Create roles and policies for ML Activities and ML Personas
Project description
cdk-aws-sagemaker-role-manager
Usage
Create Role from ML Activity with VPC and KMS conditions
import { Stack } from 'aws-cdk-lib';
import { Activity } from '@cdklabs/cdk-aws-sagemaker-role-manager';
const stack = new Stack(app, 'CdkRoleManagerDemo');
const activity = Activity.manageJobs(stack, 'id1', {
rolesToPass: [iam.Role.fromRoleName('Enter Name')],
subnets: [ec2.Subnet.fromSubnetId('Enter Id')],
securityGroups: [ec2.SecurityGroup.fromSecurityGroupId('Enter Id')],
dataKeys: [kms.Key.fromKeyArn('Enter Key Arn')],
volumeKeys: [kms.Key.fromKeyArn('Enter Key Arn')],
});
activity.createRole(stack, 'role id', 'Enter Name');
Create Role from ML Activity without VPC and KMS conditions
import { Stack } from 'aws-cdk-lib';
import { Activity } from '@cdklabs/cdk-aws-sagemaker-role-manager';
const stack = new Stack(app, 'CdkRoleManagerDemo');
const activity = Activity.manageJobs(this, 'id1', {
rolesToPass: [iam.Role.fromRoleName('Enter Name')],
});
activity.createRole(this, 'role id', 'Enter Name', 'Enter Description');
Create Role from Data Scientist ML Persona
import { Stack } from 'aws-cdk-lib';
import { Activity, Persona } from '@cdklabs/cdk-aws-sagemaker-role-manager';
const stack = new Stack(app, 'CdkRoleManagerDemo');
let persona = new Persona(this, 'persona id', {
activities: [
Activity.useStudioApps(),
Activity.manageJobs(this, 'id1', {rolesToPass: [iam.Role.fromRoleName('Enter Name')]}),
Activity.manageModels(this, 'id2', {rolesToPass: [iam.Role.fromRoleName('Enter Name')]}),
Activity.manageExperiments(this, 'id3', {}),
Activity.searchExperiments(this, 'id4', {}),
Activity.accessBuckets(this, 'id5', {buckets: [s3.S3Bucket.fromBucketName('Enter Name')]})
],
subnets: [ec2.Subnet.fromSubnetId('Enter Id')],
securityGroups: [ec2.SecurityGroup.fromSecurityGroupId('Enter Id')],
dataKeys: [kms.Key.fromKeyArn('Enter Key Arn')],
volumeKeys: [kms.Key.fromKeyArn('Enter Key Arn')],
});
persona.createRole(this, 'role id', 'Enter Name', 'Enter Description');
Create Role from Data Scientist ML Persona without vpc and kms global conditions
import { Stack } from 'aws-cdk-lib';
import { Activity, Persona } from '@cdklabs/cdk-aws-sagemaker-role-manager';
const stack = new Stack(app, 'CdkRoleManagerDemo');
// Please see below how to create the Data Scientist ML Persona using its ML Activities.
// You can update the following list with changes matching your usecase.
let persona = new Persona(this, 'persona id', {
activities: [
Activity.useStudioApps(),
Activity.manageJobs(this, 'id1', {rolesToPass: [iam.Role.fromRoleName('Enter Name')]}),
Activity.manageModels(this, 'id2', {rolesToPass: [iam.Role.fromRoleName('Enter Name')]}),
Activity.manageExperiments(this, 'id3', {}),
Activity.searchExperiments(this, 'id4', {}),
Activity.accessBuckets(this, 'id5', {buckets: [s3.S3Bucket.fromBucketName('Enter Name')]})
],
});
// We can create a role with Data Scientist persona permissions
const role = persona.createRole(this, 'role id', 'Enter Name', 'Enter Description');
Create Role MLOps ML Persona
import { Stack } from 'aws-cdk-lib';
import { Activity, Persona } from '@cdklabs/cdk-aws-sagemaker-role-manager';
const stack = new Stack(app, 'CdkRoleManagerDemo');
let persona = new Persona(this, 'persona id', {
activities: [
Activity.useStudioApps(this, 'id1', {}),
Activity.manageModels(this, 'id2', {rolesToPass: [iam.Role.fromRoleName('Enter Name')]}),
Activity.manageEndpoints(this, 'id3',{rolesToPass: [iam.Role.fromRoleName('Enter Name')]}),
Activity.managePipelines(this, 'id4', {rolesToPass: [iam.Role.fromRoleName('Enter Name')]}),
Activity.searchExperiments(this, 'id5', {})
],
subnets: [ec2.Subnet.fromSubnetId('Enter Id')],
securityGroups: [ec2.SecurityGroup.fromSecurityGroupId('Enter Id')],
