-ml-activity"></a>

The following code creates a single ML activity and creates a role from it. The permissions from the activity apply only to the Amazon VPC and AWS KMS configuration that you specify in the activity's options, and `iam:PassRole` is scoped to the role named in `rolesToPass`.

```
import * as cdk from 'aws-cdk-lib';
import { aws_ec2 as ec2, aws_iam as iam, aws_kms as kms } from 'aws-cdk-lib';
import { Activity } from '@cdklabs/cdk-aws-sagemaker-role-manager';

export class myCDKStack extends cdk.Stack {
  constructor(scope: cdk.App, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    // VPC and KMS conditions set on the activity itself rather than on a persona.
    const activity = Activity.manageJobs(this, 'example-activity-id', {
        // the SageMaker AI Compute Role that jobs run as
        rolesToPass: [iam.Role.fromRoleName(this, 'compute-role', 'example-compute-role-name')],
        subnets: [ec2.Subnet.fromSubnetId(this, 'subnet', 'example-VPC-subnet-id')],
        securityGroups: [ec2.SecurityGroup.fromSecurityGroupId(this, 'sg', 'example-VPC-security-group-id')],
        dataKeys: [kms.Key.fromKeyArn(this, 'data-key', 'example-KMS-key-ARN')],
        volumeKeys: [kms.Key.fromKeyArn(this, 'volume-key', 'example-KMS-key-ARN')],
    });

    const role = activity.createRole(this, 'example-IAM-role-id', 'example-IAM-role-name');
  }
}
```

## Create a role and give it permissions for a single activity
<a name="role-manager-cdk-permissions"></a>

The following code creates an IAM role for a single ML activity without any VPC or KMS conditions; the only scoping is the role that the activity may pass.

```
import * as cdk from 'aws-cdk-lib';
import { aws_iam as iam } from 'aws-cdk-lib';
import { Activity } from '@cdklabs/cdk-aws-sagemaker-role-manager';

export class myCDKStack extends cdk.Stack {
  constructor(scope: cdk.App, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    const activity = Activity.manageJobs(this, 'example-activity-id', {
        // the SageMaker AI Compute Role that jobs run as
        rolesToPass: [iam.Role.fromRoleName(this, 'compute-role', 'example-compute-role-name')],
    });

    const role = activity.createRole(this, 'example-IAM-role-id', 'example-IAM-role-name');
  }
}
```

# Persona reference
<a name="role-manager-personas"></a>

Amazon SageMaker Role Manager provides suggested permissions for a number of ML personas. These include user execution roles for common ML practitioner responsibilities as well as service execution roles for common AWS service interactions needed to work with SageMaker AI. 

Each persona has suggested permissions in the form of selected ML activities. For information on predefined ML activities and their permissions, see [ML activity reference](role-manager-ml-activities.md). 

## Data scientist persona
<a name="role-manager-personas-data-scientist"></a>

Use this persona to configure permissions to perform general machine learning development and experimentation in a SageMaker AI environment. This persona includes the following preselected ML activities:
+ Run Studio Classic Applications
+ Manage ML Jobs
+ Manage Models
+ Manage AWS Glue Tables
+ Canvas AI Services
+ Canvas MLOps
+ Canvas Kendra Access
+ Use MLflow
+ Access required to AWS Services for MLflow
+ Run Studio EMR Serverless Applications

## MLOps persona
<a name="role-manager-personas-mlops"></a>

Choose this persona to configure permissions for operational activities. This persona includes the following preselected ML activities:
+ Run Studio Classic Applications
+ Manage Models
+ Manage Pipelines
+ Search and visualize experiments
+ Amazon S3 Full Access

## SageMaker AI compute persona
<a name="role-manager-personas-compute"></a>

**Note**  
We recommend that you first use the role manager to create a SageMaker AI Compute Role so that SageMaker AI compute resources can perform tasks such as training and inference. Use the SageMaker AI Compute Role persona to create this role with the role manager. After creating a SageMaker AI Compute Role, take note of its ARN for future use.

This persona includes the following preselected ML activity:
+ Access Required AWS Services

# ML activity reference
<a name="role-manager-ml-activities"></a>

ML activities are common AWS tasks related to machine learning with SageMaker AI that require specific IAM permissions. Each [persona](https://docs.aws.amazon.com/sagemaker/latest/dg/role-manager-personas.html) suggests related ML activities when creating a role with Amazon SageMaker Role Manager. You can select any additional ML activities or deselect any suggested ML activities to create a role that meets your unique business needs.

Amazon SageMaker Role Manager provides predefined permissions for the following ML activities:

| **ML activity** | **Description** | 
| --- | --- | 
| Access Required AWS Services | Permissions to access Amazon S3, Amazon ECR, Amazon CloudWatch, and Amazon EC2. Required for execution roles for jobs and endpoints. | 
| Run Studio Classic Applications | Permissions to operate within a Studio Classic environment. Required for domain and user profile execution roles. | 
| Manage ML Jobs | Permissions to manage SageMaker AI jobs (training, processing, transform, and tuning) across their lifecycles. | 
| Manage Models | Permissions to manage SageMaker AI models and the Model Registry. | 
| Manage Pipelines | Permissions to manage SageMaker pipelines and pipeline executions. | 
| Search and visualize experiments | Permissions to audit, query lineage, and visualize SageMaker AI experiments. | 
| Manage Model Monitoring | Permissions to manage monitoring schedules for SageMaker AI Model Monitor. | 
| Amazon S3 Full Access | Permissions to perform all Amazon S3 operations. | 
| Amazon S3 Bucket Access | Permissions to perform operations on specified Amazon S3 buckets. | 
| Query Athena Workgroups | Permissions to run and manage Amazon Athena queries. | 
| Manage AWS Glue Tables | Permissions to create and manage AWS Glue tables for SageMaker AI Feature Store and Data Wrangler. | 
| SageMaker Canvas Core Access | Permissions to perform experimentation in SageMaker Canvas (basic data prep, model build, and validation). | 
| SageMaker Canvas Data Preparation (powered by Data Wrangler) | Permissions to perform end-to-end data preparation in SageMaker Canvas (aggregate, transform, and analyze data; create and schedule data preparation jobs on large datasets). | 
| SageMaker Canvas AI Services | Permissions to access ready-to-use models from Amazon Bedrock, Amazon Textract, Amazon Rekognition, and Amazon Comprehend. Additionally, user can fine-tune foundation models from Amazon Bedrock and Amazon SageMaker JumpStart. | 
| SageMaker Canvas MLOps | Permission for SageMaker Canvas users to directly deploy model to endpoint. | 
| SageMaker Canvas Kendra Access | Permission for SageMaker Canvas to access Amazon Kendra for enterprise document search. The permission is only given to your selected index names in Amazon Kendra. | 
| Use MLflow | Permissions to manage experiments, runs, and models in MLflow. | 
| Manage MLflow Tracking Servers | Permissions to manage, start, and stop MLflow Tracking Servers. | 
| Access required to AWS Services for MLflow | Permissions for MLflow Tracking Servers to access S3, Secrets Manager, and Model Registry. | 
| Run Studio EMR Serverless Applications | Permissions to Create and Manage EMR Serverless Applications on Amazon SageMaker Studio. | 

# Launch Studio Classic
<a name="role-manager-launch-notebook"></a>

Use your persona-focused roles to launch Studio Classic. If you are an administrator, you can give your users access to Studio Classic and have them assume their persona role either directly through the AWS Management Console or through the AWS IAM Identity Center.

## Launch Studio Classic with AWS Management Console
<a name="role-manager-launch-notebook-console"></a>

For data scientists or other users to assume their given persona through the AWS Management Console, they need a console role that gets them to the Studio Classic environment.

You cannot use Amazon SageMaker Role Manager to create a role that grants access to the AWS Management Console. Instead, attach a policy like the following to the IAM user or role that your data scientists sign in with. It lets them list domains and user profiles, describe the one Studio Classic domain, and create a presigned URL only for their own user profile; replace the account ID, domain ID, and user profile name with your own. The execution role that you created with Role Manager is set on the user profile (see below), not on this console principal:

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DescribeCurrentDomain",
            "Effect": "Allow",
            "Action": "sagemaker:DescribeDomain",
            "Resource": "arn:aws:sagemaker:us-east-1:111122223333:domain/<STUDIO-DOMAIN-ID>"
        },
        {
            "Sid": "RemoveErrorMessagesFromConsole",
            "Effect": "Allow",
            "Action": [
                "servicecatalog:ListAcceptedPortfolioShares",
                "sagemaker:GetSagemakerServicecatalogPortfolioStatus",
                "sagemaker:ListModels",
                "sagemaker:ListTrainingJobs",
                "servicecatalog:ListPrincipalsForPortfolio",
                "sagemaker:ListNotebookInstances",
                "sagemaker:ListEndpoints"
            ],
            "Resource": "*"
        },
        {
            "Sid": "RequiredForAccess",
            "Effect": "Allow",
            "Action": [
                "sagemaker:ListDomains",
                "sagemaker:ListUserProfiles"
            ],
            "Resource": "*"
        },
        {
            "Sid": "CreatePresignedURLForAccessToDomain",
            "Effect": "Allow",
            "Action": "sagemaker:CreatePresignedDomainUrl",
            "Resource": "arn:aws:sagemaker:us-east-1:111122223333:user-profile/<STUDIO-DOMAIN-ID>/<USER-PROFILE-NAME>"
        }
    ]
}
```

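The last statement is the one that matters for isolation: a presigned domain URL opens Studio Classic as the named user profile, running with that profile's execution role, so whoever can call `sagemaker:CreatePresignedDomainUrl` on a user-profile ARN effectively gets that role. The following script, an added example that is not part of this documentation, evaluates the console policy above against candidate user-profile ARNs with IAM's matching rules (case-insensitive actions, case-sensitive resources with `*` and `?` wildcards, explicit Deny wins) and shows what changes when the `Resource` is loosened to `*`. Conditions, `NotAction` and `NotResource` are deliberately not modelled; the account ID, domain ID, and profile names are constructed placeholders.

```python
"""Which Studio Classic user profiles can a console principal open?

Added example, not part of the SageMaker documentation. Simplified IAM
evaluation: no Condition, NotAction or NotResource handling."""
import re
from fnmatch import fnmatchcase

ACTION = "sagemaker:CreatePresignedDomainUrl"


def _as_list(value):
    """Statement, Action and Resource may each be a single value or a list."""
    return value if isinstance(value, list) else [value]


def _arn_regex(pattern):
    """IAM Resource matching: '*' spans any characters (including ':' and '/'), '?' matches one."""
    parts = [".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern]
    return re.compile("^" + "".join(parts) + "$")


def is_allowed(policy, action, resource_arn):
    """Any matching Deny wins; otherwise allowed if any Allow statement matches."""
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        if not any(fnmatchcase(action.lower(), p.lower()) for p in _as_list(stmt.get("Action", []))):
            continue
        if not any(_arn_regex(r).match(resource_arn) for r in _as_list(stmt.get("Resource", []))):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        allowed = True
    return allowed


def openable_profiles(policy, candidate_arns):
    """User-profile ARNs for which the principal can mint a presigned Studio URL."""
    return [arn for arn in candidate_arns if is_allowed(policy, ACTION, arn)]


def console_policy(account, domain_id, user_profile, region="us-east-1"):
    """The access-controlling statements of the console policy above, for one account/domain/profile."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "DescribeCurrentDomain", "Effect": "Allow", "Action": "sagemaker:DescribeDomain",
             "Resource": f"arn:aws:sagemaker:{region}:{account}:domain/{domain_id}"},
            {"Sid": "RequiredForAccess", "Effect": "Allow",
             "Action": ["sagemaker:ListDomains", "sagemaker:ListUserProfiles"], "Resource": "*"},
            {"Sid": "CreatePresignedURLForAccessToDomain", "Effect": "Allow",
             "Action": ACTION,
             "Resource": f"arn:aws:sagemaker:{region}:{account}:user-profile/{domain_id}/{user_profile}"},
        ],
    }


# Constructed placeholders: one account, two domains, two user profiles.
ACCOUNT, DOMAIN = "111122223333", "d-example1234"
ALICE = f"arn:aws:sagemaker:us-east-1:{ACCOUNT}:user-profile/{DOMAIN}/alice-data-scientist"
BOB = f"arn:aws:sagemaker:us-east-1:{ACCOUNT}:user-profile/{DOMAIN}/bob-mlops"
OTHER_DOMAIN = f"arn:aws:sagemaker:us-east-1:{ACCOUNT}:user-profile/d-other5678/alice-data-scientist"
CANDIDATES = [ALICE, BOB, OTHER_DOMAIN]

SCOPED = console_policy(ACCOUNT, DOMAIN, "alice-data-scientist")
# The same policy with the presigned-URL Resource loosened to "*", a common quick fix for console errors.
LOOSE = console_policy(ACCOUNT, DOMAIN, "alice-data-scientist")
LOOSE["Statement"][-1]["Resource"] = "*"

if __name__ == "__main__":
    print("scoped:", openable_profiles(SCOPED, CANDIDATES))
    print("loose: ", openable_profiles(LOOSE, CANDIDATES))
```

With the scoped policy Alice can open only her own profile; with `Resource: "*"` she can open Bob's profile and any profile in any other domain in the account, which means assuming whatever execution roles those profiles carry. A `Resource` ending in `user-profile/<STUDIO-DOMAIN-ID>/*` has the same effect within one domain, so keep the profile name explicit.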

In the Studio Classic control panel, choose **Add User** to create a new user. In the **General Settings** section, give your user a name and set the **Default execution role** for the user to be the role that you created using Amazon SageMaker Role Manager.

On the next screen, choose the appropriate Jupyter Lab version, and whether to turn on SageMaker JumpStart and SageMaker AI Project templates. Then choose **Next**. On the SageMaker Canvas settings page, choose whether to turn on SageMaker Canvas support, and additionally whether to allow for timeseries forecasting in SageMaker Canvas. Then choose **Submit**.

Your new user should now be visible in the Studio Classic control panel. To test this user, choose **Studio** from the **Launch app** dropdown list in the same row as the user’s name. 

## Launch Studio Classic with IAM Identity Center
<a name="role-manager-launch-notebook-iam-identity-center"></a>

To assign IAM Identity Center users to execution roles, the user must first exist in the IAM Identity Center directory. For more information, see [Manage identities in IAM Identity Center](https://docs.aws.amazon.com/singlesignon/latest/userguide/manage-your-identity-source-sso.html) in the *AWS IAM Identity Center User Guide*. 

**Note**  
Your IAM Identity Center Authentication directory and Studio Classic domain must be in the same AWS Region.

1. To assign IAM Identity Center users to your Studio Classic domain, choose **Assign users and Groups** in the Studio Classic control panel. On the **Assign users and groups** screen select your data scientist user, and then choose **Assign Users and Groups**.

1. After the user is added to the Studio Classic control panel, choose the user to open the user details screen.

1. On the **User details** screen, choose **Edit**.

1. On the **Edit user profile** screen, under **General settings**, modify the **Default execution role** to match the user execution role you’ve created for your data scientists. 

1. Choose **Next** through the rest of the settings pages, and choose **Submit** to save your changes.

When your data scientist or other user logs into the IAM Identity Center portal, they see a tile for this Studio Classic domain. Choosing that tile logs them into Studio Classic with their assigned user execution role.

# Role Manager FAQs
<a name="role-manager-faqs"></a>

Refer to the following FAQ items for answers to commonly asked questions about Amazon SageMaker Role Manager.

## Q. How can I access Amazon SageMaker Role Manager?
<a name="role-manager-faqs-access"></a>

A: You can access Amazon SageMaker Role Manager through multiple locations in the Amazon SageMaker AI console. For information about accessing the role manager and using it to create a role, see [Using the role manager (console)](role-manager-tutorial.md).

## Q. What are personas?
<a name="role-manager-faqs-personas"></a>

A: Personas are preconfigured groups of permissions based on common machine learning (ML) responsibilities. For example, the data science persona suggests permissions for general machine learning development and experimentation in a SageMaker AI environment, while the MLOps persona suggests permissions for ML activities related to operations.

## Q. What are ML activities?
<a name="role-manager-faqs-ml-activities"></a>

A: ML activities are common AWS tasks related to machine learning with SageMaker AI that require specific IAM permissions. Each persona suggests related ML activities when creating a role with Amazon SageMaker Role Manager. ML activities include tasks such as Amazon S3 full access or searching and visualizing experiments. For more information, see [ML activity reference](role-manager-ml-activities.md).

## Q. Are the roles that I create with the role manager AWS Identity and Access Management (IAM) roles?
<a name="role-manager-faqs-iam"></a>

A: Yes. Roles created using the Amazon SageMaker Role Manager are IAM roles with customized access policies. You can view created roles in the **Roles** section of the [IAM console](https://console.aws.amazon.com/iamv2/).

## Q. How can I view the roles that I created using Amazon SageMaker Role Manager?
<a name="role-manager-faqs-view-roles"></a>

A: You can view created roles in the **Roles** section of the [IAM console](https://console.aws.amazon.com/iamv2/). By default, the prefix `"sagemaker-"` is added to every role name for easier search in the IAM console. For example, if you named your role `test-123` during role creation, your role shows up as `sagemaker-test-123` in the IAM console.

## Q. Can I modify a role made with Amazon SageMaker Role Manager once it is created?
<a name="role-manager-faqs-modify-roles"></a>

A: Yes. You can modify the roles and policies created by Amazon SageMaker Role Manager through the [IAM console](https://console.aws.amazon.com/iamv2/). For more information, see [Modifying a role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_manage_modify.html) in the *AWS Identity and Access Management User Guide*.

## Q. Can I attach my own policies to roles created using Amazon SageMaker Role Manager?
<a name="role-manager-faqs-attach-policies"></a>

A: Yes. You can attach any AWS or customer-managed IAM policies from your account to the role that you create using Amazon SageMaker Role Manager.

## Q. How many policies can I add to a role that I create with Amazon SageMaker Role Manager?
<a name="role-manager-faqs-policy-limit"></a>

A: The maximum number of managed policies that can be attached to an IAM role or user is 20. The maximum size of a managed policy is 6,144 characters. For more information, see [IAM object quotas](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html#reference_iam-quotas-entities) and [IAM and AWS STS quotas, name requirements, and character limits](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html).

## Q. Can I add conditions to ML activities?
<a name="role-manager-faqs-conditions"></a>

A: Any conditions that you provide in [Step 1. Enter role information](role-manager-tutorial.md#role-manager-tutorial-enter-role-information) of the Amazon SageMaker Role Manager, such as subnets, security groups, or KMS keys, are automatically passed to any ML activities selected in [Step 2. Configure ML activities](role-manager-tutorial.md#role-manager-tutorial-configure-ml-activities). You can also add additional conditions to ML activities if necessary. For example, you might also add `InstanceTypes` or `IntercontainerTrafficEncryption` conditions to the Manage Training Jobs activity. 

## Q. Can I use tagging to manage access to any AWS resource?
<a name="role-manager-faqs-tagging"></a>

A: You can add tags to your role in [Step 3: Add additional policies and tags](role-manager-tutorial.md#role-manager-tutorial-add-policies-and-tags) of the Amazon SageMaker Role Manager. To manage AWS resources using tags, you must add the same tag to both the role and any associated policies. For example, you can add a tag to a role and to an Amazon S3 bucket. Then, because the role passes the tag to the SageMaker AI session, only a user with that role can access that S3 bucket. You can add tags to a policy through the [IAM console](https://console.aws.amazon.com/iamv2/). For more information, see [Tagging IAM roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags_roles.html) in the *AWS Identity and Access Management User Guide*.
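The two preceding answers (conditions on ML activities, and tag-based access) describe behaviour that is easiest to see by evaluating requests against a policy. The following is an added example written for this page, not code from the SageMaker documentation or from Role Manager: it declares a "Manage Training Jobs" policy narrowed with the `sagemaker:VpcSubnets`, `sagemaker:InstanceTypes` and `sagemaker:InterContainerTrafficEncryption` condition keys, a tag-scoped policy that compares `aws:RequestTag`/`aws:ResourceTag` with `aws:PrincipalTag`, and a small local evaluator that models only the IAM operators those policies use (no Deny statements). The account ID, subnet IDs, job name and tag values are constructed placeholders, and the tag example uses SageMaker training jobs rather than the S3 bucket mentioned in the FAQ. It also shows the edge case a reviewer should know: `ForAllValues` matches when the key is absent, so a `Null` check is needed to actually require a VPC.

```python
"""Added example, not from the SageMaker docs: a local model of how IAM condition
keys narrow an ML activity (conditions FAQ) and how role tags gate resource
access (tagging FAQ).  Operators and condition keys are real; the evaluator is a
simplified stand-in for the IAM engine (no Deny statements, only the operators
used here).  Account, subnet, job and tag values are constructed placeholders."""
import copy
from fnmatch import fnmatchcase

# "Manage Training Jobs" narrowed with VPC, InstanceTypes and
# InterContainerTrafficEncryption keys.  ForAllValues matches vacuously when
# the key is absent from the request, so each key is paired with a Null check
# that forces the caller to supply it.
TRAINING_JOB_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": "sagemaker:CreateTrainingJob",
    "Resource": "arn:aws:sagemaker:us-east-1:111122223333:training-job/*",
    "Condition": {
        "ForAllValues:StringEquals": {
            "sagemaker:VpcSubnets": ["subnet-0aaa1111", "subnet-0bbb2222"],
            "sagemaker:InstanceTypes": ["ml.m5.xlarge", "ml.m5.2xlarge"]},
        "Null": {"sagemaker:VpcSubnets": "false",
                 "sagemaker:InstanceTypes": "false"},
        "Bool": {"sagemaker:InterContainerTrafficEncryption": "true"}}}]}

# Tag-based access: the role's team tag reaches the session as
# aws:PrincipalTag/team.  New jobs must carry the same tag, and existing jobs
# may only be read or stopped when their resource tag matches it.
TEAM_SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sagemaker:CreateTrainingJob", "Resource": "*",
     "Condition": {"StringEquals": {
         "aws:RequestTag/team": "${aws:PrincipalTag/team}"}}},
    {"Effect": "Allow", "Resource": "*",
     "Action": ["sagemaker:DescribeTrainingJob", "sagemaker:StopTrainingJob"],
     "Condition": {"StringEquals": {
         "aws:ResourceTag/team": "${aws:PrincipalTag/team}"}}}]}

def _values(v):
    """Policy or context value as a list; an absent key becomes []."""
    return [] if v is None else list(v) if isinstance(v, (list, tuple)) else [v]

def _resolve(expected, ctx):
    """Substitute ${key} policy variables from the request context."""
    return [ctx.get(e[2:-1]) if isinstance(e, str) and e.startswith("${") else e
            for e in _values(expected)]

def _condition_ok(condition, ctx):
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual, exp = ctx.get(key), _resolve(expected, ctx)
            if operator == "StringEquals":
                ok = actual is not None and actual in exp
            elif operator == "ForAllValues:StringEquals":
                ok = all(v in exp for v in _values(actual))  # absent key -> True
            elif operator == "Bool":
                ok = actual is not None and str(actual).lower() == str(exp[0]).lower()
            elif operator == "Null":  # "false" means the key must be present
                ok = (actual is None) == (str(exp[0]).lower() == "true")
            else:
                raise ValueError(f"operator not modelled: {operator}")
            if not ok:
                return False
    return True

def is_allowed(policy, action, resource, ctx):
    """True if any Allow statement matches the action, resource and context."""
    return any(s["Effect"] == "Allow"
               and any(fnmatchcase(action, a) for a in _values(s["Action"]))
               and any(fnmatchcase(resource, r) for r in _values(s["Resource"]))
               and _condition_ok(s.get("Condition", {}), ctx)
               for s in policy["Statement"])

JOB = "arn:aws:sagemaker:us-east-1:111122223333:training-job/fraud-v3"
CREATE, STOP = "sagemaker:CreateTrainingJob", "sagemaker:StopTrainingJob"

def training_job_decisions():
    """CreateTrainingJob requests against TRAINING_JOB_POLICY, and the no-VPC
    request against a copy of it that lacks the Null check."""
    good = {"sagemaker:VpcSubnets": ["subnet-0aaa1111"],
            "sagemaker:InstanceTypes": ["ml.m5.xlarge"],
            "sagemaker:InterContainerTrafficEncryption": "true"}
    gpu = dict(good, **{"sagemaker:InstanceTypes": ["ml.p4d.24xlarge"]})
    plain = dict(good, **{"sagemaker:InterContainerTrafficEncryption": "false"})
    no_vpc = {k: v for k, v in good.items() if k != "sagemaker:VpcSubnets"}
    lax = copy.deepcopy(TRAINING_JOB_POLICY)
    del lax["Statement"][0]["Condition"]["Null"]
    return {"approved": is_allowed(TRAINING_JOB_POLICY, CREATE, JOB, good),
            "gpu_instance": is_allowed(TRAINING_JOB_POLICY, CREATE, JOB, gpu),
            "plaintext_traffic": is_allowed(TRAINING_JOB_POLICY, CREATE, JOB, plain),
            "no_vpc": is_allowed(TRAINING_JOB_POLICY, CREATE, JOB, no_vpc),
            "no_vpc_without_null_check": is_allowed(lax, CREATE, JOB, no_vpc)}

def team_decisions():
    """Tag-scoped requests from a role tagged team=fraud-models, and one from an untagged role."""
    me = {"aws:PrincipalTag/team": "fraud-models"}
    own, other = {"aws:RequestTag/team": "fraud-models"}, {"aws:RequestTag/team": "recsys"}
    mine, theirs = {"aws:ResourceTag/team": "fraud-models"}, {"aws:ResourceTag/team": "recsys"}
    return {"create_own_tag": is_allowed(TEAM_SCOPED_POLICY, CREATE, JOB, {**me, **own}),
            "create_other_tag": is_allowed(TEAM_SCOPED_POLICY, CREATE, JOB, {**me, **other}),
            "stop_own_job": is_allowed(TEAM_SCOPED_POLICY, STOP, JOB, {**me, **mine}),
            "stop_other_job": is_allowed(TEAM_SCOPED_POLICY, STOP, JOB, {**me, **theirs}),
            "untagged_role": is_allowed(TEAM_SCOPED_POLICY, STOP, JOB, mine)}
```

Calling `training_job_decisions()` shows the approved request allowed, the GPU-instance, plaintext-traffic and no-VPC requests denied, and the same no-VPC request allowed once the `Null` check is removed; `team_decisions()` shows that a role with no `team` tag, or with a different one, cannot create or stop the other team's jobs. When tagging on create in a real policy, SageMaker also requires the `sagemaker:AddTags` permission.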

## Q. Can I use Amazon SageMaker Role Manager to create a role to access the AWS Management Console?
<a name="role-manager-faqs-console-access"></a>

A: No. However, after you create a service role in the role manager, you can edit the role in the IAM console and add human access to it there.

## Q. What is the difference between a user federation role and a SageMaker AI execution role?
<a name="role-manager-faqs-role-types"></a>

A: A user federation role is directly assumed by a user to access AWS resources such as the AWS Management Console. A SageMaker AI execution role is assumed by the SageMaker AI service to perform a function on behalf of a user or an automation tool. For example, when a user opens a Studio Classic instance, Studio Classic assumes the execution role associated with the user profile in order to access AWS resources on behalf of the user. If the user profile does not specify an execution role, then the execution role specified at the Amazon SageMaker AI domain level is used.

## Q. If I am using a custom web application that accesses Studio Classic through a presigned URL, what role is used?
<a name="role-manager-faqs-studio-presigned-url"></a>

A: If you use a custom web application to access Studio Classic, then you have a hybrid user federation role and SageMaker AI execution role. Be sure that this role has least privilege permissions for both what the user can do and what Studio Classic can do on the associated user’s behalf. 
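The distinction drawn in the two preceding answers lives in each role's trust policy: who is allowed to assume it. The following is an added example written for this page, not code from the SageMaker documentation: it spells out a user federation trust policy (a SAML provider principal), a SageMaker AI execution role trust policy (the `sagemaker.amazonaws.com` service principal with the `aws:SourceAccount` guard AWS recommends against cross-service confused-deputy problems), the same execution role without that guard, and the hybrid case from the presigned-URL answer. `audit_trust_policy` is a reviewer's check over such documents; the account ID, provider name and backend role name are constructed placeholders.

```python
"""Added example, not from the SageMaker docs: trust policies for the two role
types in this FAQ plus a reviewer's audit over them.  A user federation role
trusts an identity principal (here a SAML provider); a SageMaker AI execution
role trusts the sagemaker.amazonaws.com service principal and pins
aws:SourceAccount so the service assumes it only on this account's behalf.
Account id, provider name and backend role name are constructed placeholders."""

ACCOUNT_ID = "111122223333"  # constructed placeholder

# Assumed directly by a person after federated sign-in.
USER_FEDERATION_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": f"arn:aws:iam::{ACCOUNT_ID}:saml-provider/corp-idp"},
    "Action": "sts:AssumeRoleWithSAML",
    "Condition": {"StringEquals": {"SAML:aud": "https://signin.aws.amazon.com/saml"}}}]}

# Assumed by the SageMaker AI service on the user's behalf (execution role).
EXECUTION_ROLE_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"Service": "sagemaker.amazonaws.com"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"aws:SourceAccount": ACCOUNT_ID}}}]}

# Same role without the aws:SourceAccount / aws:SourceArn condition that AWS
# recommends for cross-service confused-deputy prevention.
UNGUARDED_EXECUTION_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"Service": "sagemaker.amazonaws.com"},
    "Action": "sts:AssumeRole"}]}

# The hybrid case from the presigned-URL FAQ: one role assumed both by the web
# application's backend and by the SageMaker AI service.
HYBRID_TRUST = {"Version": "2012-10-17", "Statement": [
    EXECUTION_ROLE_TRUST["Statement"][0],
    {"Effect": "Allow",
     "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:role/portal-backend"},
     "Action": "sts:AssumeRole"}]}


def audit_trust_policy(trust):
    """Classify a trust policy as 'federation', 'execution', 'hybrid' or
    'unknown' and list the trust-boundary findings a reviewer would raise."""
    kinds, findings = set(), []
    for stmt in trust.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":  # shorthand for {"AWS": "*"}
            principal = {"AWS": "*"}
        cond_keys = {k for op in stmt.get("Condition", {}).values() for k in op}
        if "Service" in principal:
            kinds.add("execution")
            if not cond_keys & {"aws:SourceAccount", "aws:SourceArn"}:
                findings.append(f"{principal['Service']} may assume this role without an "
                                "aws:SourceAccount/aws:SourceArn condition (confused deputy)")
        if "Federated" in principal or "AWS" in principal:
            kinds.add("federation")  # a person, account or another role
            if principal.get("AWS") == "*" and not cond_keys:
                findings.append("any AWS principal may assume this role (AWS: * without a condition)")
    if kinds == {"execution", "federation"}:
        findings.append("role is assumed by both people and the SageMaker service; "
                        "least privilege must hold for both uses")
        return "hybrid", findings
    return (kinds.pop() if kinds else "unknown"), findings
```

Run `audit_trust_policy` over roles exported with `aws iam get-role`: the two well-formed policies return no findings, the unguarded execution role is flagged for the missing source-account condition, and the hybrid role is flagged so that its permissions are reviewed for both the human and the service use described in the FAQ.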

## Q. Can I use Amazon SageMaker Role Manager with AWS IAM Identity Center authentication for my Studio Classic domain?
<a name="role-manager-faqs-iam-identity-center"></a>

A: AWS IAM Identity Center Studio Classic Cloud Applications use a Studio Classic execution role to grant permissions to federated users. This execution role can be specified at the Studio Classic IAM Identity Center user profile level or the default domain level. User identities and groups must be synchronized into IAM Identity Center and the Studio Classic user profile must be created with IAM Identity Center user assignment using [CreateUserProfile](https://docs.aws.amazon.com/sagemaker/latest/APIReference/API_CreateUserProfile.html). For more information, see [Launch Studio Classic with IAM Identity Center](role-manager-launch-notebook.md#role-manager-launch-notebook-iam-identity-center).