# Account pools in Amazon SageMaker Unified Studio
In Amazon SageMaker Unified Studio, you can configure your domain to create project profiles where an account pool provides AWS account and AWS Region information. An account pool is a list of authorized associated accounts and regions. This allows you to create project profiles that can be used to create projects across multiple accounts and regions, while controlling which accounts and regions are available for use.
There are two ways to create project profiles with account pools that you configure for validation of authorized accounts at the time of project creation.
+ Static list of account and region pairs
+ Custom Lambda handler to authorize account and region pair information
The custom handler accesses customer information and then dynamically generates a list of authorized associated account and region pairs based on a set of rules in the Lambda function. Amazon SageMaker Unified Studio then resolves the list of account and region pairs in the account pool at project creation time.
For more information about associated accounts in Amazon SageMaker Unified Studio, see [Associated accounts in Amazon SageMaker Unified Studio](associated-accounts.md).
**Topics**
+ [Considerations](account-pools-considerations.md)
+ [Use cases](account-pools-usecases.md)
+ [Create an account pool](account-pools-create.md)
+ [View an account pool](account-pools-view.md)
+ [List account pools for a domain](account-pools-list.md)
+ [View the list of accounts in an account pool](account-pools-list-accounts.md)
+ [Delete an account pool](account-pools-delete.md)
+ [Create a project profile with an account pool](account-pools-create-profile.md)
# Considerations
The following considerations apply for account pools in Amazon SageMaker Unified Studio.
+ Account pools contain a list of accounts where each account has an associated region.
+ You can have up to 100 account pools per domain. For details, see [Quotas and limits for Amazon SageMaker Unified Studio](quotas.md).
+ Account pools are not supported by Amazon Datazone domains.
+ You can configure custom project profiles to use account pools using either the console or the CLI. Steps for the creation, update, and deletion of account pools are only supported in the AWS CLI.
For more information about creating a custom project profile with an account pool, see [Project profiles in Amazon SageMaker Unified Studio](project-profiles.md).
# Use cases
Account pools allow administrators to perform the following tasks.
+ Create project profiles that are agnostic of AWS account and AWS Region information.
+ Define a subset of associated account and region pairs that the profile can use (compared with specifying all accounts)
# Create an account pool
To use the AWS CLI to create an account pool, you run the **create-account-pool** command and provide the source.
+ **For Lambda handler sources**: Provide the Lambda function and an IAM role with permissions to invoke the lambda, and trusts the `datazone.amazonaws.com` service principal.
+ **For static account sources**: Provide a list of account and region pairs as key-value pairs in the command.
Once configured in your domain, account pools automatically provide account and region information when creating new projects.
**Topics**
+ [Create an account pool with a custom handler source](account-pools-create-handler.md)
+ [Create an account pool with a static list of account and region pairs](account-pools-create-static.md)
# Create an account pool with a custom handler source
You can create an account pool where the account authentication is provided by a custom Lambda handler. Use these steps to create a sample custom handler and provide it when creating the account pool.
**To create example custom Lambda handler**
+ Create a function in Lambda that provides authorization for Amazon SageMaker Unified Studio to use when authenticating accounts for the account pool.
The following example provides sample handler code for a python function.
```
import json
def lambda_handler(event, context):
print(f'Received Event {event}')
if event['operationRequest']['listAuthorizedAccountsRequest'] is not None:
print("ListAuthorizedAccountsRequest Received...")
return list_authorized_accounts()
elif event['operationRequest']['validateAccountAuthorizationRequest'] is not None:
print("ValidateAccountAuthorizationRequest Received...")
return validate_account_authorization()
else:
raise Exception(f'Operation type {operation_type} not supported')
def list_authorized_accounts():
account1 = {"awsAccountId": "111122223333", "awsAccountName": "Acct1", "supportedRegions": ["us-east-1", "us-west-2", "eu-west-1"]}
account2 = {"awsAccountId": "892325846722", "awsAccountName": "Acct2", "supportedRegions": ["us-east-1", "us-west-2", "us-east-2"]}
return {
'operationResponse': {
'listAuthorizedAccountsResponse': {
'items': [account1, account2]
}
}
}
def validate_account_authorization():
return {
'operationResponse': {
'validateAccountAuthorizationResponse': {
'authResult': 'GRANT'
}
}
}
```
After you create your account pool, you can create a project in your domain that uses the account pool. For more information about associated accounts, see [Associated accounts in Amazon SageMaker Unified Studio](associated-accounts.md).
