

# Project profiles in Amazon SageMaker Unified Studio
<a name="project-profiles"></a>

In Amazon SageMaker Unified Studio, a project profile defines an overarching template for projects in your Amazon SageMaker unified domains. A project profile is a collection of [blueprints](blueprints.md), which are configurations used to create projects. A project profile can define whether a particular blueprint is enabled when the project is created or is available later for project users to enable on demand.

You must be an administrator of an Amazon SageMaker unified domain to create and manage project profiles. In the current release of Amazon SageMaker Unified Studio, you can create a set of template project profiles. These templates serve as pre-defined configurations that include specific combinations of capabilities. When you select a template, Amazon SageMaker creates the corresponding project profile in your domain based on that template's definition. Additionally, you can create custom project profiles that include any combination of capabilities tailored to your specific needs. In Amazon SageMaker Unified Studio, you can create the following template project profiles:
+ [All capabilities project profile](all-capabilities.md) 
+ [SQL analytics project profile](sql-analytics.md) 
+ [Generative AI application development project profile](genai-application-development.md) 
+ [Custom project profile](custom.md)

# All capabilities project profile
<a name="all-capabilities"></a>

The All capabilities project profile enables your Amazon SageMaker Unified Studio users to analyze data and build machine learning and generative AI models and applications powered by Amazon Bedrock, Amazon EMR, AWS Glue, Amazon Athena, Amazon SageMaker AI, and Amazon SageMaker Lakehouse.

You can use the following procedures to create an all capabilities project profile.

**Topics**
+ [Configure all capabilities for your Amazon SageMaker unified domain](#configure-all-capabilities)
+ [Create an All capabilities project profile](#create-all-capabilities-project-profile)

## Configure all capabilities for your Amazon SageMaker unified domain
<a name="configure-all-capabilities"></a>

Complete the following procedure to configure all capabilities for your Amazon SageMaker unified domain.

1. Navigate to the Amazon SageMaker management console at [https://console.aws.amazon.com/datazone](https://console.aws.amazon.com/datazone) and use the region selector in the top navigation bar to choose the appropriate AWS Region.

1. Either create a new domain or choose an existing domain where you want to configure all capabilities. 

1. On the domain's details page, under the **Next steps for your domain** section, choose the **Configure** button next to **All capabilities**.

1. On the **Create project profile: All capabilities** page, in the **All capabilities** section, review the on-create and on-demand capabilities for this project profile. On-create capabilities are configured and ready to use when the project is created. On-demand capabilities can be configured when needed after project creation to control cost.

1. On the **Create project profile: All capabilities** page, expand the **Default tooling blueprint deployment settings** section and review the settings, including the Tooling blueprint deployment account and region.

   **Important**  
   Note that by configuring all capabilities for your domain (this procedure), you can only enable the Tooling blueprint in the same AWS account and region as your domain. To enable the Tooling blueprint in an account or region that's different from that of your domain, see [Create an All capabilities project profile](#create-all-capabilities-project-profile) or [Custom project profile](custom.md).

1. On the **Create project profile: All capabilities** page, in the **Enable blueprints** section, review the following blueprints that will be enabled for this project profile.
   + MLExperiments
   + Workflows
   + LakehouseCatalog
   + EmrOnEc2
   + Tooling
   + RedshiftServerless
   + LakeHouseDatabase
   + EmrServerless
   + AmazonBedrockGenerativeAI

   **Important**  
   Note that by configuring all capabilities for your domain (this procedure), you can only enable these blueprints in the same AWS account and region as your domain. To enable these blueprints in an account or region that's different from that of your domain, see [Create an All capabilities project profile](#create-all-capabilities-project-profile) or [Custom project profile](custom.md).

1. On the **Create project profile: All capabilities** page, in the **Manage access role** section, specify a service role that gives Amazon SageMaker Unified Studio authorization to ingest and manage access to datashares, tables and views in Amazon Redshift. You can create a new role or use an existing one.

1. On the **Create project profile: All capabilities** page, in the **Provisioning role** section, specify a service role that gives Amazon SageMaker Unified Studio authorization to ingest and manage access to datashares, tables and views in Amazon Redshift.

1. On the **Create project profile: All capabilities** page, in the **Amazon S3 bucket for blueprints** section, specify an Amazon S3 bucket for blueprints in your AWS account.

1. On the **Create project profile: All capabilities** page, in the **Networking** section, specify a VPC in which to provision your Amazon SageMaker unified domain. VPCs tagged with Amazon SageMaker Unified Studio should be correctly configured. In the **Subnets** section, select at least 3 subnets in different **Availability Zones** that contain required VPC Endpoints. Private subnets are recommended; not all functionality is available when selecting public subnets.

1. In the **Data encryption** section, specify the encryption settings. Your data is encrypted by default with a key that AWS owns and manages for you. To choose a different key, customize your encryption settings.

1. In the **User role policy** section, you have the option to specify your own user role policy. Amazon SageMaker Unified Studio creates IAM roles for project users to perform data analytics, AI, and ML actions. You can attach your own AWS IAM policies to the role rather than using the default system-managed policy. This provides more granular control over permissions but requires knowledge of IAM policy configuration. The IAM policy must include all necessary permissions required for the service to function properly.

1. On the **Create project profile: All capabilities** page, in the **Authorization - optional** section, specify who can use this project profile to create projects in all domain units. This can also be done per domain unit in Amazon SageMaker Unified Studio. Choose either **Selected users and groups** (select which users and groups are authorized to use this project profile) or **Allow all users and groups** (allow any user to use this project profile).

   **Note**  
   Projects do not provide strong security isolation. To limit cross-domain and cross-project resource discovery you can consider creating projects in separate accounts.

1. Choose **Create project profile**.

After you complete this procedure, your All capabilities project profile for this domain is created and all the supported blueprints for it are enabled. Your domain users can then proceed to use this project profile to create projects in Amazon SageMaker Unified Studio.

## Create an All capabilities project profile
<a name="create-all-capabilities-project-profile"></a>

Complete the following procedure to create an All capabilities project profile for your Amazon SageMaker unified domain. Once this procedure is complete, your All capabilities project profile will only include the capabilities defined in the [Tooling blueprint](blueprints.md). To complete configuring all capabilities for your Amazon SageMaker unified domain, you must then use the **Blueprints** tab and configure the following blueprints for this project profile:
+ MLExperiments
+ Workflows
+ LakehouseCatalog
+ EmrOnEc2
+ RedshiftServerless
+ LakeHouseDatabase
+ EmrServerless
+ AmazonBedrockGenerativeAI

**Important**  
Note that when you enable a blueprint, by default, you are enabling it in the same region as your domain. When you are enabling blueprints for a project profile that is created and enabled in a different region from your domain, you must enable these blueprints in the same region where this project profile is enabled (in addition to enabling them in the same region as your domain). You can do this via the **Regions** tab in the blueprint details page. This applies to all blueprints, including the Tooling blueprint.

1. Navigate to the Amazon SageMaker management console at [https://console.aws.amazon.com/datazone](https://console.aws.amazon.com/datazone) and use the region selector in the top navigation bar to choose the appropriate AWS Region.

1. Either create a new domain or choose an existing domain where you want to create an All capabilities project profile.

1. On the domain's details page, choose the **Project profiles** tab and then choose **Create**.

1. On the **Create project profile** page, in the **Project profile name and description** section, specify the name of the project profile and the description.

1. On the **Create project profile** page, in the **Project profile creation options** section, choose **Create from a template**, and then under **Project profile templates**, choose **All capabilities**.

1. On the **Create project profile** page, in the **Default tooling blueprint deployment settings** section, review the selections for the default deployment settings for the Tooling blueprint.

   1. On the **Create project profile** page, in the **Project files storage** section, choose a storage configuration type from Amazon S3 - new and Git repository. For more information on storage types, see [._unified-storage.xml](._unified-storage.xml)

   **Important**  
   Note that by creating this project profile from a template, you can either enable the Tooling blueprint in the same AWS account and region as your domain (prepopulated by default) or you can enable the Tooling blueprint in a different AWS account and region from this domain (an associated account).

1. On the **Create project profile** page, in the **Authorization - optional** section, specify who can use this project profile to create projects in all domain units. This can also be done per domain unit in Amazon SageMaker Unified Studio. You can specify **Selected users and groups** or **Allow all users and groups** options.

   **Note**  
   Projects do not provide strong security isolation. To limit cross-domain and cross-project resource discovery you can consider creating projects in separate accounts.

1. On the **Create project profile** page, in the **Project profile readiness** section, specify whether you want to enable this project profile on creation. Unless you check the **Enable project profile on creation** checkbox, your project profile is disabled and not available to use for Amazon SageMaker Unified Studio projects after its creation. Leaving a project profile in a disabled state upon creation gives you the opportunity to customize your blueprints before making the project profile available.

1. Choose **Create project profile**.

**Important**  
After you complete this procedure, your All capabilities project profile will only include the capabilities defined in the [Tooling blueprint](blueprints.md). You can further customize this project profile and configure it to include all capabilities by using the **Blueprints** tab to enable the rest of its required blueprints. They are the following:
+ MLExperiments
+ Workflows
+ LakehouseCatalog
+ EmrOnEc2
+ RedshiftServerless
+ LakeHouseDatabase
+ EmrServerless
+ AmazonBedrockGenerativeAI
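
An added example, not AWS code: an offline pre-flight check for the region rule in this section, which requires every blueprint of the profile (Tooling included) to be enabled in the domain's region and also in the profile's region when the two differ. The inventory `SAMPLE_ENABLED`, the regions `us-east-1` and `eu-west-1`, and all function names are assumptions; a real inventory would be transcribed from the **Regions** tab of each blueprint's details page.

```python
from dataclasses import dataclass

# Blueprint names as listed on this page for the All capabilities profile,
# plus the Tooling blueprint that the profile always includes.
ALL_CAPABILITIES_BLUEPRINTS = (
    "Tooling",
    "MLExperiments",
    "Workflows",
    "LakehouseCatalog",
    "EmrOnEc2",
    "RedshiftServerless",
    "LakeHouseDatabase",
    "EmrServerless",
    "AmazonBedrockGenerativeAI",
)


@dataclass(frozen=True)
class Gap:
    """A blueprint that is not enabled in every region the profile needs."""
    blueprint: str
    missing_regions: tuple


def required_regions(domain_region, profile_region):
    """Regions in which every blueprint of the profile must be enabled.

    The domain's region is always required; the profile's region is added
    when the profile is created and enabled somewhere else.
    """
    regions = [domain_region]
    if profile_region != domain_region:
        regions.append(profile_region)
    return tuple(regions)


def find_region_gaps(enabled_regions, domain_region, profile_region,
                     blueprints=ALL_CAPABILITIES_BLUEPRINTS):
    """Return one Gap per blueprint that is missing a required region.

    enabled_regions maps blueprint name -> iterable of regions where the
    blueprint is enabled. A blueprint absent from the map counts as
    enabled nowhere, so it is reported with every required region.
    """
    needed = required_regions(domain_region, profile_region)
    gaps = []
    for name in blueprints:
        have = set(enabled_regions.get(name, ()))
        missing = tuple(r for r in needed if r not in have)
        if missing:
            gaps.append(Gap(name, missing))
    return gaps


def report(gaps):
    """Render gaps as one action line per blueprint."""
    return [f"{g.blueprint}: enable in {', '.join(g.missing_regions)}"
            for g in gaps]


# Constructed inventory (hypothetical): domain in us-east-1, project profile
# enabled in eu-west-1.
SAMPLE_ENABLED = {
    "Tooling": ["us-east-1", "eu-west-1"],
    "MLExperiments": ["us-east-1", "eu-west-1"],
    "Workflows": ["us-east-1"],            # default only: the domain's region
    "LakehouseCatalog": ["us-east-1", "eu-west-1"],
    "EmrOnEc2": ["eu-west-1"],             # profile region only
    "RedshiftServerless": ["us-east-1", "eu-west-1"],
    "LakeHouseDatabase": ["us-east-1", "eu-west-1"],
    "EmrServerless": ["us-east-1", "eu-west-1"],
    # AmazonBedrockGenerativeAI has not been enabled anywhere yet.
}

if __name__ == "__main__":
    gaps = find_region_gaps(SAMPLE_ENABLED, "us-east-1", "eu-west-1")
    for line in report(gaps):
        print(line)
```

Leaving the profile disabled on creation, as the **Project profile readiness** step allows, gives you room to run a check like this before users can create projects from it.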

# Generative AI application development project profile
<a name="genai-application-development"></a>

A Generative AI application development project profile enables generative AI solutions from Amazon Bedrock for your Amazon SageMaker unified domains. It provides project users in Amazon SageMaker Unified Studio with access to the following generative AI tools: Bedrock Chat Agents, Bedrock Knowledge Bases, Bedrock Guardrails, Bedrock Functions, Bedrock Flows, Bedrock Prompts, and Bedrock Evaluations.

You can complete either of the following procedures to create a Generative AI application development project profile in an Amazon SageMaker unified domain.

**Topics**
+ [Configure Amazon Bedrock in SageMaker Unified Studio for your domain](#configure-bedrock-ide)
+ [Create a generative AI application development project profile](#create-genai-application-development-project-profile)

## Configure Amazon Bedrock in SageMaker Unified Studio for your domain
<a name="configure-bedrock-ide"></a>

Complete the following procedure to configure Amazon Bedrock in SageMaker Unified Studio for your domain.

**Important**  
In the current release of Amazon SageMaker Unified Studio, project profiles for the domain can be created only by a domain administrator from the AWS account that owns the domain. Completing this procedure as a user from an associated account only enables the generative AI blueprints but it doesn't create the Generative AI application development project profile. A domain administrator from the AWS account that owns the domain must create the Generative AI application development project profile in the domain for the associated accounts.

1. Navigate to the Amazon SageMaker management console at [https://console.aws.amazon.com/datazone](https://console.aws.amazon.com/datazone) and use the region selector in the top navigation bar to choose the appropriate AWS Region.

1. Either create a new domain or choose an existing domain where you want to configure Amazon Bedrock in SageMaker Unified Studio. 

1. On the domain's details page, under the **Next steps for your domain** section, choose the **Configure** button next to the **Generative AI** domain capability.

1. On the **Create project profile: Amazon Bedrock generative AI** page, locate the **Generative AI blueprints** section and review the settings.

   As part of configuring Amazon Bedrock in SageMaker Unified Studio for your domain (this procedure) you are creating the Generative AI application development project profile and therefore you must enable the blueprints that contain the tools, resources, and parameters that this project profile requires. The following blueprints are enabled when you create this project profile as part of this procedure:
   + AmazonBedrockChatAgent
   + AmazonBedrockKnowledgeBase
   + AmazonBedrockGuardrail
   + AmazonBedrockFunction
   + AmazonBedrockFlow
   + AmazonBedrockPrompt
   + AmazonBedrockEvaluation

   **Important**  
   Note that by configuring Amazon Bedrock in SageMaker Unified Studio for your domain (this procedure), you can only enable the generative AI blueprints for this project profile in this domain's AWS account and Region. To enable these blueprints in an associated account, see [Configure Amazon Bedrock in SageMaker Unified Studio in an associated account](associated-accounts.md#configure-generative-ai).

   Under **Provisioning role**, specify a new or existing service role that is to be used by Amazon SageMaker Unified Studio to provision and manage resources defined in the selected blueprints in your account.

1. On the **Create project profile: Amazon Bedrock generative AI** page, locate the **Default tooling blueprint deployment settings** section that contains the Tooling blueprint deployment settings used to create projects from this project profile and review them and modify the following as needed. Note that if you have already enabled the Tooling blueprint, you cannot use this procedure to modify any of the Tooling blueprint settings.
   + Under **Manage access role**, specify a service role that gives Amazon SageMaker Unified Studio the authorization to create and configure project resources using AWS CloudFormation in the project account and region. If this service role already exists in this AWS account, it is selected by default.
   + For the Tooling blueprint deployment account and region, note that by configuring Amazon Bedrock in SageMaker Unified Studio capability for your domain (this procedure), you can only enable the Tooling blueprint in the same AWS account and region as your domain. To enable the Tooling blueprint in an associated account, see [Configure Amazon Bedrock in SageMaker Unified Studio in an associated account](associated-accounts.md#configure-generative-ai).
   + In the **Amazon S3 bucket for blueprints** section, specify an Amazon S3 bucket for blueprints in your AWS account.
   + In the **Networking** section, in the **Virtual private cloud (VPC) setting**, choose a VPC in which to provision your Amazon SageMaker unified domain. VPCs tagged with Amazon SageMaker Unified Studio should be correctly configured.

     In the **Subnets** section, select at least 3 subnets in different **Availability Zones** that contain required VPC Endpoints. Private subnets are recommended; not all functionality is available when selecting public subnets.
   + In the **Data encryption** section, your data is encrypted by default with a key that AWS owns and manages for you. Encryption cannot be changed after the domain is created. Choose either **Use AWS owned key** (a key that AWS owns and manages for you) or **Choose a different AWS KMS key (advanced)** (a key that you have permissions to use, or create a new one), and then specify an existing AWS KMS key or create a new one.
   + In the **User role policy** section, you have the option to specify your own user role policy. Amazon SageMaker Unified Studio creates IAM roles for project users to perform data analytics, AI, and ML actions. You can attach your own AWS IAM policies to the role rather than using the default system-managed policy. This provides more granular control over permissions but requires knowledge of IAM policy configuration. The IAM policy must include all necessary permissions required for the service to function properly.

1. On the **Create project profile: Amazon Bedrock generative AI** page, in the **Authorization - optional** section, specify who can use this project profile to create projects in all domain units. This can also be done per domain unit in Amazon SageMaker Unified Studio. Choose either **Selected users and groups** (select which users and groups are authorized to use this project profile) or **Allow all users and groups** (allow any user to use this project profile).

   **Note**  
   Projects do not provide strong security isolation. To limit cross-domain and cross-project resource discovery you can consider creating projects in separate accounts.

1. On the **Create project profile: Amazon Bedrock generative AI** page, in the **Permissions for Bedrock model access** section, specify the permissions for users to interact with the enabled Amazon Bedrock models. The system can automatically create roles to control user access and interactions with these models or you can specify existing roles. 

   For the **Model provisioning** role, you can create a new role or use an existing one. The system uses the role you specify as the provisioning role to create an inference profile that has access to an Amazon Bedrock model in a project. The role you specify here is used as the provisioning role for all the Amazon Bedrock models enabled for this domain.

   For the **Model consumption** role, you can create a new role or use an existing one. The system uses a consumption role to grant users access to Amazon Bedrock models in the playground in Amazon SageMaker Unified Studio.

1. Choose **Next** to advance to the **Configure model access** page.

1. On the **Configure model access** page, in the **Models** section, you can configure access to your Amazon Bedrock serverless models by enabling or disabling them for this domain. 

   The system queries Amazon Bedrock and displays a list of Amazon Bedrock serverless models to which you have access. If no models are listed or if a specific model is missing, visit the Amazon Bedrock management console for the appropriate account and Region to grant access. If you have updated model access in Amazon Bedrock, choose the refresh icon in the **Amazon Bedrock Models** tab to refresh the list of accessible models.

   The following are important elements to consider as you review the generated list of models:
   + Every model in the list is prepopulated with certain details, including modality, inference type, whether it's enabled in projects and playground, and roles for model access. A model's modality indicates the type of output data it can generate. Amazon Bedrock in SageMaker Unified Studio supports Amazon Bedrock foundation models with on-demand throughput and on-demand cross-region inference. If a model supports both on-demand and on-demand cross-region inference, it appears in the list twice with the appropriate value listed in the **Inference** column. Amazon Bedrock in SageMaker Unified Studio does NOT support provisioned throughput, custom models, or imported models.
   + For easy setup, the system pre-selects accessible models that support on-demand throughput, excluding legacy models, to enable in projects and playground. Review and adjust the list to enable models for projects and playgrounds based on your specific requirements.
   + If the model that you want to manage for your Amazon SageMaker Unified Studio users is not present in the list, make sure that it has been enabled for access in Amazon SageMaker Unified Studio. This is done in the Amazon Bedrock management console. For more information, see [Amazon Bedrock Documentation](https://docs.aws.amazon.com/bedrock/). 

1. On the **Configure model access** page, in the **Default models - optional** section, you can set default models for the generative AI playgrounds in Amazon SageMaker Unified Studio. 

   Amazon Bedrock in SageMaker Unified Studio supports generative AI playgrounds that enable Amazon SageMaker unified domain users to easily experiment with Amazon Bedrock models. Users can send prompt requests to various models and view the responses. There are two types of playgrounds in Amazon Bedrock in SageMaker Unified Studio: the chat playground and the image and video playground.

   For the **Chat playground - optional**, select a default model from the drop-down menu. The drop-down menu includes only the models that support **Text** as the output modality and are enabled for playground use. 

   For the **Image and video playground - optional**, select a default model from the drop-down menu. The drop-down menu will include only the models that support either **Image** or **Video** as the output modality and are enabled for playground use. 

1. Choose **Finish** to complete configuring Amazon Bedrock in SageMaker Unified Studio for this domain.

Once the action is successfully completed and you've finished configuring Amazon Bedrock in SageMaker Unified Studio for this domain, you are redirected to the domain's details page where you can find the enabled generative AI blueprints under the **Blueprints** tab, a Generative AI project profile under the **Project profiles** tab, and the enabled models listed in the **Amazon Bedrock models** tab. Note that you can manage model access directly from the **Amazon Bedrock models** tab. For more information, see [Amazon Bedrock in SageMaker Unified Studio](amazon-bedrock.md).

## Create a generative AI application development project profile
<a name="create-genai-application-development-project-profile"></a>

Complete the following procedure to create a Generative AI application development project profile for your Amazon SageMaker unified domain. Once this procedure is complete, your Generative AI application development project profile will only include the capabilities defined in the [Tooling blueprint](blueprints.md). To configure the full generative AI application development capability for your Amazon SageMaker unified domain, you must then use the **Blueprints** tab and configure the **AmazonBedrockGenerativeAI** blueprint for this project profile. The **AmazonBedrockGenerativeAI** blueprint contains the following generative AI blueprints:
+ AmazonBedrockChatAgent
+ AmazonBedrockKnowledgeBase
+ AmazonBedrockGuardrail
+ AmazonBedrockFunction
+ AmazonBedrockFlow
+ AmazonBedrockPrompt
+ AmazonBedrockEvaluation

**Important**  
Note that when you enable a blueprint, by default, you are enabling it in the same region as your domain. When you are enabling blueprints for a project profile that is created and enabled in a different region from your domain, you must enable these blueprints in the same region where this project profile is enabled (in addition to enabling them in the same region as your domain). You can do this via the **Regions** tab in the blueprint details page. This applies to all blueprints, including the Tooling blueprint.

1. Navigate to the Amazon SageMaker management console at [https://console.aws.amazon.com/datazone](https://console.aws.amazon.com/datazone) and use the region selector in the top navigation bar to choose the appropriate AWS Region.

1. Either create a new domain or choose an existing domain where you want to create a generative AI application development project profile. 

1. On the domain's details page, choose the **Project profiles** tab and then choose **Create**.

1. On the **Create project profile** page, in the **Project profile name and description** section, specify the name of the project profile and the description.

1. On the **Create project profile** page, in the **Project profile creation options** section, choose **Create from a template**, and then under **Project profile templates**, choose **Generative AI application development**.

1. On the **Create project profile** page, in the **Default tooling blueprint deployment settings** section, review the selections for the default deployment settings for the Tooling blueprint.

   1. On the **Create project profile** page, in the **Project files storage** section, choose a storage configuration type from Amazon S3 - new and Git repository. For more information on storage types, see [._unified-storage.xml](._unified-storage.xml)

   **Important**  
   Note that by creating this project profile from a template, you can either enable the Tooling blueprint in the same AWS account and region as your domain (prepopulated by default) or you can enable the Tooling blueprint in a different AWS account and region from this domain (an associated account).

1. On the **Create project profile** page, in the **Authorization - optional** section, specify who can use this project profile to create projects in all domain units. This can also be done per domain unit in Amazon SageMaker Unified Studio. You can specify **Selected users and groups** or **Allow all users and groups** options.

   **Note**  
   Projects do not provide strong security isolation. To limit cross-domain and cross-project resource discovery you can consider creating projects in separate accounts.

1. On the **Create project profile** page, in the **Project profile readiness** section, specify whether you want to enable this project profile on creation. Unless you check the **Enable project profile on creation** checkbox, your project profile is disabled and not available to use for Amazon SageMaker Unified Studio projects after its creation. Leaving a project profile in a disabled state upon creation gives you the opportunity to customize your blueprints before making the project profile available.

1. Choose **Create project profile**.

# SQL analytics project profile
<a name="sql-analytics"></a>

The SQL analytics project profile enables your users to query Amazon SageMaker Lakehouse, Amazon Redshift and Amazon Athena data in their Amazon SageMaker Unified Studio projects. Amazon SageMaker Unified Studio project members can analyze their data in Amazon SageMaker Lakehouse using SQL.

You can complete the following procedures to create a SQL analytics project profile for your Amazon SageMaker unified domain.

**Topics**
+ [Configure SQL analytics for your Amazon SageMaker unified domain](#configure-sql-analytics)
+ [Create a SQL analytics project profile](#create-sql-analytics-project-profile)

## Configure SQL analytics for your Amazon SageMaker unified domain
<a name="configure-sql-analytics"></a>

Complete the following procedure to configure SQL analytics capability for your Amazon SageMaker unified domain.

1. Navigate to the Amazon SageMaker management console at [https://console.aws.amazon.com/datazone](https://console.aws.amazon.com/datazone) and use the region selector in the top navigation bar to choose the appropriate AWS Region.

1. Either create a new domain or choose an existing domain where you want to configure SQL analytics. 

1. On the domain's details page, under the **Next steps for your domain** section, choose the **Configure** button next to the **SQL** capability.

1. On the **Create project profile - SQL analytics** page, in the **SQL analytics** section, review the capabilities, tools, and functionalities that are enabled for this project profile. 

1. On the **Create project profile: SQL analytics** page, expand the **Default tooling blueprint deployment settings** section and review the settings, including the Tooling blueprint deployment account and region.

   **Important**  
   Note that by configuring the SQL analytics capability for your domain (this procedure), you can only enable the Tooling blueprint in the same AWS account and region as your domain. To enable the Tooling blueprint in an account or region that's different from that of your domain, see [Create a SQL analytics project profile](#create-sql-analytics-project-profile) or [Custom project profile](custom.md).

1. On the **Create project profile: SQL analytics** page, in the **Enable blueprints** section, review the following blueprints that will be enabled for this project profile.
   + LakehouseCatalog
   + RedshiftServerless
   + DataLake

   **Important**  
   Note that by configuring SQL analytics for your domain (this procedure), you can only enable these blueprints in the same AWS account and region as your domain. To enable these blueprints in an account or region that's different from that of your domain, see [Create a SQL analytics project profile](#create-sql-analytics-project-profile) and [Custom project profile](custom.md).

1. On the **Create project profile: SQL analytics** page, in the **Manage access role** section, specify a service role that gives Amazon SageMaker Unified Studio authorization to ingest and manage access to datashares, tables and views in Amazon Redshift. You can create a new role or use an existing one.

1. On the **Create project profile: SQL analytics** page, in the **Provisioning role** section, specify a service role that gives Amazon SageMaker Unified Studio authorization to ingest and manage access to datashares, tables and views in Amazon Redshift.

1. On the **Create project profile: SQL analytics** page, in the **Amazon S3 bucket for blueprints** section, specify an Amazon S3 bucket for blueprints in your AWS account.

1. On the **Create project profile: SQL analytics** page, in the **Networking** section, specify a VPC in which to provision your Amazon SageMaker unified domain. VPCs tagged with Amazon SageMaker Unified Studio should be correctly configured. In the **Subnets** section, select at least 3 subnets in different **Availability Zones** that contain required VPC Endpoints. Private subnets are recommended; not all functionality is available when selecting public subnets.

1. In the **Data encryption** section, specify the encryption settings. Your data is encrypted by default with a key that AWS owns and manages for you. To choose a different key, customize your encryption settings.

1. In the **User role policy** section, you have the option to specify your own user role policy. Amazon SageMaker Unified Studio creates IAM roles for project users to perform data analytics, AI, and ML actions. You can attach your own AWS IAM policies to the role rather than using the default system-managed policy. This provides more granular control over permissions but requires knowledge of IAM policy configuration. The IAM policy must include all necessary permissions required for the service to function properly.

1. On the **Create project profile: SQL analytics** page, in the **Authorization - optional** section, specify who can use this project profile to create projects in all domain units. This can also be done per domain unit in the Amazon SageMaker Unified Studio. Choose either **Selected users and groups** (select which users and groups are authorized to use this project profile) or **Allow all users and groups** (allow any user to use this project profile).
**Note**  
Projects do not provide strong security isolation. To limit cross-domain and cross-project resource discovery you can consider creating projects in separate accounts.

1. Choose **Create project profile**.

## Create a SQL analytics project profile
<a name="create-sql-analytics-project-profile"></a>

Complete the following procedure to create a SQL analytics project profile for your Amazon SageMaker unified domain. Once this procedure is complete, your SQL analytics project profile will only include the capabilities defined in the [Tooling blueprint](blueprints.md). To configure the full data analytics and SQL analytics capability for your Amazon SageMaker unified domain, you must then use the **Blueprints** tab and configure the following blueprints for this project profile:
+ LakehouseCatalog
+ RedshiftServerless
+ DataLake

**Important**  
Note that when you enable a blueprint, by default, you are enabling it in the same region as your domain. When you are enabling blueprints for a project profile that is created and enabled in a different region from your domain, you must enable these blueprints in the same region where this project profile is enabled (in addition to enabling this blueprint in the same region as your domain). You can do this via the **Regions** tab in the blueprint details page. This applies to all blueprints, including the Tooling blueprint.

1. Navigate to the Amazon SageMaker management console at [https://console.aws.amazon.com/datazone](https://console.aws.amazon.com/datazone) and use the region selector in the top navigation bar to choose the appropriate AWS Region.

1. Either create a new domain or choose an existing domain where you want to create a SQL analytics project profile. 

1. On the domain's details page, choose the **Project profiles** tab and then choose **Create**.

1. On the **Create project profile** page, in the **Project profile name and description** section, specify the name of the project profile and the description.

1. On the **Create project profile** page, in the **Project profile creation options** section, choose **Create from a template**, and then under **Project profile templates**, choose **SQL analytics**.

1. On the **Create project profile** page, in the **Default tooling blueprint deployment settings** section, review the selections for the default deployment settings for the Tooling blueprint and update them as needed. 

   1. On the **Create project profile** page, in the **Project files storage** section, choose a storage configuration type from Amazon S3 - new and Git repository. For more information on storage types, see [._unified-storage.xml](._unified-storage.xml) 
**Important**  
Note that by creating this project profile from a template, you can either enable the Tooling blueprint in the same AWS account and region as your domain (prepopulated by default) or you can enable the Tooling blueprint in a different AWS account and region from this domain (an associated account).

1. On the **Create project profile** page, in the **Authorization - optional** section, specify who can use this project profile to create projects in all domain units. This can also be done per domain unit in Amazon SageMaker Unified Studio. You can specify **Selected users and groups** or **Allow all users and groups** options.
**Note**  
Projects do not provide strong security isolation. To limit cross-domain and cross-project resource discovery you can consider creating projects in separate accounts.

1. On the **Create project profile** page, in the **Project profile readiness** section, specify whether you want to enable this project profile on creation. Unless you check the **Enable project profile on creation** checkbox, your project profile is disabled and not available to use for Amazon SageMaker Unified Studio projects after its creation. Leaving a project profile in a disabled state upon creation gives you the opportunity to customize your blueprints before making the project profile available.

1. Choose **Create project profile**.

**Important**  
After you complete this procedure, your SQL project profile will only include the capabilities defined in the [Tooling blueprint](blueprints.md). You can further customize this project profile and configure it to include the full supported SQL analytics capability by using the **Blueprints** tab to enable the rest of its required blueprints. They are the following:
+ LakehouseCatalog
+ RedshiftServerless
+ DataLake

# Custom project profile
<a name="custom"></a>

Complete the following procedure to create a custom project profile for your Amazon SageMaker unified domain. With the Custom creation option, you can create a project profile from scratch with your own profile settings and a selection of blueprints.

1. Navigate to the Amazon SageMaker management console at [https://console.aws.amazon.com/datazone](https://console.aws.amazon.com/datazone) and use the region selector in the top navigation bar to choose the appropriate AWS Region.

1. Either create a new domain or choose an existing domain where you want to create a custom project profile.

1. On the domain's details page, choose the **Project profiles** tab and then choose **Create**.

1. On the **Create project profile** page, in the **Project profile name and description** section, specify the name of the project profile and the description.

1. On the **Create project profile** page, in the **Project profile creation options** section, choose **Custom create**.

1. On the **Create project profile** page, in **Blueprints**, specify the Amazon SageMaker Unified Studio blueprints to use in your project. You can customize each blueprint configuration after this custom project profile is created. This is where you can choose built-in blueprints or your own [custom blueprints](custom-blueprint.md).

1. To configure the project account and Region information you want the profile to use, you can either provide account and Region information that projects will use each time, or you can configure your project profile to allow specifying accounts during project creation. Under **Account and region**, choose one of the following.
   + To create a project profile that will use the same account and region for each project created, select **Choose account and region**. Projects created with this profile will use the specified account and region and cannot specify otherwise at project creation.
   + To create a project profile that will choose from accounts available at project creation, select **Choose account and region during project creation**.
     + Under **Accounts available during project creation**, you can choose to create a project profile that will provide a list of all AWS accounts associated to the domain for selection at project creation. To choose this option, choose **All associated accounts**. For more information about associated accounts in Amazon SageMaker Unified Studio, see [Associated accounts in Amazon SageMaker Unified Studio](associated-accounts.md).
     + Under **Accounts available during project creation**, you can choose to create a project profile that will provide account pools to be selected at project creation. An account pool is a list of authorized associated accounts and regions. To choose this option, select **Choose account pool(s)**. Next, under **Account pools**, choose the account pool or pools that you want to be available for the project profile to use at project creation. For information about creating and updating account pools, see [Account pools in Amazon SageMaker Unified Studio](account-pools.md).

1. On the **Create project profile** page, in the **Default tooling blueprint deployment settings** section, review the selections for the default deployment settings for the Tooling blueprint. 

1. On the **Create project profile** page, in the **Project files storage** section, specify the storage configuration for project code artifacts. You can choose one of the following:
   + Amazon S3
   + Git repository

   For more information, see [Unified storage in Amazon SageMaker Unified Studio](smus-admin-storage-guide.md). 

1. On the **Create project profile** page, in the **Authorization - optional** section, specify who can use this project profile to create projects in all domain units. This can also be done per domain unit in Amazon SageMaker Unified Studio. You can specify **Selected users and groups** or **Allow all users and groups** options.
**Note**  
Projects do not provide strong security isolation. To limit cross-domain and cross-project resource discovery you can consider creating projects in separate accounts.

1. On the **Create project profile** page, in the **Project profile readiness** section, specify whether you want to enable this project profile on creation. Unless you check the **Enable project profile on creation** checkbox, your project profile is disabled and not available to use for Amazon SageMaker Unified Studio projects after its creation. Leaving a project profile in a disabled state upon creation gives you the opportunity to customize your blueprints before making the project profile available.

1. Choose **Create project profile**.

# Update project profiles
<a name="update-project-profile"></a>

 Complete the following procedure to update a project profile for your domain.

1. Navigate to the Amazon SageMaker management console at [https://console.aws.amazon.com/datazone](https://console.aws.amazon.com/datazone) and use the region selector in the top navigation bar to choose the appropriate AWS Region.

1. Choose an existing domain where you want to update a project profile.

1. Choose the **Project profiles** tab and then choose the project profile that you want to update. You can choose the All capabilities project profile, the Generative AI application development project profile, the SQL analytics project profile, or your custom project profile.

1. In the project profile details page, choose **Edit**.

1. You can make changes to the project profile description, default Tooling blueprint deployment settings, including systems manager configuration parameters, the Tooling blueprint parameters, and notes for project owners. Here you can also choose between default storage and Git storage.

   Once you're done making updates, choose **Save**.

# Disable or enable project profiles
<a name="disable-enable-project-profile"></a>

 Complete the following procedure to disable or enable a project profile for your domain.

1. Navigate to the Amazon SageMaker management console at [https://console.aws.amazon.com/datazone](https://console.aws.amazon.com/datazone) and use the region selector in the top navigation bar to choose the appropriate AWS Region.

1. Choose an existing domain where you want to disable or enable a project profile.

1. Choose the **Project profiles** tab and then choose a project profile. You can choose the All capabilities project profile, the Generative AI application development project profile, the SQL analytics project profile, or your custom project profile.

1. In the project profile details page, choose either **Disable** or **Enable**.

   When enabling a project profile, confirm the action in the pop up window by choosing **Enable**.

# Delete project profiles
<a name="delete-project-profile"></a>

 Complete the following procedure to delete a project profile for your domain.

1. Navigate to the Amazon SageMaker management console at [https://console.aws.amazon.com/datazone](https://console.aws.amazon.com/datazone) and use the region selector in the top navigation bar to choose the appropriate AWS Region.

1. Choose an existing domain where you want to delete a project profile.

1. Choose the **Project profiles** tab and then choose the project profile that you want to delete. You can choose the All capabilities project profile, the Generative AI application development project profile, the SQL analytics project profile, or your custom project profile.

1. In the project profile details page, choose **Delete**.

   Confirm the action in the **Delete project profile** pop-up window by typing the project profile name in the text field and choosing **Delete**.
**Note**  
Deleting a project profile is final. Deletion removes the project profile and its blueprint deployment settings from Amazon SageMaker Unified Studio. It does not delete the blueprints used to create the blueprint deployment settings which make up this project profile.

# Edit blueprint deployment settings
<a name="edit-blueprint-deployment-settings"></a>

Blueprint deployment settings contain parameters used to create project profiles for Amazon SageMaker Unified Studio projects. Complete the following procedure to edit deployment settings for any of the supported blueprints.

1. Navigate to the Amazon SageMaker management console at [https://console.aws.amazon.com/datazone](https://console.aws.amazon.com/datazone) and use the region selector in the top navigation bar to choose the appropriate AWS Region.

1. Choose **View domains** and choose the domain’s name from the list. The name is a hyperlink.

1. Choose the **Project profiles** tab and then choose the project profile that contains the blueprint the deployment settings of which you want to modify.

1. From the **Blueprint deployment settings** list, choose the blueprint the deployment settings of which you want to modify. The blueprint name is a hyperlink.

1. On the chosen blueprint's **Blueprint deployment settings summary** page, choose **Edit**.

   You can make changes to the following:
   + The blueprint deployment settings description.
   + The AWS SSM Parameter Store path that contains parameters definition.
   + The blueprint parameters. You can use the table on this page to inspect and edit parameter values that will be used during project creation. To edit a parameter value, choose the parameter's radio button and choose **Edit**. You can override values that are set as blueprint or SSM values and check the **Editable** box if you want the values to be provided during project creation.
   + Notes for project owners - let project owners know why you made these changes and anything else they need to know about how this will impact their projects that use this project profile.

# Add blueprint deployment settings
<a name="add-blueprint-deployment-settings"></a>

Blueprint deployment settings contain parameters used to create project profiles for Amazon SageMaker Unified Studio projects. Complete the following procedure to add deployment settings for any of the supported blueprints.

1. Navigate to the Amazon SageMaker management console at [https://console.aws.amazon.com/datazone](https://console.aws.amazon.com/datazone) and use the region selector in the top navigation bar to choose the appropriate AWS Region.

1. Choose **View domains** and choose the domain’s name from the list. The name is a hyperlink.

1. Choose the **Project profiles** tab and then choose the project profile that contains the blueprint to which you want to add a new deployment setting.

1. Choose the **Blueprints Deployment Settings** tab, and choose **Add blueprint deployment settings**.

1. On the **Add blueprint deployment settings** page, specify the following:
   + Blueprint deployment settings name.
   + The blueprint deployment settings description.
   + The blueprint to which these deployment settings will apply.
   + Deployment properties - the account and region where you want these blueprint deployment settings to be created. Note that the corresponding blueprint must be enabled in this account and region for the blueprint deployment settings to be created successfully.
   + AWS SSM Parameter Store path - the path in AWS Systems Manager Parameter Store that contains the parameter definitions.
   + Blueprint parameters - the parameter values that will be used during project creation. You can override values that are set as blueprint or SSM values and check the **Editable** box if you want the values to be provided during project creation.
   + Notes for project owners - let project owners know why you made these changes and anything else they need to know about how this will impact their projects that use this project profile.

# Project resource tags
<a name="project-resource-tags"></a>

Project resource tags in Amazon SageMaker Unified Studio are custom key-value pairs that you assign to projects to help organize, categorize, and manage your resources. You can use tags for cost allocation, access control, and resource organization across your Amazon SageMaker Unified Studio projects.

Tags are configured through a Project Profile, applied at the project level and inherited by resources created through the create project and update project actions.

The following considerations apply for project resource tags in Amazon SageMaker Unified Studio:
+ Configure project profiles with project resource tags using AWS CLI or API only.
+ You can add up to 25 tags per project profile.
+ Tag keys must conform to the IAM policy permissions of the domain provisioning role.
+ Tag keys must be unique within a project and can contain up to 128 characters.
+ Tag values are optional and can contain up to 256 characters.
+ Tag keys and values can contain letters, numbers, spaces, and the following characters: \+ - = . \_ : / @
+ Tag keys and values are case-sensitive.

## IAM permissions for project resource tags
<a name="iam-permissions-project-resource-tags"></a>

By default, the tag Key must begin with the string "AmazonDataZone". This condition is set in the domain provisioning role. If Amazon SageMaker Unified Studio created the provisioning role for you, it is the AmazonSageMakerProvisioning-AccountId role. To create tags with a different string pattern (for example, begins with or contains), a policy with appropriate permissions must be attached to the domain provisioning role.

**To configure IAM policy for project resource tags**

1. Navigate to the Identity and Access Management (IAM) console.

1. In the navigation pane, choose **Roles**.

1. In the list, search for AmazonSageMakerProvisioning-accountId or your custom domain provisioning role.

1. Choose the **Permissions** tab.

1. Choose **Add permissions**, and then choose **Create inline policy**.

1. Under **Policy editor**, choose **JSON**.

1. Enter the policy.

1. Save to attach the policy to the role.

The following is an example policy allowing tag Keys to begin with "AmazonDataZone" or "SageMaker". Modify aws:TagKeys within the condition to meet your tag Key name requirements.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CustomTagsUnTagPermissions",
            "Effect": "Allow",
            "Action": [
                "codecommit:UntagResource",
                "iam:UntagRole",
                "logs:UntagResource",
                "athena:UntagResource",
                "redshift-serverless:UntagResource",
                "scheduler:UntagResource",
                "bedrock:UntagResource",
                "neptune-graph:UntagResource",
                "quicksight:UntagResource",
                "glue:UntagResource",
                "airflow:UntagResource",
                "secretsmanager:UntagResource",
                "lambda:UntagResource",
                "emr-serverless:UntagResource",
                "elasticmapreduce:RemoveTags",
                "sagemaker:DeleteTags",
                "ec2:DeleteTags"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceAccount": "${aws:PrincipalAccount}"
                },
                "ForAllValues:StringLike": {
                    "aws:TagKeys": [
                        "AmazonDataZone*",
                        "SageMaker*"
                    ]
                },
                "Null": {
                    "aws:ResourceTag/AmazonDataZoneProject": "false"
                }
            }
        },
        {
            "Sid": "CustomTagsTaggingPermissions",
            "Effect": "Allow",
            "Action": [
                "cloudformation:TagResource",
                "codecommit:TagResource",
                "iam:TagRole",
                "glue:TagResource",
                "athena:TagResource",
                "lambda:TagResource",
                "redshift-serverless:TagResource",
                "logs:TagResource",
                "secretsmanager:TagResource",
                "sagemaker:AddTags",
                "emr-serverless:TagResource",
                "neptune-graph:TagResource",
                "bedrock:TagResource",
                "elasticmapreduce:AddTags",
                "airflow:TagResource",
                "scheduler:TagResource",
                "quicksight:TagResource",
                "emr-containers:TagResource",
                "logs:CreateLogGroup",
                "athena:CreateWorkGroup",
                "scheduler:CreateScheduleGroup",
                "cloudformation:CreateStack",
                "ec2:*"
            ],
            "Resource": "*",
            "Condition": {
                "ForAnyValue:StringLike": {
                    "aws:TagKeys": [
                        "AmazonDataZone*",
                        "SageMaker*"
                    ]
                },
                "StringEquals": {
                    "aws:ResourceAccount": "${aws:PrincipalAccount}"
                }
            }
        }
    ]
}
```

**Note**  
It is possible to scope down the specific AWS service tag and un-tag permissions based on which blueprints / capabilities are used.

## Configure project resource tags
<a name="configure-project-resource-tags"></a>

Project resource tags are configured in the project profile. The project profile sets the key/value tag pairs, whether the value can be modified by the project creator, and whether projects using the project profile can create their own project resource tags at the time of project creation. Once configured, project resource tags will be applied to all projects using the project profile.

To use the AWS CLI to create a project profile with project resource tags, use the create-project-profile command.

Parameter --project-resource-tags sets tags within the project profile. Each tag is composed of a key (string), value (string), and isValueEditable (boolean). Setting isValueEditable to true means the value can be changed during project creation or update.

The following example shows the parameter project-resource-tags with tags configured.

```
--project-resource-tags '[
	{
		"key": "SageMaker",
		"value": "application",
		"isValueEditable": false
	},
	{
		"key": "AmazonDataZone-CostCenter",
		"value": "123",
		"isValueEditable": true
	}
]'
```

Parameter --allow-custom-project-resource-tags true | false permits the project creator to create additional key/value pairings. The key needs to conform to the policy of the domain provisioning role.

Parameter --project-resource-tags-description is a description field for project resource tags. The max character limit is 2048. The description needs to be passed in every time create-project-profile or update-project-profile is called.
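A pre-flight check for a --project-resource-tags value, added here as an illustration and not part of the AWS documentation or tooling: it applies the limits from the considerations list and tests every key against the aws:TagKeys patterns read from a provisioning-role policy. The function names, the trimmed `SAMPLE_POLICY` and the rule that each key must match at least one pattern are assumptions of this example.

```python
import json
import re

# Limits from the considerations list on this page.
MAX_TAGS, MAX_KEY_LEN, MAX_VALUE_LEN = 25, 128, 256
# Letters, numbers, spaces and + - = . _ : / @  (\w covers letters, digits and "_").
ALLOWED_CHARS = re.compile(r"[\w +\-=.:/@]*")

# Constructed sample: the page's example policy cut down to one tagging statement.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "CustomTagsTaggingPermissions",
    "Effect": "Allow",
    "Action": ["glue:TagResource", "sagemaker:AddTags"],
    "Resource": "*",
    "Condition": {
      "ForAnyValue:StringLike": {"aws:TagKeys": ["AmazonDataZone*", "SageMaker*"]},
      "StringEquals": {"aws:ResourceAccount": "${aws:PrincipalAccount}"}
    }
  }]
}
""")

# The --project-resource-tags value shown on this page.
PAGE_TAGS = [
    {"key": "SageMaker", "value": "application", "isValueEditable": False},
    {"key": "AmazonDataZone-CostCenter", "value": "123", "isValueEditable": True},
]


def like_to_regex(pattern):
    """Translate an IAM StringLike pattern: '*' and '?' wildcards, case-sensitive."""
    parts = []
    for ch in pattern:
        parts.append(".*" if ch == "*" else "." if ch == "?" else re.escape(ch))
    return re.compile("".join(parts), re.DOTALL)


def tag_key_patterns(policy):
    """Collect the aws:TagKeys StringLike patterns from the policy's Allow statements."""
    patterns = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for operator, keys in stmt.get("Condition", {}).items():
            if operator.split(":")[-1] != "StringLike":
                continue
            for cond_key, values in keys.items():
                if cond_key.lower() == "aws:tagkeys":
                    patterns.update([values] if isinstance(values, str) else values)
    return sorted(patterns)


def validate_project_resource_tags(tags, key_patterns):
    """Return a list of problems; an empty list means every check passed."""
    problems = []
    if len(tags) > MAX_TAGS:
        problems.append(f"{len(tags)} tags exceeds the limit of {MAX_TAGS}")
    matchers = [like_to_regex(p) for p in key_patterns]
    seen = set()
    for tag in tags:
        key, value = tag.get("key") or "", tag.get("value") or ""
        if not key:
            problems.append("tag with an empty key")
            continue
        if key in seen:  # keys are case-sensitive, so "Env" and "env" differ
            problems.append(f"{key!r}: duplicate key")
        seen.add(key)
        if len(key) > MAX_KEY_LEN:
            problems.append(f"{key[:24]!r}...: key longer than {MAX_KEY_LEN}")
        if len(value) > MAX_VALUE_LEN:
            problems.append(f"{key!r}: value longer than {MAX_VALUE_LEN}")
        if not (ALLOWED_CHARS.fullmatch(key) and ALLOWED_CHARS.fullmatch(value)):
            problems.append(f"{key!r}: character outside the allowed set")
        if not any(m.fullmatch(key) for m in matchers):
            problems.append(f"{key!r}: key not matched by {key_patterns}")
    return problems


if __name__ == "__main__":
    patterns = tag_key_patterns(SAMPLE_POLICY)
    print("with the example policy:", validate_project_resource_tags(PAGE_TAGS, patterns))
    # With only the default prefix, the "SageMaker" key is rejected.
    print("default role only:", validate_project_resource_tags(PAGE_TAGS, ["AmazonDataZone*"]))
```

Run it against the policy actually attached to your provisioning role before calling create-project-profile or update-project-profile.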

## Update project resource tags
<a name="update-project-resource-tags"></a>

Updates to project resource tags in the project profile apply automatically to new projects created from that point forward. For existing projects using the project profile, an update notification will be triggered in the project and the changes will be applied when the project is updated. Existing resources retain their current tags until they are recreated or manually updated.

To use the AWS CLI to update a project profile with project resource tags, use the update-project-profile command. Parameters --project-resource-tags and --allow-custom-project-resource-tags can be updated.

There are three ways to work with the project-resource-tags parameter when updating the project profile.
+ Passing a non-empty list of project resource tags will replace the tags currently configured on the project profile. Updating project resource tags in the project profile is not an additive action - include the exhaustive set of tags.
+ Passing an empty list of project resource tags will clear out all previously configured tags:

  ```
  --project-resource-tags '[]'
  ```
+ Not including the project resource tag parameter will keep previously configured tags as-is.

## Update the project
<a name="update-project-tags"></a>

Projects need to be updated when:

1. Project resource tags are updated in the project profile.

1. The project, when permitted by the project profile, updates existing tag values or adds new tags.

To use the AWS CLI to update a project with project resource tags, use the update-project command.

Parameter --resource-tags updates tags in the project. Tag values can be updated when their property isValueEditable is set to true. New tags can be added if parameter --allow-custom-project-resource-tags from the project profile is set to true.

The following example shows the parameter --resource-tags in the update project call.

```
  --resource-tags '[
	{
		"key": "AmazonDataZone-CostCenter",
		"value": "456"
	}
]'
```

Project level tags (those not configured from the project profile) need to be passed during project update in order to be preserved. For tags with isValueEditable = true configured from the project profile, any override previously set needs to be applied or the value will revert to the default from the project profile.
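Because tags left out of an update-project call are dropped or revert to the profile default, it helps to compute the complete --resource-tags list before each call. The helper below is an added example, not AWS code: `build_resource_tags`, the sample data, and the choices to carry existing project-level tags forward and to omit unchanged profile defaults are assumptions.

```python
import json

# Constructed sample: the project profile tags from this page's create example.
PROFILE_TAGS = [
    {"key": "SageMaker", "value": "application", "isValueEditable": False},
    {"key": "AmazonDataZone-CostCenter", "value": "123", "isValueEditable": True},
]
# Constructed sample: tags currently on the project. CostCenter was overridden
# earlier and AmazonDataZone-Team is a project-level tag.
CURRENT_TAGS = {
    "SageMaker": "application",
    "AmazonDataZone-CostCenter": "456",
    "AmazonDataZone-Team": "fraud",
}


def build_resource_tags(profile_tags, allow_custom, current_tags, changes):
    """Return the full list to pass as --resource-tags on update-project.

    profile_tags: [{"key", "value", "isValueEditable"}] from the project profile
    allow_custom: the profile's allow-custom-project-resource-tags setting
    current_tags: {key: value} currently set on the project
    changes:      {key: value} to set; None drops a project-level tag or
                  returns an editable profile tag to its default
    """
    profile = {t["key"]: t for t in profile_tags}
    result = {}

    # 1. Carry forward what the update would otherwise lose.
    for key, value in current_tags.items():
        if key not in profile:
            result[key] = value  # project-level tag: must be passed again
        elif profile[key]["isValueEditable"] and value != profile[key].get("value", ""):
            result[key] = value  # earlier override: must be re-applied

    # 2. Apply the requested changes under the profile's rules.
    for key, value in changes.items():
        if key in profile:
            if not profile[key]["isValueEditable"]:
                raise ValueError(f"{key!r} is not editable in the project profile")
        elif key not in current_tags and value is not None and not allow_custom:
            raise ValueError(f"{key!r}: the profile does not allow custom tags")
        if value is None:
            result.pop(key, None)
        else:
            result[key] = value

    return [{"key": k, "value": v} for k, v in sorted(result.items())]


def to_cli_value(tags):
    """Serialize the list as the JSON string given to --resource-tags."""
    return json.dumps(tags, indent=2)


if __name__ == "__main__":
    tags = build_resource_tags(
        PROFILE_TAGS, True, CURRENT_TAGS, {"AmazonDataZone-Owner": "alice"}
    )
    # The earlier CostCenter override and the Team tag travel with the new tag.
    print(to_cli_value(tags))
```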

## Delete project resource tags
<a name="delete-project-resource-tags"></a>

To delete project resource tags set from the project profile use the update-project-profile command followed by the update-project command.

1. Call the update-project-profile command with an empty list for parameter --project-resource-tags to remove project resource tags from the project profile. Existing project resources that already have these tags will retain them. New projects created using this project profile will not inherit the deleted tags.

   ```
   --project-resource-tags '[]'
   ```

1. Call the update-project command to remove project resource tags from the project resources. This removes the project resource tags set from the project profile. This will not remove the project resource tags set directly from the project.

To delete project resource tags set from the project use the update-project command with an empty list for parameter --resource-tags.

```
--resource-tags '[]'
```