Restrict Sagemaker Studio Instance Size #1499

Closed
himachalbanik40 opened this issue Sep 9, 2020 · 4 comments

Comments

@himachalbanik40

In Jupyter notebooks of SageMaker Studio one can select instance size on the fly. But what I want for an IAM user is to restrict him to a specific instance type. For example, the user cannot select any other instances except ml.t3.*. So far I have tried by making roles and adding conditions to instance types, but nothing worked. Is there any way we can do this?

@seanpmorgan
Contributor

seanpmorgan commented Feb 2, 2021

The easiest way to do this would be to limit the IAM SageMakerExecutionRole for a given Studio Domain. Please let us know if this doesn't satisfy your request, and we can re-open this and discuss alternate strategies.

@manoj1madhavan

manoj1madhavan commented Mar 29, 2021

@seanpmorgan - Sorry for re-opening this thread.

We had a very similar requirement and were trying to limit the access to specific instance types based on the user profiles/roles, rather than having them restricted at the domain level. Is this supported, or should we always enforce the instance types on the Studio Domain Role?

Tried with the createApp and deny, and it works for profiles that have the default App created. For a new user, the launch fails citing createApp permissions, though.

Could find the instance type assigned as "system" when issuing the describe App against the default JupyterServer. I could get everything else working with the below condition, but could not find any documentation on "system".

Is it advisable to have a condition to permit the createApp for "instance type" of "system"? Would this be an OK approach?


"ForAnyValue:StringNotEqualsIgnoreCase": {
    "sagemaker:InstanceTypes": "system"
}

@aldegoeij

{
    "Action": [
        "sagemaker:CreateApp"
    ],
    "Resource": [
        "*"
    ],
    "Effect": "Deny",
    "Sid": "BlockSagemakerOtherThanT3",
    "Condition": {
        "ForAnyValue:StringNotLike": {
            "sagemaker:InstanceTypes": [
                "ml.t3.medium",
                "ml.t3.xlarge",
                "system",
                "default"
            ]
        }
    }
}
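
An added example, not part of the thread or any participant's code: a simplified local model of how the `ForAnyValue:StringNotLike` condition in the Deny statement above evaluates against constructed `sagemaker:CreateApp` request contexts. The function names and sample requests are assumptions made for illustration, and this is not AWS's policy engine.

```python
import re

# Condition values copied from the Deny statement posted in the thread.
ALLOWED_PATTERNS = ["ml.t3.medium", "ml.t3.xlarge", "system", "default"]


def iam_like(pattern, value):
    """IAM StringLike: case-sensitive; '*' matches any run, '?' one character."""
    regex = "".join(
        ".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern
    )
    return re.fullmatch(regex, value, flags=re.DOTALL) is not None


def string_not_like(value, patterns):
    """Negated operator with several policy values: true only if none match."""
    return not any(iam_like(p, value) for p in patterns)


def deny_applies(request_instance_types, patterns=ALLOWED_PATTERNS):
    """ForAnyValue: true if at least one request value satisfies the test.
    A missing or empty context key yields False, so the Deny does not match."""
    if not request_instance_types:
        return False
    return any(string_not_like(v, patterns) for v in request_instance_types)


# Constructed CreateApp request contexts (sample data, not captured from AWS).
SAMPLE_REQUESTS = {
    "default JupyterServer app": ["system"],   # value reported in the thread
    "kernel on ml.t3.medium": ["ml.t3.medium"],
    "kernel on ml.t3.large": ["ml.t3.large"],  # T3, but not in the explicit list
    "kernel on ml.g4dn.xlarge": ["ml.g4dn.xlarge"],
    "key absent from request": None,
}


def evaluate(requests=SAMPLE_REQUESTS, patterns=ALLOWED_PATTERNS):
    """Map each request name to whether this Deny statement matches it."""
    return {
        name: "Deny" if deny_applies(types, patterns) else "not denied"
        for name, types in requests.items()
    }


if __name__ == "__main__":
    for name, outcome in evaluate().items():
        print(f"{name:28} -> {outcome}")
    # The original goal was ml.t3.*: a wildcard covers sizes the list omits.
    print(evaluate({"kernel on ml.t3.large": ["ml.t3.large"]},
                   ["ml.t3.*", "system", "default"]))
```

"not denied" only means this Deny statement does not match; the role still needs an Allow for `sagemaker:CreateApp` for the launch to succeed.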

@manoj1madhavan

Thank you - Yes, was using the same and it has been working fine so far. Would have been great if there was a way to enforce the Tag to these "APPS" - would help control access. Was working on a model to track the App run status along with the Tag Name - instead of the user profile it is associated with, to support the Cost/Billing side (for a recharge model).