**To create an account pool with a custom handler source (CLI)**
+ Open a terminal (Linux, macOS, or Unix) or command prompt (Windows) and use the AWS CLI to run the `create-account-pool` command with the following format, where the following are required arguments:
+ `--domain-identifier` - the domain ID in SageMaker Unified Studio
+ `--name` - the account pool name
+ `--account-source` - the method for providing account information (custom handler or static list)
+ `--resolution-strategy` - the manual option is shown in this example
domain ID, account pool name, and the Lambda handler ARN and IAM role ARN are required arguments.
```
aws datazone create-account-pool --domain-identifier DOMAIN_ID --name ACCOUNT_POOL_ID --resolution-strategy MANUAL --account-source
```
Example command:
```
aws datazone create-account-pool --domain-identifier dzd_dkqsou2EXAMPLE --name my-accountpool --resolution-strategy MANUAL --account-source '{"customAccountPoolHandler": {"lambdaFunctionArn": "arn:aws:lambda:us-east-1:111122223333:function:MyAccountPoolResolver", "lambdaExecutionRoleArn": "arn:aws:iam::111122223333:role/AccountResolutionRole"}}'
```
This command returns output with the account pool details.
```
{
"domainId": "dzd_dkqsou2EXAMPLE",
"name": "my-accountpool",
"id": "cln5qjqEXAMPLE",
"resolutionStrategy": "MANUAL",
"accountSource": {
"customAccountPoolHandler": {
"lambdaFunctionArn": "arn:aws:lambda:us-east-1:111122223333:function:MyAccountPoolResolver",
"lambdaExecutionRoleArn": "arn:aws:iam::111122223333:role/AccountResolutionRole"
}
},
"createdAt": "2025-08-12T00:26:27.017118+00:00",
"lastUpdatedAt": "2025-08-12T00:26:27.017118+00:00",
"domainUnitId": "4njnngous3oyw7"
}
```
# Create an account pool with a static list of account and region pairs
You can create an account pool where the accounts are provided as a list of static accounts. Use these steps when your account pool source is a static list and not provided by the custom Lambda function.
+ Open a terminal (Linux, macOS, or Unix) or command prompt (Windows) and use the AWS CLI to run the `get-account-pool` command with the following format, where the domain ID, account pool name, and source of accounts are required arguments.
```
aws datazone create-account-pool --domain-identifier DOMAIN_ID --name ACCOUNT_POOL_ID --resolution-strategy MANUAL --account-source
```
Example command:
```
aws datazone create-account-pool --domain-identifier dzd_dkqsou2EXAMPLE --name my-accountpool --resolution-strategy MANUAL --account-source '{"accounts": [{"awsAccountId": "111122223333", "supportedRegions": ["us-east-1"], "awsAccountName": "ExampleAccount"}]}'
```
This command returns output with the account pool details.
```
{
"domainId": "dzd_dkqsou2EXAMPLE",
"name": "my-accountpool",
"id": "cln5qjqEXAMPLE",
"resolutionStrategy": "MANUAL",
"accountSource": {
"accounts": [
{
"awsAccountId": "111122223333",
"supportedRegions": [
"us-east-1"
],
"awsAccountName": "ExampleAccount"
}
]
},
"createdAt": "2025-08-08T00:34:48.946606+00:00",
"lastUpdatedAt": "2025-08-08T00:34:48.946606+00:00",
"domainUnitId": "4njnngous3oyw7"
}
```
# View an account pool
To use the AWS CLI to view the accounts in an account pool, use the `get-account-pool` command.
+ Open a terminal (Linux, macOS, or Unix) or command prompt (Windows) and use the AWS CLI to run the `get-account-pool` command with the following format, where the domain ID and account pool ID are required arguments.
```
aws datazone get-account-pool --domain-identifier DOMAIN_ID --identifier ACCOUNT_POOL_ID
```
Example command:
```
aws datazone get-account-pool --domain-identifier dzd_dkqsou2EXAMPLE --identifier cln5qjqEXAMPLE
```
This command returns output with the account pool details.
```
{
"domainId": "dzd_dkqsou2EXAMPLE",
"name": "my-accountpool",
"id": "cln5qjqEXAMPLE",
"resolutionStrategy": "MANUAL",
"accountSource": {
"accounts": [
{
"awsAccountId": "111122223333",
"supportedRegions": [
"us-east-1"
],
"awsAccountName": "ExampleAccount"
}
]
},
"createdBy": "",
"createdAt": "2025-08-08T00:34:48.946606+00:00",
"lastUpdatedAt": "2025-08-08T00:34:48.946606+00:00",
"updatedBy": "",
"domainUnitId": "4njnngous3oyw7"
}
```
# List account pools for a domain
To use the AWS CLI to view the account pools in a domain, use the `list-account-pools` command.
+ Open a terminal (Linux, macOS, or Unix) or command prompt (Windows) and use the AWS CLI to run the `list-account-pools` command with the following format, where the domain ID is a required argument.
