Restrict Sagemaker Studio Instance Size #1499
Comments
The easiest way to do this would be to limit the IAM SageMakerExecutionRole for a given Studio Domain. Please let us know if this doesn't satisfy your request, and we can re-open this and discuss alternate strategies.
@seanpmorgan - Sorry for re-opening this thread. We had a very similar requirement and were trying to limit the access to specific instance types based on the user profiles/roles, rather than having them restricted at the domain level. Is this supported, or should we always enforce the instance types on the Studio Domain Role? Tried with the createApp and deny, and it works for profiles that have the default App created. For a new user, the launch fails citing createApp permissions, though. Could find the instance type assigned as "system" when issuing the describe App against the default JupyterServer. I could get everything else working with the below condition, but could not find any documentation on the "system". Is it advisable to have a condition to permit the createApp for "instance type" of "system" - would this be an ok approach?
"ForAnyValue:StringNotEqualsIgnoreCase": {
```json
{
  "Action": [
    "sagemaker:CreateApp"
  ],
  "Resource": [
    "*"
  ],
  "Effect": "Deny",
  "Sid": "BlockSagemakerOtherThanT3",
  "Condition": {
    "ForAnyValue:StringNotLike": {
      "sagemaker:InstanceTypes": [
        "ml.t3.medium",
        "ml.t3.xlarge",
        "system",
        "default"
      ]
    }
  }
}
```
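An added example, not part of the original thread or of the project's code: a local model of how the `ForAnyValue:StringNotLike` condition in the Deny statement above evaluates against `sagemaker:CreateApp` requests, showing why dropping `"system"` from the list blocks the default JupyterServer app that the thread reports. The function names and sample requests are constructed for illustration, and the wildcard variant goes beyond the posted policy to cover the `ml.t3.*` case from the original question.

```python
import re

# Allow-list copied from the Deny statement posted in this thread.
THREAD_ALLOWED = ["ml.t3.medium", "ml.t3.xlarge", "system", "default"]

def like(value, pattern):
    """IAM 'Like' match: case-sensitive, '*' = any run of characters, '?' = one character."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, value, flags=re.DOTALL) is not None

def for_any_value_string_not_like(request_values, patterns):
    """True if at least one request value matches none of the patterns.
    ForAnyValue evaluates to false when the key is absent from the request."""
    if not request_values:
        return False
    return any(not any(like(v, p) for p in patterns) for v in request_values)

def create_app_denied(instance_types, allowed=THREAD_ALLOWED):
    """Would the thread's Deny statement match a sagemaker:CreateApp call
    whose sagemaker:InstanceTypes context key holds these values?"""
    return for_any_value_string_not_like(instance_types, allowed)

# Constructed sample requests (app type, instance types), not captured from a real account.
SAMPLES = [
    ("JupyterServer", ["system"]),         # value the thread reports for the default app
    ("KernelGateway", ["ml.t3.medium"]),
    ("KernelGateway", ["ml.m5.4xlarge"]),
    ("KernelGateway", []),                 # context key absent from the request
]

def report(allowed):
    # "no match" only means this Deny does not apply; an Allow is still needed elsewhere.
    return [(app, types, "DENY" if create_app_denied(types, allowed) else "no match")
            for app, types in SAMPLES]

if __name__ == "__main__":
    for label, allowed in [("thread policy", THREAD_ALLOWED),
                           ("without 'system'", ["ml.t3.medium", "ml.t3.xlarge"]),
                           ("wildcard ml.t3.*", ["ml.t3.*", "system", "default"])]:
        print(label)
        for row in report(allowed):
            print("  ", row)
```

Because a request with no `sagemaker:InstanceTypes` value never matches this Deny, the statement restricts only calls that name an instance type.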
Thank you - Yes, was using the same and it has been working fine so far. Would have been great if there was a way to enforce the Tag to these "APPS" - would help control access. Was working on a model to track the App run status along with the Tag Name - instead of the user profile it is associated with, to support the Cost/Billing side (for a recharge model).
In Jupyter notebooks of SageMaker Studio one can select the instance size on the fly. But what I want for an IAM user is to restrict him to a specific instance type. For example, the user cannot select any other instances except ml.t3.*. So far I have tried by making roles and adding conditions to instance types, but nothing worked. Is there any way we can do this?