How do I check what role my Amazon SageMaker Studio user uses, and how do I change this role?

2 minute read
0

I want to know what role my Amazon SageMaker Studio user uses, and then change this role.

Resolution

Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.

When a user creates a SageMaker Studio domain, SageMaker lets the user create the following AWS Identity and Access Management (IAM) roles:

  • SageMaker Studio domain execution role: This role sets up and provisions the studio infrastructure after the user accesses the Studio integrated development environment (IDE) through the presigned URL.
  • SageMaker user profile role: This role defines the actions that a user profile can perform within the Studio environment. SageMaker assumes this role within Studio to create resources for the user.

The AmazonSageMakerFullAccess policy is attached to the role and gives extended access to the user profile. You can change the SageMaker user profile role to restrict access to user profiles.

To check what role is attached to the user profile, run the following code on a Jupyter notebook that the user profile created:

import sagemaker
sagemaker_session = sagemaker.Session()
#Check which role is being used
role = sagemaker.get_execution_role()
print(role)

To change the role that's attached to the user profile, run the update-user-profile command:

aws sagemaker update-user-profile \
--domain-id <example-domain-id> \
--user-profile-name <example-user-profile-name> \
--user-settings ExecutionRole=<example-role-arn>

Important: Before you change the IAM role for a SageMaker Studio user profile, be sure that your user doesn't have any active InService apps.

Related information

SageMaker roles

AWS OFFICIAL
AWS OFFICIALUpdated 4 months ago
2 Comments

The options --example-domain-id and --example-user-profile-name are not valid options for aws sagemaker update-user-profile. I think the authors meant something like --domain-id <example-domain-id> --user-profile-name <example-user-profile-name>. Please correct, otherwise it is confusing (and wrong).

Also, I keep seeing these long CLI commands as long one-liners, which are a pain to read even in big screens. Would it be possible to add line breaks to make the command more readable? Like this

aws sagemaker update-user-profile \
    --domain-id <example-domain-id> \
    --user-profile-name <example-user-profile-name> \
    --user-settings ExecutionRole=$ROLE

?

Thanks.

Daniel
replied 8 months ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

profile pictureAWS
MODERATOR
replied 8 months ago