How can I deploy an Amazon SageMaker model to a different AWS account?

Reading time: 4 minutes

I'm training an Amazon SageMaker model on one AWS account. I want to deploy this model to an endpoint in a different AWS account.

Resolution

Account A (sandbox account)

1.    Create an AWS Key Management Service (AWS KMS) key in the same Region as the S3 bucket that holds the training output. On the Define key usage permissions page, in the Other AWS accounts section, choose Add another AWS account. Then, enter the AWS account ID of account B (the account where you want to deploy the model). This adds a statement to the key policy that allows account B's root principal to use the key; it does not by itself grant any IAM role in account B, which is why the inline KMS policy in the next section is still required.

Use this KMS key for the Amazon SageMaker training job. If you don't specify a KMS key, Amazon SageMaker uses the bucket's default Amazon Simple Storage Service (Amazon S3) server-side encryption for the output. If that default is the AWS managed key for S3 (aws/s3), the model artifacts can't be read from another account, because the key policy of an AWS managed key can't be changed to grant account B.

2.    If you haven't created a training job yet, create one. In the Estimator class, pass the KMS key that you created in the previous step as output_kms_key so that the model artifacts the job writes to S3 are encrypted with it. See the following example:

import sagemaker

linear = sagemaker.estimator.Estimator(
    …
    # Encrypt the model artifacts (model.tar.gz) that the job writes to S3
    # with the customer managed key that account B has been allowed to use.
    output_kms_key='xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx',
    …
    )

Account B (deployment account)

1.    Create two AWS Identity and Access Management (IAM) policies similar to the following policies. Because these are inline policies, they're embedded directly in an IAM identity (a user, group, or role) rather than existing as standalone managed policies.

Inline policy 1: This allows the role to read the object in account A's S3 bucket that contains the model artifacts. It names only the single model.tar.gz object, which is all that deployment requires. Replace awsdoc-example-bucket with the name of the S3 bucket where the training job output is stored, and adjust the key prefix to your job's output path:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::awsdoc-example-bucket/sagemaker/linear-learner/output/model.tar.gz"
        }
    ]
}

Inline policy 2: This allows the role that you create in step 2 to use the KMS key in account A. For Resource, specify the Region and account ID of account A and the KMS key ID. Reading an SSE-KMS encrypted object requires only kms:Decrypt (kms:DescribeKey is useful for troubleshooting); keep the wider set of actions shown here only if account B must also write with this key:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowUseOfTheKey",
            "Effect": "Allow",
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*",
                "kms:DescribeKey"
            ],
            "Resource": [
                "arn:aws:kms:us-east-1:AccountA:key/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
            ]
        }
    ]
}

2.    Create an IAM role for Amazon SageMaker in account B with the AmazonSageMakerFullAccess managed policy attached. The role's trust policy must allow the sagemaker.amazonaws.com service principal to assume it (choosing SageMaker as the use case when you create the role in the IAM console does this). AmazonSageMakerFullAccess is broad; for a production deployment, scope it down to the actions that the endpoint actually needs.

3.    Attach the two inline policies from step 1 to the role from step 2. The role now has three policies: AmazonSageMakerFullAccess and the two inline policies.

Account A (sandbox account)

Create an S3 bucket policy for the bucket where the training job output is stored. This bucket policy grants account B's root principal s3:GetObject on the model artifact and then uses an aws:PrincipalArn condition to narrow that grant to the role that you created in the previous section. Naming the account as Principal and the role in the condition, rather than putting the role ARN directly in Principal, keeps the policy valid if the role is later deleted and recreated with the same name, because a role ARN used as Principal is replaced by the role's unique ID when the role is deleted:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::AccountB:root"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::awsdoc-example-bucket/sagemaker/linear-learner/output/model.tar.gz",
            "Condition": {
                "StringEquals": {
                    "aws:PrincipalArn": "arn:aws:iam::AccountB:role/AmazonSageMaker"
                }
            }
        }
    ]
}

Note: In this example, replace AccountB with the AWS account ID of the deployment account. Replace AmazonSageMaker with the name of the role that you created in the deployment account. Replace awsdoc-example-bucket with the S3 bucket that the training job output is stored in. The bucket policy and the role's inline S3 policy must name the same object; a mismatch in either one results in an AccessDenied error when the model is created.
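The four policy documents in the preceding sections (the key policy in account A, the two inline policies for the role in account B, and the bucket policy in account A) have to agree with each other on the account ID, the role name, the object key and the KMS key ARN, and a typo in any one of them shows up only as AccessDenied at CreateModel time. The following script is an added example, not code from the AWS article: it generates all four documents from one set of parameters and cross-checks them before anything is applied. The account IDs, key ID, bucket, object key and role name are placeholders, and the wording of the key-policy statement that the console's Other AWS accounts option writes is assumed rather than copied from the console.

```python
"""Cross-account policy documents for the SageMaker artifact hand-off.

Added example, not code from the AWS article. Builds the key policy for
account A, the two inline policies for the role in account B and the bucket
policy for account A from one set of parameters, then cross-checks them so a
typo in any one document is caught before it is applied. All IDs, names and
the key ID are placeholders.
"""
import json
import re

KEY_USE_ACTIONS = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                   "kms:GenerateDataKey*", "kms:DescribeKey"]
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/.+$")


def kms_key_policy(account_a, account_b):
    """Key policy for the key in account A: the first statement keeps account A's
    IAM administrators in control of the key; the second is the grant the console's
    'Other AWS accounts' option writes for account B (assumed wording)."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "EnableIAMUserPermissions", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{account_a}:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "AllowUseOfTheKeyByAccountB", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{account_b}:root"},
         "Action": KEY_USE_ACTIONS, "Resource": "*"},
    ]}


def s3_inline_policy(bucket, artifact_key):
    """Inline policy 1 for the account B role: read exactly one object."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "s3:GetObject",
         "Resource": f"arn:aws:s3:::{bucket}/{artifact_key}"}]}


def kms_inline_policy(region, account_a, key_id, read_only=True):
    """Inline policy 2 for the account B role. Reading an SSE-KMS object needs
    only kms:Decrypt (DescribeKey helps when troubleshooting); the full set is
    needed only if account B also writes with the key."""
    actions = ["kms:Decrypt", "kms:DescribeKey"] if read_only else KEY_USE_ACTIONS
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "AllowUseOfTheKey", "Effect": "Allow", "Action": actions,
         "Resource": [f"arn:aws:kms:{region}:{account_a}:key/{key_id}"]}]}


def bucket_policy(bucket, artifact_key, account_b, role_name):
    """Bucket policy for account A: Principal grants account B, and the
    aws:PrincipalArn condition narrows that grant to the deployment role."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{account_b}:root"},
         "Action": "s3:GetObject",
         "Resource": f"arn:aws:s3:::{bucket}/{artifact_key}",
         "Condition": {"StringEquals": {
             "aws:PrincipalArn": f"arn:aws:iam::{account_b}:role/{role_name}"}}}]}


def check_chain(key_policy, bucket_pol, s3_inline, kms_inline, role_arn):
    """Return the list of inconsistencies between the four documents and the
    deployment role ARN; an empty list means every hop lines up."""
    m = ROLE_ARN_RE.match(role_arn)
    if not m:
        return [f"not an IAM role ARN: {role_arn}"]
    b_root = f"arn:aws:iam::{m.group(1)}:root"
    problems = []
    bs = bucket_pol["Statement"][0]
    if bs["Principal"]["AWS"] != b_root:
        problems.append("bucket policy Principal is not account B's root")
    if bs.get("Condition", {}).get("StringEquals", {}).get("aws:PrincipalArn") != role_arn:
        problems.append("bucket policy aws:PrincipalArn does not name the deployment role")
    if s3_inline["Statement"][0]["Resource"] != bs["Resource"]:
        problems.append("inline S3 policy and bucket policy name different objects")
    if b_root not in [s["Principal"]["AWS"] for s in key_policy["Statement"]]:
        problems.append("KMS key policy does not grant account B")
    if "kms:Decrypt" not in kms_inline["Statement"][0]["Action"]:
        problems.append("inline KMS policy does not allow kms:Decrypt")
    return problems


if __name__ == "__main__":
    a, b = "111111111111", "222222222222"  # placeholder account IDs
    key = "sagemaker/linear-learner/output/model.tar.gz"
    docs = {
        "account-A-key-policy": kms_key_policy(a, b),
        "account-B-inline-s3": s3_inline_policy("awsdoc-example-bucket", key),
        "account-B-inline-kms": kms_inline_policy("us-east-1", a, "1234abcd-12ab-34cd-56ef-1234567890ab"),
        "account-A-bucket-policy": bucket_policy("awsdoc-example-bucket", key, b, "AmazonSageMaker"),
    }
    print(json.dumps(docs, indent=2))
    print(check_chain(docs["account-A-key-policy"], docs["account-A-bucket-policy"],
                      docs["account-B-inline-s3"], docs["account-B-inline-kms"],
                      f"arn:aws:iam::{b}:role/AmazonSageMaker"))
```

Run it once with your own values, paste the printed documents into the console (or pass them to put-key-policy, put-role-policy and put-bucket-policy), and treat a non-empty list from check_chain as a reason not to apply anything yet. The read_only default on kms_inline_policy is deliberate: deployment only decrypts the artifact, so the role in account B gets no encryption or grant permissions on account A's key unless you ask for them.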

Account B (deployment account)

Create the deployment model:

1.    Open the Amazon SageMaker console.

2.    On the navigation pane, under Inference, choose Models.

3.    Choose Create model, and then enter a name for your model.

4.    For IAM role, choose Enter a custom IAM role ARN. Then, enter the ARN of the role in the form arn:aws:iam::YourAccountID:role/YourRole, where:

For YourAccountID, enter the ID for account B.

For YourRole, enter the name of the IAM role that you created in account B.

5.    For Location of inference code image, provide the registry path where the inference code image is stored. The inference image is stored in either Amazon Elastic Container Registry (Amazon ECR) or a private Docker registry, and it must be in the same Region as the endpoint that you're creating.

6.    For Location of model artifacts, provide the S3 URL of the model artifact in account A, for example s3://awsdoc-example-bucket/sagemaker/linear-learner/output/model.tar.gz. The bucket must be in the same Region as the endpoint that you're creating.

7.    At the bottom of the page, choose Create model. For more information about creating a model, see Create a pipeline model.

Create the endpoint configuration:

1.    Open the Amazon SageMaker console.

2.    On the navigation pane, under Inference, choose Endpoint configurations.

3.    Choose Create endpoint configuration. Then, under Production variants, add the model that you created in the previous section.

4.    Choose Create endpoint configuration.

Create the endpoint:

1.    Open the Amazon SageMaker console.

2.    On the navigation pane, under Inference, choose Endpoints.

3.    Choose Create endpoint, and then select the endpoint configuration that you created in the previous section.

4.    Choose Create endpoint.

The endpoint in account B now serves the model that was trained in account A. Wait for the endpoint status to change from Creating to InService before you invoke it. If endpoint creation fails with an AccessDenied error, the cause is almost always one of the cross-account documents: confirm that the bucket policy's aws:PrincipalArn names the role exactly, that the key policy in account A lists account B, and that the role's inline KMS policy references the correct key ARN.
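The three console procedures above (create the model, create the endpoint configuration, create the endpoint) map onto three SageMaker API calls, and scripting them makes the cross-account hand-off repeatable and reviewable. The following is an added example, not code from the AWS article. It takes a boto3 SageMaker client as its first argument, so the same function can be exercised against a recording stand-in without AWS credentials and then run for real by passing boto3.client("sagemaker"); the model name, role ARN, image URI and S3 URL are placeholders.

```python
"""Create the model, endpoint configuration and endpoint in account B through
the SageMaker API instead of the console.

Added example, not code from the AWS article. `sm` is a boto3 SageMaker client
(boto3.client("sagemaker")) or any object with the same three methods; the
DryRunClient below records the requests so the sequence can be rehearsed
without credentials. Names, ARNs and the image URI are placeholders.
"""


def deploy_cross_account_model(sm, name, role_arn, image_uri, model_data_url,
                               instance_type="ml.m5.large"):
    """Perform the three console steps in order and return what each produced."""
    if not model_data_url.startswith("s3://") or not model_data_url.endswith(".tar.gz"):
        raise ValueError("model_data_url must be the s3:// URL of model.tar.gz")
    if not role_arn.startswith("arn:aws:iam::"):
        raise ValueError("role_arn must be the ARN of the account B execution role")
    # Step 1: the execution role belongs to account B, while ModelDataUrl points
    # into account A's bucket. SageMaker reads the artifact with that role, so
    # the bucket policy and KMS grants from the earlier sections must be in place.
    model = sm.create_model(
        ModelName=name,
        ExecutionRoleArn=role_arn,
        PrimaryContainer={"Image": image_uri, "ModelDataUrl": model_data_url},
    )
    # Step 2: one production variant carrying all traffic.
    config_name = f"{name}-config"
    cfg = sm.create_endpoint_config(
        EndpointConfigName=config_name,
        ProductionVariants=[{
            "VariantName": "AllTraffic",
            "ModelName": name,
            "InitialInstanceCount": 1,
            "InstanceType": instance_type,
            "InitialVariantWeight": 1.0,
        }],
    )
    # Step 3: the endpoint itself; it moves from Creating to InService asynchronously.
    ep = sm.create_endpoint(EndpointName=name, EndpointConfigName=config_name)
    return {"model_arn": model["ModelArn"],
            "endpoint_config_arn": cfg["EndpointConfigArn"],
            "endpoint_arn": ep["EndpointArn"]}


class DryRunClient:
    """Stand-in for boto3's SageMaker client: records each request and returns
    ARNs shaped like the real responses, so the call order and parameters can
    be inspected before running against AWS."""

    def __init__(self, region="us-east-1", account="222222222222"):
        self.prefix = f"arn:aws:sagemaker:{region}:{account}"
        self.calls = []

    def create_model(self, **kw):
        self.calls.append(("create_model", kw))
        return {"ModelArn": f"{self.prefix}:model/{kw['ModelName']}"}

    def create_endpoint_config(self, **kw):
        self.calls.append(("create_endpoint_config", kw))
        return {"EndpointConfigArn": f"{self.prefix}:endpoint-config/{kw['EndpointConfigName']}"}

    def create_endpoint(self, **kw):
        self.calls.append(("create_endpoint", kw))
        return {"EndpointArn": f"{self.prefix}:endpoint/{kw['EndpointName']}"}


if __name__ == "__main__":
    # Replace DryRunClient() with boto3.client("sagemaker", region_name="us-east-1")
    # to perform the real deployment; the image URI below is a placeholder.
    client = DryRunClient()
    print(deploy_cross_account_model(
        client, "linear-learner-from-account-a",
        "arn:aws:iam::222222222222:role/AmazonSageMaker",
        "<inference-image-uri-in-us-east-1>",
        "s3://awsdoc-example-bucket/sagemaker/linear-learner/output/model.tar.gz"))
    for api, request in client.calls:
        print(api, request)
```

Running the dry run first prints the exact CreateModel, CreateEndpointConfig and CreateEndpoint requests, which is what a reviewer in account B needs to see: the ExecutionRoleArn is the account B role from the earlier section and the ModelDataUrl still lives in account A's bucket. After the real call, poll describe_endpoint (or use the endpoint_in_service waiter on the boto3 client) until EndpointStatus is InService.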


AWS OFFICIAL
Updated 2 months ago