
Using Amazon SageMaker Unified Studio Identity Center (IDC) and IAM-based domains together


Amazon SageMaker Unified Studio now offers two domain configurations: Amazon SageMaker Unified Studio Identity Center (IDC)-based domains with comprehensive governance features, and Amazon SageMaker Unified Studio IAM-based domains with enhanced developer productivity tools.

In this post, we demonstrate how you can use both of these domain configurations of Amazon SageMaker Unified Studio together, using AWS Identity and Access Management (IAM) role reuse and attribute-based access control.

How authentication works in each configuration

Amazon SageMaker Unified Studio IDC-based domains authenticate users through AWS Identity and Access Management (IAM) Identity Center with Single Sign-On, preserving individual user identities throughout their sessions. These domains excel in governance, with identity-based authorization, fine-grained access controls between users, and comprehensive catalog management that includes formal Publisher/Subscriber (Pub/Sub) data sharing workflows with approval processes. They are well suited to enterprise environments that require robust identity management, compliance monitoring, and identity-based audit trails.

Amazon SageMaker Unified Studio IAM-based domains authenticate through federated AWS Identity and Access Management (IAM) roles, where all users accessing a project share the same role permissions. These domains prioritize developer productivity with modern tools, including the new serverless Notebooks, Athena Spark integration, the improved interface with vertical navigation, and built-in AI assistance, and are designed for development teams that need streamlined access and advanced analytics capabilities.

This solution enables organizations that are already using IDC-based domains to preserve the governance frameworks established in those domains while unlocking modern development capabilities for their teams through IAM-based domains. If you prefer to use only the newly launched IAM-based domains, you can continue to do so as well. The choice depends on your organization's needs.

Please note that at the time of writing this blog, IAM-based domains don't support trusted identity propagation. This solution uses the project execution role to configure data access.

The challenge

Consider a data steward (Sam) who uses the IDC-based domain to define data access policies, manage the data catalog, and approve subscription requests to ensure compliance and proper data governance.

Meanwhile, a data engineer (Sarah) wants to use the IDC-based domain for governance features such as the SageMaker catalog, and the IAM-based domain for the new serverless Notebook to build data pipelines, perform advanced analytics, and accelerate development cycles. Sarah will request access to the data through the IDC-based domain, and once access is approved by Sam, Sarah can access this data in the serverless notebook available in the IAM-based domain.

Solution overview

The integration uses IAM role reuse, AWS Lake Formation attribute-based access control (ABAC), and the Amazon SageMaker Catalog Pub/Sub model to automatically carry permissions from the IDC-based domain to the new IAM-based domain. When properly configured, data subscriptions managed through the IDC-based domain's Pub/Sub model become immediately accessible in IAM-based domain projects, providing a unified data access experience.

The solution we implement in this post involves creating an IAM-based domain project that is similar to your IDC consumer project (e.g. same team members, same use case), configuring execution roles, and enabling role reuse. This approach maintains the familiar subscription workflow while extending its benefits to the IAM-based domain. The following diagram shows the high-level architecture of how this approach works.

Architecture diagram: using Amazon SageMaker Unified Studio Identity Center (IDC) and IAM-based domains together

The solution architecture consists of:

  • Existing IDC-based domain: Contains producer and consumer projects with established data sharing through the Pub/Sub model
  • IAM-based domain: New projects with federated and execution roles configured for modern development tools
  • IAM Identity Center: Manages federated access and permission sets
  • Attribute-based access control: Tags on execution roles enable automated permission inheritance

The solution provides two options.

Option 1: IDC-based domain project role reuse provides the simplest integration path by directly reusing the existing consumer project IAM role from your IDC-based domain as the execution role in the IAM-based domain. The primary benefits include a simplified setup that requires only policy modifications (covered later in the blog), reduced administrative overhead with one less role to manage, and a lower risk of misconfiguration because you're using proven, existing roles. Choose Option 1 when you want the fastest implementation path, your organization prefers minimal role proliferation, you have well-established IDC-based domain roles that already have data access permissions, or your team has limited IAM expertise and wants to avoid complex tagging configurations.

Option 2: Create a new execution role for the IAM-based domain project and use attribute-based access control (ABAC) by tagging it with the IDC-based domain project ID. The key benefits include enhanced auditability with two distinct roles (one for the IDC-based domain, one for the IAM-based domain), clear separation showing which domain generated each request in CloudTrail logs, greater flexibility to customize permissions specific to IAM-based domain needs without affecting IDC-based domain operations, and better security isolation between the two domain types. The `AmazonDatazoneProject` tag enables attribute-based access control while maintaining distinct role identities. Choose Option 2 when your organization requires detailed audit trails distinguishing between domain types, compliance policies mandate separation of concerns between governance and development environments, you want to track and attribute costs separately for each domain, or you need to provide evidence showing which domain (governance vs. development) accessed specific data resources for compliance reporting.

Here is the high-level view of how the identity and domain entities map to each other for both options:

AWS IAM Identity Center integration with Amazon SageMaker diagram showing access flow from IdC Groups through Permission Sets to AWS SSO IAM Roles, connecting to SageMaker domains with two implementation options: Option 1 using identical IAM roles, or Option 2 using project-tagged execution roles

Prerequisites

To follow along with this post, you should have:

For this demonstration, we use a simplified setup with a sales producer project and a marketing consumer project that subscribes to the producer's tables.

Understanding the existing IDC-based domain setup

Our starting point is a well-established Amazon SageMaker Unified Studio IDC-based domain structure:

Sales Producer Project

  • Contains a database with pipeline and sales tables
  • Managed by Sam, the data steward who creates and publishes data assets
  • Has its own project IAM role

Marketing Consumer Project

  • Managed by Sarah, the data engineer who subscribes to published data through the IDC domain project
  • Has its own project IAM role
  • Successfully queries subscribed data through the IDC-based domain interface

Each project has an associated IAM role that governs access to data assets, and the Pub/Sub model manages subscription workflows and permissions.

Setting up the federated role through permission sets

Federated roles created through permission sets are used to authenticate users and give them console access to IAM-based domains through AWS IAM Identity Center, where all users within a project share the same role permissions. When you assign a permission set, IAM Identity Center creates a corresponding IAM Identity Center-controlled IAM role in the AWS account and attaches the policies specified in the permission set to that role.

IAM-based SMUS domains enable streamlined access to modern development tools (serverless Notebooks, Athena Spark, AI assistance) while maintaining governance, automatically propagating permissions across domains without requiring duplicate access approvals, and simplifying team member onboarding. You can use any IAM role to access an IAM-based domain. For this post, we use the federated role option with AWS IAM Identity Center (IDC).

Grant access to the data engineer group for IAM-based domains in Identity Center

1) Set up the federated role in AWS IAM Identity Center

Navigate to IAM Identity Center (IDC) in the AWS Management Console, then complete the following steps:

  1. Go to the Permission sets section in IDC. Create a new permission set called marketing-federated-role and choose Attach policy.

AWS IAM Identity Center console screenshot displaying the marketing-federated-role permission set configuration page with provisioned status, 1-hour session duration, and empty AWS managed and customer managed policy sections with attach policy options.

  2. Search for SageMakerStudioUserIAMConsolePolicy among the existing policy names and select SageMakerStudioUserIAMConsolePolicy from the list. Note that the managed policy SageMakerStudioUserIAMConsolePolicy must be attached, or the same permissions must be added through another policy, to be able to access projects in a SageMaker IAM domain.

AWS IAM Identity Center console screenshot showing AWS managed policies section with one attached SageMakerStudioUserIAMConsolePolicy and empty customer managed policies section with detach and attach policy options available.

  3. Go to the AWS accounts section of IDC.
  4. Assign the created permission set to your AWS account.

AWS IAM Identity Center console screenshot showing AWS accounts page in hierarchy view with organization o-9svtz1aavh, displaying Root organizational unit containing AWS account n.com with marketing-federated-role permission set assigned and assign users or groups option.

  5. For this post we assigned the permission set to the marketing group. As a best practice, you should set up and grant access to groups rather than individual users.

AWS IAM Identity Center console screenshot showing marketing group details page with AWS accounts tab selected, displaying one AWS account access (management account amazon.com) with marketing-federated-role permission set applied.

  6. Add Sarah to the marketing group.

AWS IAM Identity Center console screenshot showing marketing group's Users tab with one enabled member (user sarah, Display name: Sarah M) who inherits permissions to AWS accounts and Identity Center enabled applications.

This creates a federated role that Sarah can use to access the IAM-based domain. The federated role appears as an IAM role within your account and serves as the entry point for console access.

Setting up the IAM-based domain execution role

There are two options to set up the execution role for the IAM-based domain project. The execution role has a one-to-one mapping with the federated role.

Option 1 – IDC-based domain project role reuse

Instead of creating a new execution role and tagging it, you can configure the IAM-based domain project to directly reuse the consumer project IAM role from the IDC-based domain as the execution role. This option only needs policy modifications to the consumer project IAM role. To find the IDC-based domain consumer project IAM role:

  1. Navigate to the Amazon SageMaker Unified Studio IDC-based domain portal.
  2. Open the Marketing Consumer Project.
  3. Copy the project role ARN from the project overview page.

Amazon DataZone project overview page displaying marketing-project details with active status, project ID 4tcycvm4c684rt, domain ID dzd-47supbt0i3jysp, All capabilities profile, Corp domain unit, Amazon S3 location in us-east-2, and project role ARN with up-to-date status.

  4. You will need to modify this execution role's policy; detailed instructions are provided later in the blog.

Setting up the IAM-based domain project for Option 1

To create an IAM-based domain project that can integrate with your existing IDC-based domain permissions, complete the following steps:

  1. Log in to the AWS Console as the IAM-based domain administrator.
  2. Navigate to the Amazon SageMaker page in the console.
  3. Choose Open.

Amazon SageMaker landing page displaying "The center for data, analytics, and AI" with tagline about next-generation integrated analytics experience, serverless notebooks with built-in AI Agent, Amazon DataZone integration note, and call-to-action panel featuring "Get started with Amazon SageMaker Unified Studio" with Open button and View existing domains

  4. Once logged in to the IAM-based domain as admin, choose Manage projects.

Amazon SageMaker admin-project dashboard displaying left navigation menu with data analytics and AI/ML sections, quick-start cards for exploring data, building in notebooks, and discovering ML models, plus four sample data project templates: Customer usage analysis (3 mins), Customer segmentation (8 mins), Customer churn prediction (5 mins), and Retail sales forecasting (20 mins).

  5. Next, choose Create project.

Amazon DataZone Domain Administration Projects page showing "Projects (3)" with description about enabling IAM role-based access to AWS Analytics and AI/ML tools, search functionality to find projects, last refreshed timestamp, and green Create project button.

  6. Enter the project name "Marketing Consumer Project".

Amazon DataZone Create project dialog showing Step 1 "Enter Details" with required Project name field containing "Marketing Consumer Project" (1-64 characters, a-z, A-Z, 0-9, spaces, dashes, underscores allowed) and optional Description field with 0/2048 character count, followed by Step 2 "Assign roles".

  7. During project creation, select the following required roles and then choose Create project:
  • Project IAM role: The marketing federated role created in IAM Identity Center above. This is the role in the member account whose name begins with AWSReservedSSO_ (for example, AWSReservedSSO_marketing-federated-role).
  • Project role: Choose the project role for the data engineer, copied in Option 1 above.

Amazon SageMaker Unified Studio Create project dialog showing IAM role configuration with AWSReservedSSO_marketing-federated-role selected, blue alert requiring SageMakerStudioUserIAMConsolePolicy attachment, Execution role section with "Use an existing role" option selected, and datazone_usr_role_4tcycvm4c684rt_ajtckkwo2fnhyh IAM role specified with note that role is not editable after project creation

  8. Make the policy modifications to this project role as per the instructions on the SMUS UI page.

Amazon SageMaker Unified Studio role selection interface showing "Use an existing role" option selected with IAM role datazone_usr_role_4tcycvm4c684rt_ajtckkwo2fnhyh, blue information box displaying required permissions including SageMakerStudioUserIAMDefaultExecutionPolicy managed policy, trust policy enabling Amazon SageMaker Unified Studio service assumption, and inline policy for role pass-through, with note that role is not editable after project creation.

Option 2 – Bring your own execution role

To create an IAM-based domain project that can integrate with your existing IDC-based domain permissions, you must tag the execution role for permission propagation. Amazon SageMaker Catalog and AWS Lake Formation use attribute-based access control, which means permissions can be inherited based on resource tags. For this option, you need the consumer project ID. To find the IDC-based domain consumer project ID:

  1. Navigate to the Amazon SageMaker Unified Studio IDC-based domain portal.
  2. Open the Marketing Consumer Project.
  3. Copy the project ID from the project details.

Amazon SageMaker Unified Studio marketing-project overview page displaying navigation breadcrumb (Home > Projects > marketing-project > Project overview), left sidebar menu with Project overview, Data, Compute, Members, and Project catalog sections, Project files section listing 3 JupyterLab files (.libs.json, README.md, getting_started.ipynb) last modified November 18, 2025, Readme section with Welcome heading describing SageMaker Unified Studio, and Project details tab showing project name, ID, last modified date November 21, 2025, and Amazon S3 location.

Setting up the IAM-based domain project for Option 2

Complete the following steps:

  1. Create another project named "Marketing Consumer Project 2" in the IAM-based domain while logged in as admin.
  2. During project creation, select the following roles:
    1. Federated role: The marketing federated role created in IAM Identity Center above.
    2. Execution role: Choose the execution role you created for Option 2.
  3. Make the policy modifications to this execution role as per the instructions.

Amazon SageMaker Unified Studio role selection interface showing "Use an existing role" option selected with IAM role field containing "sagemaker-marketing-execution-role", blue information box displaying required permissions including SageMakerStudioUserIAMDefaultExecutionPolicy managed policy, trust policy enabling Amazon SageMaker Unified Studio and related services to assume the role, and inline policy allowing role pass-through to other services, with note that role is not editable after project creation

  4. Next, navigate to the IAM console and locate the execution role created for your IAM-based domain consumer project.
  5. Add the following tag; this step relies on the ABAC policies that use the project ID for subscriptions.
  • Key: AmazonDatazoneProject
  • Value: The project ID from your Amazon SageMaker Unified Studio IDC-based domain consumer project

AWS IAM console displaying sagemaker-marketing-execution-role details page with Summary section showing creation date November 18, 2025, last activity 3 days ago, ARN arn:aws:iam::role/sagemaker-marketing-execution-role, 1-hour maximum session duration, five tabs (Permissions, Trust relationships, Tags (1), Last Accessed, Revoke sessions), and Tags section displaying one tag with Key "AmazonDataZoneProject" and Value "4tcycvm4c684rt" with Delete, Edit, and Manage tags buttons available.

This tag configuration results in the data access grant from the IDC-based domain consumer project being applied to the IAM-based domain project execution role.
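Both options end with the same manual checklist on the execution role: the SageMakerStudioUserIAMDefaultExecutionPolicy managed policy must be attached, the trust policy must let the Unified Studio service assume the role, an inline policy must allow role pass-through, and, for Option 2, the AmazonDatazoneProject tag must carry the IDC-based domain consumer project ID. The following pre-flight checker is an added example written for this post; it is not code from AWS or from SageMaker Unified Studio. It runs offline over role data in the shape the IAM API returns (get-role, list-attached-role-policies, get-role-policy). Three things are assumptions rather than facts from the post: the service principal `datazone.amazonaws.com` in the trust policy (take the real value from the instructions the Unified Studio console shows when you select the role), `iam:PassRole` as the "role pass-through" action, and the account ID `111122223333` in the constructed sample data.

```python
"""Offline pre-flight check for an IAM-based domain project's execution role.

Added example, not code from the AWS post or from SageMaker Unified Studio.
Checks the requirements the post lists for the execution role and, for
Option 2, the AmazonDatazoneProject tag. TRUSTED_SERVICE_PRINCIPAL and
PASS_ROLE_ACTION are ASSUMPTIONS; confirm them against the console text.
"""
import json

REQUIRED_MANAGED_POLICY = "SageMakerStudioUserIAMDefaultExecutionPolicy"  # named in the post
PROJECT_TAG_KEY = "AmazonDatazoneProject"  # tag key named in the post
TRUSTED_SERVICE_PRINCIPAL = "datazone.amazonaws.com"  # ASSUMPTION
PASS_ROLE_ACTION = "iam:PassRole"  # ASSUMPTION: the "role pass-through" permission


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _allow_statements(policy_doc):
    """Yield the Allow statements of a policy document (dict or JSON string)."""
    if isinstance(policy_doc, str):
        policy_doc = json.loads(policy_doc)
    for stmt in _as_list(policy_doc.get("Statement", [])):
        if stmt.get("Effect") == "Allow":
            yield stmt


def trust_policy_allows(policy_doc, service):
    """True if an Allow statement lets `service` call sts:AssumeRole."""
    for stmt in _allow_statements(policy_doc):
        principal = stmt.get("Principal", {})
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if service in services and "sts:AssumeRole" in _as_list(stmt.get("Action", [])):
            return True
    return False


def policy_allows_action(policy_doc, action):
    """True if an Allow statement grants `action` exactly or through a trailing wildcard."""
    for stmt in _allow_statements(policy_doc):
        for granted in _as_list(stmt.get("Action", [])):
            if granted == action or granted == "*" or (
                granted.endswith("*") and action.startswith(granted[:-1])
            ):
                return True
    return False


def is_identity_center_role(role_name):
    """Roles provisioned from a permission set are named AWSReservedSSO_<set>_<id>."""
    return role_name.startswith("AWSReservedSSO_")


def check_execution_role(role, attached_policies, inline_policies, expected_project_id, option):
    """Return a list of findings; an empty list means the role passes every check."""
    findings = []
    attached = {p["PolicyName"] for p in attached_policies}
    if REQUIRED_MANAGED_POLICY not in attached:
        findings.append(f"managed policy {REQUIRED_MANAGED_POLICY} is not attached")
    if not trust_policy_allows(role["AssumeRolePolicyDocument"], TRUSTED_SERVICE_PRINCIPAL):
        findings.append(f"trust policy does not allow {TRUSTED_SERVICE_PRINCIPAL} to assume the role")
    if not any(policy_allows_action(doc, PASS_ROLE_ACTION) for doc in inline_policies.values()):
        findings.append(f"no inline policy grants {PASS_ROLE_ACTION}")
    if option == 2:  # Option 1 reuses the IDC project role, which needs no tag
        tags = {t["Key"]: t["Value"] for t in role.get("Tags", [])}
        if PROJECT_TAG_KEY in tags:
            if tags[PROJECT_TAG_KEY] != expected_project_id:
                findings.append(f"{PROJECT_TAG_KEY} is {tags[PROJECT_TAG_KEY]!r}, expected {expected_project_id!r}")
        else:
            # The post spells the key both AmazonDatazoneProject and AmazonDataZoneProject;
            # surface a case-only difference separately from a missing tag.
            variants = [k for k in tags if k.lower() == PROJECT_TAG_KEY.lower()]
            if variants:
                findings.append(f"tag key {variants[0]!r} differs in case from {PROJECT_TAG_KEY!r}")
            else:
                findings.append(f"tag {PROJECT_TAG_KEY} is missing")
    return findings


# Constructed sample input; role name and project ID are the ones shown in the post's screenshots.
SAMPLE_TRUST = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Principal": {"Service": TRUSTED_SERVICE_PRINCIPAL}, "Action": "sts:AssumeRole"}]}
SAMPLE_PASSROLE = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "iam:PassRole",
    "Resource": "arn:aws:iam::111122223333:role/sagemaker-marketing-execution-role"}]}  # constructed account ID
GOOD_ROLE = {"RoleName": "sagemaker-marketing-execution-role",
             "AssumeRolePolicyDocument": SAMPLE_TRUST,
             "Tags": [{"Key": PROJECT_TAG_KEY, "Value": "4tcycvm4c684rt"}]}
GOOD_ATTACHED = [{"PolicyName": REQUIRED_MANAGED_POLICY}]
GOOD_INLINE = {"pass-role": SAMPLE_PASSROLE}
# The same role before the policy changes and tagging: default EC2 trust, nothing attached, no tags.
UNTAGGED_ROLE = {"RoleName": "sagemaker-marketing-execution-role",
                 "AssumeRolePolicyDocument": json.dumps({"Version": "2012-10-17", "Statement": [
                     {"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"},
                      "Action": "sts:AssumeRole"}]}),
                 "Tags": []}

if __name__ == "__main__":
    print(check_execution_role(GOOD_ROLE, GOOD_ATTACHED, GOOD_INLINE, "4tcycvm4c684rt", option=2))  # []
    for finding in check_execution_role(UNTAGGED_ROLE, [], {}, "4tcycvm4c684rt", option=2):
        print("FINDING:", finding)
```

To run it against a real role, feed it the output of `aws iam get-role`, `aws iam list-attached-role-policies` and `aws iam get-role-policy` for each inline policy; the functions only look at the `Role`, `AttachedPolicies` and `PolicyDocument` fields those commands return. The trailing-wildcard match in `policy_allows_action` deliberately accepts `iam:*` as satisfying the pass-through requirement, so a clean result means the permission exists, not that it is tightly scoped.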

Verify data access in the IAM-based domain

After tagging the execution role, verify that permissions are set up correctly. Complete the following steps:

  1. Use the SSO URL to log in to IAM Identity Center as Sarah.

AWS IAM Identity Center Dashboard displaying left navigation menu with Dashboard, Users, Groups, Settings, Multi-account permissions (AWS accounts, Permission sets), and Application assignments sections; central management panel showing service control policies guidance with yellow warning banner about member account instances and CloudTrail monitoring section; IAM Identity Center setup area with three action cards for confirming identity source, managing multi-account permissions, and setting up application assignments; right panel Settings summary showing Identity Center directory as identity source, us-east-2 region, organization ID o-9svtz1aavh, AWS access portal URL, and issuer URL; What's new section highlighting customer-managed KMS keys support and Amazon SageMaker Studio user background sessions; Related consoles links to CloudTrail, AWS Organizations, and IAM.

  2. Open the AWS console using the federated role created earlier in the federated role setup section.
  3. Navigate to Amazon SageMaker.
  4. Choose the Amazon SageMaker Unified Studio IAM-based domain option (this shows up if a project has already been created with the federated role).

Amazon SageMaker Unified Studio marketing-project dashboard displaying left navigation menu with Overview, Files, Data, Connections, Code (Notebooks, JupyterLab), Data analytics (Query Editor, Visual ETL, Data processing jobs), and AI/ML sections (Models, MLflow, Training jobs, Inference endpoints); main content area showing "Jump into your data and models" with three quick-start cards (Explore your data, Build in the notebook, Discover ML models) and four sample data projects: Retail sales forecasting (20 mins), Customer churn prediction (5 mins), Customer segmentation (8 mins), and Customer usage analysis (3 mins); top-right panel displaying account details with us-east-2 region, federated user aws-reserved/sarah, and execution role sagemaker-marketing-execution-role.

  5. In the Amazon SageMaker Unified Studio IAM-based domain project, navigate to the Data tab. If you created two projects with both the Option 1 and Option 2 execution roles, then two projects will show up and you can log in to either to validate data access.

Amazon SageMaker Unified Studio data explorer interface displaying SQL query "SELECT * FROM glue_db_6doxdp1wuy165l.sales_table LIMIT 100" executed via Athena in 6 seconds, showing six columns (ord_num, sales_qty_sld, wholesale_cost, lst_pr, sell_pr, disnt) with green distribution histograms above data preview table containing six sample sales records with order numbers ranging from 46776931 to 146776932, left navigation showing AwsDataCatalog database structure with glue_db_6doxdp1wuy165l containing pipeline_table and sales_table, last saved 2 minutes ago.

  6. Verify that the consumer database and subscribed tables appear.

Create and use the new serverless notebooks

With permissions properly configured, you can now use IAM-based domain capabilities like serverless Notebooks. Complete the following steps:

  1. In the Amazon SageMaker Unified Studio IAM-based domain project, select a table from the Data tab.
  2. Choose Create notebook.
  3. The Notebook opens with Athena SQL as the default cell type.
  4. Write and run queries against your subscribed data.

Amazon SageMaker Unified Studio marketing-project notebook displaying sales_table data from 2025-11-18 21:42:01, left Data explorer showing AwsDataCatalog with glue_db_6doxdp1wuyi65l database containing pipeline_table and sales_table, main data table showing 11 rows with columns (ord_num, sales_qty_sld, wholesale_cost, lst_pr, sell_pr, disnt) displaying rows 4-9 on page 1 of 2, Python PySpark SQL query "SELECT * FROM 'glue_db_6doxdp1wuyi65l'.'pipeline_table' LIMIT 100" executed in 27 seconds, and Filters section displaying distribution histograms for all numerical columns.

The notebook runs with the execution role's permissions, which now include access to all data subscribed through the IDC-based domain.

Key benefits of this integration

This integration approach delivers several important advantages:

Preserve existing investments

  • Continue using IDC-based domain governance and catalogs.
  • Maintain established Pub/Sub workflows.
  • No migration required for existing data assets.

Gain modern capabilities

  • Provide developers with the new serverless Notebooks.
  • Access Athena Spark for advanced analytics.
  • Benefit from the improved user experience and navigation.

Simplified permission management

  • A single subscription workflow manages access across both domains.
  • Consistent data access through role reuse and attribute-based access control.
  • No duplicate access requests or approvals needed.

Unified data experience

  • Developers access all subscribed data from one interface.
  • Consistent data catalog across domains.
  • Simplified onboarding for new team members.

Cleanup

Complete the following steps to delete the resources you created:

  1. Delete the serverless Notebooks created in the IAM-based domain projects.
  2. Delete the IAM-based domain projects (Marketing Consumer Project and Marketing Consumer Project 2).
  3. Remove the permission set assignment from the marketing group in IAM Identity Center.
  4. Delete the marketing-federated-role permission set in IAM Identity Center.
  5. Remove the AmazonDatazoneProject tag from the execution role (if using Option 2).
  6. Delete the execution role created for the IAM-based domain (if using Option 2 and not reusing the IDC-based domain project role).
  7. Revert any policy modifications made to the IDC-based domain consumer project IAM role (if using Option 1).
  8. If you no longer need the IAM-based domain, delete it.
  9. If you created any test data subscriptions in the IDC-based domain, remove them.

Conclusion

In this post, we demonstrated how to access data governed in an Amazon SageMaker Unified Studio IDC-based domain from the new IAM-based domain using role reuse and attribute-based access control. This setup offers data engineers the best of both worlds: access to specialized modern development tools, including the new serverless Notebooks, Athena Spark integration, and built-in AI assistance, while maintaining proper governance that includes comprehensive catalog management and robust security controls established in the IDC-based domain. You can now confidently adopt Amazon SageMaker Unified Studio IAM-based domain capabilities knowing that your established data governance, subscription workflows, and access controls remain intact and continue to function as expected.

Ready to get started with Amazon SageMaker Unified Studio and unlock the power of integrated governance and modern development tools for your organization? Visit the Amazon SageMaker Unified Studio documentation to learn more and begin your implementation today.


About the authors

Praveen Kumar

Praveen is a Principal Analytics Solutions Architect at AWS with expertise in designing, building, and implementing modern data and analytics platforms using cloud-based services. His areas of interest are serverless technology, data governance, and data-driven AI applications.

Durga Mishra

Durga is a Principal Data and AI solutions architecture strategist at AWS. Outside of work, Durga enjoys building new things and spending time with family. He likes to hike on Appalachian trails and spend time in nature.

Joel Farvault

Joel is a Principal Specialist SA Analytics for AWS with 25 years' experience working on enterprise architecture, data governance and analytics. He uses his experience to advise customers on their data strategy and technology foundations.

Satish Sarapuri

Satish is a Sr. Data Architect for Data Mesh/Data Lake/Gen AI at AWS. He helps enterprise-level customers build generative AI, data mesh, data lake, and analytics platform solutions on AWS to help them make data-driven decisions and achieve impactful outcomes for their business. In his spare time, he enjoys trail running and spending quality time with his family.

Leonardo Gomez

Leonardo is a Principal Analytics Specialist Solutions Architect at AWS. He has over a decade of experience in data management, helping customers around the globe address their business and technical needs.
