Amazon SageMaker Canvas lets you use machine learning (ML) to generate predictions without having to write any code. It does this by covering the end-to-end machine learning workflow: whether you're looking for powerful data preparation and AutoML, managed endpoint deployment, simplified MLOps capabilities, or the ability to configure base models for generative AI, SageMaker Canvas can help you reach your goals.
To enable agility for your users while ensuring secure environments, you can adopt single sign-on (SSO) using AWS IAM Identity Center, which is the recommended AWS service for managing user access to AWS resources. With IAM Identity Center, you can create or connect workforce users and centrally manage their access across all your AWS accounts and applications.
Part 1 of this series describes the steps required to configure SSO for SageMaker Canvas using IAM Identity Center for Amazon SageMaker Studio Classic.
In this post, we'll walk you through the steps required to set up SSO for SageMaker Canvas using IAM Identity Center for the updated Amazon SageMaker Studio. Your users can seamlessly access SageMaker Canvas with their credentials from IAM Identity Center without having to first go through the AWS Management Console. We also demonstrate how you can streamline user management with IAM Identity Center.
Solution Overview
To configure SSO from IAM Identity Center, you must complete the following steps:
- Enable IAM Identity Center using AWS Organizations
- Create a SageMaker Studio domain that uses IAM Identity Center for user authentication
- Create users or groups in IAM Identity Center
- Add users or groups to the SageMaker Studio domain
We'll also show how to rename your SageMaker Studio app to clearly identify it as SageMaker Canvas and how to access it using IAM Identity Center.
Enable IAM Identity Center
Follow these steps to connect SageMaker Canvas to IAM Identity Center:
- In the IAM Identity Center console, choose Allow.
- Choose Enable with AWS Organizations.
- Choose Edit to add an instance name.
- Enter a name for your instance (for this post, canvas app).
- Choose Save Changes.
Create the SageMaker Studio domain
In this section, we create the SageMaker Studio domain and configure the authentication method as IAM Identity Center. Complete the following steps:
- In the SageMaker console, choose Domains.
- Choose Create domain.
- Choose Configured for organizations.
- Choose Setting.
- Enter a domain name of your choice (for this post, canvas-domain).
- Choose Next.
- Select AWS Identity Center.
- Choose Create a new role.
- Select the SageMaker Canvas permissions you want to grant.
For more details on permissions, see ML Users and Activities.
- Specify one or more Amazon Simple Storage Service (Amazon S3) buckets.
- Choose Next.
- Select SageMaker Studio – New.
- Choose Next.
You can then provide VPC details for your network configuration.
- For this post, we selected Public Internet Access.
- Choose your VPC, subnets, and security groups.
- Choose Next.
- Keep the default storage settings and choose Next.
- Choose Deliver.
Wait for the SageMaker domain status to change to In service.
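Once the domain exists, the choices made in the steps above (IAM Identity Center authentication, network access type, execution role) can be checked from the output of `aws sagemaker describe-domain`. The following is an added example, not code from the original post: the function name, the severity labels and the sample document (including its domain ID and role ARN) are constructed for illustration.

```python
"""Added example: check a SageMaker domain against the settings this walkthrough selects."""
import json

# Constructed sample shaped like `aws sagemaker describe-domain` output.
# The domain ID and role ARN are placeholders, not values from the post.
SAMPLE_DOMAIN = json.loads("""
{
  "DomainId": "d-exampleid0001",
  "DomainName": "canvas-domain",
  "Status": "InService",
  "AuthMode": "SSO",
  "AppNetworkAccessType": "PublicInternetOnly",
  "DefaultUserSettings": {
    "ExecutionRole": "arn:aws:iam::111122223333:role/example-canvas-role",
    "StudioWebPortal": "ENABLED"
  }
}
""")


def audit_domain(domain):
    """Return (severity, message) findings for one describe-domain response."""
    findings = []
    if domain.get("AuthMode") != "SSO":
        findings.append(("FAIL", "AuthMode is %r; IAM Identity Center sign-in needs 'SSO'"
                         % domain.get("AuthMode")))
    if domain.get("Status") != "InService":
        findings.append(("WAIT", "Status is %r; assign users once it is 'InService'"
                         % domain.get("Status")))
    if domain.get("AppNetworkAccessType") == "PublicInternetOnly":
        findings.append(("REVIEW", "traffic leaves through a SageMaker-managed VPC with "
                         "internet access; 'VpcOnly' routes it through your own VPC"))
    settings = domain.get("DefaultUserSettings", {})
    if not settings.get("ExecutionRole"):
        findings.append(("FAIL", "no default execution role on the domain"))
    # Option 2 later in the post changes the default landing application;
    # report the current values without judging them.
    findings.append(("INFO", "StudioWebPortal=%s DefaultLandingUri=%s" % (
        settings.get("StudioWebPortal", "unset"),
        settings.get("DefaultLandingUri", "unset"))))
    return findings


if __name__ == "__main__":
    for severity, message in audit_domain(SAMPLE_DOMAIN):
        print(f"{severity:7}{message}")
```

To check a real domain, save the JSON that `aws sagemaker describe-domain --domain-id <your domain ID>` returns and pass the parsed document to `audit_domain` in place of the sample.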
Rename the SageMaker Studio application
Before creating a user, let's rename the SageMaker Studio application. This allows users to quickly identify the SageMaker Canvas application when they sign in through IAM Identity Center, where they may have access to multiple applications.
- In the IAM Identity Center console, choose Applications.
- Choose the SageMaker Studio app on the AWS managed tab.
- Choose Edit details on the Behavior menu.
- For Display name, enter a name (for this post, Canvas).
- For Description, enter a description.
- Choose Save Changes.
Create a user in IAM Identity Center
You can now create users and, optionally, groups who will be given access to SageMaker Canvas. For this post, we created a single user to demonstrate the process for providing access. However, groups are typically preferred for better user management and to provide access in organizations.
A user group is a collection of users. Groups allow you to specify permissions for multiple users, which can make it easier to manage permissions for those users. For example, you could have a user group called Business Analysts and grant that user group permission to SageMaker Canvas; all users in that group will have access to SageMaker Canvas. If a new user joins your organization and needs access to SageMaker Canvas, you can add them to the Business Analysts group. If a person changes jobs in your organization, instead of editing that user's permissions, you can remove them from the old user groups and add them to the appropriate new user groups.
Complete the following steps to create a user in IAM Identity Center to test access to the SageMaker Canvas app:
- In the IAM Identity Center console, choose Users in the navigation panel.
- Choose Add user.
- Provide the required details such as username, email address, first name, and last name.
- Choose Next.
- Choose Add user.
You will see a success message indicating that the user has been successfully added.
Add users to the SageMaker Studio domain
You must add this user to the SageMaker domain that you created. If you are using groups, add the group, not just a user.
- In the SageMaker console, choose Domains in the navigation panel.
- Choose the domain you created.
- Choose Assign users and groups.
- On the Users tab, select the user you created.
- Choose Assign users and groups.
Access the SageMaker Canvas app from IAM Identity Center
The user will receive an email with a link to set up a password and instructions for connecting to the AWS Access Portal. The link will be valid for up to 7 days.
When the user receives the email, they must complete the following steps to access SageMaker Canvas:
- Choose Accept the invitation in the email.
- Set a new password to access SageMaker Canvas on the specified account and domain.
Once authenticated, the user has three options to log in to SageMaker Canvas:
- Option 1 – Access from SageMaker Studio through the IAM Identity Center portal
- Option 2 – Access from SageMaker Canvas through the IAM Identity Center portal, bypassing SageMaker Studio
- Option 3 – Use the IAM Identity Center portal link in IAM Identity Center to access SageMaker Canvas
We discuss each of these options in this section.
Option 1
In the first option, the user first logs into SageMaker Studio to access SageMaker Canvas. This option is appropriate for users who should be able to access all relevant applications from SageMaker Studio, including SageMaker Canvas.
- Navigate to the AWS Access Portal URL from your email.
- Sign in with the credentials you configured for the user.
You will see the name of the app you set up earlier.
- Choose the SageMaker Canvas app.
You will be redirected to SageMaker Studio.
- Choose Run canvas.
- Choose Open canvas.
You will be redirected to SageMaker Canvas.
Option 2
In this option, the user still goes through the IAM Identity Center portal, but bypasses SageMaker Studio to go directly to SageMaker Canvas. This option should be used when access to SageMaker Studio is not required, as the user's SageMaker login will always take them directly to SageMaker Canvas.
- In the SageMaker console, choose Domains in the navigation panel.
- Note the SageMaker domain ID.
- Open AWS CloudShell or any other CLI and run the following command, providing your domain ID. This command updates the default launcher application for the SageMaker domain from SageMaker Studio to SageMaker Canvas:
You will see the following response if the command is executed successfully.
- Navigate to the AWS Access Portal URL from your email.
- Sign in with the credentials you configured for the user.
- Choose the SageMaker Canvas app.
This time you will be redirected to SageMaker Canvas, bypassing SageMaker Studio.
Option 3
If the default launcher application for the SageMaker domain was updated from SageMaker Studio to SageMaker Canvas in Option 2, a user can also use the IAM Identity Center portal link to access SageMaker Canvas. To do this, choose the AWS Access Portal URL that is displayed in the identity source in the IAM Identity Center console. You can use this URL as a browser bookmark or integrate it with your custom application to get direct access to SageMaker Canvas.
Clean up
To avoid incurring charges for future sessions, sign out of SageMaker Canvas.
Conclusion
In this post, we discuss how users can securely access SageMaker Canvas using SSO. To do this, we configure IAM Identity Center and link it to the SageMaker domain where SageMaker Canvas is used. Users are now one click away from using SageMaker Canvas and solving new challenges with no-code machine learning. This approach supports the secure environment requirements of cloud engineering and security teams, while enabling agility and independence for development teams.
For more information about SageMaker Canvas, see Announcement of Amazon SageMaker Canvas: A no-code, visual machine learning capability for business analysts. SageMaker Canvas also enables collaboration with data science teams. To learn more, see Build, Share, Deploy: How Business Analysts and Data Scientists Achieve Faster Time to Market Using No-Code Machine Learning and Amazon SageMaker Canvas. For IT administrators, we suggest checking out Setting up and managing Amazon SageMaker Canvas (for IT administrators).
About the authors
Dhiraj Thakur is a Solutions Architect at Amazon Web Services. He works with AWS customers and partners to provide guidance on enterprise cloud adoption, migration, and strategy. He is passionate about technology and likes to build and experiment in the analytics and AI/ML space.
Dan Sinnreich is a Senior Product Manager at AWS, helping to democratize machine learning with low-code and no-code innovations. Prior to AWS, Dan built and marketed SaaS platforms and time series risk models used by institutional investors to manage risk and optimize investment portfolios. Outside of work, he can be found playing hockey, scuba diving, and reading science fiction.