Skip to content
By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post
About re:Post

How do I check what IAM execution role my SageMaker AI Studio user uses, and how do I change this role?

2 minute read
0

I want to know what AWS Identity and Access Management (IAM) execution role my Amazon SageMaker AI Studio user uses, and then change this role.

Resolution

Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshooting errors for the AWS CLI. Also, make sure that you're using the most recent AWS CLI version.

When a user creates a SageMaker AI domain, the user can choose to create a new execution role or use an existing role. After the user creates the domain, run the describe-domain AWS CLI command to check the domain settings:

aws sagemaker describe-domain --domain-id example-domain-id

Note: Replace example-domain-id with your domain ID.

Example output:

{
    ...
    "DefaultUserSettings": {
        "ExecutionRole": "arn:aws:iam::account-id:role/role-name",
        ...
    }
    ...
    "DefaultSpaceSettings": {
        "ExecutionRole": "arn:aws:iam::account-id:role/role-name",
        ...
    }
}

Note: By default, the ExecutionRole for the DefaultUserSettings and DefaultSpaceSettings is the same.

To check what execution role a user profile uses, run the describe-user-profile AWS CLI command:

 aws sagemaker describe-user-profile --domain-id example-domain-id --user-profile-name example-user-profile-name

Note: Replace example-domain-id with the user's domain ID and example-user-profile-name with the user's profile name.

Example output:

{
    ...
    "UserSettings": {
        "ExecutionRole": "arn:aws:iam::account-id:role/role-name",
        ...
    }
}

To check what execution role a space app uses, run the following command in a JupyterLab or Code Editor app:

import sagemaker
role = sagemaker.get_execution_role()
print(role)

Note: If the user profile's execution role hasn't changed, then the printed role is the same as the ExecutionRole.

To change the execution role that's attached to the user profile, make sure that your user profile doesn't have active InService apps. Then, run the update-user-profile AWS CLI command:

aws sagemaker update-user-profile \--domain-id example-domain-id \
--user-profile-name example-user-profile-name \
--user-settings ExecutionRole=example-role-arn

Note: Replace example-domain-id with your domain ID, example-user-profile-name with the user's profile name, and example-role-arn with the execution role Amazon Resource Name (ARN) that you want to use.

Related information

How to use SageMaker AI execution roles

Topics
Machine Learning & AIStorage
Tags
Amazon SageMaker
Language
English
AWS OFFICIALUpdated 2 days ago
2 Comments

The options --example-domain-id and --example-user-profile-name are not valid options for aws sagemaker update-user-profile. I think the authors meant something like --domain-id <example-domain-id> --user-profile-name <example-user-profile-name>. Please correct, otherwise it is confusing (and wrong).

Also, I keep seeing these long CLI commands as long one-liners, which are a pain to read even in big screens. Would it be possible to add line breaks to make the command more readable? Like this

aws sagemaker update-user-profile \
    --domain-id <example-domain-id> \
    --user-profile-name <example-user-profile-name> \
    --user-settings ExecutionRole=$ROLE

?

Thanks.

replied 2 years ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS
EXPERT
replied 2 years ago

Relevant content