The latest articles on DEV Community by Selvaprakash-S (@selvaprakash). https://dev.to/selvaprakash https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F1013835%2F2bc26c72-715f-4988-885d-3dfd99cc3503.png https://dev.to/selvaprakash en Selvaprakash-S Sun, 17 Mar 2024 10:42:35 +0000 https://dev.to/selvaprakash/access-multiple-amazon-sage-maker-domainsso-auth-mode-with-same-sso-user-or-group-18nf https://dev.to/selvaprakash/access-multiple-amazon-sage-maker-domainsso-auth-mode-with-same-sso-user-or-group-18nf <p>Hello Community, From this blog I would like to share my experience in Multiple Sagemaker Domain with sso auth mode.</p> <h2> Sagemaker Domain: </h2> <p>As aws sagemaker domain document says domain is the first prerequisite to access or launch the sagemaker studio which has all functionality in one UI from processing to inference endpoint in Machine Learning lifecycle.</p> <p>When it comes to sagemaker domain administration it has two types of authentication mode.</p> <ol> <li><p>IAM Auth Mode</p></li> <li><p>IAM Idc Mode (SSO)</p></li> </ol> <p>Here I'm going to explain my experience in SSO Auth Mode.</p> <h2> IAM Identity Center: </h2> <p>For SSO auth mode, IAM Identity Center should be in the same region that you wanted to create sagemaker domain.</p> <p>When it comes to enterprise company, IAM Idc is utilized in Control Tower where multiple accounts managed with the Organizational Units.</p> <p>Here, I'm not going to talk about Control Tower, I'm just going to create one IAM Idc in N.Virginia where I will be creating sagemaker domain.</p> <p>Step 1: </p> <p>Once the IAM Idc is enabled in us-east-1 I've created 2 groups that I'm part of.</p> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fyivjhjw6nipbl44e07qa.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fyivjhjw6nipbl44e07qa.png" alt="IAM Idc Groups" width="800" height="289"></a></p> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F236g9scmv0wdgftf1au6.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F236g9scmv0wdgftf1au6.png" alt="IAM User" width="800" height="252"></a></p> <p>Step 2:</p> <p>then I've created 2 permission sets</p> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpa4h7psm68xwdl2t2r3l.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpa4h7psm68xwdl2t2r3l.png" alt="Permission Sets" width="800" height="408"></a></p> <p>step 3:</p> <p>Added those groups and permission sets to the account</p> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fh7rdtp45400t3pyinfg7.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fh7rdtp45400t3pyinfg7.png" alt="account config" width="800" height="273"></a></p> <p>Once IAM Idc is done create two domain in sagemaker console:</p> <p>Step 1:</p> <p>By following the custom wizard you can create domain with sso mode</p> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fg56qxnozwfn4u4etum7g.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fg56qxnozwfn4u4etum7g.png" alt="domain" width="800" height="432"></a></p> <p>Step 2:</p> <p>Add the group that we created earlier by clicking assign user or group</p> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flxaubv2scf3hbd2ihe9j.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flxaubv2scf3hbd2ihe9j.png" alt="group" width="800" height="406"></a></p> <p>As you can see you can add same group in multiple domain</p> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fegphiweca8p7cy6xdrky.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fegphiweca8p7cy6xdrky.png" alt="domain" width="800" height="434"></a></p> <p>Finally, you can see the multiple domain in awsapps page like below</p> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fv8pleqoy057t5b04resg.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fv8pleqoy057t5b04resg.png" alt="awsapps" width="800" height="333"></a></p> <p>Hence, same sso user can access the multiple domain. However, user profile will be prefixed with some random three number and letters so that user profile will be unique across the domain </p> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fushxpxtx63ck5yaxoty3.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fushxpxtx63ck5yaxoty3.png" alt="user profile" width="301" height="631"></a></p> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fra6jaykc90s3zw0i6zoh.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fra6jaykc90s3zw0i6zoh.png" alt="domain 2" width="307" height="637"></a></p> <p>Application display name can be changed in IAM Idc's Application section</p> sagemaker mlops sso aws