New Sagemaker domain creates EFS volume by default

0

Hi,

We are using Infrastructure-as-Code (IaC) to deploy our infrastructure, with strict compliance requirements.

We are looking at developing ML using SageMaker, and realized that whenever a SageMaker Domain is created, it would also provision an EFS volume. This causes several popups in the security scans where the EFS policy is empty.

Is there a way we can bring in our own EFS volumes so that SageMaker does not create a new EFS volume on our behalf during domain creation?

If not, what is the recommended EFS policy that I could append to the filesystem?

2 Answers
0

SageMaker does not support mounting custom EFS volumes when creating a domain. It will always provision a new EFS volume.

Consider the following:

  • Use the default EFS volume provisioned by SageMaker and ensure it has appropriate IAM policies. The volume will be encrypted using an AWS managed KMS key.
  • Provision the EFS volume separately before creating the SageMaker domain. Use the FileSystemId parameter when creating the domain to associate the existing EFS volume. You will need to ensure the volume has appropriate encryption and IAM policies.
  • Leverage lifecycle policies on the EFS volume to automatically move files to infrequent access storage classes after a period of inactivity. This can help reduce storage costs over time.
  • Consider using SageMaker Studio instead of domains if your use case allows for per-user file storage instead of shared storage.
EXPERT, answered a month ago
AWS EXPERT, reviewed a month ago
  • This is correct: SageMaker creates the EFS volume for it. But, you can reference it elsewhere in your CFN via Fn::GetAtt for HomeEfsFileSystemId. See https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-sagemaker-domain.html

  • Thanks Giovanni,

    Currently, the team is looking at deploying SageMaker Studio (instead of Studio Classic) to take advantage of the MLOps capabilities.

    I've tried re-creating the domain with the FileSystemId specified, however, both the custom-created and SageMaker-created EFS volumes were deployed using IaC.

    Thankfully, the KMS key is using the one associated with the domain, with one less thing to worry about.

  • There are a couple of inaccuracies with this answer. 1/ You cannot provision an EFS volume and attach it when you create a domain (the CreateDomain API does not allow providing a default EFS, only mounting BYO EFS for the new Studio experience). 2/ Not sure what you mean by using SageMaker Studio instead of Domains? Domains are a logical entity through which you can create users, and they can access SageMaker Studio. The new Studio domains also create the EFS volumes for Studio Classic and Canvas apps.

0

SageMaker Studio automatically creates an EFS volume per domain for storage. You cannot associate a different default EFS volume for a Studio domain.

For the new Studio experience, you can bring your own EFS volume (see the CustomFileSystemConfigs parameter), but for the intents and purposes of this post, I don't think you're looking at this use case.

The EFS policy required by SageMaker is below. As Didier mentioned in the comments, you can get the HomeEfsFileSystemId via CFN and update the policy for the EFS volume:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": [
                "elasticfilesystem:ClientRootAccess",
                "elasticfilesystem:ClientWrite",
                "elasticfilesystem:ClientMount"
            ],
            "Resource": "<efs-file-system-arn>",
            "Condition": {
                "Bool": {
                    "elasticfilesystem:AccessedViaMountTarget": "true"
                }
            }
        },
        {
            "Effect": "Deny",
            "Principal": {
                "AWS": "*"
            },
            "Action": "*",
            "Resource": "<efs-file-system-arn>",
            "Condition": {
                "Bool": {
                    "aws:SecureTransport": "false"
                }
            }
        }
    ]
}
Durga_S (AWS), answered a month ago
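Putting the two answers together as a CloudFormation template: the domain is created, its auto-provisioned volume is read back through HomeEfsFileSystemId, and the policy above is attached with an AWS::EFS::FileSystemPolicy resource. This is an added example, not code from the original post or from AWS; the domain name, parameter names and the existing execution role are assumptions, and the resource ARN is built with Fn::Sub from the file system id.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Constructed example - attach a file system policy to the EFS volume SageMaker creates for a domain

Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
  SubnetIds:
    Type: List<AWS::EC2::Subnet::Id>
  ExecutionRoleArn:
    Type: String   # assumption: an existing SageMaker execution role

Resources:
  StudioDomain:
    Type: AWS::SageMaker::Domain
    Properties:
      DomainName: example-domain      # assumed name
      AuthMode: IAM
      VpcId: !Ref VpcId
      SubnetIds: !Ref SubnetIds
      DefaultUserSettings:
        ExecutionRole: !Ref ExecutionRoleArn

  # SageMaker provisions the home EFS volume itself; reference it via the
  # HomeEfsFileSystemId attribute rather than creating a second volume.
  HomeEfsPolicy:
    Type: AWS::EFS::FileSystemPolicy
    Properties:
      FileSystemId: !GetAtt StudioDomain.HomeEfsFileSystemId
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          # Allow mount/write/root access only through a mount target
          - Effect: Allow
            Principal: { AWS: "*" }
            Action:
              - elasticfilesystem:ClientRootAccess
              - elasticfilesystem:ClientWrite
              - elasticfilesystem:ClientMount
            Resource: !Sub "arn:${AWS::Partition}:elasticfilesystem:${AWS::Region}:${AWS::AccountId}:file-system/${StudioDomain.HomeEfsFileSystemId}"
            Condition:
              Bool: { "elasticfilesystem:AccessedViaMountTarget": "true" }
          # Deny everything that is not sent over TLS
          - Effect: Deny
            Principal: { AWS: "*" }
            Action: "*"
            Resource: !Sub "arn:${AWS::Partition}:elasticfilesystem:${AWS::Region}:${AWS::AccountId}:file-system/${StudioDomain.HomeEfsFileSystemId}"
            Condition:
              Bool: { "aws:SecureTransport": "false" }
```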
