

# Cross-account sharing for private model hubs with AWS Resource Access Manager
<a name="jumpstart-curated-hubs-ram"></a>

After creating a private model hub, you can share the hub with the necessary accounts using AWS Resource Access Manager (AWS RAM). For more information on creating a private hub, see [Create a private model hub](jumpstart-curated-hubs-admin-guide-create.md). This page gives in-depth information about the managed permissions related to private hubs within AWS RAM. For information about how to create a resource share within AWS RAM, see [Set up cross-account hub sharing](jumpstart-curated-hubs-ram-setup.md).

## Managed permissions for curated private hubs
<a name="jumpstart-curated-hubs-ram-permissions"></a>

The available access permissions are read, read and use, and full access. The permission name, description, and specific APIs available for each permission are as follows:
+ Read permission (`AWSRAMPermissionSageMakerHubRead`): The read privilege allows resource consumer accounts to read contents in the shared hubs and view details and metadata. 
  + `DescribeHub`: Retrieves details about a hub and its configuration
  + `DescribeHubContent`: Retrieves details about a model available in a specific hub
  + `ListHubContent`: Lists all models available in a hub
  + `ListHubContentVersions`: Lists the versions of all models available in a hub
+ Read and use permission (`AWSRAMPermissionSageMakerHubReadAndUse`): The read and use privilege allows resource consumer accounts to read contents in the shared hubs and deploy available models for inference. 
  + `DescribeHub`: Retrieves details about a hub and its configuration
  + `DescribeHubContent`: Retrieves details about a model available in a specific hub
  + `ListHubContent`: Lists all models available in a hub
  + `ListHubContentVersions`: Lists the versions of all models available in a hub
  + `DeployHubModel`: Allows access to deploy available open-weight hub models for inference
+ Full access permission (`AWSRAMPermissionSageMakerHubFullAccessPolicy`): The full access privilege allows resource consumer accounts to read contents in the shared hubs, add and remove hub content, and deploy available models for inference. 
  + `DescribeHub`: Retrieves details about a hub and its configuration
  + `DescribeHubContent`: Retrieves details about a model available in a specific hub
  + `ListHubContent`: Lists all models available in a hub
  + `ListHubContentVersions`: Lists the versions of all models available in a hub
  + `ImportHubContent`: Imports hub content 
  + `DeleteHubContent`: Deletes hub content
  + `CreateHubContentReference`: Creates a hub content reference that shares a model from the SageMaker AI **Public models** hub to a private hub 
  + `DeleteHubContentReference`: Deletes a hub content reference that shares a model from the SageMaker AI **Public models** hub to a private hub 
  + `DeployHubModel`: Allows access to deploy available open-weight hub models for inference

`DeployHubModel` permissions are not required for proprietary models.

# Set up cross-account hub sharing
<a name="jumpstart-curated-hubs-ram-setup"></a>

SageMaker uses [AWS Resource Access Manager (AWS RAM)](https://docs.aws.amazon.com/ram/latest/userguide/what-is.html) to help you securely share your private hubs across accounts. Set up cross-account hub sharing using the following instructions along with the [Sharing your AWS resources](https://docs.aws.amazon.com/ram/latest/userguide/getting-started-sharing.html#getting-started-sharing-create) instructions in the *AWS RAM User Guide*.

**Create a resource share**

1. Select **Create resource share** through the [AWS RAM console](https://console.aws.amazon.com/ram/home).

1. When specifying resource share details, choose the **SageMaker Hubs** resource type and select one or more private hubs that you want to share. When you share a hub with any other account, all of its contents are also shared implicitly. 

1. Associate permissions with your resource share. For more information about managed permissions, see [Managed permissions for curated private hubs](jumpstart-curated-hubs-ram.md#jumpstart-curated-hubs-ram-permissions).

1. Use AWS account IDs to specify the accounts to which you want to grant access to your shared resources.

1. Review your resource share configuration and select **Create resource share**. It may take a few minutes for the resource share and principal associations to complete.
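The following added example (not part of the original AWS documentation) picks the narrowest managed permission for the APIs a consumer account needs and builds the matching request for `create_resource_share` in boto3's RAM client, covering the permission list above and steps 2 to 4 of this procedure. The permission names written as single tokens, the `arn:aws:ram::aws:permission/` ARN prefix, and the hub ARN, share name, and account ID are assumptions or constructed sample values.

```python
import re

# Managed permissions and the APIs each one grants, as listed on this page.
# Assumption: permission names are single tokens with no embedded spaces.
READ = {"DescribeHub", "DescribeHubContent", "ListHubContent",
        "ListHubContentVersions"}
MANAGED_PERMISSIONS = {
    "AWSRAMPermissionSageMakerHubRead": READ,
    "AWSRAMPermissionSageMakerHubReadAndUse": READ | {"DeployHubModel"},
    "AWSRAMPermissionSageMakerHubFullAccessPolicy": READ | {
        "DeployHubModel", "ImportHubContent", "DeleteHubContent",
        "CreateHubContentReference", "DeleteHubContentReference"},
}

def narrowest_permission(required_apis, proprietary_only=False):
    """Return (permission_name, granted_but_unneeded_apis)."""
    required = set(required_apis)
    if proprietary_only:
        # Per the page, DeployHubModel is not required for proprietary models.
        required.discard("DeployHubModel")
    fits = [(len(apis), name) for name, apis in MANAGED_PERMISSIONS.items()
            if required <= apis]
    if not fits:
        raise ValueError(f"no managed hub permission grants {sorted(required)}")
    name = min(fits)[1]  # fewest granted APIs wins
    return name, MANAGED_PERMISSIONS[name] - required

def excess_apis(granted_permission, required_apis):
    """APIs an existing share grants beyond what the consumer needs."""
    return MANAGED_PERMISSIONS[granted_permission] - set(required_apis)

def build_share_request(name, hub_arn, account_ids, required_apis):
    """Keyword arguments for boto3's ram.create_resource_share."""
    bad = [a for a in account_ids if not re.fullmatch(r"\d{12}", a)]
    if bad:
        raise ValueError(f"not 12-digit AWS account IDs: {bad}")
    permission, _ = narrowest_permission(required_apis)
    return {
        "name": name,
        "resourceArns": [hub_arn],
        "principals": sorted(set(account_ids)),
        # Assumed ARN format for AWS managed permissions.
        "permissionArns": [f"arn:aws:ram::aws:permission/{permission}"],
    }

if __name__ == "__main__":
    # Constructed sample values, not real accounts or hubs.
    print(build_share_request(
        "example-hub-share",
        "arn:aws:sagemaker:us-east-1:111122223333:hub/example-private-hub",
        ["444455556666"], {"DescribeHub", "ListHubContent", "DeployHubModel"}))
```

Running `excess_apis` against the permission on an existing share shows which write APIs, such as `ImportHubContent` or `DeleteHubContent`, a consumer account holds without needing them.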

For more information, see [Sharing your AWS resources](https://docs.aws.amazon.com/ram/latest/userguide/getting-started-sharing.html) in the *AWS Resource Access Manager User Guide*.

After the resource share and principal associations are set, the specified AWS accounts receive an invitation to join the resource share. The AWS accounts must accept the invite to gain access to any shared resources.

For more information on accepting a resource share invite through AWS RAM, see [Using shared AWS resources](https://docs.aws.amazon.com/ram/latest/userguide/getting-started-shared.html) in the *AWS Resource Access Manager User Guide*.