

# Enabling cross account discoverability
<a name="feature-store-cross-account-discoverability"></a>

With AWS Resource Access Manager (AWS RAM) you can securely share the feature group catalog, which contains all of your feature group and feature resources, with other AWS accounts. This lets members of your team search and discover feature groups and features that span multiple accounts, promoting data consistency, streamlining collaboration, and reducing duplication of effort.

The resource owner account can share resources with other individual AWS accounts by granting permissions using AWS RAM. The resource consumer account is the AWS account with which a resource is shared, and it is limited to the permissions granted by the resource owner account. If you are an organization, you may want to take advantage of AWS Organizations, which lets you share resources with individual AWS accounts, with all accounts in your organization, or with an Organization Unit (OU), without having to apply permissions to each account. For instructional videos and more information about AWS RAM concepts and benefits, see [What is AWS Resource Access Manager?](https://docs.aws.amazon.com/ram/latest/userguide/what-is.html) in the AWS RAM User Guide.

This section covers how the resource owner account can choose the feature group catalog and grant the discoverability privilege to resource consumer accounts, and then how resource consumer accounts with the discoverability privilege can search for and discover the feature groups within the resource owner account. The discoverability permission does not grant access permissions (read-only, read-write, or admin). Access permissions are granted at a resource level and not at the account level. For information about granting access permissions, see [Enabling cross account access](feature-store-cross-account-access.md).

The following topics discuss how to share the feature group catalog and how to search for shared resources with discoverability permissions applied.

**Topics**
+ [Share your feature group catalog](feature-store-cross-account-discoverability-share-feature-group-catalog.md)
+ [Search discoverable resources](feature-store-cross-account-discoverability-use.md)

# Share your feature group catalog
<a name="feature-store-cross-account-discoverability-share-feature-group-catalog"></a>

The feature group catalog, `DefaultFeatureGroupCatalog`, contains *all* feature group entities owned by the resource owner account. The resource owner account can share the catalog to grant discoverability to one or more resource consumer accounts. This is done by creating a resource share in AWS Resource Access Manager (AWS RAM). A feature group is the main resource in Amazon SageMaker Feature Store and is composed of feature definitions and records that are managed by Feature Store. For more information about feature groups, see [Feature Store concepts](feature-store-concepts.md).

Discoverability means that the resource consumer accounts can search for the discoverable resources. The discoverable resources appear to the resource consumer accounts as if they were in their own account (excluding tags). Making the feature group catalog discoverable does not, by default, grant the resource consumer accounts access permissions (read-only, read-write, or admin). Access permissions are granted at a resource level and not at the account level. For information about granting access permissions, see [Enabling cross account access](feature-store-cross-account-access.md).

To enable cross account discoverability, specify the SageMaker AI Resource Catalog and the feature group catalog while following the [Create a resource share](https://docs.aws.amazon.com/ram/latest/userguide/getting-started-sharing.html#getting-started-sharing-create) instructions in the AWS RAM developer guide. The following steps give the values to use with the AWS RAM console instructions.

1. **Specify resource share details**: 
   + Resource type: Choose **SageMaker AI Resource Catalogs**.
   + ARN: Choose the feature group catalog ARN with the format: `arn:aws:sagemaker:us-east-1:111122223333:sagemaker-catalog/DefaultFeatureGroupCatalog`

     *`us-east-1`* is the region of the resource and *`111122223333`* is the resource owner account ID.
   + Resource ID: Choose `DefaultFeatureGroupCatalog`.

1. **Associate managed permissions**: 
   + Managed permission: Choose `AWSRAMPermissionSageMakerCatalogResourceSearch`.

1. **Grant access to principals**:
   + Choose the principal types (AWS account, Organization, or Organizational unit) and enter the appropriate ID.

     If you are an organization, you may want to take advantage of AWS Organizations. With Organizations you can share resources with individual AWS accounts, all accounts in your organization, or with an Organization Unit (OU). This way you do not have to apply permissions to each account. For more information about sharing your resources and granting permissions within AWS, see [Enable resource sharing within AWS Organizations](https://docs.aws.amazon.com/ram/latest/userguide/getting-started-sharing.html#getting-started-sharing-orgs) in the AWS Resource Access Manager Developer Guide.

1. **Review and create**: 
   + Review then choose **Create resource share**.

It may take a few minutes for the resource share and principal, or resource consumer account, associations to complete. Once the resource share and principal associations are set, the specified resource consumer accounts receive an invitation to join the resource share. The resource consumer accounts can view and accept the invitations by opening the [Shared with me: Resource shares](https://console.aws.amazon.com/ram/home#SharedResourceShares) page in the AWS RAM console. For more information on accepting and viewing resources in AWS RAM, see [Access AWS resources shared with you](https://docs.aws.amazon.com/ram/latest/userguide/working-with-shared.html). Invitations are not sent in these cases:
+ If you are part of an organization in AWS Organizations and sharing in your organization is enabled. In this case principals in the organization automatically get access to the shared resources without invitations.
+ If you share with the AWS account that owns the resource, then the principals in that account automatically get access to the shared resources without invitations.

For more information about accepting and using a resource share, see [Search discoverable resources](feature-store-cross-account-discoverability-use.md).

## Share the feature group catalog using the AWS SDK for Python (Boto3)
<a name="feature-store-cross-account-discoverability-sagemaker-catalog-resource-type-python-sdk-example"></a>

You can use the AWS SDK for Python (Boto3) for AWS RAM APIs to create a resource share. In the following example, the resource owner account ID is *`111122223333`* and the region is *us-east-1*. The resource owner creates a resource share named *`test-cross-account-catalog`* and shares the feature group catalog with the resource consumer account ID *`444455556666`*. To use the Python SDK for AWS RAM APIs, attach the `AWSRAMPermissionSageMakerCatalogResourceSearch` policy to the execution role. See [AWS RAM APIs](https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/ram/client/create_resource_share.html) for more details.

```
import boto3

sagemaker_client = boto3.client("sagemaker")
ram_client = boto3.client("ram")

# Call list resource catalogs as a prerequisite for RAM share
sagemaker_client.list_resource_catalogs()

# Share DefaultFeatureGroupCatalog with other account
response = ram_client.create_resource_share(
    name="test-cross-account-catalog",  # Change to your custom resource share name
    resourceArns=[
        # Change 111122223333 to the resource owner account ID
        "arn:aws:sagemaker:us-east-1:111122223333:sagemaker-catalog/DefaultFeatureGroupCatalog",
    ],
    principals=[
        "444455556666",  # Change 444455556666 to the resource consumer account ID
    ],
    # AWSRAMPermissionSageMakerCatalogResourceSearch is the only policy allowed for SageMaker Catalog
    permissionArns=["arn:aws:ram::aws:permission/AWSRAMPermissionSageMakerCatalogResourceSearch"],
)
```

Principals are actors in a security system. In a resource-based policy, the allowed principals are IAM users, IAM roles, the root account, or another AWS service.
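
Because the catalog contains all feature group entities of the owner account, it is worth checking who ended up on the share. The following owner-side audit is an added example, not part of the original AWS documentation: it lists every principal on a share that exposes `DefaultFeatureGroupCatalog` and is not on an approved list. The function names, the sample data, the placeholder share IDs, and the account ID `777788889999` are constructed for this example.

```python
import re

CATALOG_SUFFIX = ":sagemaker-catalog/DefaultFeatureGroupCatalog"

def principal_kind(principal_id):
    """Classify a RAM principal ID by how many accounts it can cover."""
    if re.fullmatch(r"\d{12}", principal_id):
        return "account"
    if ":organization/" in principal_id:
        return "organization"
    if ":ou/" in principal_id:
        return "organizational-unit"
    return "other"  # for example an IAM role or user ARN

def audit_catalog_principals(resources, principals, approved):
    """Return a finding for each unapproved principal on a catalog share.
    `resources` and `principals` are items from RAM ListResources and
    ListPrincipals responses for shares owned by this account."""
    catalog_shares = {r["resourceShareArn"] for r in resources
                      if r["arn"].endswith(CATALOG_SUFFIX)}
    return [{"principal": p["id"], "kind": principal_kind(p["id"]),
             "external": p.get("external", False)}
            for p in principals
            if p["resourceShareArn"] in catalog_shares and p["id"] not in approved]

def audit_owner_account(ram_client, approved):
    """Pull live data with a boto3 RAM client and run the audit."""
    def items(operation, key):
        pages = ram_client.get_paginator(operation).paginate(resourceOwner="SELF")
        return [item for page in pages for item in page[key]]
    return audit_catalog_principals(items("list_resources", "resources"),
                                    items("list_principals", "principals"), approved)

# Constructed sample data (placeholder share IDs; 777788889999 is made up).
SHARE = "arn:aws:ram:us-east-1:111122223333:resource-share/EXAMPLE-1"
OTHER = "arn:aws:ram:us-east-1:111122223333:resource-share/EXAMPLE-2"
OWNER = "arn:aws:sagemaker:us-east-1:111122223333"
SAMPLE_RESOURCES = [
    {"resourceShareArn": SHARE, "arn": OWNER + CATALOG_SUFFIX},
    {"resourceShareArn": OTHER, "arn": OWNER + ":feature-group/example-fg"},
]
ORG = "arn:aws:organizations::111122223333:organization/o-exampleorgid"
SAMPLE_PRINCIPALS = [
    {"id": "444455556666", "resourceShareArn": SHARE, "external": False},
    {"id": ORG, "resourceShareArn": SHARE, "external": False},
    {"id": "777788889999", "resourceShareArn": OTHER, "external": True},
]
```

With only `444455556666` approved, the sample data yields one finding: the organization-wide principal on the catalog share.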

# Search discoverable resources
<a name="feature-store-cross-account-discoverability-use"></a>

The resource owner account must grant permissions to resource consumer accounts to allow for discoverability or access (read-only, read-write, or admin) privileges with a shared resource. In the following sections, we provide instructions on how to accept an invitation to shared resources and examples showing how to search for discoverable feature groups.

**Accept an invitation to shared resources**

As the resource consumer account, you receive an invitation to join a resource share once the resource owner account has granted permission. To accept the invitation to any shared resources, open the [Shared with me: Resource shares](https://console.aws.amazon.com/ram/home#SharedResourceShares) page in the AWS RAM console to view and respond to invitations. Invitations are not sent in these cases:
+ If you are part of an organization in AWS Organizations and sharing in your organization is enabled, then principals in the organization automatically get access to the shared resources without invitations.
+ If you share with the AWS account that owns the resource, then the principals in that account automatically get access to the shared resources without invitations.

For more information about accepting and using a resource share in AWS RAM, see [Respond to the resource share invitation](https://docs.aws.amazon.com/ram/latest/userguide/getting-started-shared.html).
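
A programmatic counterpart to the console step above, added here as an example and not part of the original AWS documentation: it accepts only pending invitations whose sender account ID and resource share name match values agreed on with the resource owner, and returns everything else for manual review. The function names, the sample invitations with their placeholder ARNs, and the account ID `999900001111` are constructed for this example.

```python
def triage_invitations(invitations, trusted_owners, expected_names):
    """Split pending RAM invitations into (accept, review) lists of ARNs.

    An invitation is accepted only when both the sender account ID and the
    resource share name match values agreed on with the resource owner.
    """
    accept, review = [], []
    for inv in invitations:
        if inv["status"] != "PENDING":  # already ACCEPTED, REJECTED or EXPIRED
            continue
        trusted = (inv["senderAccountId"] in trusted_owners
                   and inv["resourceShareName"] in expected_names)
        (accept if trusted else review).append(inv["resourceShareInvitationArn"])
    return accept, review


def accept_trusted_invitations(ram_client, trusted_owners, expected_names):
    """Fetch invitations with a boto3 RAM client and accept the trusted ones."""
    invitations = []
    paginator = ram_client.get_paginator("get_resource_share_invitations")
    for page in paginator.paginate():
        invitations.extend(page["resourceShareInvitations"])
    accept, review = triage_invitations(invitations, trusted_owners, expected_names)
    for arn in accept:
        ram_client.accept_resource_share_invitation(resourceShareInvitationArn=arn)
    return accept, review  # hand `review` to a person, never auto-accept it


# Constructed sample invitations (placeholder ARNs; 999900001111 is made up).
PREFIX = "arn:aws:ram:us-east-1:{}:resource-share-invitation/EXAMPLE-{}"
SAMPLE_INVITATIONS = [
    {"resourceShareInvitationArn": PREFIX.format("111122223333", "1"),
     "resourceShareName": "test-cross-account-catalog",
     "senderAccountId": "111122223333", "status": "PENDING"},
    {"resourceShareInvitationArn": PREFIX.format("999900001111", "2"),
     "resourceShareName": "test-cross-account-catalog",
     "senderAccountId": "999900001111", "status": "PENDING"},
    {"resourceShareInvitationArn": PREFIX.format("111122223333", "3"),
     "resourceShareName": "test-cross-account-catalog",
     "senderAccountId": "111122223333", "status": "ACCEPTED"},
]

if __name__ == "__main__":
    print(triage_invitations(SAMPLE_INVITATIONS, {"111122223333"},
                             {"test-cross-account-catalog"}))
```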

## Search discoverable feature groups example
<a name="feature-store-cross-account-discoverability-use-search"></a>

Once resources are shared with a resource consumer account with the discoverability permission applied, the resource consumer account can search for and discover the shared resources in Amazon SageMaker Feature Store using the console UI and the Feature Store SDK. Note that you cannot search on tags for cross account resources. The maximum number of feature group catalogs viewable is 1000. For more information about granting discoverability permissions, see [Enabling cross account discoverability](feature-store-cross-account-discoverability.md).

For details about viewing shared feature groups in the console, see [Find feature groups in your Feature Store](feature-store-search-feature-group-metadata.md).

In the following example, the resource consumer account uses SageMaker AI search to search for resources made discoverable to them when `CrossAccountFilterOption` is set to `"CrossAccount"`:

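```
import boto3
from sagemaker.session import Session

# Uses the credentials and region configured for the resource consumer account
boto_session = boto3.Session()
sagemaker_session = Session(boto_session=boto_session)

sagemaker_session.search(
    resource="FeatureGroup",
    search_expression={
        "Filters": [
            {
                "Name": "FeatureGroupName",
                "Value": "MyFeatureGroup",
                "Operator": "Contains",
            }
        ],
        "Operator": "And",
    },
    sort_by="Name",
    sort_order="Ascending",
    next_token="token",  # Placeholder: use the token returned by a previous search call
    max_results=50,
    CrossAccountFilterOption="CrossAccount",  # Search resources shared from other accounts
)
```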

For more information about SageMaker AI search and the request parameters, see [Search](https://docs.aws.amazon.com/sagemaker/latest/APIReference/API_Search.html) in the Amazon SageMaker API Reference.