I'm configuring Amazon SageMaker Studio and aim to implement user-based resource isolation. Specifically, I want each ADFS-authenticated user to only access their corresponding Amazon SageMaker user profile.
Context:
I plan to use the UPN Claim Type from ADFS as the identifier. For example, ADFS would pass bob.smith@acme.com as the UPN Claim Type.
Approach:
I'm thinking of using IAM policy conditions to compare this UPN claim to a custom tag set on the Amazon SageMaker user profile:
Tag key = upn
Tag value = bob.smith@acme.com
By doing this, the IAM policy could enforce that only users with a matching UPN Claim Type can access that profile.
Additional Restrictions:
I also aim to restrict users from editing the upn tag on their SageMaker user profiles. This ensures the tag can only be set or modified by admin users.
Questions:
- Is there a more efficient or straightforward way to accomplish user-based resource isolation with ADFS in SageMaker Studio?
- Can someone share a sample IAM policy that accomplishes this, especially the part that restricts tag editing?
- Would the condition to enforce this in the IAM policy look something like this?
  "Condition": {
    "StringEquals": {
      "sagemaker:ResourceTag/upn": "${aws:PrincipalTag/upn}"
    }
  }
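A complete identity-based policy that wires the condition above into the tag-based isolation described in the post. It is an added example, not the asker's policy or an AWS-published one, and it assumes that ADFS sends the UPN as the SAML session-tag attribute `https://aws.amazon.com/SAML/Attributes/PrincipalTag:upn`, that the federated role's trust policy grants `sts:TagSession`, and that `111122223333` is a placeholder account id.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "OpenOnlyTheProfileTaggedWithMyUpn",
      "Effect": "Allow",
      "Action": [
        "sagemaker:CreatePresignedDomainUrl",
        "sagemaker:DescribeUserProfile"
      ],
      "Resource": "arn:aws:sagemaker:*:111122223333:user-profile/*/*",
      "Condition": {
        "StringEquals": {
          "sagemaker:ResourceTag/upn": "${aws:PrincipalTag/upn}"
        }
      }
    },
    {
      "Sid": "ListingNeededToFindTheProfile",
      "Effect": "Allow",
      "Action": [
        "sagemaker:ListDomains",
        "sagemaker:ListUserProfiles"
      ],
      "Resource": "*"
    },
    {
      "Sid": "NobodyButAdminsTouchesTheUpnTag",
      "Effect": "Deny",
      "Action": [
        "sagemaker:AddTags",
        "sagemaker:DeleteTags"
      ],
      "Resource": "*",
      "Condition": {
        "ForAnyValue:StringEquals": {
          "aws:TagKeys": ["upn"]
        }
      }
    },
    {
      "Sid": "NoSelfServiceProfileWithAnUpnTag",
      "Effect": "Deny",
      "Action": "sagemaker:CreateUserProfile",
      "Resource": "*",
      "Condition": {
        "Null": {
          "aws:RequestTag/upn": "false"
        }
      }
    }
  ]
}
```

The two Deny statements cover both ways a user could plant their own `upn` value (tagging an existing profile, or creating a new profile that already carries the tag); the `Null`/`false` test matches any request in which the `upn` key is present. The session tag itself is supplied by ADFS at AssumeRoleWithSAML time, so the user cannot choose the value that `${aws:PrincipalTag/upn}` resolves to.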