dataKeys: [kms.Key.fromKeyArn('Enter Key Arn')],
volumeKeys: [kms.Key.fromKeyArn('Enter Key Arn')],
});
const role = persona.createRole(this, 'role id', 'Enter Name', 'Enter Description');
Create Role from MLOps ML Persona without vpc and kms global conditions
import { Stack } from 'aws-cdk-lib';
import { Activity, Persona } from '@cdklabs/cdk-aws-sagemaker-role-manager';
const stack = new Stack(app, 'CdkRoleManagerDemo');
let persona = new Persona(this, 'persona id', {
activities: [
Activity.useStudioApps(this, 'id1', {}),
Activity.manageModels(this, 'id2', {rolesToPass: [iam.Role.fromRoleName('Enter Name')]}),
Activity.manageEndpoints(this, 'id3',{rolesToPass: [iam.Role.fromRoleName('Enter Name')]}),
Activity.managePipelines(this, 'id4', {rolesToPass: [iam.Role.fromRoleName('Enter Name')]}),
Activity.searchExperiments(this, 'id5', {})
],
});
const role = persona.createRole(this, 'role id', 'Enter Name', 'Enter Description');
Available ML Activities
ML Activity Name | ML Activity Interface | ML Activity Description | ML Activity Required Parameters |
---|---|---|---|
Access Required AWS Services | Activity.accessAwsServices() | Permissions to access S3, ECR, Cloudwatch and EC2. Required for execution roles for jobs and endpoints. | ecrRepositories, s3Buckets |
Run Studio Applications | Activity.runStudioApps() | Permissions to operate within a Studio environment. Required for domain and user-profile execution roles. | rolesToPass |
Manage ML Jobs | Activity.manageJobs() | Permissions to manage SageMaker jobs across their lifecycles. | rolesToPass |
Manage Models | Activity.manageModels() | Permissions to manage SageMaker models and Model Registry. | rolesToPass |
Manage Endpoints | Activity.manageEndpoints() | Permissions to manage SageMaker Endpoint deployments and updates. | No required parameters |
Manage Pipelines | Activity.managePipelines() | Permissions to manage SageMaker Pipelines and pipeline executions. | rolesToPass |
Manage Experiments | Activity.manageExperiments() | Permissions to manage experiments and trials. | No required parameters |
Search and visualize experiments | Activity.visualizeExperiments() | Permissions to audit, query lineage and visualize experiments. | No required parameters |
Manage Model Monitoring | Activity.monitorModels() | Permissions to manage monitoring schedules for SageMaker Model Monitor. | rolesToPass |
S3 Full Access | Activity.accessS3AllResources() | Permissions to perform all S3 operations | No required parameters |
S3 Bucket Access | Activity.accessS3Buckets() | Permissions to perform operations on specified buckets. | s3Buckets |
Query Athena Workgroups | Activity.queryAthenaGroups() | Permissions to execute and manage Amazon Athena queries. | athenaWorkgroupNames |
Manage Glue Tables | Activity.manageGlueTables() | Permissions to create and manage Glue tables for SageMaker Feature Store and Data Wrangler. | s3Buckets, glueDatabaseNames |
Security
See CONTRIBUTING for more information.
License
This project is licensed under the Apache-2.0 License.
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Close
Hashes for cdklabs.cdk-aws-sagemaker-role-manager-0.0.30.tar.gz
Algorithm | Hash digest | |
---|---|---|
SHA256 | fffe866f11f70a03ec5af72c00194be2a40f9f648a21495ad55df2313463f4f1 |
|
MD5 | 884d7ac696ab1e94c934420d7f74533a |
|
BLAKE2b-256 | 04c2f83b455f434ba8283006f1d169db72b6d95770c184247c024346642f8ae3 |
Close
Hashes for cdklabs.cdk_aws_sagemaker_role_manager-0.0.30-py3-none-any.whl
Algorithm | Hash digest | |
---|---|---|
SHA256 | 0f2e5e341e1e0c93ffca2681400fa6169bea32fa484e4da15463e424d93ef962 |
|
MD5 | fa8514a89c1ffb2825bd41f0f24f301c |
|
BLAKE2b-256 | 5d25d42bb4abd55b27d4ddf5d9e0a171c4b4758ec9b61f5c98357288dedc31c6 |