

# Identity Center-based domains
<a name="identity-center-based-domains"></a>

Identity Center-based domains use AWS IAM Identity Center for user authentication and management. These domains support single sign-on (SSO) through identity providers and provide centralized user management capabilities. You can use the Amazon SageMaker management console to create either Amazon SageMaker unified domains or Amazon DataZone domains using either quick setup or manual setup options.

Once your domain is created, you can navigate to the Amazon SageMaker Unified Studio (a browser-based web application) where you can use all your data and configured tools for analytics and AI.

**Topics**
+ [Create an Amazon SageMaker Unified Studio domain - quick setup](create-domain-sagemaker-unified-studio-quick.md)
+ [Create an Amazon SageMaker Unified Studio domain - manual setup](create-domain-sagemaker-unified-studio-manual.md)
+ [Create an Amazon DataZone domain](create-domain-datazone.md)
+ [Edit domains](edit-domain.md)
+ [Delete domains](delete-domain.md)
+ [Upgrade Amazon DataZone domains to Amazon SageMaker unified domains](upgrade-domain.md)
+ [Trusted identity propagation](trusted-identity-propagation.md)

# Create an Amazon SageMaker Unified Studio domain - quick setup
<a name="create-domain-sagemaker-unified-studio-quick"></a>

Complete the following procedure to create an Amazon SageMaker unified domain with the Quick setup option.

**Important**  
Note that there is an additional charge for any VPC or resources that AWS sets up if you choose the Quick setup option for domain creation. The Quick setup option is intended for testing purposes, and we recommend deleting the domain after initial tests.

1. Navigate to the Amazon SageMaker management console at [https://console.aws.amazon.com/datazone](https://console.aws.amazon.com/datazone) and use the region selector in the top navigation bar to choose the appropriate AWS Region.

1. Choose **Create a Unified Studio domain** and then choose **Quick setup**.

   With this option, you're choosing to create an Amazon SageMaker unified domain and you're letting Amazon SageMaker Unified Studio configure your domain with the following default capabilities that you can customize later: 
   + Data analytics, machine learning, SQL, and generative AI
   + Data and AI governance
   + Generative AI app development using Amazon Bedrock serverless models
   + Amazon Q - Free tier
   + Authentication via AWS IAM or AWS IAM Identity Center

1. If you see the following note **No VPC has been specifically set up for use with Amazon SageMaker Unified Studio**, you can use the **Choose VPC** or **Create VPC** buttons to **Create a new VPC (recommended)** or choose an existing properly-configured VPC.

   If you plan to choose your own VPC, Amazon SageMaker Unified Studio enables you to choose VPCs within the same account as well as shared VPCs from other member accounts of the AWS organization. For more information, see [Share your VPC subnets with other accounts](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-sharing.html). 
   **Note**  
   If you choose to create a new VPC, note that the VPC template with which it is created is not intended for production use. You can use this template as a start and modify it for your organization's purposes.

   If you see the following note **No models accessible**, you can use the **Grant model access** button to grant access to Amazon Bedrock serverless models for use in Amazon SageMaker Unified Studio.

1. Expand the **Quick setup settings** section and review the selected configurations:
   + Under **Domain resources**: domain name, domain execution role, domain service role, and domain data encryption information
   + Under **Data analytics, machine learning, and SQL analytics resources**: user role policy, provisioning role, manage access role, Amazon S3 bucket for projects, and Virtual private cloud (VPC) information
   + Under **Generative AI resources**: model provisioning role and model consumption role

   Modify as needed or leave the defaults, and then choose **Continue**.

1. Expand the **Onboard your data - optional** section and review the selected configuration. This allows you to make your existing AWS data available and ready for use in Amazon SageMaker Unified Studio. You can specify where your data is stored (in the current release, AWS Glue (SageMaker Lakehouse) is supported), make your data discoverable by other users in the domain, and note the owner project that is auto-created for you, which is where this onboarded data will be accessible in Amazon SageMaker Unified Studio. For more information, see [Onboarding data in Amazon SageMaker Unified Studio](data-onboarding.md).

1. On the **Create IAM Identity Center user** page, create an SSO user (account with IAM Identity Center) or select an existing SSO user to log in to Amazon SageMaker Unified Studio. IAM roles that create Amazon SageMaker unified domains cannot log in to Amazon SageMaker Unified Studio. The SSO user selected here is used as the administrator in Amazon SageMaker Unified Studio.

1. Choose **Create domain**.

# Create an Amazon SageMaker Unified Studio domain - manual setup
<a name="create-domain-sagemaker-unified-studio-manual"></a>

Complete the following procedure to create an Amazon SageMaker unified domain with the Manual setup option.

1. Navigate to the Amazon SageMaker management console at [https://console.aws.amazon.com/datazone](https://console.aws.amazon.com/datazone) and use the region selector in the top navigation bar to choose the appropriate AWS Region.

1. Choose **Create a Unified Studio domain** and then choose **Manual setup**.

   With this option, you're choosing to create an Amazon SageMaker unified domain and you're claiming full control over customizing your domain settings, including the following:
   + Customize data analytics, machine learning, SQL, Generative AI, and more
   + Data and AI governance
   + Configure Amazon Bedrock generative AI playgrounds and application development
   + Amazon Q - Free tier
   + Authentication via AWS IAM, AWS IAM Identity Center, or SAML

1. In **Name**, specify the domain name.

1. In **Description**, specify the domain description.

1. Under **Permissions**, specify the domain execution role. For more information, see [AmazonSageMakerDomainExecution role](AmazonSageMakerDomainExecution.md). 

1. Under **Permissions**, specify the domain service role. For more information, see [AmazonSageMakerDomainService role](AmazonSageMakerDomainService.md).

1. Under **Data encryption**, specify the data encryption settings. Your data is encrypted by default with a key that AWS owns and manages for you. To choose a different key, customize your encryption settings.

1. Under **Tags**, specify the tags for your domain.

1. Choose **Create domain**.

Once your domain is created, you can proceed to customizing your domain settings, including [SSO](user-management.md), [project profiles](project-profiles.md), [blueprints](blueprints.md), [account associations](associated-accounts.md), [Amazon Bedrock models](amazon-bedrock.md), [connections](git-connections.md), and [Amazon Q](amazonq.md).

# Create an Amazon DataZone domain
<a name="create-domain-datazone"></a>

Complete the following procedure to create an Amazon DataZone domain.

1. Navigate to the Amazon SageMaker management console at [https://console.aws.amazon.com/datazone](https://console.aws.amazon.com/datazone) and use the region selector in the top navigation bar to choose the appropriate AWS Region.

1. Choose **Create domain** and then choose **Create an Amazon DataZone domain**. Choose this option if you want to create a new Amazon DataZone domain. For detailed steps on working with Amazon DataZone domains, including how to create Amazon DataZone domains, see [Domains and user access in Amazon DataZone](https://docs.aws.amazon.com/datazone/latest/userguide/working-with-domains-users.html).

# Edit domains
<a name="edit-domain"></a>

After you create a domain, you can edit its description or further customize your domain settings, including [SSO](user-management.md), [project profiles](project-profiles.md), [blueprints](blueprints.md), [account associations](associated-accounts.md), [Amazon Bedrock models](amazon-bedrock.md), [connections](git-connections.md), and [Amazon Q](amazonq.md).

To edit a domain, complete the following steps:

1. Navigate to the Amazon SageMaker management console at [https://console.aws.amazon.com/datazone](https://console.aws.amazon.com/datazone) and use the region selector in the top navigation bar to choose the appropriate AWS Region.

1. Choose **View domains** and choose the domain's name from the list. The name is a hyperlink.

1. On the details page for the domain, expand **Actions** and then choose **Edit**. You can use the **Edit domain** page to change the description or manage tags. Once you've made your edits, choose **Update domain**.

1. You can use the domain's details page to further customize your domain settings, including [SSO](user-management.md), [project profiles](project-profiles.md), [blueprints](blueprints.md), [account associations](associated-accounts.md), [Amazon Bedrock models](amazon-bedrock.md), [connections](git-connections.md), and [Amazon Q](amazonq.md).

# Delete domains
<a name="delete-domain"></a>

Deleting a domain is final. Also note that not all items created by Amazon SageMaker Unified Studio are deleted with the domain. The following items remain and can only be deleted in their own service consoles:
+ AWS resources other than the domain itself will NOT be deleted.
+ Subscription grants will NOT be removed.
+ Resource shares of this domain to associated accounts will NOT be deleted.

To prevent someone from deleting a domain maliciously, deleting a domain requires administrative IAM permissions for Amazon SageMaker Unified Studio, which you can configure with IAM.
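As an added example, not taken from this guide, the following identity-based IAM policy shows one way to configure that restriction: it lets a domain administrator perform Amazon SageMaker Unified Studio (`datazone`) actions but denies the `datazone:DeleteDomain` action whenever the request is not MFA-authenticated. The `datazone` service prefix and the `aws:MultiFactorAuthPresent` condition key are standard AWS IAM identifiers; narrowing the `Resource` of the Deny statement to a specific domain ARN is left to the reader.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowDomainAdministration",
      "Effect": "Allow",
      "Action": "datazone:*",
      "Resource": "*"
    },
    {
      "Sid": "DenyDomainDeletionWithoutMfa",
      "Effect": "Deny",
      "Action": "datazone:DeleteDomain",
      "Resource": "*",
      "Condition": {
        "BoolIfExists": {
          "aws:MultiFactorAuthPresent": "false"
        }
      }
    }
  ]
}
```

An explicit Deny overrides any Allow granted elsewhere, so the deletion confirmation in the console cannot be completed by a session that lacks MFA even if another attached policy grants `datazone:*`.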

To delete a domain, complete the following procedure:

1. Navigate to the Amazon SageMaker management console at [https://console.aws.amazon.com/datazone](https://console.aws.amazon.com/datazone) and use the region selector in the top navigation bar to choose the appropriate AWS Region.

1. Choose **View domains** and choose the domain's name from the list. The name is a hyperlink.

1. On the details page for the domain, expand **Actions** and then choose **Delete**.

1. Note that deleting a domain cannot be undone and if you want to proceed, confirm the deletion by typing in the domain name in the text field, and then choose **Delete**.

# Upgrade Amazon DataZone domains to Amazon SageMaker unified domains
<a name="upgrade-domain"></a>

## Considerations before you upgrade your domain
<a name="upgrade-domain-consider"></a>

Before upgrading your Amazon DataZone domain to an Amazon SageMaker unified domain, review these important considerations to ensure a smooth upgrade process.
+ The upgrade process is available only through the AWS management console. Currently, no API support is offered for upgrading your domain. You can initialize the upgrade process from the domain details page of your Amazon DataZone domain. 
+ The upgrade process requires the following roles to be configured (you can select existing roles or have Amazon SageMaker Unified Studio create the roles on your behalf):
  + Domain Execution role - for an Amazon DataZone domain, you're using the [AmazonDataZoneDomainExecutionRole](https://docs.aws.amazon.com/datazone/latest/userguide/AmazonDataZoneDomainExecutionRole.html) that is required by Amazon DataZone to catalog, discover, govern, share, and analyze data in your domain. With an Amazon SageMaker unified domain, you must either use an existing or create a new [AmazonSageMakerDomainExecution](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/AmazonSageMakerDomainExecution.html) role.
  + Domain Service role - Amazon DataZone does not require a Domain Service role. With an Amazon SageMaker unified domain, you must either use an existing or create a new [AmazonSageMakerDomainService](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/AmazonSageMakerDomainService.html) role. This is a service role for domain-level actions performed by Amazon SageMaker Unified Studio.
+ Root domain ownership considerations:
  + IAM users or SSO users/groups can be optionally assigned as root domain owners during the upgrade process.
  + If the root domain unit only has IAM roles assigned as owners, it is recommended that you add an IAM user or an SSO user/group as owner. For more information, see [User management](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/user-management.html) in the Amazon SageMaker Unified Studio Administrator Guide.
  + **Important**: IAM roles cannot log in to the Amazon SageMaker Unified Studio.
+ Associated accounts and AWS Resource Access Manager (AWS RAM) changes:
  + Associated accounts use resource shares from AWS RAM to permit API actions from the root domain account.
  + The upgrade process changes the underlying managed permissions for the AWS RAM share that is created and managed by Amazon DataZone. The affected managed permissions are `AWSRAMPermissionsAmazonDatazoneDomainExtendedServiceAccess` and `AWSRAMPermissionsAmazonDatazoneDomainExtendedServiceWithPortalAccess`.
+ Amazon Q subscription changes - the upgraded domain will have Amazon Q subscription defaulted to the free-tier. Domain administrators can change this after the domain upgrade is complete.
+ After the upgrade, the domain's `domainVersion` attribute changes from `V1` to `V2`.

## Upgrade your Amazon DataZone domain to an Amazon SageMaker unified domain
<a name="upgrade-domain-procedure"></a>

For detailed steps on how to initialize the domain upgrade process, see [Upgrade Amazon DataZone domains to Amazon SageMaker unified domains](https://docs.aws.amazon.com/datazone/latest/userguide/upgrade-domain.html).

## Frequently asked questions about upgrading Amazon DataZone domains to Amazon SageMaker unified domains
<a name="upgrade-domain-faq"></a>
+ **Which properties and configurations carry over with the domain after the upgrade?**

  All properties configured on the Amazon DataZone domain carry over to the upgraded Amazon SageMaker unified domain. This includes data encryption properties, authentication application properties, etc.
+ **Do I need to set up single sign-on (SSO) access again for my users?**

  No. Your IAM Identity Center SSO application associated to the domain will carry over to the upgraded Amazon SageMaker unified domain. Additionally, any IAM user or role assigned to the domain will be available in the upgraded Amazon SageMaker unified domain.
+ **Can I still use the Amazon DataZone portal after the upgrade?**

  Yes. After the upgrade both Amazon DataZone portal and Amazon SageMaker Unified Studio will be available for end users to interact with. Both portals will remain open until a domain administrator deactivates the Amazon DataZone portal from the Amazon SageMaker management console. 
+ **Will I see the projects and other entities that were created in the Amazon DataZone portal in Amazon SageMaker Unified Studio?**

  Yes. Most entities (projects, metadata forms, glossaries, domain units) created through the Amazon DataZone portal will be visible in Amazon SageMaker Unified Studio. Projects will carry over all assets, metadata forms and glossaries associated to assets, subscriptions to assets, members, etc. These projects require querying the data from AWS Athena or Amazon Redshift query editors. Metadata forms and glossaries will appear in Amazon SageMaker Unified Studio and they can be edited from Amazon SageMaker and assigned to assets from projects created through Amazon SageMaker. Environments and environment profiles from Amazon DataZone will not show in Amazon SageMaker Unified Studio - these entities have been replaced by Amazon SageMaker project profiles. Projects created in the Amazon SageMaker Unified Studio will not be visible through the Amazon DataZone portal.
+ **What happens to the domain identifier and the project identifiers after the upgrade to Amazon SageMaker unified domain?**

  All entity identifiers, including the domain and projects, will remain the same after the upgrade.
+ **Will my AWS CloudFormation (CFN) stacks continue to work for the newly upgraded Amazon SageMaker unified domain?**

  Amazon SageMaker Unified Studio uses the same APIs as Amazon DataZone. However, some modifications to the logic within CFN templates will be needed. For example, domains from Amazon DataZone are distinguished from Amazon SageMaker unified domains by an attribute named `domainVersion` (values `V1` or `V2`).
+ **What happens when the upgrade is rolled back?**
  + Rolling back the upgrade changes the domain version from `V2` to `V1`. Amazon SageMaker Unified Studio will no longer be accessible. The console view for the domain will return to the Amazon DataZone view. Resources created before the roll back will remain so long as they are not tied to a project that was created from Amazon SageMaker Unified Studio. Rolling back is only permitted when no projects that were created from within Amazon SageMaker Unified Studio are present.
  + Settings such as the Amazon Q subscription will also persist after the roll back.
  + If VPCs were created for the use of Amazon SageMaker, these will persist after the roll back. VPCs created by the SageMaker service have the tag `Name = SageMakerUnifiedStudioVPC`.
  + The managed permission under the RAM resource share will not be rolled back. The managed permission is a superset of both Amazon DataZone and Amazon SageMaker Unified Studio.
  + A domain that had been rolled back can again be upgraded to Amazon SageMaker unified domain.

# Trusted identity propagation
<a name="trusted-identity-propagation"></a>

Trusted identity propagation in IAM Identity Center enables administrators of AWS services to grant permissions based on user attributes, such as user ID or group associations. With trusted identity propagation, identity context is added to an IAM role to identify the user requesting access to AWS resources. This context is propagated to other AWS services. 

Starting on 9/30/2025, Amazon SageMaker Unified Studio supports trusted identity propagation for tasks that include Amazon Athena, Amazon Redshift, AWS Glue, Amazon EMR on EC2, and Amazon EMR Serverless. To enable trusted identity propagation within your Amazon SageMaker unified domains, you can do either of the following: 
+ [Create a new Amazon SageMaker unified domain](create-domain-sagemaker-unified-studio-manual.md) - from 9/30/2025 and beyond, all newly created Amazon SageMaker unified domains support trusted identity propagation with IdC for tasks that include Amazon Athena, Amazon Redshift, AWS Glue, Amazon EMR on EC2, and Amazon EMR Serverless. Other than creating a new domain, no further action is required from the administrator to configure trusted identity propagation for their new domain. 
+ Update your existing Amazon SageMaker unified domain - if your domain was created prior to 9/30/2025, navigate to your domain's details page and locate the update notification banner. To update your domain to support Trusted Identity Propagation in AWS Glue, Amazon EMR on EC2, and Amazon EMR Serverless as well as Amazon Athena and Amazon Redshift, choose the **Update now** button.

Once this update is complete, you must set the `enableTrustedIdentityPropagationPermissions` property in your project profile's default Tooling blueprint. To do this, complete the following procedure:

1. Navigate to the Amazon SageMaker management console at [https://console.aws.amazon.com/datazone](https://console.aws.amazon.com/datazone) and use the region selector in the top navigation bar to choose the appropriate AWS Region.

1. Choose the domain that contains the project profile whose Tooling blueprint you want to update.

1. Choose the **Project profiles** tab and then choose the project profile that you want to update.

1. In the project profile details page, choose **Edit**.

1. On the project profile's edit page, in the **Tooling blueprint parameters** section, choose the **enableTrustedIdentityPropagationPermissions** parameter and then choose **Edit**. 

1. On the **Edit blueprint parameter** page, set the **enableTrustedIdentityPropagationPermissions** parameter value to **True**. 

1. Optional - to enforce authorization based on trusted identity propagation, you can make the **enableTrustedIdentityPropagationPermissions** parameter non-editable by unchecking the **Editable** checkbox under **Editable value**.

1. Choose **Save** in the **Edit blueprint parameter** page.

**Important**  
In the current release, trusted identity propagation within Amazon SageMaker unified domains is only supported for SQL analytics, interactive Spark sessions, and end-to-end machine learning lifecycle tasks with Amazon Athena, Amazon Redshift, AWS Glue, Amazon EMR on EC2, and Amazon EMR Serverless. Therefore, even though you can set the `enableTrustedIdentityPropagationPermissions` parameter value to **True** in the Tooling blueprint of any of your project profiles, such as All capabilities, Generative AI application development, SQL analytics, or any custom project profile, trusted identity propagation and authorization based on trusted identity propagation is only supported for the Amazon Athena, Amazon Redshift, AWS Glue, Amazon EMR on EC2, and Amazon EMR Serverless tools within the chosen project profile.  
We recommend creating a dedicated project profile for the tools that support trusted identity propagation and setting `enableTrustedIdentityPropagationPermissions` to **True**. This approach clearly establishes trusted identity propagation as the data authorization method for all projects using this profile.