

# IAM-based domains and projects
<a name="iam-based-domains"></a>

IAM-based domains in Amazon SageMaker Unified Studio provide another configuration option to set up and manage your data and AI development environment. IAM-based domains automate creation of an Amazon SageMaker Unified Studio domain using AWS Identity and Access Management (IAM) roles, and also use IAM roles to access data and resources for a project within an IAM-based domain.

**Note**  
A project in Amazon SageMaker Unified Studio is a boundary within a domain where you can collaborate with other users to work on a business use case. In projects, you can create and share data and resources. For more details, see [Projects](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/userguide/projects.html).

By default, Amazon SageMaker Unified Studio creates a domain configured with an AWS IAM role. You can use an existing IAM role or create a new IAM role for the domain setup. Projects within this IAM-based domain also use an IAM role to access data and infrastructure within Amazon SageMaker Unified Studio. In addition, each project is assigned an IAM role for login; this federated IAM role is used to authenticate and to access the assigned project. Only one IAM-based domain is available per AWS account per Region. Each IAM-based domain supports multiple projects, and each project can be assigned to only one IAM role for authentication and execution.

Amazon SageMaker Unified Studio also supports domains configured with AWS IAM Identity Center (IdC). Projects within an Identity Center-based domain use the project role to access data and resources, or identity-based data authorization using AWS IAM trusted identity propagation. End users log in using an identity provided directly by Identity Center or through SSO to an identity provider. Additional details on setting up an Identity Center-based domain are available in [Identity Center-based domains](identity-center-based-domains.md).

**Topics**
+ [Overview of IAM-based domains](iam-based-domains-overview.md)
+ [Set up IAM-based domains in Amazon SageMaker Unified Studio](setup-iam-based-domains.md)
+ [Manage data encryption in IAM-based domains](manage-data-encryption-iam-based-domains.md)
+ [Access the Domain Administration Page](access-domain-administration-page.md)
+ [Configure VPC Networking for Amazon SageMaker Unified Studio Domain](vpc-networking-iam-based-domains.md)
+ [Manage Projects from Domain Administration](manage-projects-domain-administration.md)
+ [Configure Domain Settings](configure-domain-settings-iam-based.md)
+ [Projects in IAM-based domains](projects-iam-based-domains.md)

# Overview of IAM-based domains
<a name="iam-based-domains-overview"></a>

IAM-based domains provide the following capabilities:
+ Set up using existing IAM roles and resources
+ Authentication through federated IAM roles used for login
+ Project creation and management interface within Amazon SageMaker Unified Studio

IAM-based domains require two IAM roles to function properly:

Login IAM role  
This role authenticates users and provides access to Amazon SageMaker Unified Studio. The login role must have specific managed policies attached and inline policies configured to enable domain and project operations. Users assume this role to access the project assigned to it when they open the Amazon SageMaker Unified Studio interface.

Execution IAM role  
This role defines the AWS services and data that can be accessed through Amazon SageMaker Unified Studio projects. The execution role determines which tools, compute resources, data sources, and AI/ML assets project members can access. Amazon SageMaker Unified Studio assumes this role to make service calls on behalf of users within projects.

**Note**  
The Execution IAM role can be the same IAM role as the Login IAM role.

Both roles require specific policy attachments and trust relationships to function correctly within the IAM-based domain architecture. The system validates these permissions during setup and provides guidance for any missing configurations.

Considerations:
+ For the role used as the admin Login IAM role, consider a role with a small population of users who will be responsible for administering the domain.
+ For the role used as the admin Execution IAM role, again consider a role with a small population of users, because the role grants access to a broader set of data within the account. A default project will be created for this Execution IAM role. Consider a role that has access to the appropriate data resources (AWS Glue, Amazon Athena, and so on). This role will automatically be assigned AWS Lake Formation administrator permission, enabling further data access.

# Set up IAM-based domains in Amazon SageMaker Unified Studio
<a name="setup-iam-based-domains"></a>

Setting up an IAM-based domain in Amazon SageMaker Unified Studio requires IAM roles used for domain administration tasks. The setup process validates your IAM role configurations and guides you through any necessary policy attachments. You can choose to create a new Execution IAM role with default permissions or use existing roles that meet the service requirements.

In addition, you must choose encryption settings before you can complete setup. The setup typically completes in minutes and automatically provisions the required AWS resources.

**Prepare the Login IAM role for your IAM-based domain:**

1. Log in to the IAM role (defined in [Overview of IAM-based domains](iam-based-domains-overview.md)) with the AWS IAM administrator privileges defined in the prerequisites.

1. Navigate to the IAM console.

1. Choose **Add permission** followed by **Attach policy** and search for the managed policy `SageMakerStudioAdminIAMConsolePolicy`. Select it to add it to your existing role.

1. Do one of the following:
   + Add the following inline policy to your Login IAM role if you are choosing to use a new role as the Execution IAM role:

     ```
     {
         "Version": "2012-10-17",
         "Statement": [
             {
                 "Sid": "CreateRoleStatement",
                 "Effect": "Allow",
                 "Action": [
                     "iam:CreatePolicy",
                     "iam:CreateRole"
                 ],
                 "Resource": [
                     "arn:aws:iam::*:policy/service-role/AmazonSageMaker*",
                     "arn:aws:iam::*:role/service-role/AmazonSageMaker*"
                 ]
             },
             {
                 "Sid": "AttachRolePolicyStatement",
                 "Effect": "Allow",
                 "Action": "iam:AttachRolePolicy",
                 "Resource": "arn:aws:iam::*:role/service-role/AmazonSageMaker*",
                 "Condition": {
                     "ArnLike": {
                         "iam:PolicyARN": [
                             "arn:aws:iam::aws:policy/SageMakerStudio*",
                             "arn:aws:iam::*:policy/service-role/AmazonSageMaker*"
                         ]
                     }
                 }
             }
         ]
     }
     ```
   + Add the following inline policy to your Login IAM role if you are choosing to use an existing role as the Execution IAM role:

     ```
     {
         "Version": "2012-10-17",
         "Statement": [
             {
                 "Sid": "IAMPassRoleStatement",
                 "Effect": "Allow",
                 "Action": "iam:PassRole",
                 "Resource": [
                     "arn:aws:iam::*:role/<execution_role>"
                 ],
                 "Condition": {
                     "StringEquals": {
                         "iam:PassedToService": [
                             "datazone.amazonaws.com"
                         ]
                     }
                 }
             }
         ]
     }
     ```

1. Add the following inline policy to your Login and Execution IAM roles to enable KMS key usage.

   ```
   {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Sid": "KMSDescribePermissions",
               "Effect": "Allow",
               "Action": "kms:DescribeKey",
               "Resource": [
                   "<KmsKeyArn>"
               ]
           },
           {
               "Sid": "KMSPermissions",
               "Effect": "Allow",
               "Action": [
                   "kms:Decrypt",
                   "kms:GenerateDataKey"
               ],
               "Resource": [
                   "<KmsKeyArn>"
               ],
               "Condition": {
                   "ForAnyValue:StringEquals": {
                       "kms:EncryptionContextKeys": "aws:datazone:domainId"
                   }
               }
           }
       ]
   }
   ```
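The two inline policies above differ in what they let the Login IAM role do, but both follow the same least-privilege pattern: `iam:PassRole` is pinned to one service with `iam:PassedToService`, role and policy creation is confined to the `service-role/AmazonSageMaker*` path, and `iam:AttachRolePolicy` is restricted by `iam:PolicyARN`. The following script is an added example (not part of the AWS documentation or any AWS tool) that reviews a Login role policy document against those expectations. It embeds constructed copies of the two page policies and a constructed overly broad variant; the `review_policy_file` helper and its file path are assumptions for running it on a policy you have exported yourself.

```python
import json

# Constructed copies of the two inline policies shown above for the Login IAM role
# (the page's <execution_role> placeholder is kept as written).
NEW_EXECUTION_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CreateRoleStatement",
            "Effect": "Allow",
            "Action": ["iam:CreatePolicy", "iam:CreateRole"],
            "Resource": [
                "arn:aws:iam::*:policy/service-role/AmazonSageMaker*",
                "arn:aws:iam::*:role/service-role/AmazonSageMaker*",
            ],
        },
        {
            "Sid": "AttachRolePolicyStatement",
            "Effect": "Allow",
            "Action": "iam:AttachRolePolicy",
            "Resource": "arn:aws:iam::*:role/service-role/AmazonSageMaker*",
            "Condition": {
                "ArnLike": {
                    "iam:PolicyARN": [
                        "arn:aws:iam::aws:policy/SageMakerStudio*",
                        "arn:aws:iam::*:policy/service-role/AmazonSageMaker*",
                    ]
                }
            },
        },
    ],
}

EXISTING_EXECUTION_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "IAMPassRoleStatement",
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": ["arn:aws:iam::*:role/<execution_role>"],
            "Condition": {"StringEquals": {"iam:PassedToService": ["datazone.amazonaws.com"]}},
        }
    ],
}

# Constructed "what not to do" variant: the same actions with no scoping at all.
OVERLY_BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "TooBroad",
            "Effect": "Allow",
            "Action": ["iam:PassRole", "iam:CreateRole", "iam:AttachRolePolicy"],
            "Resource": "*",
        }
    ],
}

# IAM actions that let a principal create or widen other principals' permissions.
SENSITIVE_ACTIONS = {
    "iam:PassRole", "iam:CreateRole", "iam:AttachRolePolicy",
    "iam:CreatePolicy", "iam:PutRolePolicy",
}


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    return [] if value is None else (value if isinstance(value, list) else [value])


def _has_condition_key(statement, key):
    """True if any condition operator in the statement constrains the given key."""
    return any(key in keys for keys in statement.get("Condition", {}).values())


def review_login_policy(policy):
    """Return a list of findings; an empty list means the document passes this review."""
    findings = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", "<no Sid>")
        actions = set(_as_list(st.get("Action")))
        sensitive = actions & SENSITIVE_ACTIONS
        if "*" in actions or "iam:*" in actions:
            findings.append(f"{sid}: wildcard IAM action")
        for res in _as_list(st.get("Resource")):
            if sensitive and (res == "*" or res.endswith(":role/*") or res.endswith(":policy/*")):
                findings.append(f"{sid}: {sorted(sensitive)} allowed on unscoped resource {res}")
        if "iam:PassRole" in actions and not _has_condition_key(st, "iam:PassedToService"):
            findings.append(f"{sid}: iam:PassRole without an iam:PassedToService condition")
        if "iam:AttachRolePolicy" in actions and not _has_condition_key(st, "iam:PolicyARN"):
            findings.append(f"{sid}: iam:AttachRolePolicy without an iam:PolicyARN condition")
    return findings


def review_policy_file(path):
    """Review a policy document saved as JSON (assumed path supplied by the caller)."""
    with open(path) as fh:
        return review_login_policy(json.load(fh))


if __name__ == "__main__":
    for name, doc in [("new-role policy", NEW_EXECUTION_ROLE_POLICY),
                      ("existing-role policy", EXISTING_EXECUTION_ROLE_POLICY),
                      ("overly broad policy", OVERLY_BROAD_POLICY)]:
        print(name, "->", review_login_policy(doc) or "OK")
```

To review a live role, save the `PolicyDocument` returned by `aws iam get-role-policy --role-name <login_role> --policy-name <policy_name>` to a file and pass it to `review_policy_file`. Both page policies pass; the constructed broad variant produces three findings, one for each missing restriction.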

**Prepare the Execution IAM role for your IAM-based domain:**

Amazon SageMaker Unified Studio provides two methods to configure the Execution IAM role (defined in [Overview of IAM-based domains](iam-based-domains-overview.md)). First, you can choose to create a new Execution IAM role for your IAM-based domain. This option creates a new role with default permissions and policies to administer your IAM-based domain. The auto-created role has the following permission details:

1. Managed policy: Data access and permissions are defined by `SageMakerStudioAdminIAMPermissiveExecutionPolicy`. The role does not inherit the data access of the Login IAM role.

1. Trust policy: The following trust policy allows Amazon SageMaker Unified Studio and related services to assume this Execution IAM role.

   ```
   {
        "Version": "2012-10-17",
       "Statement": [
           {
               "Effect": "Allow",
               "Principal": {
                   "Service": [
                       "datazone.amazonaws.com",
                       "sagemaker.amazonaws.com",
                       "glue.amazonaws.com",
                       "bedrock.amazonaws.com",
                       "scheduler.amazonaws.com",
                       "lakeformation.amazonaws.com",
                       "airflow-serverless.amazonaws.com",
                       "athena.amazonaws.com",
                       "redshift.amazonaws.com",
                       "emr-serverless.amazonaws.com"
                   ]
               },
               "Action": [
                   "sts:AssumeRole",
                   "sts:TagSession",
                   "sts:SetContext",
                   "sts:SetSourceIdentity"
               ],
               "Condition": {
                   "StringEquals": {
                       "aws:SourceAccount": "<domain_account>"
                   }
               }
           }
       ]
   }
   ```

1. AWS Lake Formation administrator: This role will be assigned as an administrator to enable data discovery and access management.

Alternatively, Amazon SageMaker Unified Studio can use an existing IAM role as the Execution IAM role for your IAM-based domain. This option requires additional permissions and policies to be added to your existing IAM role to administer your IAM-based domain.

1. Log in to the IAM role with the AWS IAM administrator privileges defined in the prerequisites.

1. Navigate to the IAM console.

1. Choose **Add permission** followed by **Attach policy** and search for the managed policy `SageMakerStudioAdminIAMDefaultExecutionPolicy`. Select it to add it to your existing role.

1. Add the following inline policy to allow this role to pass itself to other services.

   ```
   {
        "Version": "2012-10-17",
       "Statement": [
           {
               "Sid": "PassRoleSelf",
               "Effect": "Allow",
               "Action": "iam:PassRole",
               "Resource": [
                   "arn:aws:iam::*:role/<role_name>"
               ],
               "Condition": {
                   "StringEquals": {
                       "iam:PassedToService": [
                           "sagemaker.amazonaws.com",
                           "glue.amazonaws.com",
                           "lakeformation.amazonaws.com",
                           "bedrock.amazonaws.com",
                           "scheduler.amazonaws.com",
                           "airflow-serverless.amazonaws.com",
                           "athena.amazonaws.com",
                           "redshift.amazonaws.com",
                           "emr-serverless.amazonaws.com"
                       ]
                   }
               }
           }
       ]
   }
   ```

1. Add the following trust policy to allow Amazon SageMaker Unified Studio and related services to assume this Execution IAM role.

   ```
   {
        "Version": "2012-10-17",
       "Statement": [
           {
               "Effect": "Allow",
               "Principal": {
                   "Service": [
                       "datazone.amazonaws.com",
                       "sagemaker.amazonaws.com",
                       "glue.amazonaws.com",
                       "bedrock.amazonaws.com",
                       "scheduler.amazonaws.com",
                       "lakeformation.amazonaws.com",
                       "airflow-serverless.amazonaws.com",
                       "athena.amazonaws.com",
                       "redshift.amazonaws.com",
                       "emr-serverless.amazonaws.com"
                   ]
               },
               "Action": [
                   "sts:AssumeRole",
                   "sts:TagSession",
                   "sts:SetContext",
                   "sts:SetSourceIdentity"
               ],
               "Condition": {
                   "StringEquals": {
                       "aws:SourceAccount": "<domain_account>"
                   }
               }
           }
       ]
   }
   ```

1. Recommended: Navigate to AWS Lake Formation and grant this role AWS Lake Formation administrator permission to enable data discovery and access management within the domain.
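The trust policy and the `PassRoleSelf` policy above carry two controls worth checking on any Execution IAM role: the service principals are pinned to your own account with `aws:SourceAccount` (so a service acting for another account cannot assume the role), and the role may only be passed to the listed services and only names itself as the resource. The script below is an added example (not AWS documentation or an AWS tool) that performs those checks offline. The account ID `111122223333` and the role name `SMUSExecutionRole` are constructed values standing in for the page's `<domain_account>` and `<role_name>` placeholders.

```python
import json

# Service principals listed in the trust policy above, in the page's order.
EXPECTED_SERVICES = (
    "datazone.amazonaws.com", "sagemaker.amazonaws.com", "glue.amazonaws.com",
    "bedrock.amazonaws.com", "scheduler.amazonaws.com", "lakeformation.amazonaws.com",
    "airflow-serverless.amazonaws.com", "athena.amazonaws.com", "redshift.amazonaws.com",
    "emr-serverless.amazonaws.com",
)

# Constructed sample values standing in for <domain_account> and <role_name>.
DOMAIN_ACCOUNT = "111122223333"
ROLE_NAME = "SMUSExecutionRole"

# Constructed copy of the trust policy shown above, placeholders filled in.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"Service": list(EXPECTED_SERVICES)},
            "Action": ["sts:AssumeRole", "sts:TagSession", "sts:SetContext", "sts:SetSourceIdentity"],
            "Condition": {"StringEquals": {"aws:SourceAccount": DOMAIN_ACCOUNT}},
        }
    ],
}

# Constructed copy of the PassRoleSelf inline policy shown above; as on the page,
# datazone.amazonaws.com is not in its iam:PassedToService list.
PASS_ROLE_SELF_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PassRoleSelf",
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": [f"arn:aws:iam::*:role/{ROLE_NAME}"],
            "Condition": {"StringEquals": {"iam:PassedToService": [
                s for s in EXPECTED_SERVICES if s != "datazone.amazonaws.com"]}},
        }
    ],
}


def _as_list(value):
    """IAM accepts a string or a list in most fields; normalise to a list."""
    return [] if value is None else (value if isinstance(value, list) else [value])


def review_trust_policy(trust, expected_account, expected_services=frozenset(EXPECTED_SERVICES)):
    """Findings for a role trust policy; an empty list means it passes."""
    findings = []
    for i, st in enumerate(trust.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal", {})
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            findings.append(f"statement {i}: anonymous principal can assume the role")
            continue
        services = set(_as_list(principal.get("Service"))) if isinstance(principal, dict) else set()
        unexpected = services - set(expected_services)
        if unexpected:
            findings.append(f"statement {i}: unexpected service principals {sorted(unexpected)}")
        if services:
            # Service principals must be pinned to the domain account (confused-deputy control).
            pinned = _as_list(st.get("Condition", {}).get("StringEquals", {}).get("aws:SourceAccount"))
            if pinned != [expected_account]:
                findings.append(f"statement {i}: service principals not pinned to aws:SourceAccount {expected_account}")
    return findings


def review_pass_role_self(policy, account, role_name):
    """The PassRole statement should name only this role and pin the receiving services."""
    findings = []
    allowed = {f"arn:aws:iam::{account}:role/{role_name}", f"arn:aws:iam::*:role/{role_name}"}
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow" or "iam:PassRole" not in _as_list(st.get("Action")):
            continue
        sid = st.get("Sid", "<no Sid>")
        for res in _as_list(st.get("Resource")):
            if res not in allowed:
                findings.append(f"{sid}: PassRole resource {res} is not this role")
        services = _as_list(st.get("Condition", {}).get("StringEquals", {}).get("iam:PassedToService"))
        if not services:
            findings.append(f"{sid}: no iam:PassedToService condition")
    return findings


if __name__ == "__main__":
    report = {
        "trust_policy": review_trust_policy(TRUST_POLICY, DOMAIN_ACCOUNT),
        "pass_role_self": review_pass_role_self(PASS_ROLE_SELF_POLICY, DOMAIN_ACCOUNT, ROLE_NAME),
    }
    print(json.dumps(report, indent=2))
```

The `AssumeRolePolicyDocument` field of `aws iam get-role --role-name <role_name>` gives you the live trust policy to feed into `review_trust_policy`; an empty findings list for both functions is the expected result for a role configured as described above.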

**Create Your Domain:**

1. Log in to the AWS Management Console and choose the Login IAM role (defined in [Overview of IAM-based domains](iam-based-domains-overview.md)) that you created for the administrator.

1. Navigate to the Amazon SageMaker console and use the region selector to choose your desired AWS Region.

1. Choose **Get started** from the Amazon SageMaker Unified Studio section.

1. You should see a screen with the title **Set up Amazon SageMaker Unified Studio**.

1. Choose the Execution IAM role for the administrator.

1. **Setup S3 table integration with AWS analytics services**. This option is enabled by default, and will allow Amazon SageMaker Unified Studio to access table buckets and integrate the table buckets with AWS analytics services using AWS Glue. If S3 Tables analytics integration has already been configured in your account and Region (that is, the `s3tablescatalog` already exists in the AWS Glue Data Catalog), this option will not be shown. [Learn more](https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-tables-integrating-aws.html).

1. In the **Data encryption** section, configure your encryption preferences:
   + Leave **Customize encryption settings (advanced)** unchecked to use AWS-managed encryption
   + Check **Customize encryption settings (advanced)** to specify a custom AWS KMS key

   If using custom encryption, see [Manage data encryption in IAM-based domains](manage-data-encryption-iam-based-domains.md).

1. Choose **Set up** to begin the domain creation process.

1. Monitor the setup progress in the **Setting up Amazon SageMaker Unified Studio** dialog. The process typically takes 1-2 minutes to complete.

1. Once the setup is complete, a project is automatically created using the same Execution IAM role, and you are redirected to the administration pages for managing the domain. See [Access the Domain Administration Page](access-domain-administration-page.md) for details.

1. You can also access the project associated with your Login IAM role by choosing the first project. See **Navigating within Amazon SageMaker Unified Studio** for details.

**Note**  
To add more IAM roles to the IAM-based domain, create new projects using the additional IAM role as the Login IAM role. See [Projects in IAM-based domains](projects-iam-based-domains.md) for setup details.

Amazon SageMaker Unified Studio also supports domains configured with AWS IAM Identity Center (IdC). Additional details on setting up an Identity Center-based domain are available in [Identity Center-based domains](identity-center-based-domains.md).

# Manage data encryption in IAM-based domains
<a name="manage-data-encryption-iam-based-domains"></a>

Data encryption in IAM-based domains protects your data at rest and in transit within Amazon SageMaker Unified Studio. You can choose between AWS-managed encryption keys for simplified management or customer-managed AWS KMS keys for enhanced control over encryption operations. Encryption settings are configured during domain setup and cannot be changed after domain creation.

AWS-managed encryption provides automatic key management with no additional configuration required. Customer-managed encryption enables you to control key policies, rotation schedules, and access permissions while requiring additional IAM policy configuration for your roles.

All data stored in the default Amazon S3 bucket created by Amazon SageMaker Unified Studio is encrypted according to your chosen encryption configuration. The encryption settings apply to all projects and resources within the domain.

Prerequisites:
+ Understanding of AWS KMS key management concepts
+ Appropriate IAM permissions to use or create KMS keys
+ Decision on encryption approach based on your security requirements

Configure AWS-managed encryption (default):

1. During domain setup, leave the **Customize encryption settings (advanced)** option unchecked.

1. The system automatically configures encryption using AWS-owned and managed keys.

1. No additional IAM policy configuration is required for AWS-managed encryption.

Configure customer-managed encryption:

1. During domain setup, check **Customize encryption settings (advanced)**.

1. Choose **Choose an AWS KMS key** and select one of the following options:
   + Select an existing KMS key from the dropdown menu
   + Enter a KMS key ARN directly in the text field
   + Choose **Create new KMS Key** to create a new key

1. If creating a new key, configure the key policy to allow access from your IAM roles.

1. Configure the following key policy on the KMS key so that your Login and Execution IAM roles, and the AWS services that act on their behalf, can use it. Replace the `<account>`, `<region>`, and `<role_name>` placeholders with your own values.

   ```
   {
        "Version": "2012-10-17",
       "Id": "key-consolepolicy",
       "Statement": [
           {
               "Sid": "ListAndDescribe",
               "Effect": "Allow",
               "Principal": {
                   "AWS": "arn:aws:iam::<account>:root"
               },
               "Action": [
                   "kms:DescribeKey",
                   "kms:ListAliases",
                   "kms:ListGrants"
               ],
               "Resource": "*",
               "Condition": {
                   "ArnLike": {
                       "aws:PrincipalArn": [
                           "arn:aws:iam::<account>:role/service-role/AmazonSageMaker*",
                           "arn:aws:iam::<account>:role/<role_name>"
                       ]
                   }
               }
           },
           {
               "Sid": "CloudWatchLogs",
               "Effect": "Allow",
               "Principal": { "Service": "logs.<region>.amazonaws.com" },
               "Action": [
                   "kms:Encrypt*",
                   "kms:Decrypt*",
                   "kms:ReEncrypt*",
                   "kms:GenerateDataKey*",
                   "kms:Describe*"
               ],
               "Resource": "*",
               "Condition": {
                   "ArnLike": {
                       "kms:EncryptionContext:aws:logs:arn": "arn:aws:logs:*:*:log-group:/aws/mwaa-serverless/*"
                   }
               }
           },
           {
               "Sid": "S3Table",
               "Effect": "Allow",
               "Principal": {
                   "Service": "maintenance.s3tables.amazonaws.com"
               },
               "Action": [
                   "kms:GenerateDataKey",
                   "kms:Decrypt"
               ],
               "Resource": "*"
           },
           {
               "Sid": "DataZone",
               "Effect": "Allow",
               "Principal": {
                   "AWS": "arn:aws:iam::<account>:root"
               },
               "Action": [
                   "kms:Decrypt",
                   "kms:GenerateDataKey",
                   "kms:Encrypt",
                   "kms:GenerateDataKeyWithoutPlaintext",
                   "kms:ReEncryptTo",
                   "kms:ReEncryptFrom"
               ],
               "Resource": "*",
               "Condition": {
                   "ForAnyValue:StringEquals": {
                       "kms:EncryptionContextKeys": "aws:datazone:domainId"
                   },
                   "ArnLike": {
                       "aws:PrincipalArn": [
                           "arn:aws:iam::<account>:role/service-role/AmazonSageMaker*",
                            "arn:aws:iam::<account>:role/<role_name>"
                       ]
                   }
               }
           },
           {
               "Sid": "S3Kms",
               "Effect": "Allow",
               "Principal": {
                   "AWS": "arn:aws:iam::<account>:root"
               },
               "Action": [
                   "kms:Decrypt",
                   "kms:GenerateDataKey"
               ],
               "Resource": "*",
               "Condition": {
                   "StringLike": {
                       "kms:ViaService": "s3.*.amazonaws.com"
                   },
                   "Null": {
                       "kms:EncryptionContext:aws:s3:arn": "false"
                   },
                   "ArnLike": {
                       "aws:PrincipalArn": [
                           "arn:aws:iam::<account>:role/service-role/AmazonSageMaker*",
                           "arn:aws:iam::<account>:role/<role_name>"
                       ]
                   }
               }
           },
           {
               "Sid": "SchedulerKms",
               "Effect": "Allow",
               "Principal": {
                   "AWS": "arn:aws:iam::<account>:root"
               },
               "Action": [
                   "kms:Decrypt",
                   "kms:GenerateDataKey"
               ],
               "Resource": "*",
               "Condition": {
                   "Null": {
                       "kms:EncryptionContext:aws:scheduler:schedule:arn": "false"
                   },
                   "ArnLike": {
                       "aws:PrincipalArn": [
                           "arn:aws:iam::<account>:role/service-role/AmazonSageMaker*",
                           "arn:aws:iam::<account>:role/<role_name>"
                       ]
                   }
               }
           },
           {
               "Sid": "SecretsKms",
               "Effect": "Allow",
               "Principal": {
                   "AWS": "arn:aws:iam::<account>:root"
               },
               "Action": [
                   "kms:Decrypt",
                   "kms:Encrypt",
                   "kms:GenerateDataKey"
               ],
               "Resource": "*",
               "Condition": {
                   "StringLike": {
                       "kms:ViaService": "secretsmanager.*.amazonaws.com"
                   },
                   "Null": {
                       "kms:EncryptionContext:SecretARN": "false"
                   },
                   "ArnLike": {
                       "aws:PrincipalArn": [
                           "arn:aws:iam::<account>:role/service-role/AmazonSageMaker*",
                           "arn:aws:iam::<account>:role/<role_name>"
                       ]
                   }
               }
           },
           {
               "Sid": "SageMakerKms",
               "Effect": "Allow",
               "Principal": {
                   "AWS": "arn:aws:iam::<account>:root"
               },
               "Action": [
                   "kms:Decrypt",
                   "kms:Encrypt",
                   "kms:GenerateDataKey",
                   "kms:GenerateDataKeyWithoutPlaintext",
                   "kms:ReEncryptTo",
                   "kms:ReEncryptFrom"
               ],
               "Resource": "*",
               "Condition": {
                   "StringLike": {
                       "kms:ViaService": "sagemaker.*.amazonaws.com"
                   },
                   "Null": {
                       "kms:EncryptionContextKeys": "false"
                   },
                   "ArnLike": {
                       "aws:PrincipalArn": [
                           "arn:aws:iam::<account>:role/service-role/AmazonSageMaker*",
                           "arn:aws:iam::<account>:role/<role_name>"
                       ]
                   }
               }
           },
           {
               "Sid": "SageMakerCreateGrant",
               "Effect": "Allow",
               "Principal": {
                   "AWS": "arn:aws:iam::<account>:root"
               },
               "Action": [
                   "kms:CreateGrant"
               ],
               "Resource": "*",
               "Condition": {
                   "StringLike": {
                       "kms:ViaService": "sagemaker.*.amazonaws.com"
                   },
                   "ArnLike": {
                       "aws:PrincipalArn": [
                           "arn:aws:iam::<account>:role/service-role/AmazonSageMaker*",
                           "arn:aws:iam::<account>:role/<role_name>"
                       ]
                   }
               }
           },
           {
               "Sid": "DataZoneCreateGrant",
               "Effect": "Allow",
               "Principal": {
                   "AWS": "arn:aws:iam::<account>:root"
               },
               "Action": [
                   "kms:CreateGrant"
               ],
               "Resource": "*",
               "Condition": {
                   "StringLike": {
                       "kms:ViaService": "datazone.*.amazonaws.com"
                   },
                   "ArnLike": {
                       "aws:PrincipalArn": [
                           "arn:aws:iam::<account>:role/service-role/AmazonSageMaker*",
                           "arn:aws:iam::<account>:role/<role_name>"
                       ]
                   },
                   "ForAllValues:StringEquals": {
                       "kms:GrantOperations": [
                           "Encrypt",
                           "Decrypt",
                           "ReEncryptFrom",
                           "ReEncryptTo",
                           "GenerateDataKeyWithoutPlaintext",
                           "GenerateDataKey",
                           "DescribeKey",
                           "RetireGrant",
                           "CreateGrant"
                       ]
                   }
               }
           },
           {
               "Sid": "GlueKms",
               "Effect": "Allow",
               "Principal": {
                   "AWS": "arn:aws:iam::<account>:root"
               },
               "Action": [
                   "kms:Decrypt",
                   "kms:Encrypt",
                   "kms:GenerateDataKey",
                   "kms:GenerateDataKeyWithoutPlaintext"
               ],
               "Resource": "*",
               "Condition": {
                   "StringLike": {
                       "kms:ViaService": "glue.*.amazonaws.com"
                   },
                   "Null": {
                       "kms:EncryptionContextKeys": "false"
                   },
                   "ArnLike": {
                       "aws:PrincipalArn": [
                           "arn:aws:iam::<account>:role/service-role/AmazonSageMaker*",
                           "arn:aws:iam::<account>:role/<role_name>"
                       ]
                   }
               }
           },
           {
               "Sid": "BedrockKms",
               "Effect": "Allow",
               "Principal": {
                   "AWS": "arn:aws:iam::<account>:root"
               },
               "Action": [
                   "kms:Decrypt",
                   "kms:GenerateDataKey"
               ],
               "Resource": "*",
               "Condition": {
                   "StringLike": {
                       "kms:ViaService": "bedrock.*.amazonaws.com"
                   },
                   "Null": {
                       "kms:EncryptionContextKeys": "false"
                   },
                   "ArnLike": {
                       "aws:PrincipalArn": [
                           "arn:aws:iam::<account>:role/service-role/AmazonSageMaker*",
                           "arn:aws:iam::<account>:role/<role_name>"
                       ]
                   }
               }
           },
           {
               "Sid": "WorkflowsCreateGrant",
               "Effect": "Allow",
               "Principal": {
                   "AWS": "arn:aws:iam::<account>:root"
               },
               "Action": [
                   "kms:CreateGrant"
               ],
               "Resource": "*",
               "Condition": {
                   "StringLike": {
                       "kms:ViaService": "airflow-serverless.*.amazonaws.com"
                   },
                   "ForAnyValue:StringEquals": {
                       "kms:EncryptionContextKeys": "aws:airflow-serverless:workflow-arn"
                   },
                   "ForAllValues:StringEquals": {
                       "kms:GrantOperations": [
                           "Decrypt",
                           "Encrypt",
                           "GenerateDataKey",
                           "GenerateDataKeyWithoutPlaintext",
                           "RetireGrant"
                       ]
                   },
                   "ArnLike": {
                       "aws:PrincipalArn": [
                           "arn:aws:iam::<account>:role/service-role/AmazonSageMaker*",
                           "arn:aws:iam::<account>:role/<role_name>"
                       ]
                   }
               }
           },
           {
               "Sid": "WorkflowsKms",
               "Effect": "Allow",
               "Principal": {
                   "AWS": "arn:aws:iam::<account>:root"
               },
               "Action": [
                   "kms:Decrypt",
                   "kms:Encrypt",
                   "kms:GenerateDataKey",
                   "kms:GenerateDataKeyWithoutPlaintext"
               ],
               "Resource": "*",
               "Condition": {
                   "ForAnyValue:StringEquals": {
                       "kms:EncryptionContextKeys": "aws:airflow-serverless:workflow-arn"
                   },
                   "ArnLike": {
                       "aws:PrincipalArn": [
                           "arn:aws:iam::<account>:role/service-role/AmazonSageMaker*",
                           "arn:aws:iam::<account>:role/<role_name>"
                       ]
                   }
               }
           }
       ]
   }
   ```

1. Replace the resource ARN with your actual KMS key ARN.

1. Complete the domain setup process with your encryption configuration.
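Every statement in the key policy above that names the account root (`arn:aws:iam::<account>:root`) as principal is narrowed with an `aws:PrincipalArn` condition; without that condition a root principal means every IAM principal in the account can use the key. A second, more mundane risk is a placeholder that survives copy-and-paste, since an ARN containing `<` never matches anything. The script below is an added example (not AWS documentation or an AWS tool) that renders a constructed three-statement excerpt of the key policy, reports any unresolved placeholders, and flags root-principal statements that lack an `aws:PrincipalArn` condition. The account ID, Region and role name it fills in are constructed values.

```python
import json
import re

# Constructed excerpt (three statements) of the key policy shown above, kept as a
# template string with the page's <account>, <region> and <role_name> placeholders.
KEY_POLICY_TEMPLATE = """{
  "Version": "2012-10-17",
  "Id": "key-consolepolicy",
  "Statement": [
    {
      "Sid": "ListAndDescribe",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::<account>:root"},
      "Action": ["kms:DescribeKey", "kms:ListAliases", "kms:ListGrants"],
      "Resource": "*",
      "Condition": {"ArnLike": {"aws:PrincipalArn": [
        "arn:aws:iam::<account>:role/service-role/AmazonSageMaker*",
        "arn:aws:iam::<account>:role/<role_name>"]}}
    },
    {
      "Sid": "CloudWatchLogs",
      "Effect": "Allow",
      "Principal": {"Service": "logs.<region>.amazonaws.com"},
      "Action": ["kms:Encrypt*", "kms:Decrypt*", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:Describe*"],
      "Resource": "*",
      "Condition": {"ArnLike": {"kms:EncryptionContext:aws:logs:arn": "arn:aws:logs:*:*:log-group:/aws/mwaa-serverless/*"}}
    },
    {
      "Sid": "S3Kms",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::<account>:root"},
      "Action": ["kms:Decrypt", "kms:GenerateDataKey"],
      "Resource": "*",
      "Condition": {
        "StringLike": {"kms:ViaService": "s3.*.amazonaws.com"},
        "Null": {"kms:EncryptionContext:aws:s3:arn": "false"},
        "ArnLike": {"aws:PrincipalArn": [
          "arn:aws:iam::<account>:role/service-role/AmazonSageMaker*",
          "arn:aws:iam::<account>:role/<role_name>"]}}
    }
  ]
}"""

# Constructed statement a reviewer should reject: account root with no
# aws:PrincipalArn restriction lets every principal in the account use the key.
UNSCOPED_ROOT_STATEMENT = {
    "Sid": "UnscopedRoot",
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
    "Action": ["kms:Decrypt", "kms:GenerateDataKey"],
    "Resource": "*",
}

# Matches "<name>" and also a mistyped "<name<" (an ARN never legitimately contains "<").
PLACEHOLDER = re.compile(r"<[A-Za-z_]*[<>]?")


def render_key_policy(template, account, region, role_name):
    """Fill the page's placeholders and parse the result as a policy document."""
    rendered = (template.replace("<account>", account)
                        .replace("<region>", region)
                        .replace("<role_name>", role_name))
    return json.loads(rendered)


def unresolved_placeholders(policy):
    """Sorted list of placeholder-looking tokens left in a policy (dict or JSON text)."""
    text = policy if isinstance(policy, str) else json.dumps(policy)
    return sorted(set(PLACEHOLDER.findall(text)))


def _as_list(value):
    return [] if value is None else (value if isinstance(value, list) else [value])


def review_key_policy(policy):
    """Findings for a KMS key policy; an empty list means it passes this review."""
    findings = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", "<no Sid>")
        principal = st.get("Principal")
        actions = _as_list(st.get("Action"))
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            findings.append(f"{sid}: anonymous principal")
            continue
        if any(a in ("kms:*", "*") for a in actions):
            findings.append(f"{sid}: wildcard KMS action")
        aws_principals = _as_list(principal.get("AWS")) if isinstance(principal, dict) else []
        cond_keys = {k for keys in st.get("Condition", {}).values() for k in keys}
        if any(p.endswith(":root") for p in aws_principals) and "aws:PrincipalArn" not in cond_keys:
            findings.append(f"{sid}: account-root principal without aws:PrincipalArn condition")
    return findings


if __name__ == "__main__":
    policy = render_key_policy(KEY_POLICY_TEMPLATE, "111122223333", "us-east-1", "SMUSExecutionRole")
    print("unresolved:", unresolved_placeholders(policy))
    print("findings:", review_key_policy(policy))
```

The same `review_key_policy` check can be run on the live document returned by `aws kms get-key-policy --key-id <key_id> --policy-name default`; the `unresolved_placeholders` check is most useful on the template text before you paste it into the console, where a stray `<role_name<` would otherwise silently deny the role.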

**Warning**  
Encryption settings cannot be modified after domain creation. Choose your encryption approach carefully based on your long-term security requirements.

# Access the Domain Administration Page
<a name="access-domain-administration-page"></a>

The domain administration page in Amazon SageMaker Unified Studio provides administrators with centralized management capabilities for domains, projects, and settings. Domain administrators can create and manage projects, configure domain-level settings including networking, and oversee the overall domain configuration.

Access to the domain administration page is restricted to the IAM role that was specified as the domain login role when the domain was created. This IAM role is the project member in the default admin project created for the domain.

1. Log in to your Amazon SageMaker Unified Studio IAM-based domain.

1. From the Amazon SageMaker Unified Studio left navigation, click **Domain management**.

1. Alternatively, from the Amazon SageMaker Unified Studio header, locate the project dropdown menu and choose **Manage projects**.

From the domain administration page, you can access:
+ Projects - Manage existing projects and create new projects
+ Settings - Configure network settings

# Configure VPC Networking for Amazon SageMaker Unified Studio Domain
<a name="vpc-networking-iam-based-domains"></a>

**Topics**
+ [Network settings in IAM-based domains](configure-vpc-networking-iam-based-domains.md)
+ [Update Individual Projects with VPC Configuration](update-individual-projects-vpc.md)
+ [View VPC Networking Details for Your Domain](view-vpc-networking-details.md)

# Network settings in IAM-based domains
<a name="configure-vpc-networking-iam-based-domains"></a>

Amazon Virtual Private Cloud (Amazon VPC) networking with subnets is required when using certain compute services within Amazon SageMaker Unified Studio. You configure VPC networking at the domain level to provide network isolation and connectivity for compute resources, database connections, and other AWS services.

When you configure VPC networking for your domain, all projects created after the configuration will automatically use the specified VPC. You can choose to update existing projects immediately or update them individually at a later time.

VPC configuration is permanent once applied to a domain and cannot be changed or removed after it is saved.

Prerequisites:
+ Domain administrator permissions for Amazon SageMaker Unified Studio
+ An existing VPC that meets the following requirements:
  + At least 2 private subnets in different Availability Zones
  + DNS hostname and DNS support enabled
  + At least 5 free IP addresses per Amazon SageMaker Unified Studio project
+ Appropriate IAM permissions to access VPC resources

1. From the domain administration page, choose **Settings** in the left navigation pane.

1. In the **Networking** section, choose **Add VPC**.

1. In the **Add VPC** dialog, review the warning message that VPC configuration cannot be changed after it is added.

1. In the **VPC** section, choose **Select** and select the VPC where your compute resources will be housed.
**Note**  
If no VPC has been set up for use with Amazon SageMaker Unified Studio, you can choose **Create VPC** to create a new VPC using AWS CloudFormation.

1. In the **Subnets** section, choose **Select** and select at least two subnets in different Availability Zones.
**Warning**  
Your subnets must be private or some functionality will not be available. Select subnets configured with the required VPC endpoints to establish connectivity to AWS services.

1. In the **Project update option** section, choose one of the following:
   + Update all projects immediately - All existing projects will be updated automatically after saving. This may take a few minutes for domains with more than 20 projects.
   + Update projects separately - Go to each project detail page and manually update projects with the VPC configuration.

1. Choose **Save & Update**.

You can now view the configured VPC details in the **Networking** section of the Settings tab. All new projects created in the domain will use this VPC configuration.
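The prerequisites listed at the start of this section (private subnets in at least two Availability Zones, DNS support and hostnames enabled, free IP addresses per project) can be checked before the VPC is added, since the configuration cannot be changed afterwards. The following is an added example, not AWS or Amazon SageMaker Unified Studio code; it runs offline on dicts shaped like the EC2 DescribeSubnets, DescribeRouteTables and DescribeVpcAttribute responses, and it assumes the free-IP requirement applies to every selected subnet.

```python
"""Offline preflight for the VPC prerequisites listed on this page
(added example, not AWS code). The inputs are shaped like the EC2
DescribeSubnets / DescribeRouteTables / DescribeVpcAttribute responses
but are constructed inline so the checks run without AWS access."""

MIN_AZS = 2               # at least 2 private subnets in different AZs
FREE_IPS_PER_PROJECT = 5  # at least 5 free IP addresses per project


def effective_route_table(subnet_id, route_tables):
    """Explicit subnet association wins; otherwise the VPC's main table applies."""
    main = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def is_private(subnet_id, route_tables):
    """Private here means: no route whose target is an internet gateway (igw-*)."""
    rt = effective_route_table(subnet_id, route_tables)
    if rt is None:
        return False  # no routing information: do not assume the subnet is private
    return not any(str(r.get("GatewayId", "")).startswith("igw-") for r in rt.get("Routes", []))


def check_vpc_prereqs(subnets, route_tables, vpc_attrs, project_count):
    """Return check name -> bool for the selected subnets and VPC attributes.

    vpc_attrs is a flattened {attribute_name: bool} dict (assumption).
    The free-IP requirement is applied to every selected subnet (assumption).
    """
    needed_ips = FREE_IPS_PER_PROJECT * project_count
    return {
        "all_private": all(is_private(s["SubnetId"], route_tables) for s in subnets),
        "enough_azs": len({s["AvailabilityZone"] for s in subnets}) >= MIN_AZS,
        "dns_enabled": bool(vpc_attrs.get("EnableDnsSupport")) and bool(vpc_attrs.get("EnableDnsHostnames")),
        "enough_free_ips": all(s["AvailableIpAddressCount"] >= needed_ips for s in subnets),
    }


# Constructed sample: two private subnets in different AZs plus one public subnet.
SAMPLE_ROUTE_TABLES = [
    {"RouteTableId": "rtb-main", "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]},
    {"RouteTableId": "rtb-public", "Associations": [{"SubnetId": "subnet-c"}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example"}]},
]
SAMPLE_SUBNETS = [
    {"SubnetId": "subnet-a", "AvailabilityZone": "us-east-1a", "AvailableIpAddressCount": 200},
    {"SubnetId": "subnet-b", "AvailabilityZone": "us-east-1b", "AvailableIpAddressCount": 120},
]
PUBLIC_SUBNET = {"SubnetId": "subnet-c", "AvailabilityZone": "us-east-1c", "AvailableIpAddressCount": 250}
SAMPLE_VPC_ATTRS = {"EnableDnsSupport": True, "EnableDnsHostnames": True}

if __name__ == "__main__":
    print(check_vpc_prereqs(SAMPLE_SUBNETS, SAMPLE_ROUTE_TABLES, SAMPLE_VPC_ATTRS, project_count=20))
```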

# Update Individual Projects with VPC Configuration
<a name="update-individual-projects-vpc"></a>

When you configure VPC networking for your domain with the "Update projects separately" option, existing projects are not automatically updated with the VPC configuration. You must manually update each project to apply the domain's VPC settings.

This approach allows you to control when projects are updated and ensures that active workloads are not disrupted during the VPC configuration process.

1. From the domain administration page, choose **Projects** in the left navigation pane.

1. From the projects list, choose the project you want to update.

1. On the project detail page, you will see a banner at the top indicating "Configurations have changed. Please update this project to access the latest configuration."

1. In the banner, choose **Update**.

1. Confirm the update when prompted.

# View VPC Networking Details for Your Domain
<a name="view-vpc-networking-details"></a>

After configuring VPC networking for your Amazon SageMaker Unified Studio domain, you can view the VPC and subnet details from the domain settings. This information shows the current networking configuration that will be used by projects and compute resources.

1. From the domain administration page, choose **Settings** in the left navigation pane.

1. In the **Networking** section, review the configured VPC details:
   + VPC - Shows the VPC ID and provides a link to view the VPC in the Amazon VPC console
   + Subnets - Lists all configured subnets with links to view each subnet in the Amazon VPC console

1. To view additional VPC configuration details, choose the VPC ID link to open the Amazon VPC console.

1. To view subnet configuration details, choose any subnet ID link to open the specific subnet in the Amazon VPC console.

# Manage Projects from Domain Administration
<a name="manage-projects-domain-administration"></a>

The Projects section in domain administration provides centralized management of all projects within your Amazon SageMaker Unified Studio domain. Domain administrators can view project details, monitor project status, create new projects, and manage project configurations.

Projects in Amazon SageMaker Unified Studio enable users to collaborate on various business use cases. Within projects, users can manage data assets, perform data analysis, organize workflows, and develop machine learning models.

From the domain administration perspective, you can oversee all projects in the domain and ensure proper configuration.

Prerequisites:
+ Domain administrator permissions for Amazon SageMaker Unified Studio
+ IAM role or user with the `SageMakerStudioAdminIAMDefaultExecutionPolicy` policy attached

Perform the following procedure:

1. From the domain administration page, choose **Projects** in the left navigation pane.

1. The Projects page displays:
   + Domain details section showing account information, region, domain ID, admin roles, and creation date
   + Projects section listing all projects in the domain with details including:
     + Project name
     + Creation date (UTC-08:00)
     + Status (Active, Creating, Deleting)
     + Project URL
     + Actions menu

1. To view project details, choose the project name from the list.

1. To create a new project, choose **Create project** in the upper right corner of the Projects section.

1. Use the search functionality by entering terms in the **Find** search box to locate specific projects.

1. To perform actions on a project, choose the **Actions** menu (three dots) next to the project name for available options.

1. Monitor project status in the Status column to track project lifecycle states.

# Configure Domain Settings
<a name="configure-domain-settings-iam-based"></a>

The Settings section in domain administration provides access to domain-level configuration options that apply across all projects in your Amazon SageMaker Unified Studio domain. Domain administrators can view domain details and configure networking settings.

1. From the domain administration page, choose **Settings** in the left navigation pane.

1. The Settings page displays the **Domain details** section with the following information:
   + Account - AWS account ID where the domain is hosted
   + Region - AWS region where the domain is deployed
   + Domain ID - Unique identifier for the Amazon SageMaker Unified Studio domain
   + Admin login role - IAM role ARN for domain administrator login
   + Admin execution role - IAM role ARN for domain administrator execution
   + Creation date - When the domain was created
   + KMS key ARN - AWS KMS key used for domain encryption

1. Review the **Networking** section to view or configure:
   + VPC configuration settings
   + Subnet assignments
   + Network security parameters

# Projects in IAM-based domains
<a name="projects-iam-based-domains"></a>

Projects in IAM-based domains provide isolated environments for data analytics and AI/ML development work. Each project has one IAM role for login, one IAM role for accessing data and resources, and storage configurations that determine what resources and data project members can access from within the project. All members of a project within an IAM-based domain have the same access to data and compute; this access is managed through the project's execution IAM role.

Projects can be created in the following ways:

1. The Amazon SageMaker Unified Studio admin creates the project on behalf of users from the Domain administration page.

1. The Amazon SageMaker Unified Studio admin prepares IAM roles for self-setup of projects created directly from AWS services - Amazon Athena, Amazon S3 Tables, and Amazon Redshift.

Projects within IAM-based domains require two IAM roles:
+ **Member IAM role or user** – Authenticates users and provides access to the Amazon SageMaker Unified Studio project. This role or user must have the SageMakerStudioUserIAMConsolePolicy managed policy attached, or equivalent permissions through another policy. Use this role to access your assigned project from the Amazon SageMaker Unified Studio interface.
+ **Execution IAM role** – Defines which AWS analytics, AI, and ML service data the project can access. This role determines available data and resources in the portal. Amazon SageMaker Unified Studio assumes this role to make service calls on behalf of project users. The execution IAM role requires the SageMakerStudioUserIAMDefaultExecutionPolicy managed policy (or equivalent permissions) and a trust policy that allows Amazon SageMaker Unified Studio and related AWS services to assume the role.

**Note**  
The Execution IAM role can be the same IAM role as the Member IAM role. Both roles require specific policy attachments and trust relationships to function correctly within the IAM-based domain architecture. The system validates these permissions during setup and provides guidance for any missing configurations.

# Set up projects within an IAM-based domain
<a name="setup-projects-iam-based-domains"></a>

To create a project within an IAM-based domain, you assign a Member IAM role or user and an Execution IAM role, configure execution permissions for the execution role, and set up storage options. By default, projects can access resources within the domain's AWS account. You can configure the project execution IAM role to access data and resources across AWS accounts and regions.

## Preparing IAM roles
<a name="preparing-iam-roles-projects"></a>

**Member IAM role:**
+ [SageMakerStudioUserIAMConsolePolicy](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioUserIAMConsolePolicy.html) must be attached or have the same permissions added via another policy.

**Execution IAM role:**
+ When Amazon SageMaker Unified Studio creates this role for you, it attaches [SageMakerStudioUserIAMDefaultExecutionPolicy](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioUserIAMDefaultExecutionPolicy.html).
+ When you provide your own role, [SageMakerStudioUserIAMConsolePolicy](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioUserIAMConsolePolicy.html) must be attached. An inline policy is needed to allow this role to pass itself to other services, and a trust policy is needed to allow Amazon SageMaker Unified Studio and related services to assume this execution IAM role.

## Create new project from domain administration page
<a name="create-project-domain-admin"></a>

1. From the domain administration page, choose Projects in the left navigation pane.

1. Choose Create project. This will open up the create project panel.

1. Give the project a name and choose Next.

1. Select a Member role or user.

1. Select an Execution role, choose either to Auto-create a new role with permissions or Use an existing role.

1. Choose Create.

1. You should see a Creating project notification.

1. Once the project is successfully created, you should see an entry in the projects table with the project name.

## Prepare other IAM roles for other users to self-service setup projects
<a name="prepare-iam-roles-self-service"></a>

You can configure other IAM roles in your account so that their users can set up their own Amazon SageMaker Unified Studio project within your IAM-based domain. You must add permissions and policies to these existing IAM roles so that they can set up a project using the Member IAM role for login and the Execution IAM role for accessing data and resources within the project. This lets users create projects from the AWS console through these AWS services: Amazon Athena, Amazon S3 Tables, and Amazon Redshift.

**Member IAM role:**

1. Sign in with the IAM role (defined in [Overview of IAM-based domains](iam-based-domains-overview.md)) that has the AWS IAM administrator privileges described in the prerequisites.

1. Navigate to the IAM console.

1. Choose Add permission followed by Attach policy and search for the managed policy [SageMakerStudioUserIAMConsolePolicy](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioUserIAMConsolePolicy.html). Select it to add it to your existing role.

**Execution IAM role:**

1. Sign in with the IAM role that has the AWS IAM administrator privileges described in the prerequisites.

1. Navigate to the IAM console.

1. Choose Add permission followed by Attach policy and search for the managed policy [SageMakerStudioUserIAMDefaultExecutionPolicy](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioUserIAMDefaultExecutionPolicy.html). Select it to add it to your existing role.

1. Add the inline policy to allow this role to pass itself to other services.

1. Add a trust policy: Allow Amazon SageMaker Unified Studio and related services to assume this Execution IAM role.
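The three execution-role requirements, listed under Preparing IAM roles and again in the steps above (the managed policy attached, an inline policy letting the role pass itself, and a trust policy for the services that assume it), can be verified before the role is handed to users. The following is an added example, not AWS or Amazon SageMaker Unified Studio code; it runs offline on dicts shaped like the IAM GetRole, ListAttachedRolePolicies and GetRolePolicy responses, and the account ID and the service principal in the sample are placeholders, since the page does not list the exact principals.

```python
"""Offline preflight for an Amazon SageMaker Unified Studio execution IAM role
(added example, not AWS code). Inputs are shaped like the IAM API responses an
administrator would collect (GetRole, ListAttachedRolePolicies, GetRolePolicy)
but are constructed inline here so the checks run without AWS access."""

# Managed policy this page requires on the execution role.
REQUIRED_MANAGED_POLICY = "SageMakerStudioUserIAMDefaultExecutionPolicy"


def _as_list(value):
    """IAM policy fields (Action, Resource, Service) may be a scalar or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def has_managed_policy(attached_policies, name=REQUIRED_MANAGED_POLICY):
    """True if a managed policy with this name is attached to the role."""
    return any(p.get("PolicyName") == name for p in attached_policies)


def can_pass_self(role_arn, inline_policy_docs):
    """True if an Allow statement grants iam:PassRole on the role's own ARN.

    A Resource of "*" also satisfies the check but is broader than the page's
    'pass itself' requirement; scope the resource to the role ARN in practice.
    """
    for doc in inline_policy_docs:
        for stmt in _as_list(doc.get("Statement")):
            if stmt.get("Effect") != "Allow":
                continue
            actions = {a.lower() for a in _as_list(stmt.get("Action"))}
            if not actions & {"iam:passrole", "iam:*", "*"}:
                continue
            if any(r in ("*", role_arn) for r in _as_list(stmt.get("Resource"))):
                return True
    return False


def trusted_services(trust_policy_doc):
    """Service principals that an Allow sts:AssumeRole statement trusts."""
    trusted = set()
    for stmt in _as_list(trust_policy_doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if not actions & {"sts:assumerole", "sts:*", "*"}:
            continue
        principal = stmt.get("Principal")
        if isinstance(principal, dict):
            trusted.update(_as_list(principal.get("Service")))
    return trusted


# Constructed sample. The account ID and service principal are placeholders: the
# page names "Amazon SageMaker Unified Studio and related services" without
# listing them, so compare against the principals in your own trust policy.
SAMPLE_ROLE_ARN = "arn:aws:iam::111122223333:role/example-execution-role"
SAMPLE_ATTACHED = [{"PolicyName": REQUIRED_MANAGED_POLICY,
                    "PolicyArn": "arn:aws:iam::aws:policy/" + REQUIRED_MANAGED_POLICY}]
SAMPLE_INLINE = [{"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "iam:PassRole", "Resource": SAMPLE_ROLE_ARN}]}]
SAMPLE_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": "placeholder.amazonaws.com"},
     "Action": "sts:AssumeRole"}]}
```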

# View and Manage Project Details
<a name="view-manage-project-details-iam-based"></a>

Project details include storage configuration, execution role assignments, member information, and networking settings that determine how resources within the project operate.

**Viewing Project Details**

1. From the domain administration page, choose **Projects** in the left navigation pane.

1. In the Projects list, choose the project name you want to view.

1. The project details page displays the following information:

   1. **Project Header:**
      + Project name and status (Active, Creating, Deleting)
      + Project description
      + Action buttons: Delete, Edit, Share info

   1. **Details Section:**
      + Project URL - Link to access the project portal
      + Project ARN - Amazon Resource Name for the project
      + Storage - Amazon S3 bucket location for project files
      + Execution role ARN - IAM role that defines data access permissions

   1. **Members Section:**
      + Member ARN - IAM role or user that can login and access the project
      + Description of member access capabilities

   1. **Networking Section:**
      + VPC - Virtual Private Cloud configuration status
      + Network settings that apply to resources created in the project

1. To perform actions on the project, use the buttons in the project header:
   + Choose **Edit** to modify project settings
   + Choose **Share info** to generate welcome message for users
   + Choose **Delete** to remove the project

1. To return to the Projects list, choose **Projects** in the breadcrumb navigation.

# Edit Project Configuration
<a name="edit-project-configuration-iam-based"></a>

You can edit the project description to reflect changes in business context or project scope and update the member role to change project access permissions.

1. From the domain administration page, choose **Projects** in the left navigation pane.

1. Choose the project name you want to edit from the Projects list.

1. On the project details page, choose **Edit**.

1. In the Edit Project dialog, modify the available settings:

   1. **Details Section:**
      + Description - Update the project description (optional, up to 2048 characters)

   1. **Member Section:**
      + IAM role - Update the IAM role or user that can login and access the project

1. Review the information note about required permissions: SageMakerStudioUserIAMConsolePolicy must be attached, or the same permissions must be granted through another policy.

1. Choose **Save** to apply your changes.

1. The project details page refreshes with the updated information.

Your changes are applied immediately. If you updated the member role, the new IAM role or user will have access to the project, and the previous role will no longer have access.

# Share Project Information
<a name="share-project-information-iam-based"></a>

This feature simplifies user onboarding by providing all necessary access information in a formatted message that can be copied and shared via email or other communication channels.

1. From the domain administration page, choose **Projects** in the left navigation pane.

1. Choose the project name from the Projects list.

1. On the project details page, choose **Share info**.

1. In the Share project information dialog, review the generated welcome message that includes:
   + Welcome text explaining the project setup
   + URL - Direct link to the Amazon SageMaker Unified Studio portal
   + IAM role - The specific IAM role the user should use to access the project

1. Choose **Copy message** to copy the entire welcome message to your clipboard.

1. Choose **Close** to close the dialog.

1. Paste the copied message into your preferred communication method (email, chat, documentation) to share with project members.

The welcome message provides users with complete information needed to access their project, including login instructions and the specific IAM role they should use.

# Delete a Project
<a name="delete-project-iam-based"></a>

Before deleting a project, ensure that all important data and resources have been backed up or migrated, as the deletion process removes all project content permanently.

1. From the domain administration page, choose **Projects** in the left navigation pane.

1. Choose the project name you want to delete from the Projects list.

1. On the project details page, choose **Delete**.

1. In the Delete project confirmation dialog:

   1. Review the warning message: "Deleting a project is final and removes all resources and assets created in the project"

   1. In the confirmation field, type **confirm** to acknowledge the deletion

   1. Choose **Delete** to permanently delete the project.

1. The project status changes to "Deleting" and the project is removed from the domain.

**Warning**  
Deleting a project is final and removes all resources and assets created in the project. This action cannot be undone by you or by AWS.

The project and all associated resources are permanently removed from your Amazon SageMaker Unified Studio domain.