Ločite poslovne linije ali ekipe z več domenami Amazon SageMaker

Amazon SageMaker Studio je popolnoma integrirano razvojno okolje (IDE) za strojno učenje (ML), ki znanstvenikom in razvijalcem podatkov omogoča izvajanje vseh korakov delovnega toka ML, od priprave podatkov do gradnje, usposabljanja, prilagajanja in uvajanja modelov.

To access SageMaker Studio, Amazon SageMaker Canvasali drugo Amazon ML environments kot RStudio na Amazon SageMaker, you must first provision a SageMaker domain. A SageMaker domain includes an associated Elastični datotečni sistem Amazon (Amazon EFS) volume; a list of authorized users; and a variety of security, application, policy, and Navidezni zasebni oblak Amazon (Amazon VPC) konfiguracije.

Administrators can now provision multiple SageMaker domains in order to separate different lines of business or teams within a single AWS account. This creates a logical separation between the users, files storage, and configuration settings for various groups in your organization. As an example, your organization may want to separate your financial line of business from the sustainability research division, as shown in the following multi-domain console.

Creating multiple SageMaker domains also allows you to granularly set domain-level configurations such as VPC configurations in order to permit public internet access for some groups’ research, while enforcing that traffic goes through a specified VPC for business units with greater restriction.

Automated tagging

In addition to separating users, file storage, and domain configurations, administrators can also separate SageMaker resources that are created within their domain. By default, SageMaker now automatically tags new SageMaker resources such as training jobs, processing jobs, experiments, pipelines, and model registry entries with their respective sagemaker:domain-arn. SageMaker tudi označi vir z sagemaker:user-profile-arn or sagemaker:space-arn za določitev ustvarjanja vira na še bolj razdrobljeni ravni.

Razporeditev stroškov

Skrbniki lahko uporabljajo samodejno označevanje za enostavno spremljanje stroškov, povezanih z njihovo dejavnostjo, skupinami, posameznimi uporabniki ali posameznimi poslovnimi težavami z uporabo orodij, kot je Proračuni AWS in Raziskovalec stroškov AWS. As an example, an administrator can attach a oznaka za razdelitev stroškov za sagemaker:domain-arn oznaka.

This allows them to utilize Cost Explorer to visualize the notebook spend for a given domain.

Domain-level resource isolation

Administrators can attach AWS upravljanje identitete in dostopa (IAM) policies that ensure a domain’s user can only create and open SageMaker resources that are originating from their respective domain. The following code is an example of such a policy:

{
    "Version": "2012-10-17",
    "Statement":
    [
        {
            "Sid": "CreateRequireDomainTag",
            "Effect": "Allow",
            "Action":
            [
                "SageMaker:Create*",
                "SageMaker:Update*"
            ],
            "Resource": "*",
            "Condition":
            {
                "ForAllValues:StringEquals":
                {
                    "aws:TagKeys":
                    [
                        "sagemaker:domain-arn"
                    ]
                }
            }
        },
        {
            "Sid": "ResourceAccessRequireDomainTag",
            "Effect": "Allow",
            "Action":
            [
                "SageMaker:Update*",
                "SageMaker:Delete*",
                "SageMaker:Describe*"
            ],
            "Resource": "*",
            "Condition":
            {
                "StringEquals":
                {
                    "aws:ResourceTag/sagemaker:domain-arn": "arn:aws:sagemaker:::domain/"
                }
            }
        }
    ]
}

Za več informacij si oglejte Multiple domains overview.

Backfilling existing resources with domain tags

Since the launch of the multi-domain capability, new resources are automatically tagged with aws:ResourceTag/sagemaker:domain-arn. However, if you want to update existing resources to facilitate resource isolation, administrations can use the add-tag SageMaker API call in a script. The below example shows how to tag all existing experiments to a domain:

domain_arn=arn:aws:sagemaker:::domain/
experiments=`aws --region $REGION 
sagemaker list-experiments`
for row in $(echo "${experiments}" | jq -r '.ExperimentSummaries[] | @base64'); do
    _jq() {
     echo ${row} | base64 --decode | jq -r ${1}
    }

    exp_name=$(_jq '.ExperimentName')
    exp_arn=$(_jq '.ExperimentArn')

    echo "Tagging resource name: $exp_name and arn: $exp_arn with "sagemaker:domain-arn=$domain_arn""
    echo `aws sagemaker 
        add-tags 
        --resource-arn $exp_arn 
        --tags "Key=sagemaker:domain-arn,Value=$domain_arn" 
        --region $REGION`
    echo "Tagging done for: $exp_name"
    sleep 1
done

You can verify that any individual resource was correctly tagged with the following code sample:

aws sagemaker 
list-tags 
--resource-arn  
--region  

Pregled rešitev

In this section, we outline how you can set up multiple SageMaker domains in your own AWS account. You can either use the Vmesnik ukazne vrstice AWS (AWS CLI) or the SageMaker console. Refer to Vkrcajte se na domeno Amazon SageMaker for the most up-to-date instructions on creating a domain.

Create a domain using the AWS CLI

There are no necessary API changes from the previous aws sagemaker create-domain CLI call, but there is now support for --default-space-settings if you intend to use shared spaces in SageMaker Studio. For more information, see skupne prostore v Amazon SageMaker Studio.

Create a new domain with your specified configurations using aws sagemaker create-domain, and then you’re ready to populate it with users.

Create a domain using the SageMaker console

On the updated SageMaker console, you can administer your domains via the new option called SageMaker Domains v podoknu za krmarjenje.

Here you’ll be presented with the options to open existing domains, or create a new one using the graphical interface.

zaključek

Utilizing multiple SageMaker domains provides flexibility to meet your organizational needs. Whether you need to isolate users and their business groups, or you want to run separate domains due to configuration differences, we encourage you to stand up multiple SageMaker domains within a single AWS account!

O avtorjih

Sean Morgan je arhitekt rešitev AI/ML pri AWS. Ima izkušnje na področju polprevodnikov in akademskih raziskav ter svoje izkušnje uporablja za pomoč strankam pri doseganju njihovih ciljev na AWS. V prostem času Sean aktivno prispeva/vzdržuje odprtokodni program in je vodja posebne interesne skupine za dodatke TensorFlow.

Arkaprava De je višji programski inženir pri AWS. V Amazonu je zaposlen že več kot 7 let in trenutno dela na izboljšanju izkušnje Amazon SageMaker Studio IDE. Najdete ga na LinkedIn.

Kunal Jha je višji produktni vodja pri AWS. Osredotočen je na izdelavo Amazon SageMaker Studio kot IDE izbire za vse razvojne korake ML. V prostem času Kunal uživa v smučanju in raziskovanju pacifiškega severozahoda. Najdete ga na LinkedIn.

Han Zhang je višji programski inženir pri Amazon Web Services. Je del skupine za zagon prenosnikov Amazon SageMaker in Amazon SageMaker Studio ter se osredotoča na gradnjo varnih okolij strojnega učenja za stranke. V prostem času uživa v pohodništvu in smučanju na pacifiškem severozahodu.