

# Projects in IAM-based domains
<a name="projects-iam-based-domains"></a>

Projects in IAM-based domains provide isolated environments for data analytics and AI/ML development work. Each project has one IAM role for login, one IAM role for accessing data and resources, and storage configurations that determine what resources and data project members can access from within the project. All members of a project within an IAM-based domain have the same access to data and compute; that access is managed through the project's execution IAM role.

Projects can be created in the following ways:

1. The Amazon SageMaker Unified Studio admin creates the project on behalf of users from the Domain administration page.

1. The Amazon SageMaker Unified Studio admin prepares IAM roles so that users can set up projects themselves directly from AWS services (Amazon Athena, Amazon S3 Tables, and Amazon Redshift).

Projects within IAM-based domains require two IAM roles:
+ **Member IAM role or user** – Authenticates users and provides access to the Amazon SageMaker Unified Studio project. This role or user must have the SageMakerStudioUserIAMConsolePolicy managed policy attached, or equivalent permissions through another policy. Use this role to access your assigned project from the Amazon SageMaker Unified Studio interface.
+ **Execution IAM role** – Defines which data in AWS analytics, AI, and ML services the project can access. This role determines the data and resources available in the portal. Amazon SageMaker Unified Studio assumes this role to make service calls on behalf of project users. The execution IAM role requires the SageMakerStudioUserIAMDefaultExecutionPolicy managed policy (or equivalent permissions) and a trust policy that allows Amazon SageMaker Unified Studio and related AWS services to assume the role.

**Note**  
The Execution IAM role can be the same IAM role as the Member IAM role. Both roles require specific policy attachments and trust relationships to function correctly within the IAM-based domain architecture. The system validates these permissions during setup and provides guidance for any missing configurations.

# Set up projects within an IAM-based domain
<a name="setup-projects-iam-based-domains"></a>

To create a project within an IAM-based domain, you assign a Member IAM role or user and an Execution IAM role, configure permissions for the execution role, and set up storage options. By default, projects can access resources within the domain's AWS account. You can configure the project execution IAM role to access data and resources across AWS accounts and regions.

## Preparing IAM roles
<a name="preparing-iam-roles-projects"></a>

**Member IAM role:**
+ [SageMakerStudioUserIAMConsolePolicy](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioUserIAMConsolePolicy.html) must be attached or have the same permissions added via another policy.

**Execution IAM role:**
+ When Amazon SageMaker Unified Studio creates this role for you, the [SageMakerStudioUserIAMDefaultExecutionPolicy](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioUserIAMDefaultExecutionPolicy.html) managed policy is attached automatically.
+ When you provide your own role, [SageMakerStudioUserIAMConsolePolicy](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioUserIAMConsolePolicy.html) must be attached. The role also needs an inline policy that allows it to pass itself to other services, and a trust policy that allows Amazon SageMaker Unified Studio and related services to assume it.

## Create new project from domain administration page
<a name="create-project-domain-admin"></a>

1. From the domain administration page, choose Projects in the left navigation pane.

1. Choose Create project. The Create project panel opens.

1. Give the project a name and choose Next.

1. Select a Member role or user.

1. Select an Execution role: choose either Auto-create a new role with permissions or Use an existing role.

1. Choose Create.

1. You should see a Creating project notification.

1. Once the project is successfully created, you should see an entry in the projects table with the project name.

## Prepare IAM roles so other users can set up projects themselves
<a name="prepare-iam-roles-self-service"></a>

You can configure other IAM roles in your account so that their users can set up their own Amazon SageMaker Unified Studio project within your IAM-based domain. You must add permissions and policies to those existing IAM roles so that they can create a project, using a Member IAM role for login and an Execution IAM role for accessing data and resources within the project. This lets users in the AWS console create projects with these roles from AWS services (Amazon Athena, Amazon S3 Tables, and Amazon Redshift).

**Member IAM role:**

1. Log in with the IAM role (defined in [Overview of IAM-based domains](iam-based-domains-overview.md)) that has the AWS IAM administrator privileges described in the prerequisites.

1. Navigate to the IAM console.

1. Choose Add permission, then Attach policy, and search for the managed policy [SageMakerStudioUserIAMConsolePolicy](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioUserIAMConsolePolicy.html). Select it to attach it to your existing role.

**Execution IAM role:**

1. Log in with the IAM role that has the AWS IAM administrator privileges described in the prerequisites.

1. Navigate to the IAM console.

1. Choose Add permission, then Attach policy, and search for the managed policy [SageMakerStudioUserIAMDefaultExecutionPolicy](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioUserIAMDefaultExecutionPolicy.html). Select it to attach it to your existing role.

1. Add an inline policy that allows this role to pass itself to other services.

1. Add a trust policy that allows Amazon SageMaker Unified Studio and related services to assume this Execution IAM role.
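
The role requirements in the two procedures above (the Member role's managed policy; the Execution role's managed policy, self-PassRole inline policy and trust policy) can be checked mechanically before users are told to set up their own projects. The following Python script is an added example, not AWS code or part of this guide: it builds the inline and trust policy documents and audits role data passed in as plain dicts, shaped like the responses of the IAM GetRole, ListAttachedRolePolicies and GetRolePolicy APIs, which a caller would fetch with boto3. The managed-policy ARN prefix, the role ARN and the service principals `sagemaker.amazonaws.com` and `datazone.amazonaws.com` are assumptions or constructed placeholders; the page does not name the principals Unified Studio requires, so substitute those found on a role the domain auto-created.

```python
"""Audit the IAM roles behind a SageMaker Unified Studio project (IAM-based domain).

Added example, not part of the AWS admin guide. Role data is passed in as plain dicts
shaped like the IAM GetRole / ListAttachedRolePolicies / GetRolePolicy responses, so the
checks run offline; the sample roles at the bottom are constructed. The managed-policy
ARN prefix and the service principals are assumptions.
"""

# Assumed: AWS managed policies live under this ARN prefix.
MANAGED_PREFIX = "arn:aws:iam::aws:policy/"
CONSOLE_POLICY = MANAGED_PREFIX + "SageMakerStudioUserIAMConsolePolicy"
EXECUTION_POLICY = MANAGED_PREFIX + "SageMakerStudioUserIAMDefaultExecutionPolicy"


def _as_list(value):
    """IAM policy fields may be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def build_pass_self_policy(role_arn):
    """Inline policy letting the execution role pass itself, and only itself."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Sid": "PassOwnRoleOnly", "Effect": "Allow",
                       "Action": "iam:PassRole", "Resource": role_arn}],
    }


def build_trust_policy(service_principals):
    """Trust policy letting the given AWS service principals assume the role.
    The guide does not name the principals Unified Studio needs; callers supply them."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Principal": {"Service": list(service_principals)},
                       "Action": "sts:AssumeRole"}],
    }


def check_member_role(attached_policy_arns):
    """Findings for the Member role; an empty list means compliant."""
    if CONSOLE_POLICY not in attached_policy_arns:
        return ["member role lacks SageMakerStudioUserIAMConsolePolicy"]
    return []


def check_execution_role(role_arn, attached_policy_arns, inline_policies, trust_policy):
    """Findings for the Execution role: managed policy, self-PassRole, trust policy."""
    findings = []
    if EXECUTION_POLICY not in attached_policy_arns:
        findings.append("execution role lacks SageMakerStudioUserIAMDefaultExecutionPolicy")

    # PassRole must be present and scoped to the role's own ARN, not "*".
    resources = []
    for doc in inline_policies.values():
        for stmt in _as_list(doc.get("Statement")):
            if stmt.get("Effect") == "Allow" and "iam:PassRole" in _as_list(stmt.get("Action")):
                resources.extend(_as_list(stmt.get("Resource")))
    if not resources:
        findings.append("execution role has no inline iam:PassRole policy")
    elif "*" in resources:
        findings.append("iam:PassRole is granted on '*' instead of the role's own ARN")
    elif role_arn not in resources:
        findings.append("iam:PassRole does not cover the role's own ARN")

    # Trust policy: some AWS service principal may assume the role; no wildcard principal.
    trusted_services = []
    for stmt in _as_list(trust_policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal")
        if principal == "*" or (isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))):
            findings.append("trust policy allows any principal to assume the role")
        if isinstance(principal, dict):
            trusted_services.extend(_as_list(principal.get("Service")))
    if not trusted_services:
        findings.append("trust policy allows no AWS service principal to assume the role")
    return findings


# Constructed sample data (not real account values).
EXEC_ROLE_ARN = "arn:aws:iam::123456789012:role/ExampleUnifiedStudioExecutionRole"
# Assumed placeholders for the service principals Unified Studio requires.
ASSUMED_SERVICES = ["sagemaker.amazonaws.com", "datazone.amazonaws.com"]


def audit_sample_roles():
    """Audit one compliant and one misconfigured execution role; return both finding lists."""
    compliant = check_execution_role(
        EXEC_ROLE_ARN, [EXECUTION_POLICY],
        {"PassSelf": build_pass_self_policy(EXEC_ROLE_ARN)},
        build_trust_policy(ASSUMED_SERVICES))
    misconfigured = check_execution_role(
        EXEC_ROLE_ARN, [CONSOLE_POLICY],  # wrong managed policy for an execution role
        {"PassAny": {"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"}]}},
        {"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Principal": "*", "Action": "sts:AssumeRole"}]})
    return compliant, misconfigured


if __name__ == "__main__":
    for label, findings in zip(("compliant", "misconfigured"), audit_sample_roles()):
        print(f"{label}: {findings or 'OK'}")
```

The checker treats `iam:PassRole` on `*` and a trust policy open to any principal as findings, because the requirement above is that the execution role pass itself and be assumable by Amazon SageMaker Unified Studio and related services, not by arbitrary principals. To audit real roles, feed it the attached policy ARNs, inline policy documents and `AssumeRolePolicyDocument` returned by boto3 for each role.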

# View and Manage Project Details
<a name="view-manage-project-details-iam-based"></a>

Project details include storage configuration, execution role assignments, member information, and networking settings that determine how resources within the project operate.

**Viewing Project Details**

1. From the domain administration page, choose **Projects** in the left navigation pane.

1. In the Projects list, choose the project name you want to view.

1. The project details page displays the following information:

   1. **Project Header:**
      + Project name and status (Active, Creating, Deleting)
      + Project description
      + Action buttons: Delete, Edit, Share info

   1. **Details Section:**
      + Project URL - Link to access the project portal
      + Project ARN - Amazon Resource Name for the project
      + Storage - Amazon S3 bucket location for project files
      + Execution role ARN - IAM role that defines data access permissions

   1. **Members Section:**
      + Member ARN - IAM role or user that can log in to and access the project
      + Description of member access capabilities

   1. **Networking Section:**
      + VPC - Virtual Private Cloud configuration status
      + Network settings that apply to resources created in the project

1. To perform actions on the project, use the buttons in the project header:
   + Choose **Edit** to modify project settings
   + Choose **Share info** to generate a welcome message for users
   + Choose **Delete** to remove the project

1. To return to the Projects list, choose **Projects** in the breadcrumb navigation.

# Edit Project Configuration
<a name="edit-project-configuration-iam-based"></a>

You can edit the project description to reflect changes in business context or project scope and update the member role to change project access permissions.

1. From the domain administration page, choose **Projects** in the left navigation pane.

1. Choose the project name you want to edit from the Projects list.

1. On the project details page, choose **Edit**.

1. In the Edit Project dialog, modify the available settings:

   1. **Details Section:**
      + Description - Update the project description (optional, up to 2048 characters)

   1. **Member Section:**
      + IAM role - Update the IAM role or user that can log in to and access the project

1. Review the information note about required permissions (SageMakerStudioUserIAMConsolePolicy must be attached or have the same permissions added via another policy).

1. Choose **Save** to apply your changes.

1. The project details page refreshes with the updated information.

Your changes are applied immediately. If you updated the member role, the new IAM role or user will have access to the project, and the previous role will no longer have access.

# Share Project Information
<a name="share-project-information-iam-based"></a>

This feature simplifies user onboarding by providing all necessary access information in a formatted message that can be copied and shared via email or other communication channels.

1. From the domain administration page, choose **Projects** in the left navigation pane.

1. Choose the project name from the Projects list.

1. On the project details page, choose **Share info**.

1. In the Share project information dialog, review the generated welcome message that includes:
   + Welcome text explaining the project setup
   + URL - Direct link to the Amazon SageMaker Unified Studio portal
   + IAM role - The specific IAM role the user should use to access the project

1. Choose **Copy message** to copy the entire welcome message to your clipboard.

1. Choose **Close** to close the dialog.

1. Paste the copied message into your preferred communication method (email, chat, documentation) to share with project members.

The welcome message provides users with complete information needed to access their project, including login instructions and the specific IAM role they should use.

# Delete a Project
<a name="delete-project-iam-based"></a>

Before deleting a project, ensure that all important data and resources have been backed up or migrated, as the deletion process removes all project content permanently.

1. From the domain administration page, choose **Projects** in the left navigation pane.

1. Choose the project name you want to delete from the Projects list.

1. On the project details page, choose **Delete**.

1. In the Delete project confirmation dialog:

   1. Review the warning message: "Deleting a project is final and removes all resources and assets created in the project".

   1. In the confirmation field, type **confirm** to acknowledge the deletion.

   1. Choose **Delete** to permanently delete the project.

1. The project status changes to "Deleting" and the project is removed from the domain.

**Warning**  
Deleting a project is final and removes all resources and assets created in the project. This action cannot be undone by you or by AWS.

The project and all associated resources are permanently removed from your Amazon SageMaker Unified Studio domain.