[Update] Amazon SageMaker Unified Studio now supports domain management features for Identity Center-based domains
This is Ishikawa from the Cloud Business Division. In Amazon SageMaker Unified Studio, the domain management capabilities for IAM Identity Center-based domains have been expanded, so the same management operations available for IAM-based domains can now be performed within the portal. Administrators of Identity Center-based domains now get the centralized domain management that was previously available only for IAM-based domains, which simplifies governance operations in enterprise environments.
What is Amazon SageMaker Unified Studio
Amazon SageMaker Unified Studio is the next-generation SageMaker environment that integrates data, analytics, and AI/ML. It provides a unified workspace where organizational users can securely share and analyze data on a project basis, and build and operate machine learning models.
For domain configuration, you can choose between two types: "IAM-based domains" that use IAM-based authentication and "Identity Center-based domains" that use SSO through AWS IAM Identity Center.
Update Details
With this update, administrators of Identity Center-based domains can now perform comprehensive domain management within the SageMaker Unified Studio portal without relying on the AWS Management Console. Management features that were previously limited to IAM-based domains have now been extended to Identity Center-based domains as well.
The main changes are as follows.
- Project management: Project creation and management on Identity Center-based domains can now be completed entirely within the portal
- User and permission management: Workforce ID configuration, and management of users and permissions can now be performed from the portal
- Execution role settings: Execution roles can be configured per project to control accessible AWS analytics, AI, and ML services
- Unified VPC settings: VPC settings are consistent regardless of domain type and are inherited by all projects. VPCs, subnets, and security groups can be edited
- Cross-account integration: By managing associated accounts, data can be published to and consumed from other AWS accounts
Differences Between IAM-Based Domains and Identity Center-Based Domains
Since this update has aligned the management experience across both domain types, let's summarize the criteria for selecting a domain type.
| Item | IAM-Based Domain | Identity Center-Based Domain |
|---|---|---|
| Authentication method | Federated IAM roles | SSO via AWS IAM Identity Center |
| User ID | Shared roles within projects | Individual user IDs maintained |
| Key strengths | Improved developer productivity, latest development tools | Fine-grained access control, enhanced governance |
| Suitable use cases | Quick setup for development teams | Compliance requirements for enterprise environments |
Design patterns that combine both domain types are also possible, such as maintaining the data sharing workflow (Pub/Sub) established with an IAM Identity Center-based domain while leveraging the latest development tools with an IAM-based domain.
Trying It Out
Accessing the Domain Management Portal for Identity Center-Based Domains
Click the [Open] button (or the [Set up] button) in the Amazon SageMaker Unified Studio console.

Select the [Domain management] link from the navigation in the lower left.

From the domain management page, you can access the following items.
- Projects: Manage existing projects and create new projects
- Users: Manage user access and permissions
- Settings: Configure network settings and account associations
Note that access to the domain management page is restricted to domain users designated as "Administrator." This permission is granted by default to the IAM role used when creating the domain.

Project Creation Screen (Execution Role Settings)
Project creation: Step 1

Project creation: Step 2

Project creation: Step 3

The project has been added to the project list.

Domain-Level VPC Settings Screen

Conclusion
With this update, the same domain management features available for IAM-based domains in Amazon SageMaker Unified Studio are now also available for Identity Center-based domains. Project, permission, and VPC setting management can all be completed within the portal, and cross-account data integration is now achievable. Eliminating the differences in management experience between the two domain types is a significant improvement.
For those who have adopted or are considering SSO operations with IAM Identity Center for enterprise use, this update offers benefits in terms of both governance requirements and administrative operational burden. Why not consider it when reviewing existing domain operations or during the new domain design phase?