```
aws datazone list-account-pools --domain-identifier DOMAIN_ID
```
Example command:
```
aws datazone list-account-pools --domain-identifier dzd_dkqsou2EXAMPLE
```
This command returns output with the account pool details.
```
{
"items": [
{
"domainId": "dzd_dkqsou2EXAMPLE",
"id": "5htvndro7wd89z",
"name": "my-accountpool",
"resolutionStrategy": "MANUAL",
"domainUnitId": "4njnngous3oyw7",
"createdBy": "",
"updatedBy": ""
}
]
}
```
# View the list of accounts in an account pool
To use the AWS CLI to view the accounts in an account pool where the source is a list of static accounts, use the `list-accounts-in-account-pool` command.
+ Open a terminal (Linux, macOS, or Unix) or command prompt (Windows) and use the AWS CLI to run the `list-accounts-in-account-pool` command with the following format, where the domain ID is a required argument.
```
aws datazone list-accounts-in-account-pool --domain-identifier DOMAIN_ID --identifier ACCOUNT_POOL_ID
```
Example command:
```
aws datazone list-accounts-in-account-pool --domain-identifier dzd_dkqsou2EXAMPLE --identifier cln5qjqEXAMPLE
```
This command returns output with the account pool account list details.
```
{
"items": [
{
"awsAccountId": "111122223333",
"supportedRegions": [
"us-east-1"
],
"awsAccountName": "ExampleAccount"
}
]
}
```
# Delete an account pool
To use the AWS CLI to delete an account pool, use the `delete-account-pool` command.
**Important**
This operation will delete the account pool for the domain. This operation cannot be undone.
+ Open a terminal (Linux, macOS, or Unix) or command prompt (Windows) and use the AWS CLI to run the `delete-account-pool` command with the following format, where the domain ID and account pool ID are required arguments.
```
aws datazone delete-account-pool --domain-identifier DOMAIN_ID --identifier ACCOUNT_POOL_ID
```
Example command:
```
aws datazone delete-account-pool --domain-identifier dzd_dkqsou2EXAMPLE --identifier 5htvndro7wd89z
```
This command performs the deletion and does not return any output.
# Create a project profile with an account pool
You can create a project profile that has your account pool associated such that you can choose accounts and regions from it when creating a project with the profile.
Use the console or the CLI to set up your account pool-associated project profile.
## Create a project profile with an account pool (Console)
To configure a custom project profile using the console, see the steps in [Custom project profile](custom.md).
## Create a project profile with an account pool (CLI)
Use the `create-project-profile` command to set up your account pool-associated project profile.
+ Open a terminal (Linux, macOS, or Unix) or command prompt (Windows) and use the AWS CLI to run the `create-project-profile` command with the following format, where the domain ID and name of the project profile are required arguments, along with the environment configuration for blueprints, which is provided as JSON with account pool details. The status is disabled by default, so the following command also enables the environment configuration.
```
aws datazone create-project-profile --domain-identifier DOMAIN_ID --name PROFILE_NAME --status ENABLED --environment-configuration
```
Example command:
```
aws datazone create-project-profile --domain-identifier dzd_dkqsou2EXAMPLE --name NAME --status ENABLED --environment-configuration '[{"name": "Tooling", "environmentBlueprintId": "4son14jdv5dq7b", "deploymentOrder": 0, "accountPools": ["cln5qjqEXAMPLE"]}, {"name": "DataLake", "environmentBlueprintId": "BLUEPRINT_ID", "accountPools": ["cln5qjqEXAMPLE"]}]'
```
This command returns output with the project profile details.
```
{
"domainId": "dzd_dkqsou2EXAMPLE",
"id": "aipopwr7db0rzb",
"name": "NAME",
"status": "ENABLED",
"allowCustomProjectResourceTags": false,
"environmentConfigurations": [
{
"name": "Tooling",
"id": "948f994d-ed81-496a-8e1f-2f0e1288dcec",
"environmentBlueprintId": "4son14jdv5dq7b",
"deploymentMode": "ON_CREATE",
"accountPools": [
"cln5qjqEXAMPLE"
],
"deploymentOrder": 0
},
{
"name": "DataLake",
"id": "3210351a-111c-476b-a66d-64d88a99a567",
"environmentBlueprintId": "BLUEPRINT_ID",
"deploymentMode": "ON_CREATE",
"accountPools": [
"cln5qjqEXAMPLE"
]
}
],
"createdAt": "2025-08-08T00:57:39.358016+00:00",
"lastUpdatedAt": "2025-08-08T00:57:39.358016+00:00",
"domainUnitId": "4njnngous3oyw7"
}
```