

# Connect Studio JupyterLab notebooks to Amazon S3 Access Grants with trusted identity propagation enabled
<a name="trustedidentitypropagation-s3-access-grants"></a>

You can use [Amazon S3 Access Grants](https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-grants.html) to grant identity-based, fine-grained access to Amazon S3 locations. These grants give your corporate users and groups access to Amazon S3 buckets directly. The following pages provide information and instructions on how to use Amazon S3 Access Grants with trusted identity propagation for SageMaker AI.

## Prerequisites
<a name="s3-access-grants-prerequisites"></a>

To use Amazon S3 Access Grants from Studio with trusted identity propagation enabled, ensure you have completed the following prerequisites:
+ [Setting up trusted identity propagation for Studio](trustedidentitypropagation-setup.md)
+ Follow the [getting started with Amazon S3 Access Grants](https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-grants-get-started.html) to set up Amazon S3 Access Grants for your bucket. See [scaling data access with Amazon S3 Access Grants](https://aws.amazon.com/blogs/storage/scaling-data-access-with-amazon-s3-access-grants/) for more information.
**Note**  
Standard Amazon S3 APIs do not automatically work with Amazon S3 Access Grants. You must explicitly use Amazon S3 Access Grants APIs. See [Managing access with Amazon S3 Access Grants](https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-grants.html) for more information.

**Topics**
+ [Prerequisites](#s3-access-grants-prerequisites)
+ [Connect Amazon S3 Access Grants with Studio JupyterLab notebooks](s3-access-grants-setup.md)
+ [Connect Studio JupyterLab notebooks to Amazon S3 Access Grants with Training and Processing jobs](trustedidentitypropagation-s3-access-grants-jobs.md)

# Connect Amazon S3 Access Grants with Studio JupyterLab notebooks
<a name="s3-access-grants-setup"></a>

Use the following information to access Amazon S3 data through Amazon S3 Access Grants from Studio JupyterLab notebooks.

After Amazon S3 Access Grants is set up, [add the following permissions](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage-attach-detach.html) to your domain or user [execution role](https://docs.aws.amazon.com/sagemaker/latest/dg/sagemaker-roles.html#sagemaker-roles-get-execution-role).
+ `us-east-1` is your AWS Region
+ `111122223333` is your AWS account ID
+ `S3-ACCESS-GRANT-ROLE` is your Amazon S3 Access Grant role

------
#### [ JSON ]

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowDataAccessAPI",
            "Effect": "Allow",
            "Action": [
                "s3:GetDataAccess"
            ],
            "Resource": [
                "arn:aws:s3:us-east-1:111122223333:access-grants/default"
            ]
        },
        {
            "Sid": "RequiredForTIP",
            "Effect": "Allow",
            "Action": "sts:SetContext",
            "Resource": "arn:aws:iam::111122223333:role/S3-ACCESS-GRANT-ROLE"
        }
    ]
}
```

------

Ensure that your Amazon S3 Access Grants role's trust policy allows the `sts:SetContext` and `sts:AssumeRole` actions. The following is an example policy for when you [update your role trust policy](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_update-role-trust-policy.html).

------
#### [ JSON ]

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": [
                    "access-grants.s3.amazonaws.com"
                ]
            },
            "Action": [
                "sts:AssumeRole",
                "sts:SetContext"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:SourceAccount": "111122223333",
                    "aws:SourceArn": "arn:aws:s3:us-east-1:111122223333:access-grants/default"
                }
            }
        }
    ]
}
```

------

## Use Amazon S3 Access Grants to call Amazon S3
<a name="s3-access-grants-python-example"></a>

The following is an example Python script showing how Amazon S3 Access Grants can be used to call Amazon S3. This assumes you have already successfully set up trusted identity propagation with SageMaker AI.

```
import boto3
from botocore.client import BaseClient

def get_access_grant_credentials(account_id: str, target: str,
                                 permission: str = 'READ') -> dict:
    # Ask Amazon S3 Access Grants for temporary credentials scoped to the target
    # prefix. With trusted identity propagation, the grant is evaluated against
    # the corporate identity behind this session, not the execution role.
    # Permission is one of READ, WRITE or READWRITE.
    s3control = boto3.client('s3control')
    response = s3control.get_data_access(
        AccountId=account_id,
        Target=target,
        Permission=permission
    )
    return response['Credentials']

def create_s3_client_from_credentials(credentials: dict) -> BaseClient:
    # Build an S3 client from the vended credentials instead of the execution
    # role's credentials, so every call is limited to what the grant allows.
    return boto3.client(
        's3',
        aws_access_key_id=credentials['AccessKeyId'],
        aws_secret_access_key=credentials['SecretAccessKey'],
        aws_session_token=credentials['SessionToken']
    )

# Create client
credentials = get_access_grant_credentials('111122223333',
                                           "s3://tip-enabled-bucket/tip-enabled-path/")
s3 = create_s3_client_from_credentials(credentials)

# The listing succeeds only for a prefix covered by a grant for this identity.
response = s3.list_objects(Bucket="tip-enabled-bucket", Prefix="tip-enabled-path/")
print([obj['Key'] for obj in response.get('Contents', [])])
```

If you use a path to an Amazon S3 location that is not covered by an Amazon S3 Access Grant, the call fails.

For other programming languages, see [Managing access with Amazon S3 Access Grants](https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-grants.html) for more information.

# Connect Studio JupyterLab notebooks to Amazon S3 Access Grants with Training and Processing jobs
<a name="trustedidentitypropagation-s3-access-grants-jobs"></a>

Use the following information to access data through Amazon S3 Access Grants in Amazon SageMaker Training and Processing jobs.

When a user with trusted identity propagation enabled launches a SageMaker Training or Processing job that needs to access Amazon S3 data:
+ SageMaker AI calls Amazon S3 Access Grants to get temporary credentials based on the user's identity
+ If successful, the job uses these temporary credentials to access the Amazon S3 data
+ If unsuccessful, SageMaker AI falls back to using the IAM execution role's credentials

**Note**  
To enforce that all permissions are granted through Amazon S3 Access Grants, you need to remove the related Amazon S3 access permissions from your execution role and attach them to the corresponding [Amazon S3 Access Grant](https://docs.aws.amazon.com/singlesignon/latest/userguide/tip-tutorial-s3.html#tip-tutorial-s3-create-grant). Otherwise the fallback to role credentials can still grant access that the grant would have denied.

**Topics**
+ [Considerations](#s3-access-grants-jobs-considerations)
+ [Set up Amazon S3 Access Grants with Training and Processing jobs](#s3-access-grants-jobs-setup)

## Considerations
<a name="s3-access-grants-jobs-considerations"></a>

Amazon S3 Access Grants cannot be used with [Pipe mode](https://docs.aws.amazon.com/sagemaker/latest/dg/augmented-manifest-stream.html) for Amazon S3 input in either SageMaker Training or Processing jobs.

When trusted identity propagation is enabled, you cannot launch a SageMaker Training job with the following features:
+ Remote Debug
+ Debugger
+ Profiler

When trusted identity propagation is enabled, you cannot launch a Processing job with the following feature:
+ DatasetDefinition
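A pre-flight check for the considerations above, written as an added example for this page (not code from AWS or the SageMaker SDK): it inspects a `CreateTrainingJob` or `CreateProcessingJob` request before submission and lists the Pipe-mode, Remote Debug, Debugger, Profiler and DatasetDefinition settings that the page says cannot be combined with trusted identity propagation. The request dict is constructed; its key names follow the SageMaker API, the values are placeholders.

```python
from typing import List

# Constructed sample CreateTrainingJob request (not from the page); placeholders throughout.
SAMPLE_TRAINING_REQUEST = {
    "TrainingJobName": "tip-example-job",
    "AlgorithmSpecification": {"TrainingImage": "<image-uri>", "TrainingInputMode": "File"},
    "InputDataConfig": [
        {"ChannelName": "train", "InputMode": "Pipe",   # per-channel override to Pipe
         "DataSource": {"S3DataSource": {"S3DataType": "S3Prefix",
                                         "S3Uri": "s3://tip-enabled-bucket/tip-enabled-path/"}}},
        {"ChannelName": "validation",                   # inherits File from AlgorithmSpecification
         "DataSource": {"S3DataSource": {"S3DataType": "S3Prefix",
                                         "S3Uri": "s3://tip-enabled-bucket/validation/"}}},
    ],
    "ProfilerConfig": {"DisableProfiler": True},        # present but disabled: not an issue
    "RemoteDebugConfig": {"EnableRemoteDebug": True},   # enabled: an issue
}

def training_job_tip_issues(request: dict) -> List[str]:
    """List the settings in a CreateTrainingJob request that cannot be used with TIP."""
    issues = []
    if request.get("RemoteDebugConfig", {}).get("EnableRemoteDebug"):
        issues.append("Remote Debug is enabled (RemoteDebugConfig.EnableRemoteDebug)")
    if "DebugHookConfig" in request:
        issues.append("Debugger is configured (DebugHookConfig)")
    if "ProfilerConfig" in request and not request["ProfilerConfig"].get("DisableProfiler"):
        issues.append("Profiler is configured (ProfilerConfig)")
    # A channel's InputMode overrides the job-wide TrainingInputMode when set.
    default_mode = request.get("AlgorithmSpecification", {}).get("TrainingInputMode")
    for channel in request.get("InputDataConfig", []):
        mode = channel.get("InputMode", default_mode)
        if "S3DataSource" in channel.get("DataSource", {}) and mode == "Pipe":
            issues.append(f"channel '{channel.get('ChannelName')}' uses Pipe mode for S3 input")
    return issues

def processing_job_tip_issues(request: dict) -> List[str]:
    """Same check for a CreateProcessingJob request."""
    issues = []
    for inp in request.get("ProcessingInputs", []):
        name = inp.get("InputName")
        if "DatasetDefinition" in inp:
            issues.append(f"input '{name}' uses DatasetDefinition")
        if inp.get("S3Input", {}).get("S3InputMode") == "Pipe":
            issues.append(f"input '{name}' uses Pipe mode for S3 input")
    return issues

if __name__ == "__main__":
    print(training_job_tip_issues(SAMPLE_TRAINING_REQUEST))
```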

## Set up Amazon S3 Access Grants with Training and Processing jobs
<a name="s3-access-grants-jobs-setup"></a>

After Amazon S3 Access Grants is set up, [add the following permissions](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage-attach-detach.html) to your domain or user [execution role](https://docs.aws.amazon.com/sagemaker/latest/dg/sagemaker-roles.html#sagemaker-roles-get-execution-role).
+ `us-east-1` is your AWS Region
+ `111122223333` is your AWS account ID
+ `S3-ACCESS-GRANT-ROLE` is your Amazon S3 Access Grant role

------
#### [ JSON ]

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowDataAccessAPI",
            "Effect": "Allow",
            "Action": [
                "s3:GetDataAccess",
                "s3:GetAccessGrantsInstanceForPrefix"
            ],
            "Resource": [
                "arn:aws:s3:us-east-1:111122223333:access-grants/default"
            ]
        },
        {
            "Sid": "RequiredForIdentificationPropagation",
            "Effect": "Allow",
            "Action": "sts:SetContext",
            "Resource": "arn:aws:iam::111122223333:role/S3-ACCESS-GRANT-ROLE"
        }
    ]
}
```

------
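An added check for the note earlier in this section (example code written for this page, not AWS's): it reads an execution role policy document like the one just shown, confirms that the `s3:GetDataAccess` and `sts:SetContext` statements trusted identity propagation needs are present, and lists any remaining direct S3 data-access allows, which are exactly the permissions the job would fall back to when a grant is denied. The sample policy is constructed: the page's two statements plus an extra `DirectS3Access` statement for the check to flag.

```python
from typing import Dict, List

# ARNs from this page's example policies (placeholders: region, account, role name).
ACCESS_GRANTS_ARN = "arn:aws:s3:us-east-1:111122223333:access-grants/default"
GRANT_ROLE_ARN = "arn:aws:iam::111122223333:role/S3-ACCESS-GRANT-ROLE"

# Statements the page requires on the execution role: action -> resource it must target.
REQUIRED = {"s3:GetDataAccess": ACCESS_GRANTS_ARN, "sts:SetContext": GRANT_ROLE_ARN}

# Direct S3 data-access actions; any Allow for these is a path that bypasses Access Grants.
DIRECT_S3 = {"s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:ListBucket", "s3:*", "*"}

# Constructed sample: the page's policy plus one extra statement that the note says to remove.
EXAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowDataAccessAPI", "Effect": "Allow",
         "Action": ["s3:GetDataAccess", "s3:GetAccessGrantsInstanceForPrefix"],
         "Resource": [ACCESS_GRANTS_ARN]},
        {"Sid": "RequiredForIdentificationPropagation", "Effect": "Allow",
         "Action": "sts:SetContext", "Resource": GRANT_ROLE_ARN},
        {"Sid": "DirectS3Access", "Effect": "Allow",   # constructed: bypasses the grant
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::tip-enabled-bucket", "arn:aws:s3:::tip-enabled-bucket/*"]},
    ],
}

def _as_list(value) -> list:
    # IAM accepts a string or a list for Action and Resource; normalise to a list.
    return value if isinstance(value, list) else [value]

def check_execution_role_policy(policy: dict) -> Dict[str, List[str]]:
    """Report required statements that are missing and direct S3 allows that remain."""
    found, direct = set(), []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        for action, resource in REQUIRED.items():
            if action in actions and (resource in resources or "*" in resources):
                found.add(action)
        for action in actions:
            # Exact matches plus wildcards such as s3:Get* that would cover data access.
            if action in DIRECT_S3 or (action.startswith("s3:") and action.endswith("*")):
                direct.append(f"{stmt.get('Sid', '<no Sid>')}: {action}")
    return {"missing": [a for a in REQUIRED if a not in found], "direct_s3": direct}

if __name__ == "__main__":
    print(check_execution_role_policy(EXAMPLE_POLICY))
```

Run it against the policy actually attached to the execution role (for example the output of `aws iam get-role-policy`) rather than the sample; an empty `direct_s3` list means every S3 data access must go through a grant.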