

# Domains in Amazon SageMaker Unified Studio
<a name="working-with-domains"></a>

In Amazon SageMaker Unified Studio, a domain is the organizing entity that connects your assets, users, and their projects. With Amazon SageMaker unified domains, you have the flexibility to reflect the data and analytics needs of your organizational structure, whether that means creating a single Amazon SageMaker unified domain for your enterprise or multiple domains for different business units.

Amazon SageMaker Unified Studio supports two distinct domain types to accommodate different organizational needs and authentication approaches:
+ **Identity Center-based domains** - Use AWS IAM Identity Center for user authentication and management. These domains support single sign-on (SSO) through identity providers and provide centralized user management capabilities. You can create these domains using either quick setup or manual setup options through the Amazon SageMaker management console.
+ **IAM-based domains** - Use AWS Identity and Access Management (IAM) roles for authentication and access control. These domains provide an additional path to set up and manage your data and AI development environment using federated IAM roles for login and execution. Only one IAM-based domain is available per AWS Account.

Both domain types provide access to the same core Amazon SageMaker Unified Studio capabilities for data analytics, machine learning, and AI development, but use different authentication mechanisms and setup processes. Choose the domain type that best fits your organization's identity management strategy and security requirements.

**Topics**
+ [Identity Center-based domains](identity-center-based-domains.md)
+ [IAM-based domains and projects](iam-based-domains.md)

# Identity Center-based domains
<a name="identity-center-based-domains"></a>

Identity Center-based domains use AWS IAM Identity Center for user authentication and management. These domains support single sign-on (SSO) through identity providers and provide centralized user management capabilities. You can use the Amazon SageMaker management console to create either Amazon SageMaker unified domains or Amazon DataZone domains using either quick setup or manual setup options.

Once your domain is created, you can navigate to the Amazon SageMaker Unified Studio (a browser-based web application) where you can use all your data and configured tools for analytics and AI.

**Topics**
+ [Create an Amazon SageMaker Unified Studio domain - quick setup](create-domain-sagemaker-unified-studio-quick.md)
+ [Create an Amazon SageMaker Unified Studio domain - manual setup](create-domain-sagemaker-unified-studio-manual.md)
+ [Create an Amazon DataZone domain](create-domain-datazone.md)
+ [Edit domains](edit-domain.md)
+ [Delete domains](delete-domain.md)
+ [Upgrade Amazon DataZone domains to Amazon SageMaker unified domains](upgrade-domain.md)
+ [Trusted identity propagation](trusted-identity-propagation.md)

# Create an Amazon SageMaker Unified Studio domain - quick setup
<a name="create-domain-sagemaker-unified-studio-quick"></a>

Complete the following procedure to create an Amazon SageMaker unified domain with the Quick setup option.

**Important**  
Note that there is an additional charge for any VPC or resources that AWS sets up if you choose the Quick setup option for domain creation. The Quick setup option is intended for testing purposes, and we recommend deleting the domain after initial tests.

1. Navigate to the Amazon SageMaker management console at [https://console.aws.amazon.com/datazone](https://console.aws.amazon.com/datazone) and use the region selector in the top navigation bar to choose the appropriate AWS Region.

1. Choose **Create a Unified Studio domain** and then choose **Quick setup**.

   With this option, you're choosing to create an Amazon SageMaker unified domain and you're letting Amazon SageMaker Unified Studio configure your domain with the following default capabilities that you can customize later: 
   + Data analytics, machine learning, SQL, and generative AI
   + Data and AI governance
   + Generative AI app development using Amazon Bedrock serverless models
   + Amazon Q - Free tier
   + Authentication via AWS IAM or AWS IAM Identity Center

1. If you see the following note **No VPC has been specifically set up for use with Amazon SageMaker Unified Studio**, you can use the **Choose VPC** or **Create VPC** buttons to **Create a new VPC (recommended)** or choose an existing properly-configured VPC.

   If you plan to choose your own VPC, Amazon SageMaker Unified Studio enables you to choose VPCs within the same account as well as shared VPCs from other member accounts of the AWS organization. For more information, see [Share your VPC subnets with other accounts](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-sharing.html). 
**Note**  
If you choose to create a new VPC, note that the VPC template with which it is created is not intended for production use. You can use this template as a start and modify it for your organization's purposes.

   If you see the following note **No models accessible**, you can use the **Grant model access** button to grant access to Amazon Bedrock serverless models for use in Amazon SageMaker Unified Studio.

1. Expand the **Quick setup settings** section and review the selected configurations, including domain name, domain execution role, domain service role, and domain data encryption information under **Domain resources**, user role policy, provisioning role, manage access role, Amazon S3 bucket for projects, and Virtual private cloud (VPC) information under **Data analytics, machine learning, and SQL analytics resources**, and the model provisioning role and model consumption role under **Generative AI resources**. Modify as needed or leave the defaults, and then choose **Continue**.

1. Expand the **Onboard your data - optional** section and review the selected configuration. This allows you to make your existing AWS data available and ready for use in Amazon SageMaker Unified Studio. You can specify where your data is stored (in the current release, AWS Glue (SageMaker Lakehouse) is supported), make your data discoverable by other users in the domain, and note the owner project that is auto-created for you, where this onboarded data will be accessible in Amazon SageMaker Unified Studio. For more information, see [Onboarding data in Amazon SageMaker Unified Studio](data-onboarding.md).

1. On the **Create IAM Identity Center user** page, create an SSO user (an IAM Identity Center account) or select an existing SSO user to log in to Amazon SageMaker Unified Studio. IAM roles that create Amazon SageMaker unified domains cannot log in to Amazon SageMaker Unified Studio. The SSO user selected here is used as the administrator in Amazon SageMaker Unified Studio.

1. Choose **Create domain**.

# Create an Amazon SageMaker Unified Studio domain - manual setup
<a name="create-domain-sagemaker-unified-studio-manual"></a>

Complete the following procedure to create an Amazon SageMaker Unified Studio domain with the Manual setup option.

1. Navigate to the Amazon SageMaker management console at [https://console.aws.amazon.com/datazone](https://console.aws.amazon.com/datazone) and use the region selector in the top navigation bar to choose the appropriate AWS Region.

1. Choose **Create a Unified Studio domain** and then choose **Manual setup**.

   With this option, you're choosing to create an Amazon SageMaker unified domain and you're taking full control over customizing your domain settings, including the following:
   + Customize data analytics, machine learning, SQL, Generative AI, and more
   + Data and AI governance
   + Configure Amazon Bedrock generative AI playgrounds and application development
   + Amazon Q - Free tier
   + Authentication via AWS IAM, AWS IAM Identity Center, or SAML

1. In **Name**, specify the domain name.

1. In **Description**, specify the domain description.

1. Under **Permissions**, specify the domain execution role. For more information, see [AmazonSageMakerDomainExecution role](AmazonSageMakerDomainExecution.md). 

1. Under **Permissions**, specify the domain service role. For more information, see [AmazonSageMakerDomainService role](AmazonSageMakerDomainService.md).

1. Under **Data encryption**, specify the data encryption settings. Your data is encrypted by default with a key that AWS owns and manages for you. To choose a different key, customize your encryption settings.

1. Under **Tags**, specify the tags for your domain.

1. Choose **Create domain**.

Once your domain is created, you can proceed to customizing your domain settings, including [SSO](user-management.md), [project profiles](project-profiles.md), [blueprints](blueprints.md), [account associations](associated-accounts.md), [Amazon Bedrock models](amazon-bedrock.md), [connections](git-connections.md), and [AmazonQ](amazonq.md). 

# Create an Amazon DataZone domain
<a name="create-domain-datazone"></a>

Complete the following procedure to create an Amazon DataZone domain from the Amazon SageMaker management console.

1. Navigate to the Amazon SageMaker management console at [https://console.aws.amazon.com/datazone](https://console.aws.amazon.com/datazone) and use the region selector in the top navigation bar to choose the appropriate AWS Region.

1. Choose **Create domain** and then choose **Create an Amazon DataZone domain** - choose this option if you want to create a new Amazon DataZone domain. For detailed steps on working with Amazon DataZone domains, including how to create Amazon DataZone domains, see [Domains and user access in Amazon DataZone](https://docs.aws.amazon.com/datazone/latest/userguide/working-with-domains-users.html). 

# Edit domains
<a name="edit-domain"></a>

After you create a domain, you can edit its description or further customize your domain settings, including [SSO](user-management.md), [project profiles](project-profiles.md), [blueprints](blueprints.md), [account associations](associated-accounts.md), [Amazon Bedrock models](amazon-bedrock.md), [connections](git-connections.md), and [AmazonQ](amazonq.md). 

To edit a domain, complete the following steps:

1. Navigate to the Amazon SageMaker management console at [https://console.aws.amazon.com/datazone](https://console.aws.amazon.com/datazone) and use the region selector in the top navigation bar to choose the appropriate AWS Region.

1. Choose **View domains** and choose the domain's name from the list. The name is a hyperlink.

1. On the details page for the domain, expand **Actions** and then choose **Edit**. You can use the **Edit domain** page to change the description or manage tags. Once you've made your edits, choose **Update domain**.

1. You can use the domain's details page to further customize your domain settings, including [SSO](user-management.md), [project profiles](project-profiles.md), [blueprints](blueprints.md), [account associations](associated-accounts.md), [Amazon Bedrock models](amazon-bedrock.md), [connections](git-connections.md), and [AmazonQ](amazonq.md). 

# Delete domains
<a name="delete-domain"></a>

Deleting a domain is final. Note also that not all items created by Amazon SageMaker Unified Studio are deleted with it. The following items can only be deleted in their service consoles:
+ AWS resources - except for this domain - will NOT be deleted.
+ Subscription grants will NOT be removed.
+ Resource shares of this domain to associated accounts will NOT be deleted.

To prevent someone from deleting a domain maliciously, deleting a domain requires administrative IAM permissions for Amazon SageMaker Unified Studio, which you can configure with IAM.

To delete a domain, complete the following procedure:

1. Navigate to the Amazon SageMaker management console at [https://console.aws.amazon.com/datazone](https://console.aws.amazon.com/datazone) and use the region selector in the top navigation bar to choose the appropriate AWS Region.

1. Choose **View domains** and choose the domain's name from the list. The name is a hyperlink.

1. On the details page for the domain, expand **Actions** and then choose **Delete**.

1. Deleting a domain cannot be undone. To proceed, confirm the deletion by typing the domain name in the text field, and then choose **Delete**.

# Upgrade Amazon DataZone domains to Amazon SageMaker unified domains
<a name="upgrade-domain"></a>

## Considerations before you upgrade your domain
<a name="upgrade-domain-consider"></a>

Before upgrading your Amazon DataZone domain to an Amazon SageMaker unified domain, review these important considerations to ensure a smooth upgrade process.
+ The upgrade process is available only through the AWS management console. Currently, no API support is offered for upgrading your domain. You can start the upgrade process from the domain details page of your Amazon DataZone domain.
+ The upgrade process requires the following roles to be configured (you can select existing roles or have Amazon SageMaker Unified Studio create the roles on your behalf):
  + Domain Execution role - for an Amazon DataZone domain, you're using the [AmazonDataZoneDomainExecutionRole](https://docs.aws.amazon.com/datazone/latest/userguide/AmazonDataZoneDomainExecutionRole.html) that is required by Amazon DataZone to catalog, discover, govern, share, and analyze data in your domain. With an Amazon SageMaker unified domain, you must either use an existing or create a new [AmazonSageMakerDomainExecution](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/AmazonSageMakerDomainExecution.html) role.
  + Domain Service role - Amazon DataZone does not require a Domain Service role. With an Amazon SageMaker unified domain, you must either use an existing or create a new [AmazonSageMakerDomainService](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/AmazonSageMakerDomainService.html) role. This is a service role for domain-level actions performed by Amazon SageMaker Unified Studio.
+ Root domain ownership considerations:
  + IAM users or SSO users/groups can be optionally assigned as root domain owners during the upgrade process.
  + If the root domain unit only has IAM roles assigned as owners, it is recommended that you add an IAM user or an SSO user/group as owner. For more information, see [User management](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/user-management.html) in the Amazon SageMaker Unified Studio Administrator Guide.
  + **Important**: IAM roles cannot log in to the Amazon SageMaker Unified Studio.
+ Associated accounts and AWS Resource Access Manager (AWS RAM) changes:
  + Associated accounts use resource shares from AWS RAM to permit API actions from the root domain account.
  + The upgrade process changes the underlying managed permissions for the AWS RAM share that is created and managed by Amazon DataZone. The affected managed permissions are `AWSRAMPermissionsAmazonDatazoneDomainExtendedServiceAccess` and `AWSRAMPermissionsAmazonDatazoneDomainExtendedServiceWithPortalAccess`.
+ Amazon Q subscription changes - the upgraded domain's Amazon Q subscription defaults to the free tier. Domain administrators can change this after the domain upgrade is complete.
+ After the upgrade, the domain's `domainVersion` attribute changes from `V1` to `V2`.

## Upgrade your Amazon DataZone domain to an Amazon SageMaker unified domain
<a name="upgrade-domain-procedure"></a>

For detailed steps on how to start the domain upgrade process, see [Upgrade Amazon DataZone domains to Amazon SageMaker unified domains](https://docs.aws.amazon.com/datazone/latest/userguide/upgrade-domain.html).

## Frequently asked questions about upgrading Amazon DataZone domains to Amazon SageMaker unified domains
<a name="upgrade-domain-faq"></a>
+ **Which properties and configurations carry over with the domain after the upgrade?**

  All properties configured on the Amazon DataZone domain carry over to the upgraded Amazon SageMaker unified domain. This includes data encryption properties, authentication application properties, etc.
+ **Do I need to set up single sign-on (SSO) access again for my users?**

  No. Your IAM Identity Center SSO application associated to the domain will carry over to the upgraded Amazon SageMaker unified domain. Additionally, any IAM user or role assigned to the domain will be available in the upgraded Amazon SageMaker unified domain.
+ **Can I still use the Amazon DataZone portal after the upgrade?**

  Yes. After the upgrade, both the Amazon DataZone portal and Amazon SageMaker Unified Studio will be available for end users to interact with. Both portals will remain open until a domain administrator deactivates the Amazon DataZone portal from the Amazon SageMaker management console.
+ **Will I see the projects and other entities that were created in the Amazon DataZone portal in Amazon SageMaker Unified Studio?**

  Yes. Most entities (projects, metadata forms, glossaries, domain units) created through the Amazon DataZone portal will be visible in Amazon SageMaker Unified Studio. Projects will carry over all assets, metadata forms and glossaries associated to assets, subscriptions to assets, members, etc. These projects require querying the data from the Amazon Athena or Amazon Redshift query editors. Metadata forms and glossaries will appear in Amazon SageMaker Unified Studio, and they can be edited from Amazon SageMaker and assigned to assets from projects created through Amazon SageMaker. Environments and environment profiles from Amazon DataZone will not show in Amazon SageMaker Unified Studio; these entities have been replaced by Amazon SageMaker project profiles. Projects created in Amazon SageMaker Unified Studio will not be visible through the Amazon DataZone portal.
+ **What happens to the domain identifier and the project identifiers after the upgrade to Amazon SageMaker unified domain?**

  All entity identifiers, including the domain and projects, will remain the same after the upgrade.
+ **Will my AWS CloudFormation (CFN) stacks continue to work for the newly upgraded Amazon SageMaker unified domain?**

  Amazon SageMaker Unified Studio uses the same APIs as Amazon DataZone. However, some modifications to the logic within CFN templates will be needed. For example, domains from Amazon DataZone are distinguished from Amazon SageMaker unified domains by an attribute named `domainVersion` (values `V1` or `V2`).
+ **What happens when the upgrade is rolled back?**
  + Rolling back the upgrade changes the domain version from `V2` to `V1`. Amazon SageMaker Unified Studio will no longer be accessible. The console view for the domain will return to the Amazon DataZone view. Resources created before the rollback will remain so long as they are not tied to a project that was created from Amazon SageMaker Unified Studio; rolling back is only permitted when no projects that were created from within Amazon SageMaker Unified Studio are present.
  + Settings such as the Amazon Q subscription will also persist after the rollback.
  + If VPCs were created for the use of Amazon SageMaker, these will persist after the rollback. VPCs created by the SageMaker service have the tag `Name = SageMakerUnifiedStudioVPC`.
  + The managed permission under the AWS RAM resource share will not be rolled back. The managed permission is a superset of the permissions needed by both Amazon DataZone and Amazon SageMaker Unified Studio.
  + A domain that has been rolled back can be upgraded again to an Amazon SageMaker unified domain.

# Trusted identity propagation
<a name="trusted-identity-propagation"></a>

Trusted identity propagation in IAM Identity Center enables administrators of AWS services to grant permissions based on user attributes, such as user ID or group associations. With trusted identity propagation, identity context is added to an IAM role to identify the user requesting access to AWS resources. This context is propagated to other AWS services. 

Starting on 9/30/2025, Amazon SageMaker Unified Studio supports trusted identity propagation for tasks that include Amazon Athena, Amazon Redshift, AWS Glue, Amazon EMR on EC2, and Amazon EMR Serverless. To enable trusted identity propagation within your Amazon SageMaker unified domains, you can do either of the following: 
+ [Create a new Amazon SageMaker unified domain](create-domain-sagemaker-unified-studio-manual.md) - from 9/30/2025 and beyond, all newly created Amazon SageMaker unified domains support trusted identity propagation with IdC for tasks that include Amazon Athena, Amazon Redshift, AWS Glue, Amazon EMR on EC2, and Amazon EMR Serverless. Other than creating a new domain, no further action is required from the administrator to configure trusted identity propagation for their new domain. 
+ Update your existing Amazon SageMaker unified domain - if your domain was created prior to 9/30/2025, navigate to your domain's details page and locate the update notification banner. To update your domain to support Trusted Identity Propagation in AWS Glue, Amazon EMR on EC2, and Amazon EMR Serverless as well as Amazon Athena and Amazon Redshift, choose the **Update now** button.

Once this update is complete, you must set the `enableTrustedIdentityPropagationPermissions` property in your project profile's default Tooling blueprint. To do this, complete the following procedure:

1. Navigate to the Amazon SageMaker management console at [https://console.aws.amazon.com/datazone](https://console.aws.amazon.com/datazone) and use the region selector in the top navigation bar to choose the appropriate AWS Region.

1. Choose the domain that contains the project profile whose Tooling blueprint you want to update.

1. Choose the **Project profiles** tab and then choose the project profile that you want to update.

1. In the project profile details page, choose **Edit**.

1. On the project profile's edit page, in the **Tooling blueprint parameters** section, choose the **enableTrustedIdentityPropagationPermissions** parameter and then choose **Edit**. 

1. On the **Edit blueprint parameter** page, set the **enableTrustedIdentityPropagationPermissions** parameter value to **True**. 

1. Optional - to enforce authorization based on trusted identity propagation identity, you can make the **enableTrustedIdentityPropagationPermissions** parameter non-editable by unchecking the **Editable** checkbox under **Editable value**.

1. Choose **Save** in the **Edit blueprint parameter** page.

**Important**  
In the current release, trusted identity propagation within Amazon SageMaker unified domains is only supported for SQL analytics, interactive Spark sessions, and end-to-end machine learning lifecycle tasks with Amazon Athena, Amazon Redshift, AWS Glue, Amazon EMR on EC2, and Amazon EMR Serverless. Therefore, even though you can set the `enableTrustedIdentityPropagationPermissions` parameter value to `True` in the Tooling blueprint of any of your project profiles, such as All capabilities, Generative AI application development, SQL analytics, or any custom project profile, trusted identity propagation and authorization based on trusted identity propagation is only supported for the Amazon Athena, Amazon Redshift, AWS Glue, Amazon EMR on EC2, and Amazon EMR Serverless tools within the chosen project profile.  
We recommend creating a dedicated project profile for the tools that support trusted identity propagation and setting `enableTrustedIdentityPropagationPermissions` to `True`. This approach clearly establishes trusted identity propagation as the data authorization method for all projects using this profile.

# IAM-based domains and projects
<a name="iam-based-domains"></a>

IAM-based domains in Amazon SageMaker Unified Studio provide another configuration option to set up and manage your data and AI development environment. IAM-based domains automate creation of an Amazon SageMaker Unified Studio domain using AWS Identity and Access Management (IAM) roles, and also use IAM roles to access data and resources for a project within an IAM-based domain.

**Note**  
A project in Amazon SageMaker Unified Studio is a boundary within a domain where you can collaborate with other users to work on a business use case. In projects, you can create and share data and resources. For more details, see [Projects](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/userguide/projects.html).

By default, Amazon SageMaker Unified Studio will create a domain configured with an AWS IAM role. You can use an existing IAM role or choose to create a new IAM role for the domain setup. Projects within this IAM-based domain also use an IAM role to access data and infrastructure within Amazon SageMaker Unified Studio. In addition, each project is assigned an IAM role for login; this federated IAM role is used to authenticate and access the assigned IAM project. Only one IAM-based domain is available per AWS Account per region. Each IAM-based domain supports multiple projects, and each project can be assigned to only one IAM role for authentication and execution.

Amazon SageMaker Unified Studio also supports domains configured with AWS IAM Identity Center (IdC). Projects within this Identity Center-based domain use the project role to access data and resources, or identity-based data authorization using AWS IAM trusted identity propagation. End users log in using their identity provided directly by Identity Center or through SSO to an identity provider. Additional details on setting up an Identity Center-based domain are available in [Identity Center-based domains](identity-center-based-domains.md).

**Topics**
+ [Overview of IAM-based domains](iam-based-domains-overview.md)
+ [Set up IAM-based domains in Amazon SageMaker Unified Studio](setup-iam-based-domains.md)
+ [Manage data encryption in IAM-based domains](manage-data-encryption-iam-based-domains.md)
+ [Access the Domain Administration Page](access-domain-administration-page.md)
+ [Configure VPC Networking for Amazon SageMaker Unified Studio Domain](vpc-networking-iam-based-domains.md)
+ [Manage Projects from Domain Administration](manage-projects-domain-administration.md)
+ [Configure Domain Settings](configure-domain-settings-iam-based.md)
+ [Projects in IAM-based domains](projects-iam-based-domains.md)

# Overview of IAM-based domains
<a name="iam-based-domains-overview"></a>

IAM-based domains provide the following capabilities:
+ Setup using existing IAM roles and resources
+ Authentication through federated IAM roles used for login
+ Project creation and management interface within Amazon SageMaker Unified Studio

IAM-based domains require two IAM roles to function properly:

Login IAM role  
This role authenticates users and provides access to Amazon SageMaker Unified Studio. The login role must have specific managed policies attached and inline policies configured to enable domain and project operations. Users assume this role to access the project assigned to it when they open the Amazon SageMaker Unified Studio interface.

Execution IAM role  
This role defines the AWS services and data that can be accessed through Amazon SageMaker Unified Studio projects. The execution role determines which tools, compute resources, data sources, and AI/ML assets project members can access. Amazon SageMaker Unified Studio assumes this role to make service calls on behalf of users within projects.

**Note**  
The Execution IAM role can be the same IAM role as the Login IAM role.

Both roles require specific policy attachments and trust relationships to function correctly within the IAM-based domain architecture. The system validates these permissions during setup and provides guidance for any missing configurations.

Considerations:
+ For the role used as the admin Login IAM role, consider a role with a smaller population of users who will be responsible for administering the domain.
+ For the role used as the admin Execution IAM role, again consider a role with a smaller population of users because the role will grant access to a broader set of data within the account. A default project will be created for this Execution IAM role. Consider a role that has access to the appropriate data resources (Glue, Athena, etc.). This role will automatically be assigned AWS Lake Formation administrator permission enabling further data access.

# Set up IAM-based domains in Amazon SageMaker Unified Studio
<a name="setup-iam-based-domains"></a>

Setting up an IAM-based domain in Amazon SageMaker Unified Studio requires IAM roles for domain administration tasks. The setup process validates your IAM role configurations and guides you through any necessary policy attachments. You can choose to create a new execution IAM role with default permissions or use existing roles that meet the service requirements.

In addition, you must choose encryption settings before you can complete setup. The setup typically completes in minutes and automatically provisions the required AWS resources.

**Prepare the Login IAM role for your IAM-based domain:**

1. Log in to the IAM role (defined in [Overview of IAM-based domains](iam-based-domains-overview.md)) that has the AWS IAM administrator privileges defined in the prerequisites.

1. Navigate to the IAM console.

1. Choose **Add permission** followed by **Attach policy** and search for the managed policy `SageMakerStudioAdminIAMConsolePolicy`. Select it to add it to your existing role.

1. Do one of the following:
   + Add the following inline policy to your Login IAM role if you are choosing to use a new role as the Execution IAM role:

     ```
     {
         "Version": "2012-10-17",
         "Statement": [
             {
                 "Sid": "CreateRoleStatement",
                 "Effect": "Allow",
                 "Action": [
                     "iam:CreatePolicy",
                     "iam:CreateRole"
                 ],
                 "Resource": [
                     "arn:aws:iam::*:policy/service-role/AmazonSageMaker*",
                     "arn:aws:iam::*:role/service-role/AmazonSageMaker*"
                 ]
             },
             {
                 "Sid": "AttachRolePolicyStatement",
                 "Effect": "Allow",
                 "Action": "iam:AttachRolePolicy",
                 "Resource": "arn:aws:iam::*:role/service-role/AmazonSageMaker*",
                 "Condition": {
                     "ArnLike": {
                         "iam:PolicyARN": [
                             "arn:aws:iam::aws:policy/SageMakerStudio*",
                             "arn:aws:iam::*:policy/service-role/AmazonSageMaker*"
                         ]
                     }
                 }
             }
         ]
     }
     ```
   + Add the following inline policy to your Login IAM role if you are choosing to use an existing role as the Execution IAM role:

     ```
     {
         "Version": "2012-10-17",
         "Statement": [
             {
                 "Sid": "IAMPassRoleStatement",
                 "Effect": "Allow",
                 "Action": "iam:PassRole",
                 "Resource": [
                     "arn:aws:iam::*:role/<execution_role>"
                 ],
                 "Condition": {
                     "StringEquals": {
                         "iam:PassedToService": [
                             "datazone.amazonaws.com"
                         ]
                     }
                 }
             }
         ]
     }
     ```

1. Add the following inline policy to your Login and Execution IAM roles to enable KMS key usage.

   ```
   {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Sid": "KMSDescribePermissions",
               "Effect": "Allow",
               "Action": "kms:DescribeKey",
               "Resource": [
                   "<KmsKeyArn>"
               ]
           },
           {
               "Sid": "KMSPermissions",
               "Effect": "Allow",
               "Action": [
                   "kms:Decrypt",
                   "kms:GenerateDataKey"
               ],
               "Resource": [
                   "<KmsKeyArn>"
               ],
               "Condition": {
                   "ForAnyValue:StringEquals": {
                       "kms:EncryptionContextKeys": "aws:datazone:domainId"
                   }
               }
           }
       ]
   }
   ```

**Prepare the Execution IAM role for your IAM-based domain:**

Amazon SageMaker Unified Studio provides two methods to configure the Execution IAM role (defined in [Overview of IAM-based domains](iam-based-domains-overview.md)). First, you can choose to create a new Execution IAM role for your IAM-based domain. Choosing this option creates a new role with default permissions and policies to administer your IAM-based domain. This auto-created role will contain the following permission details:

1. Managed policy: Data access and permission will be defined by `SageMakerStudioAdminIAMPermissiveExecutionPolicy`. It will not have the data access of the login

1. Add the following trust policy to allow Amazon SageMaker Unified Studio and related services to assume this Execution IAM role.

   ```
   {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Effect": "Allow",
               "Principal": {
                   "Service": [
                       "datazone.amazonaws.com",
                       "sagemaker.amazonaws.com",
                       "glue.amazonaws.com",
                       "bedrock.amazonaws.com",
                       "scheduler.amazonaws.com",
                       "lakeformation.amazonaws.com",
                       "airflow-serverless.amazonaws.com",
                       "athena.amazonaws.com",
                       "redshift.amazonaws.com",
                       "emr-serverless.amazonaws.com"
                   ]
               },
               "Action": [
                   "sts:AssumeRole",
                   "sts:TagSession",
                   "sts:SetContext",
                   "sts:SetSourceIdentity"
               ],
               "Condition": {
                   "StringEquals": {
                       "aws:SourceAccount": "<domain_account>"
                   }
               }
           }
       ]
   }
   ```

1. AWS Lake Formation administrator: This role will be assigned as an administrator to enable data discovery and access management.

Alternatively, Amazon SageMaker Unified Studio can use an existing IAM role as the Execution IAM role for your IAM-based domain. Choosing this option requires additional permissions and policies to be added to your existing IAM role to administer your IAM-based domain.

1. Log in to the IAM role with AWS IAM administrator privileges defined in the prerequisites.

1. Navigate to the IAM console.

1. Choose **Add permission** followed by **Attach policy** and search for the managed policy `SageMakerStudioAdminIAMDefaultExecutionPolicy`. Select it to add it to your existing role.

1. Add the following inline policy to allow this role to pass itself to other services.

   ```
   {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Sid": "PassRoleSelf",
               "Effect": "Allow",
               "Action": "iam:PassRole",
               "Resource": [
                   "arn:aws:iam::*:role/<role_name>"
               ],
               "Condition": {
                   "StringEquals": {
                       "iam:PassedToService": [
                           "sagemaker.amazonaws.com",
                           "glue.amazonaws.com",
                           "lakeformation.amazonaws.com",
                           "bedrock.amazonaws.com",
                           "scheduler.amazonaws.com",
                           "airflow-serverless.amazonaws.com",
                           "athena.amazonaws.com",
                           "redshift.amazonaws.com",
                           "emr-serverless.amazonaws.com"
                       ]
                   }
               }
           }
       ]
   }
   ```

1. Add the following trust policy to allow Amazon SageMaker Unified Studio and related services to assume this Execution IAM role.

   ```
   {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Effect": "Allow",
               "Principal": {
                   "Service": [
                       "datazone.amazonaws.com",
                       "sagemaker.amazonaws.com",
                       "glue.amazonaws.com",
                       "bedrock.amazonaws.com",
                       "scheduler.amazonaws.com",
                       "lakeformation.amazonaws.com",
                       "airflow-serverless.amazonaws.com",
                       "athena.amazonaws.com",
                       "redshift.amazonaws.com",
                       "emr-serverless.amazonaws.com"
                   ]
               },
               "Action": [
                   "sts:AssumeRole",
                   "sts:TagSession",
                   "sts:SetContext",
                   "sts:SetSourceIdentity"
               ],
               "Condition": {
                   "StringEquals": {
                       "aws:SourceAccount": "<domain_account>"
                   }
               }
           }
       ]
   }
   ```

1. Recommended: Navigate to AWS Lake Formation and grant this role AWS Lake Formation administrator permission to enable data discovery and access management within the domain.
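The two policies in the procedure above are where the security of an existing Execution IAM role is decided: the trust policy's `aws:SourceAccount` condition keeps services acting for resources in other accounts from assuming the role (the confused-deputy guard), and the `PassRoleSelf` policy should let the role be passed only to the listed services and only as itself. The following Python is an added example, not code from the documentation or the product: it checks policy documents offline against that documented shape. The account ID `123456789012` and the role name `UnifiedStudioExecutionRole` are constructed samples standing in for `<domain_account>` and `<role_name>`.

```python
"""Offline checks for an Execution IAM role's trust policy and PassRole policy.

Added example (not code from the SageMaker Unified Studio documentation).
The account ID and role name are constructed samples; the policy documents are
the ones shown in the procedure with their placeholders filled in.
"""

# Service principals the documented trust policy lists.
TRUST_SERVICES = {
    "datazone.amazonaws.com", "sagemaker.amazonaws.com", "glue.amazonaws.com",
    "bedrock.amazonaws.com", "scheduler.amazonaws.com",
    "lakeformation.amazonaws.com", "airflow-serverless.amazonaws.com",
    "athena.amazonaws.com", "redshift.amazonaws.com", "emr-serverless.amazonaws.com",
}
TRUST_ACTIONS = {"sts:AssumeRole", "sts:TagSession", "sts:SetContext", "sts:SetSourceIdentity"}
# The documented PassRoleSelf policy lists every trust service except datazone.
PASSROLE_SERVICES = TRUST_SERVICES - {"datazone.amazonaws.com"}

ACCOUNT = "123456789012"                                               # constructed sample
ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/UnifiedStudioExecutionRole"   # constructed name


def _as_list(value):
    """IAM accepts a scalar or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_trust_policy(policy, domain_account):
    """Return findings; an empty list means the policy matches the documented shape.

    Every Allow statement must carry the aws:SourceAccount condition. Without it,
    a trusted service acting for a resource in another account could assume the
    role (the confused-deputy problem the condition exists to prevent).
    """
    findings, trusted, actions = [], set(), set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if principal == "*" or principal.get("AWS") == "*":
            findings.append("wildcard principal: any AWS principal could attempt AssumeRole")
            continue
        trusted.update(_as_list(principal.get("Service")))
        actions.update(_as_list(stmt.get("Action")))
        source = stmt.get("Condition", {}).get("StringEquals", {}).get("aws:SourceAccount")
        if source is None:
            findings.append("statement without aws:SourceAccount condition (confused-deputy guard missing)")
        elif set(_as_list(source)) != {domain_account}:
            findings.append(f"aws:SourceAccount is {source!r}, expected {domain_account!r}")
    findings += [f"missing trusted service: {s}" for s in sorted(TRUST_SERVICES - trusted)]
    findings += [f"missing action: {a}" for a in sorted(TRUST_ACTIONS - actions)]
    return findings


def check_passrole_policy(policy, role_arn, allowed_services):
    """Verify iam:PassRole is limited to this one role and to the expected services."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "iam:PassRole" not in _as_list(stmt.get("Action")):
            continue
        resources = set(_as_list(stmt.get("Resource")))
        if resources != {role_arn}:
            findings.append(f"iam:PassRole resource is {sorted(resources)}, expected only {role_arn}")
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        passed_to = set(_as_list(cond.get("iam:PassedToService")))
        if not passed_to:
            findings.append("iam:PassRole without iam:PassedToService: the role could be passed to any service")
        elif not passed_to <= allowed_services:
            findings.append(f"iam:PassRole allowed to unexpected services: {sorted(passed_to - allowed_services)}")
    return findings


# Trust policy from the procedure, <domain_account> filled with the sample account.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": sorted(TRUST_SERVICES)},
        "Action": sorted(TRUST_ACTIONS),
        "Condition": {"StringEquals": {"aws:SourceAccount": ACCOUNT}},
    }],
}
# PassRoleSelf inline policy from the procedure, <role_name> filled with the sample role.
PASSROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PassRoleSelf",
        "Effect": "Allow",
        "Action": "iam:PassRole",
        "Resource": [ROLE_ARN],
        "Condition": {"StringEquals": {"iam:PassedToService": sorted(PASSROLE_SERVICES)}},
    }],
}


def without_source_account(policy):
    """Copy of a trust policy with its Condition blocks removed (a weakened variant to test against)."""
    stmts = [{k: v for k, v in s.items() if k != "Condition"} for s in policy["Statement"]]
    return {"Version": policy["Version"], "Statement": stmts}


if __name__ == "__main__":
    print("trust policy:", check_trust_policy(TRUST_POLICY, ACCOUNT) or "OK")
    print("weakened trust policy:", check_trust_policy(without_source_account(TRUST_POLICY), ACCOUNT))
    print("passrole policy:", check_passrole_policy(PASSROLE_POLICY, ROLE_ARN, PASSROLE_SERVICES) or "OK")
```

To run it against a live role, fetch the documents with `iam:GetRole` (the `AssumeRolePolicyDocument` field) and `iam:GetRolePolicy`, then pass the parsed JSON to the two functions; the checks themselves need no AWS access.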

**Create Your Domain:**

1. Log in to the AWS Management Console and choose the Login IAM role (defined in [Overview of IAM-based domains](iam-based-domains-overview.md)) you created for the Administrator.

1. Navigate to the Amazon SageMaker console and use the region selector to choose your desired AWS Region.

1. Choose **Get started** from the Amazon SageMaker Unified Studio section.

1. You should see a screen with the title **Set up Amazon SageMaker Unified Studio**.

1. Choose and select the Execution IAM role for the Admin.

1. **Setup S3 table integration with AWS analytics services**. This option is enabled by default, and will allow Amazon SageMaker Unified Studio to access table buckets and integrate the table buckets with AWS analytics services using AWS Glue. If S3 Tables analytics integration has already been configured in your account and Region (that is, the `s3tablescatalog` already exists in the AWS Glue Data Catalog), this option will not be shown. [Learn more](https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-tables-integrating-aws.html).

1. In the **Data encryption** section, configure your encryption preferences:
   + Leave **Customize encryption settings (advanced)** unchecked to use AWS-managed encryption
   + Check **Customize encryption settings (advanced)** to specify a custom AWS KMS key

   If using custom encryption, see [Manage data encryption in IAM-based domains](manage-data-encryption-iam-based-domains.md)

1. Choose **Set up** to begin the domain creation process.

1. Monitor the setup progress in the **Setting up Amazon SageMaker Unified Studio** dialog. The process typically takes 1-2 minutes to complete.

1. Once the setup is completed, a project will automatically be created using the same Execution role. You will then be redirected to the Administrative pages for managing the domain. See [Access the Domain Administration Page](access-domain-administration-page.md) for details.

1. You can also access the project associated with your Login IAM role by choosing the first project. See **Navigating within Amazon SageMaker Unified Studio** for details.

**Note**  
To add more IAM roles to the IAM-based domain, you can create new projects using the IAM role as the Login IAM role. See additional details to set up [Projects in IAM-based domains](projects-iam-based-domains.md).

Amazon SageMaker Unified Studio also supports domains configured with AWS IAM Identity Center (IdC). Additional details to set up an Identity Center-based domain are available in [Identity Center-based domains](identity-center-based-domains.md).

# Manage data encryption in IAM-based domains
<a name="manage-data-encryption-iam-based-domains"></a>

Data encryption in IAM-based domains protects your data at rest and in transit within Amazon SageMaker Unified Studio. You can choose between AWS-managed encryption keys for simplified management or customer-managed AWS KMS keys for enhanced control over encryption operations. Encryption settings are configured during domain setup and cannot be changed after domain creation.

AWS-managed encryption provides automatic key management with no additional configuration required. Customer-managed encryption enables you to control key policies, rotation schedules, and access permissions while requiring additional IAM policy configuration for your roles.

All data stored in the default Amazon S3 bucket created by Amazon SageMaker Unified Studio is encrypted according to your chosen encryption configuration. The encryption settings apply to all projects and resources within the domain.

Prerequisites:
+ Understanding of AWS KMS key management concepts
+ Appropriate IAM permissions to use or create KMS keys
+ Decision on encryption approach based on your security requirements

Configure AWS-managed encryption (default):

1. During domain setup, leave the **Customize encryption settings (advanced)** option unchecked.

1. The system automatically configures encryption using AWS-owned and managed keys.

1. No additional IAM policy configuration is required for AWS-managed encryption.

Configure customer-managed encryption:

1. During domain setup, check **Customize encryption settings (advanced)**.

1. Choose **Choose an AWS KMS key** and select one of the following options:
   + Select an existing KMS key from the dropdown menu
   + Enter a KMS key ARN directly in the text field
   + Choose **Create new KMS Key** to create a new key

1. If creating a new key, configure the key policy to allow access from your IAM roles.

1. Add the following inline policy to your Login and Execution IAM roles to enable KMS key usage.

   ```
   {
       "Version": "2012-10-17",
       "Id": "key-consolepolicy",
       "Statement": [
           {
               "Sid": "ListAndDescribe",
               "Effect": "Allow",
               "Principal": {
                   "AWS": "arn:aws:iam::<account>:root"
               },
               "Action": [
                   "kms:DescribeKey",
                   "kms:ListAliases",
                   "kms:ListGrants"
               ],
               "Resource": "*",
               "Condition": {
                   "ArnLike": {
                       "aws:PrincipalArn": [
                           "arn:aws:iam::<account>:role/service-role/AmazonSageMaker*",
                           "arn:aws:iam::<account>:role/<role_name>"
                       ]
                   }
               }
           },
           {
               "Sid": "CloudWatchLogs",
               "Effect": "Allow",
               "Principal": { "Service": "logs.<region>.amazonaws.com" },
               "Action": [
                   "kms:Encrypt*",
                   "kms:Decrypt*",
                   "kms:ReEncrypt*",
                   "kms:GenerateDataKey*",
                   "kms:Describe*"
               ],
               "Resource": "*",
               "Condition": {
                   "ArnLike": {
                       "kms:EncryptionContext:aws:logs:arn": "arn:aws:logs:*:*:log-group:/aws/mwaa-serverless/*"
                   }
               }
           },
           {
               "Sid": "S3Table",
               "Effect": "Allow",
               "Principal": {
                   "Service": "maintenance.s3tables.amazonaws.com"
               },
               "Action": [
                   "kms:GenerateDataKey",
                   "kms:Decrypt"
               ],
               "Resource": "*"
           },
           {
               "Sid": "DataZone",
               "Effect": "Allow",
               "Principal": {
                   "AWS": "arn:aws:iam::<account>:root"
               },
               "Action": [
                   "kms:Decrypt",
                   "kms:GenerateDataKey",
                   "kms:Encrypt",
                   "kms:GenerateDataKeyWithoutPlaintext",
                   "kms:ReEncryptTo",
                   "kms:ReEncryptFrom"
               ],
               "Resource": "*",
               "Condition": {
                   "ForAnyValue:StringEquals": {
                       "kms:EncryptionContextKeys": "aws:datazone:domainId"
                   },
                   "ArnLike": {
                       "aws:PrincipalArn": [
                           "arn:aws:iam::<account>:role/service-role/AmazonSageMaker*",
                            "arn:aws:iam::<account>:role/<role_name>"
                       ]
                   }
               }
           },
           {
               "Sid": "S3Kms",
               "Effect": "Allow",
               "Principal": {
                   "AWS": "arn:aws:iam::<account>:root"
               },
               "Action": [
                   "kms:Decrypt",
                   "kms:GenerateDataKey"
               ],
               "Resource": "*",
               "Condition": {
                   "StringLike": {
                       "kms:ViaService": "s3.*.amazonaws.com"
                   },
                   "Null": {
                       "kms:EncryptionContext:aws:s3:arn": "false"
                   },
                   "ArnLike": {
                       "aws:PrincipalArn": [
                           "arn:aws:iam::<account>:role/service-role/AmazonSageMaker*",
                           "arn:aws:iam::<account>:role/<role_name>"
                       ]
                   }
               }
           },
           {
               "Sid": "SchedulerKms",
               "Effect": "Allow",
               "Principal": {
                   "AWS": "arn:aws:iam::<account>:root"
               },
               "Action": [
                   "kms:Decrypt",
                   "kms:GenerateDataKey"
               ],
               "Resource": "*",
               "Condition": {
                   "Null": {
                       "kms:EncryptionContext:aws:scheduler:schedule:arn": "false"
                   },
                   "ArnLike": {
                       "aws:PrincipalArn": [
                           "arn:aws:iam::<account>:role/service-role/AmazonSageMaker*",
                           "arn:aws:iam::<account>:role/<role_name>"
                       ]
                   }
               }
           },
           {
               "Sid": "SecretsKms",
               "Effect": "Allow",
               "Principal": {
                   "AWS": "arn:aws:iam::<account>:root"
               },
               "Action": [
                   "kms:Decrypt",
                   "kms:Encrypt",
                   "kms:GenerateDataKey"
               ],
               "Resource": "*",
               "Condition": {
                   "StringLike": {
                       "kms:ViaService": "secretsmanager.*.amazonaws.com"
                   },
                   "Null": {
                       "kms:EncryptionContext:SecretARN": "false"
                   },
                   "ArnLike": {
                       "aws:PrincipalArn": [
                           "arn:aws:iam::<account>:role/service-role/AmazonSageMaker*",
                           "arn:aws:iam::<account>:role/<role_name>"
                       ]
                   }
               }
           },
           {
               "Sid": "SageMakerKms",
               "Effect": "Allow",
               "Principal": {
                   "AWS": "arn:aws:iam::<account>:root"
               },
               "Action": [
                   "kms:Decrypt",
                   "kms:Encrypt",
                   "kms:GenerateDataKey",
                   "kms:GenerateDataKeyWithoutPlaintext",
                   "kms:ReEncryptTo",
                   "kms:ReEncryptFrom"
               ],
               "Resource": "*",
               "Condition": {
                   "StringLike": {
                       "kms:ViaService": "sagemaker.*.amazonaws.com"
                   },
                   "Null": {
                       "kms:EncryptionContextKeys": "false"
                   },
                   "ArnLike": {
                       "aws:PrincipalArn": [
                           "arn:aws:iam::<account>:role/service-role/AmazonSageMaker*",
                           "arn:aws:iam::<account>:role/<role_name>"
                       ]
                   }
               }
           },
           {
               "Sid": "SageMakerCreateGrant",
               "Effect": "Allow",
               "Principal": {
                   "AWS": "arn:aws:iam::<account>:root"
               },
               "Action": [
                   "kms:CreateGrant"
               ],
               "Resource": "*",
               "Condition": {
                   "StringLike": {
                       "kms:ViaService": "sagemaker.*.amazonaws.com"
                   },
                   "ArnLike": {
                       "aws:PrincipalArn": [
                           "arn:aws:iam::<account>:role/service-role/AmazonSageMaker*",
                           "arn:aws:iam::<account>:role/<role_name>"
                       ]
                   }
               }
           },
           {
               "Sid": "DataZoneCreateGrant",
               "Effect": "Allow",
               "Principal": {
                   "AWS": "arn:aws:iam::<account>:root"
               },
               "Action": [
                   "kms:CreateGrant"
               ],
               "Resource": "*",
               "Condition": {
                   "StringLike": {
                       "kms:ViaService": "datazone.*.amazonaws.com"
                   },
                   "ArnLike": {
                       "aws:PrincipalArn": [
                           "arn:aws:iam::<account>:role/service-role/AmazonSageMaker*",
                           "arn:aws:iam::<account>:role/<role_name>"
                       ]
                   },
                   "ForAllValues:StringEquals": {
                       "kms:GrantOperations": [
                           "Encrypt",
                           "Decrypt",
                           "ReEncryptFrom",
                           "ReEncryptTo",
                           "GenerateDataKeyWithoutPlaintext",
                           "GenerateDataKey",
                           "DescribeKey",
                           "RetireGrant",
                           "CreateGrant"
                       ]
                   }
               }
           },
           {
               "Sid": "GlueKms",
               "Effect": "Allow",
               "Principal": {
                   "AWS": "arn:aws:iam::<account>:root"
               },
               "Action": [
                   "kms:Decrypt",
                   "kms:Encrypt",
                   "kms:GenerateDataKey",
                   "kms:GenerateDataKeyWithoutPlaintext"
               ],
               "Resource": "*",
               "Condition": {
                   "StringLike": {
                       "kms:ViaService": "glue.*.amazonaws.com"
                   },
                   "Null": {
                       "kms:EncryptionContextKeys": "false"
                   },
                   "ArnLike": {
                       "aws:PrincipalArn": [
                           "arn:aws:iam::<account>:role/service-role/AmazonSageMaker*",
                           "arn:aws:iam::<account>:role/<role_name>"
                       ]
                   }
               }
           },
           {
               "Sid": "BedrockKms",
               "Effect": "Allow",
               "Principal": {
                   "AWS": "arn:aws:iam::<account>:root"
               },
               "Action": [
                   "kms:Decrypt",
                   "kms:GenerateDataKey"
               ],
               "Resource": "*",
               "Condition": {
                   "StringLike": {
                       "kms:ViaService": "bedrock.*.amazonaws.com"
                   },
                   "Null": {
                       "kms:EncryptionContextKeys": "false"
                   },
                   "ArnLike": {
                       "aws:PrincipalArn": [
                           "arn:aws:iam::<account>:role/service-role/AmazonSageMaker*",
                           "arn:aws:iam::<account>:role/<role_name>"
                       ]
                   }
               }
           },
           {
               "Sid": "WorkflowsCreateGrant",
               "Effect": "Allow",
               "Principal": {
                   "AWS": "arn:aws:iam::<account>:root"
               },
               "Action": [
                   "kms:CreateGrant"
               ],
               "Resource": "*",
               "Condition": {
                   "StringLike": {
                       "kms:ViaService": "airflow-serverless.*.amazonaws.com"
                   },
                   "ForAnyValue:StringEquals": {
                       "kms:EncryptionContextKeys": "aws:airflow-serverless:workflow-arn"
                   },
                   "ForAllValues:StringEquals": {
                       "kms:GrantOperations": [
                           "Decrypt",
                           "Encrypt",
                           "GenerateDataKey",
                           "GenerateDataKeyWithoutPlaintext",
                           "RetireGrant"
                       ]
                   },
                   "ArnLike": {
                       "aws:PrincipalArn": [
                           "arn:aws:iam::<account>:role/service-role/AmazonSageMaker*",
                           "arn:aws:iam::<account>:role/<role_name>"
                       ]
                   }
               }
           },
           {
               "Sid": "WorkflowsKms",
               "Effect": "Allow",
               "Principal": {
                   "AWS": "arn:aws:iam::<account>:root"
               },
               "Action": [
                   "kms:Decrypt",
                   "kms:Encrypt",
                   "kms:GenerateDataKey",
                   "kms:GenerateDataKeyWithoutPlaintext"
               ],
               "Resource": "*",
               "Condition": {
                   "ForAnyValue:StringEquals": {
                       "kms:EncryptionContextKeys": "aws:airflow-serverless:workflow-arn"
                   },
                   "ArnLike": {
                       "aws:PrincipalArn": [
                           "arn:aws:iam::<account>:role/service-role/AmazonSageMaker*",
                           "arn:aws:iam::<account>:role/<role_name>"
                       ]
                   }
               }
           }
       ]
   }
   ```

1. Replace the resource ARN with your actual KMS key ARN.

1. Complete the domain setup process with your encryption configuration.

**Warning**  
Encryption settings cannot be modified after domain creation. Choose your encryption approach carefully based on your long-term security requirements.
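Every statement in the key policy above that names the account root as principal also carries an `aws:PrincipalArn` condition. That pairing matters: a root principal delegates the decision to IAM, so without the condition any principal in the account whose identity policy allows the listed `kms:` actions could use the key. The Python below is an added example, not code from the documentation or the product. It lints a key policy offline for statements that are broader than that pattern, and it lists which statements cover a given role ARN so you can confirm that `<role_name>` was substituted. `fnmatchcase` is used as an approximation of `ArnLike` wildcard matching, and the account ID `123456789012` and role name `UnifiedStudioLoginRole` are constructed samples.

```python
"""Offline scoping checks for a customer-managed KMS key policy.

Added example (not code from the documentation). Flags Allow statements that
name the account root without an aws:PrincipalArn condition, public or
wildcard principals, wildcard actions, and kms:CreateGrant without a
kms:GrantOperations bound. Account ID and role names are constructed samples.
"""
from fnmatch import fnmatchcase

ACCOUNT = "123456789012"                                           # constructed sample
LOGIN_ROLE = f"arn:aws:iam::{ACCOUNT}:role/UnifiedStudioLoginRole"  # constructed name
ROLE_PATTERNS = [f"arn:aws:iam::{ACCOUNT}:role/service-role/AmazonSageMaker*", LOGIN_ROLE]


def _as_list(value):
    """IAM accepts a scalar or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_account_root(principal):
    """True for an "AWS": "arn:aws:iam::<account>:root" principal."""
    return isinstance(principal, dict) and any(
        p.endswith(":root") for p in _as_list(principal.get("AWS")))


def check_key_policy(policy):
    """Return {Sid: [findings]} for statements broader than the documented pattern."""
    findings = {}
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"statement[{idx}]")
        principal = stmt.get("Principal")
        cond = stmt.get("Condition", {})
        actions = _as_list(stmt.get("Action"))
        notes = []
        if principal == "*" or (isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))):
            notes.append("public principal")
        if _is_account_root(principal) and "aws:PrincipalArn" not in cond.get("ArnLike", {}):
            notes.append("account root principal without aws:PrincipalArn condition")
        if any(a in ("kms:*", "*") for a in actions):
            notes.append("wildcard action")
        if "kms:CreateGrant" in actions and "kms:GrantOperations" not in cond.get("ForAllValues:StringEquals", {}):
            notes.append("kms:CreateGrant without a kms:GrantOperations bound")
        if notes:
            findings[sid] = notes
    return findings


def covering_sids(policy, role_arn):
    """Sids of Allow statements whose aws:PrincipalArn patterns match role_arn.

    fnmatchcase approximates ArnLike: '*' matches any run of characters, '?' one.
    """
    out = []
    for stmt in policy.get("Statement", []):
        patterns = _as_list(stmt.get("Condition", {}).get("ArnLike", {}).get("aws:PrincipalArn"))
        if stmt.get("Effect") == "Allow" and any(fnmatchcase(role_arn, p) for p in patterns):
            out.append(stmt.get("Sid"))
    return out


# Constructed sample: three statements shaped like the documented ones, plus one
# over-broad statement ("TooBroad") that the documented policy does not contain.
ROOT = {"AWS": f"arn:aws:iam::{ACCOUNT}:root"}
SAMPLE_KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ListAndDescribe", "Effect": "Allow", "Principal": ROOT,
         "Action": ["kms:DescribeKey", "kms:ListAliases", "kms:ListGrants"], "Resource": "*",
         "Condition": {"ArnLike": {"aws:PrincipalArn": ROLE_PATTERNS}}},
        {"Sid": "S3Kms", "Effect": "Allow", "Principal": ROOT,
         "Action": ["kms:Decrypt", "kms:GenerateDataKey"], "Resource": "*",
         "Condition": {"StringLike": {"kms:ViaService": "s3.*.amazonaws.com"},
                       "Null": {"kms:EncryptionContext:aws:s3:arn": "false"},
                       "ArnLike": {"aws:PrincipalArn": ROLE_PATTERNS}}},
        {"Sid": "DataZoneCreateGrant", "Effect": "Allow", "Principal": ROOT,
         "Action": ["kms:CreateGrant"], "Resource": "*",
         "Condition": {"StringLike": {"kms:ViaService": "datazone.*.amazonaws.com"},
                       "ArnLike": {"aws:PrincipalArn": ROLE_PATTERNS},
                       "ForAllValues:StringEquals": {"kms:GrantOperations": ["Decrypt", "Encrypt", "RetireGrant"]}}},
        {"Sid": "TooBroad", "Effect": "Allow", "Principal": ROOT, "Action": "kms:*", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    for sid, notes in check_key_policy(SAMPLE_KEY_POLICY).items():
        print(f"{sid}: {'; '.join(notes)}")
    print("statements covering the login role:", covering_sids(SAMPLE_KEY_POLICY, LOGIN_ROLE))
```

For a real key, retrieve the document with `kms:GetKeyPolicy` and pass the parsed JSON in; an empty result from `covering_sids` for your Login or Execution role ARN usually means the `<role_name>` placeholder was left in or the role lives outside `service-role/`.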

# Access the Domain Administration Page
<a name="access-domain-administration-page"></a>

The domain administration page in Amazon SageMaker Unified Studio provides administrators with centralized management capabilities for domains, projects, and settings. Domain administrators can create and manage projects, configure domain-level settings including networking, and oversee the overall domain configuration.

Access to the domain administration page is restricted to the IAM role that was specified as the domain login role when the domain was created. This IAM role is the project member in the default admin project created for the domain.

1. Log in to your Amazon SageMaker Unified Studio IAM-based domain.

1. From the Amazon SageMaker Unified Studio left navigation, choose **Domain management**.

1. Alternatively, from the Amazon SageMaker Unified Studio header, locate the project dropdown menu and choose **Manage projects**.

From the domain administration page, you can access:
+ Projects - Manage existing projects and create new projects
+ Settings - Configure network settings

# Configure VPC Networking for Amazon SageMaker Unified Studio Domain
<a name="vpc-networking-iam-based-domains"></a>

**Topics**
+ [Network settings in IAM-based domains](configure-vpc-networking-iam-based-domains.md)
+ [Update Individual Projects with VPC Configuration](update-individual-projects-vpc.md)
+ [View VPC Networking Details for Your Domain](view-vpc-networking-details.md)

# Network settings in IAM-based domains
<a name="configure-vpc-networking-iam-based-domains"></a>

Amazon Virtual Private Cloud (Amazon VPC) networking with subnets is required when using certain compute services within Amazon SageMaker Unified Studio. You configure VPC networking at the domain level to provide network isolation and connectivity for compute resources, database connections, and other AWS services.

When you configure VPC networking for your domain, all projects created after the configuration will automatically use the specified VPC. You can choose to update existing projects immediately or update them individually at a later time.

VPC configuration is permanent once applied to a domain and cannot be changed or removed after it is saved.

Prerequisites:
+ Domain administrator permissions for Amazon SageMaker Unified Studio
+ An existing VPC that meets the following requirements:
  + At least 2 private subnets in different Availability Zones
  + DNS hostname and DNS support enabled
  + At least 5 free IP addresses per Amazon SageMaker Unified Studio project
+ Appropriate IAM permissions to access VPC resources

1. From the domain administration page, choose **Settings** in the left navigation pane.

1. In the **Networking** section, choose **Add VPC**.

1. In the **Add VPC** dialog, review the warning message that VPC configuration cannot be changed after it is added.

1. In the **VPC** section, choose **Select** and select the VPC where your compute resources will be housed.
**Note**  
If no VPC has been set up for use with Amazon SageMaker Unified Studio, you can choose **Create VPC** to create a new VPC using AWS CloudFormation.

1. In the **Subnets** section, choose **Select** and select at least two subnets in different Availability Zones.
**Warning**  
Your subnets must be private or some functionality will not be available. Select subnets configured with the required VPC endpoints to establish connectivity to AWS services.

1. In the **Project update option** section, choose one of the following:
   + Update all projects immediately - All existing projects will be updated automatically after saving. This may take a few minutes for domains with more than 20 projects.
   + Update projects separately - Go to each project detail page and manually update projects with the VPC configuration.

1. Choose **Save & Update**.

You can now view the configured VPC details in the **Networking** section of the Settings tab. All new projects created in the domain will use this VPC configuration.
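Because the VPC configuration cannot be changed once saved, it is worth verifying the prerequisites listed above before choosing **Save & Update**. The Python below is an added example, not code from the documentation or the product. It evaluates the documented requirements offline: DNS support and hostnames enabled, at least two subnets in different Availability Zones, each subnet private, and enough free addresses. The input dictionaries are constructed samples in the shape of the EC2 `DescribeVpcAttribute`, `DescribeSubnets` and `DescribeRouteTables` responses; a live run would fill them from those calls. Two interpretations are assumptions of this example: "private" means the subnet's effective route table has no `0.0.0.0/0` route to an internet gateway, and the free-address rule is applied to each selected subnet (5 addresses per project), which is the conservative reading.

```python
"""Offline preflight check for the VPC and subnets an IAM-based domain will use.

Added example (not code from the documentation). Input shapes follow the EC2
DescribeVpcAttribute / DescribeSubnets / DescribeRouteTables responses; the
values below are constructed samples.
"""

IPS_PER_PROJECT = 5   # documented requirement: 5 free IP addresses per project


def effective_route_table(subnet_id, route_tables):
    """Route table explicitly associated with the subnet, else the VPC main table."""
    main = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def is_private_subnet(subnet_id, route_tables):
    """Assumption: private means no default route (0.0.0.0/0) to an internet gateway."""
    rt = effective_route_table(subnet_id, route_tables)
    if rt is None:
        return False
    for route in rt.get("Routes", []):
        if route.get("DestinationCidrBlock") == "0.0.0.0/0" and str(route.get("GatewayId", "")).startswith("igw-"):
            return False
    return True


def check_vpc_prerequisites(vpc_attrs, subnets, route_tables, project_count):
    """Return a list of findings; an empty list means the documented prerequisites are met."""
    findings = []
    if not vpc_attrs.get("EnableDnsSupport"):
        findings.append("VPC attribute EnableDnsSupport is off")
    if not vpc_attrs.get("EnableDnsHostnames"):
        findings.append("VPC attribute EnableDnsHostnames is off")
    if len(subnets) < 2:
        findings.append(f"{len(subnets)} subnet(s) selected; at least 2 are required")
    zones = {s["AvailabilityZone"] for s in subnets}
    if len(zones) < 2:
        findings.append("selected subnets are not in at least two Availability Zones")
    needed = IPS_PER_PROJECT * project_count   # conservative: applied per subnet
    for s in subnets:
        free = s.get("AvailableIpAddressCount", 0)
        if not is_private_subnet(s["SubnetId"], route_tables):
            findings.append(f"{s['SubnetId']} is public (default route to an internet gateway)")
        if free < needed:
            findings.append(f"{s['SubnetId']} has {free} free addresses; {needed} needed for {project_count} project(s)")
    return findings


# Constructed sample: two private subnets in different AZs plus one public, under-sized subnet.
VPC_ATTRS = {"EnableDnsSupport": True, "EnableDnsHostnames": True}
SUBNETS = [
    {"SubnetId": "subnet-0aaa", "AvailabilityZone": "us-east-1a", "AvailableIpAddressCount": 200},
    {"SubnetId": "subnet-0bbb", "AvailabilityZone": "us-east-1b", "AvailableIpAddressCount": 200},
    {"SubnetId": "subnet-0ccc", "AvailabilityZone": "us-east-1c", "AvailableIpAddressCount": 8},
]
ROUTE_TABLES = [
    {"RouteTableId": "rtb-main", "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0123"}]},
    {"RouteTableId": "rtb-public", "Associations": [{"SubnetId": "subnet-0ccc"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0123"}]},
]

if __name__ == "__main__":
    print("two private subnets:", check_vpc_prerequisites(VPC_ATTRS, SUBNETS[:2], ROUTE_TABLES, 10) or "OK")
    for finding in check_vpc_prerequisites(VPC_ATTRS, SUBNETS, ROUTE_TABLES, 10):
        print("-", finding)
```

The subnet associated with the public route table is reported both as public and as short of addresses, while the two subnets falling back to the main table (whose default route goes through a NAT gateway) pass.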

# Update Individual Projects with VPC Configuration
<a name="update-individual-projects-vpc"></a>

When you configure VPC networking for your domain with the "Update projects separately" option, existing projects are not automatically updated with the VPC configuration. You must manually update each project to apply the domain's VPC settings.

This approach allows you to control when projects are updated and ensures that active workloads are not disrupted during the VPC configuration process.

1. From the domain administration page, choose **Projects** in the left navigation pane.

1. From the projects list, choose the project you want to update.

1. On the project detail page, you will see a banner at the top indicating "Configurations have changed. Please update this project to access the latest configuration."

1. In the banner, choose **Update**.

1. Confirm the update when prompted.

# View VPC Networking Details for Your Domain
<a name="view-vpc-networking-details"></a>

After configuring VPC networking for your Amazon SageMaker Unified Studio domain, you can view the VPC and subnet details from the domain settings. This information shows the current networking configuration that will be used by projects and compute resources.

1. From the domain administration page, choose **Settings** in the left navigation pane.

1. In the **Networking** section, review the configured VPC details:
   + VPC - Shows the VPC ID and provides a link to view the VPC in the Amazon VPC console
   + Subnets - Lists all configured subnets with links to view each subnet in the Amazon VPC console

1. To view additional VPC configuration details, choose the VPC ID link to open the Amazon VPC console.

1. To view subnet configuration details, choose any subnet ID link to open the specific subnet in the Amazon VPC console.

# Manage Projects from Domain Administration
<a name="manage-projects-domain-administration"></a>

The Projects section in domain administration provides centralized management of all projects within your Amazon SageMaker Unified Studio domain. Domain administrators can view project details, monitor project status, create new projects, and manage project configurations.

Projects in Amazon SageMaker Unified Studio enable users to collaborate on various business use cases. Within projects, users can manage data assets, perform data analysis, organize workflows, and develop machine learning models.

From the domain administration perspective, you can oversee all projects in the domain and ensure proper configuration.

Prerequisites:
+ Domain administrator permissions for Amazon SageMaker Unified Studio
+ IAM role or user with the `SageMakerStudioAdminIAMDefaultExecutionPolicy` policy attached

Perform the following procedure:

1. From the domain administration page, choose **Projects** in the left navigation pane.

1. The Projects page displays:
   + Domain details section showing account information, region, domain ID, admin roles, and creation date
   + Projects section listing all projects in the domain with details including:
     + Project name
     + Creation date (UTC-08:00)
     + Status (Active, Creating, Deleting)
     + Project URL
     + Actions menu

1. To view project details, choose the project name from the list.

1. To create a new project, choose **Create project** in the upper right corner of the Projects section.

1. Use the search functionality by entering terms in the **Find** search box to locate specific projects.

1. To perform actions on a project, choose the **Actions** menu (three dots) next to the project name for available options.

1. Monitor project status in the Status column to track project lifecycle states.

# Configure Domain Settings
<a name="configure-domain-settings-iam-based"></a>

The Settings section in domain administration provides access to domain-level configuration options that apply across all projects in your Amazon SageMaker Unified Studio domain. Domain administrators can view domain details and configure networking settings.

1. From the domain administration page, choose **Settings** in the left navigation pane.

1. The Settings page displays the **Domain details** section with the following information:
   + Account - AWS account ID where the domain is hosted
   + Region - AWS region where the domain is deployed
   + Domain ID - Unique identifier for the Amazon SageMaker Unified Studio domain
   + Admin login role - IAM role ARN for domain administrator login
   + Admin execution role - IAM role ARN for domain administrator execution
   + Creation date - When the domain was created
   + KMS key ARN - AWS KMS key used for domain encryption

1. Review the **Networking** section to view or configure:
   + VPC configuration settings
   + Subnet assignments
   + Network security parameters

# Projects in IAM-based domains
<a name="projects-iam-based-domains"></a>

Projects in IAM-based domains provide isolated environments for data analytics and AI/ML development work. Each project has one IAM role for login, one IAM role for accessing data and resources, and storage configurations that determine what resources and data project members can access from within the project. All members of a project within an IAM-based domain have the same access to data and compute; this access is managed through the project's execution IAM role.

Projects can be created in the following ways:

1. The Amazon SageMaker Unified Studio admin creates the project on behalf of users from the Domain administration page.

1. The Amazon SageMaker Unified Studio admin prepares IAM roles for self-setup of projects created directly from AWS services - Amazon Athena, Amazon S3 Tables, and Amazon Redshift.

Projects within IAM-based domains require two IAM roles:
+ **Member IAM role or user** – Authenticates users and provides access to the Amazon SageMaker Unified Studio project. This role or user must have the SageMakerStudioUserIAMConsolePolicy managed policy attached, or equivalent permissions through another policy. Use this role to access your assigned project from the Amazon SageMaker Unified Studio interface.
+ **Execution IAM role** – Defines which AWS analytics, AI, and ML service data the project can access. This role determines available data and resources in the portal. Amazon SageMaker Unified Studio assumes this role to make service calls on behalf of project users. The execution IAM role requires the SageMakerStudioUserIAMDefaultExecutionPolicy managed policy (or equivalent permissions) and a trust policy that allows Amazon SageMaker Unified Studio and related AWS services to assume the role.

**Note**  
The Execution IAM role can be the same IAM role as the Member IAM role. Both roles require specific policy attachments and trust relationships to function correctly within the IAM-based domain architecture. The system validates these permissions during setup and provides guidance for any missing configurations.

# Set up projects within an IAM-based domain
<a name="setup-projects-iam-based-domains"></a>

To create a project within an IAM-based domain, you assign a Member IAM role or user and an Execution IAM role, configure execution permissions for the execution role, and set up storage options. By default, projects can access resources within the domain's AWS account. You can configure the project execution IAM role to access data and resources across AWS accounts and regions.

## Preparing IAM roles
<a name="preparing-iam-roles-projects"></a>

**Member IAM role:**
+ [SageMakerStudioUserIAMConsolePolicy](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioUserIAMConsolePolicy.html) must be attached or have the same permissions added via another policy.

**Execution IAM role:**
+ When Amazon SageMaker Unified Studio creates this role for you, it attaches the [SageMakerStudioUserIAMDefaultExecutionPolicy](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioUserIAMDefaultExecutionPolicy.html) policy.
+ When you provide your own role, [SageMakerStudioUserIAMConsolePolicy](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioUserIAMConsolePolicy.html) must be attached. The role also needs an inline policy that allows it to pass itself to other services, and a trust policy that allows Amazon SageMaker Unified Studio and related services to assume it.

## Create new project from domain administration page
<a name="create-project-domain-admin"></a>

1. From the domain administration page, choose **Projects** in the left navigation pane.

1. Choose **Create project**. This opens the create project panel.

1. Give the project a name and choose **Next**.

1. Select a Member role or user.

1. For the Execution role, choose either **Auto-create a new role with permissions** or **Use an existing role**.

1. Choose **Create**.

1. You should see a **Creating project** notification.

1. Once the project is successfully created, you should see an entry with the project name in the projects table.

## Prepare IAM roles for other users to self-service project setup
<a name="prepare-iam-roles-self-service"></a>

You can configure other IAM roles in your account so that their users can set up their own Amazon SageMaker Unified Studio project within your IAM-based domain. You must add permissions and policies to the existing IAM roles so that they can set up a project that uses the Member IAM role for login and the Execution IAM role for accessing data and resources within the project. This enables users in the AWS console to create projects with these roles from AWS services: Amazon Athena, Amazon S3 Tables, and Amazon Redshift.

**Member IAM role:**

1. Log in with the IAM role (defined in [Overview of IAM-based domains](iam-based-domains-overview.md)) that has the AWS IAM administrator privileges described in the prerequisites.

1. Navigate to the IAM console.

1. Choose Add permission followed by Attach policy and search for the managed policy [SageMakerStudioUserIAMConsolePolicy](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioUserIAMConsolePolicy.html). Select it to add it to your existing role.

**Execution IAM role:**

1. Log in with the IAM role that has the AWS IAM administrator privileges described in the prerequisites.

1. Navigate to the IAM console.

1. Choose Add permission followed by Attach policy and search for the managed policy [SageMakerStudioUserIAMDefaultExecutionPolicy](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/security-iam-awsmanpol-SageMakerStudioUserIAMDefaultExecutionPolicy.html). Select it to add it to your existing role.

1. Add the inline policy to allow this role to pass itself to other services.

1. Add a trust policy: Allow Amazon SageMaker Unified Studio and related services to assume this Execution IAM role.
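The two pieces that are easy to get wrong when you bring your own Execution IAM role (here and in the "Preparing IAM roles" section above) are the inline policy that lets the role pass itself and the trust policy that lets the service assume it. The following script is an added example, not code from AWS or from this guide. It builds both policy documents and then audits a role snapshot for the three requirements the guide lists: the managed policy attached, the service principal trusted, and `iam:PassRole` granted on the role's own ARN. The snapshot shape, the role ARN, and the helper names (`audit_execution_role`, `sample_role`) are assumptions made for the example; the service principal in `SERVICE_PRINCIPALS` is a placeholder you should replace with the principals shown in the trust policy of a role that Amazon SageMaker Unified Studio auto-creates for you.

```python
"""Offline audit of an Execution IAM role for a project in an IAM-based domain.

Added example (not AWS's own code). The role snapshot format loosely mirrors
the output of `aws iam get-role`, `list-attached-role-policies` and
`get-role-policy`, but every sample value below is constructed.
"""
from typing import Dict, List

# Managed policy name comes from the guide. The service principal is an
# assumption / placeholder: take the real values from the trust policy of a
# role the console auto-creates for you.
REQUIRED_MANAGED_POLICY = "SageMakerStudioUserIAMDefaultExecutionPolicy"
SERVICE_PRINCIPALS = ["datazone.amazonaws.com"]  # placeholder, see lead-in
SAMPLE_ROLE_ARN = "arn:aws:iam::123456789012:role/example-execution-role"  # constructed


def pass_self_policy(role_arn: str) -> Dict:
    """Inline policy letting the execution role pass itself to other services.
    Scoped to the role's own ARN so it cannot pass any other role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "PassOwnRole",
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": role_arn,
        }],
    }


def trust_policy(principals: List[str]) -> Dict:
    """Trust policy letting the listed service principals assume the role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": principals},
            "Action": "sts:AssumeRole",
        }],
    }


def _as_list(value) -> List:
    """IAM policy fields may be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def audit_execution_role(role: Dict) -> List[str]:
    """Return a list of findings; an empty list means the role meets the guide's requirements."""
    findings: List[str] = []
    arn = role["Arn"]

    if REQUIRED_MANAGED_POLICY not in role.get("AttachedPolicyNames", []):
        findings.append(f"managed policy {REQUIRED_MANAGED_POLICY} is not attached")

    # Trust policy: some Allow statement must grant sts:AssumeRole to each expected principal.
    trusted = set()
    for st in role["AssumeRolePolicyDocument"].get("Statement", []):
        if st.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(st.get("Action", [])):
            continue
        trusted.update(_as_list(st.get("Principal", {}).get("Service", [])))
    missing = [p for p in SERVICE_PRINCIPALS if p not in trusted]
    if missing:
        findings.append(f"trust policy does not allow {', '.join(missing)} to assume the role")

    # Inline policies: iam:PassRole on the role's own ARN. A '*' resource works
    # but is broader than the guide requires, so it is reported separately.
    can_pass_self = overbroad = False
    for doc in role.get("InlinePolicies", {}).values():
        for st in doc.get("Statement", []):
            if st.get("Effect") != "Allow" or "iam:PassRole" not in _as_list(st.get("Action", [])):
                continue
            resources = _as_list(st.get("Resource", []))
            if arn in resources:
                can_pass_self = True
            elif "*" in resources:
                can_pass_self = overbroad = True
    if not can_pass_self:
        findings.append("no inline policy allows iam:PassRole on the role's own ARN")
    elif overbroad:
        findings.append("iam:PassRole is granted on Resource '*'; scope it to the role's own ARN")
    return findings


def sample_role(include_trust: bool = True) -> Dict:
    """Constructed role snapshot (not captured from a real account)."""
    return {
        "Arn": SAMPLE_ROLE_ARN,
        "AttachedPolicyNames": [REQUIRED_MANAGED_POLICY],
        "AssumeRolePolicyDocument": trust_policy(SERVICE_PRINCIPALS) if include_trust
        else {"Version": "2012-10-17", "Statement": []},
        "InlinePolicies": {"PassOwnRole": pass_self_policy(SAMPLE_ROLE_ARN)},
    }


if __name__ == "__main__":
    print("complete role:", audit_execution_role(sample_role()) or "no findings")
    print("missing trust:", audit_execution_role(sample_role(include_trust=False)))
```

To audit a real role, fill the snapshot from `aws iam get-role` (for the ARN and `AssumeRolePolicyDocument`), `aws iam list-attached-role-policies` and `aws iam get-role-policy`, and replace the placeholder principal list first; the audit is read-only and makes no changes to the role.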

# View and Manage Project Details
<a name="view-manage-project-details-iam-based"></a>

Project details include storage configuration, execution role assignments, member information, and networking settings that determine how resources within the project operate.

**Viewing Project Details**

1. From the domain administration page, choose **Projects** in the left navigation pane.

1. In the Projects list, choose the project name you want to view.

1. The project details page displays the following information:

   1. **Project Header:**
      + Project name and status (Active, Creating, Deleting)
      + Project description
      + Action buttons: Delete, Edit, Share info

   1. **Details Section:**
      + Project URL - Link to access the project portal
      + Project ARN - Amazon Resource Name for the project
      + Storage - Amazon S3 bucket location for project files
      + Execution role ARN - IAM role that defines data access permissions

   1. **Members Section:**
      + Member ARN - IAM role or user that can login and access the project
      + Description of member access capabilities

   1. **Networking Section:**
      + VPC - Virtual Private Cloud configuration status
      + Network settings that apply to resources created in the project

1. To perform actions on the project, use the buttons in the project header:
   + Choose **Edit** to modify project settings
   + Choose **Share info** to generate a welcome message for users
   + Choose **Delete** to remove the project

1. To return to the Projects list, choose **Projects** in the breadcrumb navigation.

# Edit Project Configuration
<a name="edit-project-configuration-iam-based"></a>

You can edit the project description to reflect changes in business context or project scope and update the member role to change project access permissions.

1. From the domain administration page, choose **Projects** in the left navigation pane.

1. Choose the project name you want to edit from the Projects list.

1. On the project details page, choose **Edit**.

1. In the Edit Project dialog, modify the available settings:

   1. **Details Section:**
      + Description - Update the project description (optional, up to 2048 characters)

   1. **Member Section:**
      + IAM role - Update the IAM role or user that can login and access the project

1. Review the information note about required permissions (SageMakerStudioUserIAMConsolePolicy must be attached, or the same permissions must be added via another policy).

1. Choose **Save** to apply your changes.

1. The project details page refreshes with the updated information.

Your changes are applied immediately. If you updated the member role, the new IAM role or user will have access to the project, and the previous role will no longer have access.

# Share Project Information
<a name="share-project-information-iam-based"></a>

This feature simplifies user onboarding by providing all necessary access information in a formatted message that can be copied and shared via email or other communication channels.

1. From the domain administration page, choose **Projects** in the left navigation pane.

1. Choose the project name from the Projects list.

1. On the project details page, choose **Share info**.

1. In the Share project information dialog, review the generated welcome message that includes:
   + Welcome text explaining the project setup
   + URL - Direct link to the Amazon SageMaker Unified Studio portal
   + IAM role - The specific IAM role the user should use to access the project

1. Choose **Copy message** to copy the entire welcome message to your clipboard.

1. Choose **Close** to close the dialog.

1. Paste the copied message into your preferred communication method (email, chat, documentation) to share with project members.

The welcome message provides users with complete information needed to access their project, including login instructions and the specific IAM role they should use.

# Delete a Project
<a name="delete-project-iam-based"></a>

Before deleting a project, ensure that all important data and resources have been backed up or migrated, as the deletion process removes all project content permanently.

1. From the domain administration page, choose **Projects** in the left navigation pane.

1. Choose the project name you want to delete from the Projects list.

1. On the project details page, choose **Delete**.

1. In the Delete project confirmation dialog:

   1. Review the warning message: "Deleting a project is final and removes all resources and assets created in the project"

   1. In the confirmation field, type **confirm** to acknowledge the deletion

   1. Choose **Delete** to permanently delete the project.

1. The project status changes to "Deleting" and the project is removed from the domain.

**Warning**  
Deleting a project is final and removes all resources and assets created in the project. This action cannot be undone by you or by AWS.

The project and all associated resources are permanently removed from your Amazon SageMaker Unified Studio domain.