Amazon SageMaker Canvas allows you to use machine learning (ML) to generate predictions without having to write any code. It does so by covering the end-to-end ML workflow: whether you’re looking for powerful data preparation and AutoML, managed endpoint deployment, simplified MLOps capabilities, or the ability to configure foundation models for generative AI, SageMaker Canvas can help you achieve your goals.
To enable agility for your users while ensuring secure environments, you can adopt single sign-on (SSO) using AWS IAM Identity Center, which is the recommended AWS service for managing user access to AWS resources. With IAM Identity Center, you can create or connect workforce users and centrally manage their access across all their AWS accounts and applications.
Part 1 of this series describes the necessary steps to configure SSO for SageMaker Canvas using IAM Identity Center for Amazon SageMaker Studio Classic.
In this post, we walk you through the necessary steps to configure SSO for SageMaker Canvas using IAM Identity Center for the updated Amazon SageMaker Studio. Your users can seamlessly access SageMaker Canvas with their credentials from IAM Identity Center without having to first go through the AWS Management Console. We also demonstrate how you can streamline user management with IAM Identity Center.
Solution overview
To configure SSO from IAM Identity Center, you need to complete the following steps:
- Enable IAM Identity Center using AWS Organizations
- Create a SageMaker Studio domain that uses IAM Identity Center for user authentication
- Create users or groups in IAM Identity Center
- Add users or groups to the SageMaker Studio domain
We also show how to rename the SageMaker Studio application to clearly identify it as SageMaker Canvas, and access it using IAM Identity Center.
Enable IAM Identity Center
Follow these steps to connect SageMaker Canvas to IAM Identity Center:
- On the IAM Identity Center console, choose Enable.
- Choose Enable with AWS Organizations.
- Choose Edit to add an instance name.
- Enter a name for your instance (for this post, canvas-app).
- Choose Save changes.
Create the SageMaker Studio domain
In this section, we create a SageMaker Studio domain and configure the authentication method as IAM Identity Center. Complete the following steps:
- On the SageMaker console, choose Domains.
- Choose Create domain.
- Choose Set up for organizations.
- Choose Set up.
- Enter a domain name of your choice (for this post, canvas-domain).
- Choose Next.
- Select AWS Identity Center.
- Choose Create a new role.
- Select the SageMaker Canvas permissions that you want to grant.
For more details about permissions, see Users and ML Activities.
- Specify one or more Amazon Simple Storage Service (Amazon S3) buckets.
- Choose Next.
- Select SageMaker Studio – New.
- Choose Next.
Next, you can provide VPC details for your network configuration.
- For this post, we select Public internet access.
- Choose your VPC, subnets, and security groups.
- Choose Next.
- Keep the default storage configuration and choose Next.
- Choose Submit.
Wait for the SageMaker domain status to change to InService.
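Once the domain is InService, its settings can be checked against the choices made in the steps above. The following is an added example, not code from the original post: it audits a dictionary shaped like the output of aws sagemaker describe-domain. The sample values, the audit_domain name, and the policy of flagging public internet access for review are assumptions made for illustration.

```python
# Added example: audit a SageMaker domain description for the settings this walkthrough selects.
# Field names follow the SageMaker DescribeDomain response; all sample values are constructed.

SAMPLE_DOMAIN = {  # constructed sample, shaped like `aws sagemaker describe-domain` output
    "DomainId": "d-exampleid0000",
    "DomainName": "canvas-domain",
    "Status": "InService",
    "AuthMode": "SSO",
    "AppNetworkAccessType": "PublicInternetOnly",
    "DefaultUserSettings": {
        "ExecutionRole": "arn:aws:iam::111122223333:role/example-canvas-role",
    },
}


def audit_domain(desc):
    """Return a list of (severity, message) findings for one domain description."""
    findings = []
    name = desc.get("DomainName") or desc.get("DomainId") or "<unknown>"

    # The walkthrough depends on IAM Identity Center; AuthMode "IAM" means SSO is not in use.
    auth = desc.get("AuthMode")
    if auth != "SSO":
        findings.append(("FAIL", f"{name}: AuthMode is {auth!r}, expected 'SSO'"))

    # The post waits for InService before renaming the app and assigning users.
    status = desc.get("Status")
    if status != "InService":
        findings.append(("WARN", f"{name}: status is {status!r}, not 'InService'"))

    # "Public internet access" in the console maps to PublicInternetOnly.
    # Assumed policy for this example: anything other than VpcOnly needs a review.
    net = desc.get("AppNetworkAccessType")
    if net != "VpcOnly":
        findings.append(("REVIEW", f"{name}: AppNetworkAccessType is {net!r}; "
                                   "confirm internet egress is acceptable"))

    # The Canvas permissions chosen in the console are attached to this role.
    if not desc.get("DefaultUserSettings", {}).get("ExecutionRole"):
        findings.append(("FAIL", f"{name}: no default execution role set"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_domain(SAMPLE_DOMAIN):
        print(severity, message)
```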
Rename the SageMaker Studio application
Before we create a user, let’s rename the SageMaker Studio application. This will allow users to quickly identify the SageMaker Canvas application when they log in through IAM Identity Center, where they may have access to multiple applications.
- On the IAM Identity Center console, choose Applications.
- Choose the SageMaker Studio application on the AWS managed tab.
- Choose Edit details on the Actions menu.
- For Display name, enter a name (for this post, Canvas).
- For Description, enter a description.
- Choose Save changes.
Create a user in IAM Identity Center
Now you can create users, and optionally, groups, that will be given access to SageMaker Canvas. For this post, we create a single user to demonstrate the process to provide access. However, groups are often preferred for better user management, and to provision access in organizations.
A user group is a collection of users. Groups let you specify permissions for multiple users, which can make it more straightforward to manage the permissions for those users. For example, you could have a user group called business analysts and give that user group permission to SageMaker Canvas; all users in that group will have SageMaker Canvas access. If a new user joins your organization and needs access to SageMaker Canvas, you can add the user to the business analyst group. If a person changes jobs in your organization, instead of editing that user’s permissions, you can remove them from the old user groups and add them to the appropriate new user groups.
Complete the following steps to create a user in IAM Identity Center to test the SageMaker Canvas application access:
- On the IAM Identity Center console, choose Users in the navigation pane.
- Choose Add user.
- Provide required details such as the user name, email address, first name, and last name.
- Choose Next.
- Choose Add user.
You see a success message that the user has been added successfully.
Add users to the SageMaker Studio domain
You need to add this user to the SageMaker domain you created. If you’re using groups, then you add the group, not just a single user.
- On the SageMaker console, choose Domains in the navigation pane.
- Choose the domain you created.
- Choose Assign users and groups.
- On the Users tab, select the user you created.
- Choose Assign users and groups.
Access the SageMaker Canvas application from IAM Identity Center
The user will receive an email with a link to set up a password and instructions to connect to the AWS access portal. The link will be valid for up to 7 days.
When the user receives the email, they must complete the following steps to gain access to SageMaker Canvas:
- Choose Accept invitation from the email.
- Set a new password to access SageMaker Canvas in the specified account and domain.
After authentication has been performed, the user has three options to log in to SageMaker Canvas:
- Option 1 – Access from SageMaker Studio through the IAM Identity Center portal
- Option 2 – Access from SageMaker Canvas through the IAM Identity Center portal, bypassing SageMaker Studio
- Option 3 – Use the IAM Identity Center portal link in IAM Identity Center to access SageMaker Canvas
We go through each of these options in this section.
Option 1
In the first option, the user first accesses SageMaker Studio to access SageMaker Canvas. This option is appropriate for users who should be able to access all relevant applications from SageMaker Studio, including SageMaker Canvas.
- Navigate to the AWS access portal URL from your email.
- Log in with the credentials you set for the user.
You will see the application name you configured earlier.
- Choose the SageMaker Canvas application.
You’re redirected to SageMaker Studio.
- Choose Run Canvas.
- Choose Open Canvas.
You’re redirected to SageMaker Canvas.
Option 2
In this option, the user still goes through the IAM Identity Center portal, but bypasses SageMaker Studio to go directly into SageMaker Canvas. This option should be used when access to SageMaker Studio is not needed, because the user’s SageMaker login will always take them directly to SageMaker Canvas.
- On the SageMaker console, choose Domains in the navigation pane.
- Note down the SageMaker domain ID.
- Open AWS CloudShell or any other CLI and run the following command, providing your domain ID. This command updates the default landing application for the SageMaker domain from SageMaker Studio to SageMaker Canvas:
You will see the following response if the command runs successfully.
- Navigate to the AWS access portal URL from your email.
- Log in with the credentials you set for the user.
- Choose the SageMaker Canvas application.
This time you’re redirected to SageMaker Canvas, bypassing SageMaker Studio.
Option 3
If the default landing application for the SageMaker domain has been updated from SageMaker Studio to SageMaker Canvas in Option 2, a user can also use the IAM Identity Center portal link to access SageMaker Canvas. To do so, choose the AWS access portal URL shown in the identity source on the IAM Identity Center console. You can use this URL as a browser bookmark, or integrate it with your custom application for direct SageMaker Canvas access.
Clean up
To avoid incurring future session charges, log out of SageMaker Canvas.
Conclusion
In this post, we discussed how users can securely access SageMaker Canvas using SSO. To do this, we configured IAM Identity Center and linked it to the SageMaker domain where SageMaker Canvas is used. Users are now one click away from using SageMaker Canvas and solving new challenges with no-code ML. This approach supports the secure environment requirements of cloud engineering and security teams, while allowing for the agility and independence of development teams.
To learn more about SageMaker Canvas, check out Announcing Amazon SageMaker Canvas – a Visual, No Code Machine Learning Capability for Business Analysts. SageMaker Canvas also enables collaboration with data science teams. To learn more, see Build, Share, Deploy: how business analysts and data scientists achieve faster time-to-market using no-code ML and Amazon SageMaker Canvas. For IT administrators, we suggest checking out Setting up and managing Amazon SageMaker Canvas (for IT administrators).
About the Authors
Dhiraj Thakur is a Solutions Architect with Amazon Web Services. He works with AWS customers and partners to provide guidance on enterprise cloud adoption, migration, and strategy. He’s passionate about technology and enjoys building and experimenting in the analytics and AI/ML space.
Dan Sinnreich is a Senior Product Manager at AWS, helping democratize ML with low-code/no-code innovations. Prior to AWS, Dan built and commercialized SaaS platforms and time series risk models used by institutional investors to manage risk and optimize investment portfolios. Outside of work, he can be found playing hockey, scuba diving, and reading science fiction.