

# How to connect with other AWS services with trusted identity propagation enabled
<a name="trustedidentitypropagation-connect-other"></a>

When trusted identity propagation is enabled for your Amazon SageMaker AI domain, the domain users can connect to other trusted identity propagation enabled AWS services. When trusted identity propagation is enabled, your identity context is automatically propagated to compatible services, allowing for fine-grained access control and improved auditing across your machine learning workflows. This integration eliminates the need for complex IAM role switching and provides a unified identity experience across AWS services. The following pages provide information on how to connect Amazon SageMaker Studio to other AWS services when trusted identity propagation is enabled.

**Topics**
+ [Connect Studio JupyterLab notebooks to Amazon S3 Access Grants with trusted identity propagation enabled](trustedidentitypropagation-s3-access-grants.md)
+ [Connect Studio JupyterLab notebooks to Amazon EMR with trusted identity propagation enabled](trustedidentitypropagation-emr-ec2.md)
+ [Connect your Studio JupyterLab notebooks to EMR Serverless with trusted identity propagation enabled](trustedidentitypropagation-emr-serverless.md)
+ [Connect Studio JupyterLab notebooks to Redshift Data API with trusted identity propagation enabled](trustedidentitypropagation-redshift-data-apis.md)
+ [Connect Studio JupyterLab notebooks to Lake Formation and Athena with trusted identity propagation enabled](trustedidentitypropagation-lake-formation-athena.md)

# Connect Studio JupyterLab notebooks to Amazon S3 Access Grants with trusted identity propagation enabled
<a name="trustedidentitypropagation-s3-access-grants"></a>

You can use [Amazon S3 Access Grants](https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-grants.html) to grant identity-based, fine-grained access to Amazon S3 locations. Grants map Amazon S3 buckets and prefixes directly to your corporate users and groups, so access is decided per user rather than per execution role. The following pages provide information and instructions on how to use Amazon S3 Access Grants with trusted identity propagation for SageMaker AI.

## Prerequisites
<a name="s3-access-grants-prerequisites"></a>

To connect Studio to Amazon S3 Access Grants with trusted identity propagation enabled, ensure you have completed the following prerequisites:
+  [Setting up trusted identity propagation for Studio](trustedidentitypropagation-setup.md) 
+ Follow the [getting started with Amazon S3 Access Grants](https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-grants-get-started.html) to set up Amazon S3 Access Grants for your bucket. See [scaling data access with Amazon S3 Access Grants](https://aws.amazon.com/blogs/storage/scaling-data-access-with-amazon-s3-access-grants/) for more information.
**Note**  
Standard Amazon S3 API calls made with the execution role's credentials are not evaluated against Amazon S3 Access Grants. You must explicitly request grant-scoped temporary credentials through the Amazon S3 Access Grants `GetDataAccess` API and use those credentials for your Amazon S3 calls. See [Managing access with Amazon S3 Access Grants](https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-grants.html) for more information.

**Topics**
+ [Prerequisites](#s3-access-grants-prerequisites)
+ [Connect Amazon S3 Access Grants with Studio JupyterLab notebooks](s3-access-grants-setup.md)
+ [Connect Studio JupyterLab notebooks to Amazon S3 Access Grants with Training and Processing jobs](trustedidentitypropagation-s3-access-grants-jobs.md)

# Connect Amazon S3 Access Grants with Studio JupyterLab notebooks
<a name="s3-access-grants-setup"></a>

Use the following information to access data through Amazon S3 Access Grants from Studio JupyterLab notebooks.

After Amazon S3 Access Grants is set up, [add the following permissions](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage-attach-detach.html) to your domain or user [execution role](https://docs.aws.amazon.com/sagemaker/latest/dg/sagemaker-roles.html#sagemaker-roles-get-execution-role).
+ `us-east-1` is your AWS Region
+ `111122223333` is your AWS account ID
+ `S3-ACCESS-GRANT-ROLE` is your Amazon S3 Access Grant role

```
{
    "Version":"2012-10-17",
    "Statement": [
        {
            "Sid": "AllowDataAccessAPI",
            "Effect": "Allow",
            "Action": [
                "s3:GetDataAccess"
            ],
            "Resource": [
                "arn:aws:s3:us-east-1:111122223333:access-grants/default"
            ]
        },
        {
            "Sid": "RequiredForTIP",
            "Effect": "Allow",
            "Action": "sts:SetContext",
            "Resource": "arn:aws:iam::111122223333:role/S3-ACCESS-GRANT-ROLE"
        }
    ]
}
```

Ensure that your Amazon S3 Access Grants role's trust policy allows the `sts:SetContext` and `sts:AssumeRole` actions for the `access-grants.s3.amazonaws.com` service principal. Keep the `aws:SourceAccount` and `aws:SourceArn` conditions: they restrict the assumption to calls made on behalf of the Amazon S3 Access Grants instance in your own account, which is the standard guard against a cross-service confused deputy. The following is an example policy for when you [update your role trust policy](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_update-role-trust-policy.html).

```
{
    "Version":"2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": [
                    "access-grants.s3.amazonaws.com"
                ]
            },
            "Action": [
                "sts:AssumeRole",
                "sts:SetContext"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:SourceAccount": "111122223333",
                    "aws:SourceArn": "arn:aws:s3:us-east-1:111122223333:access-grants/default"
                }
            }
        }
    ]
}
```

## Use Amazon S3 Access Grants to call Amazon S3
<a name="s3-access-grants-python-example"></a>

The following is an example Python script showing how Amazon S3 Access Grants can be used to call Amazon S3. This assumes you have already successfully set up trusted identity propagation with SageMaker AI.

```
import boto3
from botocore.client import BaseClient
from botocore.exceptions import ClientError


def get_access_grant_credentials(account_id: str, target: str,
                                 permission: str = 'READ') -> dict:
    """Request temporary credentials scoped to `target` from S3 Access Grants.

    With trusted identity propagation enabled, the request is evaluated against
    the grants of the signed-in IAM Identity Center user, not the execution role.
    `permission` is READ, WRITE or READWRITE; ask only for what the cell needs.
    """
    s3control = boto3.client('s3control')
    response = s3control.get_data_access(
        AccountId=account_id,
        Target=target,
        Permission=permission
    )
    # The credentials carry an 'Expiration'; request new ones once it passes.
    return response['Credentials']


def create_s3_client_from_credentials(credentials: dict) -> BaseClient:
    """Build an S3 client that signs with the grant-scoped credentials."""
    return boto3.client(
        's3',
        aws_access_key_id=credentials['AccessKeyId'],
        aws_secret_access_key=credentials['SecretAccessKey'],
        aws_session_token=credentials['SessionToken']
    )


# Create a client scoped to one granted prefix
try:
    credentials = get_access_grant_credentials('111122223333',
                                               "s3://tip-enabled-bucket/tip-enabled-path/")
except ClientError as err:
    # No grant covers this prefix and permission for the calling user: the
    # request is denied; there is no fallback to the execution role here.
    raise SystemExit(f"GetDataAccess failed: {err.response['Error']['Code']}") from err

s3 = create_s3_client_from_credentials(credentials)

s3.list_objects_v2(Bucket="tip-enabled-bucket", Prefix="tip-enabled-path/")
```

If you request a target path that no Amazon S3 Access Grant covers for the calling user (or request a permission the grant does not include), the `GetDataAccess` call fails with an access denied error and no credentials are returned.

For other programming languages, see [Managing access with Amazon S3 Access Grants](https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-grants.html) for more information.

# Connect Studio JupyterLab notebooks to Amazon S3 Access Grants with Training and Processing jobs
<a name="trustedidentitypropagation-s3-access-grants-jobs"></a>

Use the following information to let Amazon SageMaker Training and Processing jobs access data in Amazon S3 through Amazon S3 Access Grants.

When a user with trusted identity propagation enabled launches a SageMaker Training or Processing job that needs to access Amazon S3 data:
+ SageMaker AI calls Amazon S3 Access Grants to get temporary credentials based on the user's identity
+ If successful, the job reads and writes the Amazon S3 data with those temporary credentials
+ If unsuccessful, SageMaker AI falls back to the execution role's own IAM credentials

**Note**  
Because of this fallback, any Amazon S3 permissions left on the execution role still apply and are not subject to the grants. To enforce that all Amazon S3 access is granted through Amazon S3 Access Grants, remove the related Amazon S3 access permissions from your execution role and attach them to your corresponding [Amazon S3 Access Grant](https://docs.aws.amazon.com/singlesignon/latest/userguide/tip-tutorial-s3.html#tip-tutorial-s3-create-grant).

**Topics**
+ [Considerations](#s3-access-grants-jobs-considerations)
+ [Set up Amazon S3 Access Grants with Training and Processing jobs](#s3-access-grants-jobs-setup)

## Considerations
<a name="s3-access-grants-jobs-considerations"></a>

Amazon S3 Access Grants cannot be used with [Pipe mode](https://docs.aws.amazon.com/sagemaker/latest/dg/augmented-manifest-stream.html) for Amazon S3 input in either SageMaker Training or Processing jobs.

When trusted identity propagation is enabled, you cannot launch a SageMaker Training job with the following features:
+ Remote Debug
+ Debugger
+ Profiler

When trusted identity propagation is enabled, you cannot launch a Processing job with the following feature:
+ DatasetDefinition

## Set up Amazon S3 Access Grants with Training and Processing jobs
<a name="s3-access-grants-jobs-setup"></a>

After Amazon S3 Access Grants is set up, [add the following permissions](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage-attach-detach.html) to your domain or user [execution role](https://docs.aws.amazon.com/sagemaker/latest/dg/sagemaker-roles.html#sagemaker-roles-get-execution-role).
+ `us-east-1` is your AWS Region
+ `111122223333` is your AWS account ID
+ `S3-ACCESS-GRANT-ROLE` is your Amazon S3 Access Grant role

```
{
    "Version":"2012-10-17",
    "Statement": [
        {
            "Sid": "AllowDataAccessAPI",
            "Effect": "Allow",
            "Action": [
                "s3:GetDataAccess",
                "s3:GetAccessGrantsInstanceForPrefix"
            ],
            "Resource": [
                "arn:aws:s3:us-east-1:111122223333:access-grants/default"
            ]
        },
        {
            "Sid": "RequiredForIdentificationPropagation",
            "Effect": "Allow",
            "Action": "sts:SetContext",
            "Resource": "arn:aws:iam::111122223333:role/S3-ACCESS-GRANT-ROLE"
        }
    ]
}
```
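The following script is an added example, not code from the SageMaker documentation. It lints the two policies this page asks you to create, for both the notebook setup and the Training and Processing job setup above: it checks that the execution-role policy grants the required Amazon S3 Access Grants actions on the access grants instance and `sts:SetContext` on the grants role, that the grants role trust policy allows both STS actions for the service principal with the `aws:SourceAccount` and `aws:SourceArn` guard, and it flags any direct Amazon S3 data-plane permissions left on the execution role, which the job fallback described earlier would use instead of the grant. The account ID, Region and role name are the placeholders used on this page; the sample policies are constructed inline, including a deliberately leaky `LeftoverDirectRead` statement.

```python
"""Lint the execution-role policy and the S3 Access Grants role trust policy.

Added example (not from the SageMaker docs). Identifiers are the placeholders
used on this page; the sample policies below are constructed for the demo.
"""

REGION = "us-east-1"
ACCOUNT = "111122223333"
INSTANCE_ARN = f"arn:aws:s3:{REGION}:{ACCOUNT}:access-grants/default"
GRANT_ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/S3-ACCESS-GRANT-ROLE"
SERVICE_PRINCIPAL = "access-grants.s3.amazonaws.com"

# Notebooks need GetDataAccess; Training and Processing jobs also need
# GetAccessGrantsInstanceForPrefix.
NOTEBOOK_ACTIONS = frozenset({"s3:GetDataAccess"})
JOB_ACTIONS = NOTEBOOK_ACTIONS | {"s3:GetAccessGrantsInstanceForPrefix"}

# Direct S3 data-plane actions: if they stay on the execution role, a job that
# fails to obtain grant credentials falls back to them and bypasses the grant.
S3_DATA_ACTIONS = frozenset({"*", "s3:*", "s3:GetObject", "s3:PutObject",
                             "s3:ListBucket", "s3:DeleteObject"})


def _as_set(value) -> set:
    """IAM accepts a string or a list in Action, Resource and Service fields."""
    if value is None:
        return set()
    return set(value) if isinstance(value, list) else {value}


def _allow_statements(policy: dict) -> list:
    stmts = policy.get("Statement", [])
    stmts = stmts if isinstance(stmts, list) else [stmts]
    return [s for s in stmts if s.get("Effect") == "Allow"]


def check_execution_policy(policy: dict, required_actions=NOTEBOOK_ACTIONS) -> list:
    """Return findings for the execution-role policy; an empty list passes."""
    findings, granted, set_context_ok = [], set(), False
    for stmt in _allow_statements(policy):
        actions = _as_set(stmt.get("Action"))
        resources = _as_set(stmt.get("Resource"))
        if INSTANCE_ARN in resources:
            granted |= actions & set(required_actions)
        if "sts:SetContext" in actions and GRANT_ROLE_ARN in resources:
            set_context_ok = True
        leaked = actions & S3_DATA_ACTIONS
        if leaked:
            findings.append(f"{stmt.get('Sid', '<no Sid>')}: direct S3 actions "
                            f"{sorted(leaked)} remain; the job fallback would use "
                            "them instead of the grant")
    missing = set(required_actions) - granted
    if missing:
        findings.append(f"missing {sorted(missing)} on {INSTANCE_ARN}")
    if not set_context_ok:
        findings.append(f"missing sts:SetContext on {GRANT_ROLE_ARN}")
    return findings


def check_trust_policy(policy: dict) -> list:
    """Return findings for the S3 Access Grants role trust policy."""
    for stmt in _allow_statements(policy):
        principal = stmt.get("Principal")
        services = _as_set(principal.get("Service")) if isinstance(principal, dict) else set()
        if SERVICE_PRINCIPAL not in services:
            continue
        findings = []
        actions = _as_set(stmt.get("Action"))
        for needed in ("sts:AssumeRole", "sts:SetContext"):
            if needed not in actions:
                findings.append(f"trust policy: {needed} not allowed for {SERVICE_PRINCIPAL}")
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if cond.get("aws:SourceAccount") != ACCOUNT or cond.get("aws:SourceArn") != INSTANCE_ARN:
            findings.append("trust policy: aws:SourceAccount/aws:SourceArn conditions "
                            "missing (confused-deputy guard)")
        return findings
    return [f"trust policy: no Allow statement for {SERVICE_PRINCIPAL}"]


# Constructed sample: the jobs policy from this page plus a leftover statement
# that still grants direct S3 reads (the case the Note above warns about).
EXECUTION_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowDataAccessAPI", "Effect": "Allow",
     "Action": ["s3:GetDataAccess", "s3:GetAccessGrantsInstanceForPrefix"],
     "Resource": [INSTANCE_ARN]},
    {"Sid": "RequiredForIdentificationPropagation", "Effect": "Allow",
     "Action": "sts:SetContext", "Resource": GRANT_ROLE_ARN},
    {"Sid": "LeftoverDirectRead", "Effect": "Allow",
     "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": "*"},
]}

# Constructed sample: the trust policy from this page.
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"Service": [SERVICE_PRINCIPAL]},
    "Action": ["sts:AssumeRole", "sts:SetContext"],
    "Condition": {"StringEquals": {"aws:SourceAccount": ACCOUNT,
                                   "aws:SourceArn": INSTANCE_ARN}},
}]}

if __name__ == "__main__":
    for finding in check_execution_policy(EXECUTION_POLICY, JOB_ACTIONS):
        print("execution role:", finding)
    for finding in check_trust_policy(TRUST_POLICY):
        print("trust policy:", finding)
```

Run it against the policy documents you are about to attach (for example, the output of `aws iam get-role-policy` and `aws iam get-role` parsed with `json.loads`). The `S3_DATA_ACTIONS` set is intentionally small and exact-match; extend it with the prefix-wildcard forms your organisation uses if you rely on those.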

# Connect Studio JupyterLab notebooks to Amazon EMR with trusted identity propagation enabled
<a name="trustedidentitypropagation-emr-ec2"></a>

Connecting Amazon SageMaker Studio JupyterLab notebooks to Amazon EMR clusters enables you to leverage the distributed computing power of Amazon EMR for large-scale data processing and analytics workloads. With trusted identity propagation enabled, your identity context is propagated to Amazon EMR, allowing for fine-grained access control and comprehensive audit trails. The following page provides instructions on how to connect your Studio notebook to Amazon EMR clusters. Once set up, you can use the `Connect to Cluster` option in your Studio notebook.

To connect Studio to Amazon EMR with trusted identity propagation enabled, ensure you have completed the following setups:
+  [Setting up trusted identity propagation for Studio](trustedidentitypropagation-setup.md) 
+  [Getting started with AWS IAM Identity Center integration for Amazon EMR](https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-idc-start.html) 
+  [Enable communications between Studio and Amazon EMR clusters](https://docs.aws.amazon.com/sagemaker/latest/dg/studio-notebooks-emr-cluster.html) 

 **Connect to the Amazon EMR cluster** 

For a full list of options on how to connect your JupyterLab notebook to Amazon EMR, see [Connect to an Amazon EMR cluster](https://docs.aws.amazon.com/sagemaker/latest/dg/connect-emr-clusters.html).

# Connect your Studio JupyterLab notebooks to EMR Serverless with trusted identity propagation enabled
<a name="trustedidentitypropagation-emr-serverless"></a>

Amazon EMR Serverless provides a serverless option for running Apache Spark and Apache Hive applications without managing clusters. When integrated with trusted identity propagation, EMR Serverless automatically scales compute resources while maintaining your identity context for access control and auditing. This approach eliminates the operational overhead of cluster management while preserving the security benefits of identity-based access control. The following section provides information on how to connect your trusted identity propagation enabled Studio domain to EMR Serverless.

To connect Studio to Amazon EMR Serverless with trusted identity propagation enabled, ensure you have completed the following setups:
+  [Setting up trusted identity propagation for Studio](trustedidentitypropagation-setup.md) 
+  [Trusted identity propagation with EMR Serverless](https://docs.aws.amazon.com/emr/latest/EMR-Serverless-UserGuide/security-iam-service-trusted-prop.html) 
+  [Enable communications between Studio and EMR Serverless](https://docs.aws.amazon.com/sagemaker/latest/dg/studio-notebooks-emr-serverless.html) 

 **Connect to the EMR Serverless application** 

For a full list of options on how to connect your JupyterLab notebook to EMR Serverless, see [Connect to an EMR Serverless application](https://docs.aws.amazon.com/sagemaker/latest/dg/connect-emr-serverless-application.html).

# Connect Studio JupyterLab notebooks to Redshift Data API with trusted identity propagation enabled
<a name="trustedidentitypropagation-redshift-data-apis"></a>

Amazon Redshift Data API enables you to interact with your Amazon Redshift clusters programmatically without managing persistent connections. When combined with trusted identity propagation, the Redshift Data API provides secure, identity-based access to your data warehouse, allowing you to run SQL queries and retrieve results while maintaining full audit trails of user activities. This integration is particularly valuable for data science workflows that require access to structured data stored in Redshift. The following page includes information and instructions on how to connect a trusted identity propagation enabled Amazon SageMaker Studio domain to the Redshift Data API.

To connect Studio to Redshift Data API with trusted identity propagation enabled, ensure you have completed the following setups:
+  [Setting up trusted identity propagation for Studio](trustedidentitypropagation-setup.md) 
+  [Using Redshift Data API with trusted identity propagation](https://docs.aws.amazon.com/redshift/latest/mgmt/data-api-trusted-identity-propagation.html) 
  + Ensure your execution role has relevant permissions for Redshift Data API. See [authorizing access](https://docs.aws.amazon.com/redshift/latest/mgmt/data-api-access.html) for more information.
+  [Simplify access management with Amazon Redshift and AWS Lake Formation for users in an External Identity Provider](https://aws.amazon.com/blogs/big-data/simplify-access-management-with-amazon-redshift-and-aws-lake-formation-for-users-in-an-external-identity-provider/) 

# Connect Studio JupyterLab notebooks to Lake Formation and Athena with trusted identity propagation enabled
<a name="trustedidentitypropagation-lake-formation-athena"></a>

AWS Lake Formation and Amazon Athena work together to provide a comprehensive data lake solution with fine-grained access control and serverless query capabilities. Lake Formation centralizes permissions management for your data lake, while Athena provides interactive query services. When integrated with trusted identity propagation, this combination enables data scientists to access only the data they're authorized to see, with all queries and data access automatically logged for compliance and auditing purposes. The following page provides information and instructions on how to connect a trusted identity propagation enabled Amazon SageMaker Studio domain to Lake Formation and Athena.

To connect Studio to Lake Formation and Athena with trusted identity propagation enabled, ensure you have completed the following setups:
+  [Setting up trusted identity propagation for Studio](trustedidentitypropagation-setup.md) 
+  [Create a Lake Formation role](https://docs.aws.amazon.com/lake-formation/latest/dg/prerequisites-identity-center.html) 
+  [Connect Lake Formation with IAM Identity Center](https://docs.aws.amazon.com/lake-formation/latest/dg/connect-lf-identity-center.html) 
+ Create Lake Formation resources:
  +  [Database](https://docs.aws.amazon.com/lake-formation/latest/dg/creating-database.html) 
  +  [Tables](https://docs.aws.amazon.com/lake-formation/latest/dg/creating-tables.html) 
+  [Create Athena workgroup](https://docs.aws.amazon.com/athena/latest/ug/creating-workgroups.html) 
  + Choose **AthenaSQL** for the engine
  + Choose **IAM Identity Center** for authentication method
  + Create a new service role
    + Ensure that the IAM Identity Center users have access to the query result location using Amazon S3 Access Grants
+  [Granting database permissions using the named resource method](https://docs.aws.amazon.com/lake-formation/latest/dg/granting-database-permissions.html) 