

# Blueprints in Amazon SageMaker Unified Studio

A blueprint with which the project profile is created defines what AWS tools and services members of the project to which the project profile belongs can use as they work with data in the Amazon SageMaker catalog. 

**Topics**
+ [Supported blueprints](supported-blueprints.md)
+ [Custom blueprints](custom-blueprint.md)
+ [Enable or disable blueprints](enable-disable-blueprints.md)
+ [Specify PEM certificate for EmrOnEc2 blueprint](enable-emr-on-ec2-blueprint.md)
+ [Getting started with Amazon EMR on EKS in Amazon SageMaker Unified Studio](getting-started-with-emr-on-eks.md)
+ [Manage blueprint authorization](authorization-for-blueprints.md)
+ [Enable Tooling blueprint](enable-tooling-blueprint.md)
+ [Manage Tooling blueprint parameters](manage-tooling-blueprint.md)
+ [Modify the OnDemandWorkflows blueprint for creating workflow environments in a shared VPC](modify-on-demand-workflows-blueprint.md)

# Supported blueprints


In the current release of Amazon SageMaker Unified Studio, the following default blueprints are supported:


| Blueprint name | Description | Resources created | 
| --- | --- | --- | 
| AmazonBedrockGenerativeAI | This is the combined Amazon Bedrock blueprint, which contains seven Amazon Bedrock sub-blueprints. It enables users to build generative AI applications using tools such as Agents, Knowledge Bases, Guardrails, Flows, Functions, and Model Evaluation. |  | 
| AmazonBedrockChatAgent | Provides a reusable AWS CloudFormation template to create an Amazon Bedrock Agent and supporting resources, including an execution role and a consumption role. | Bedrock Agent, Bedrock Agent Execution role, Bedrock Agent Consumption role | 
| AmazonBedrockEvaluation | Creates one IAM role as the service role for an Amazon Bedrock evaluation job. | Bedrock Evaluation job execution role | 
| AmazonBedrockFlow | Provides a reusable AWS CloudFormation template to create an Amazon Bedrock Prompt Flow and supporting resources such as an execution role. | Amazon Bedrock Flow, Amazon Bedrock Flow Execution role | 
| AmazonBedrockFunction | Provides a reusable AWS CloudFormation template to create an AWS Lambda function and supporting resources, such as an execution role and a Secrets Manager secret. | Secrets Manager secret, AWS Lambda function, AWS Lambda function execution role, Log group | 
| AmazonBedrockGuardrail | Provides an AWS CloudFormation template to create an Amazon Bedrock Guardrail and supporting resources such as an execution role. | Amazon Bedrock Guardrail | 
| AmazonBedrockKnowledgeBase | Provides an AWS CloudFormation template to create a reusable Amazon Bedrock Knowledge Base and supporting resources such as an execution role. | Amazon Bedrock Knowledge Base, OpenSearch Serverless collection, Amazon Bedrock Knowledge Base Execution role, AWS Lambda functions (including the OpenSearch Index Lambda and the KB Ingestion Trigger Lambda), AWS Lambda Execution role, Amazon Bedrock Knowledge Base data source | 
| AmazonBedrockPrompt | Provides a reusable AWS CloudFormation template to create an Amazon Bedrock Prompt and supporting resources, such as an execution role and a consumption role. | Amazon Bedrock Prompt, Amazon Bedrock Prompt Consumption role | 
| LakeHouseDatabase (Note: if you search using the API/CLI, the blueprint name is DataLake.) | Provides a reusable AWS CloudFormation template to create a data lake environment with an AWS Glue database for data management and an Amazon Athena workgroup for querying data. | AWS Glue databases, Lake Formation permissions, Amazon Athena workgroups | 
| EMRonEC2 | Provides a reusable AWS CloudFormation template to create an Amazon EMR on EC2 cluster to run and scale Apache Spark, Hive, and other big data workloads. For more information about enabling this blueprint, see [Specify PEM certificate for EmrOnEc2 blueprint](enable-emr-on-ec2-blueprint.md). | EMR on EC2 clusters | 
| EMRServerless | Provides a reusable AWS CloudFormation template to create an Amazon EMR Serverless application that is ready to serve Apache Spark batch jobs and interactive sessions. | EMR Serverless applications | 
| LakehouseCatalog | Provisions a new catalog in the Amazon SageMaker Lakehouse that is backed by Amazon Redshift Managed Storage. |  | 
| MLExperiments | Provides an OnDemand blueprint that enables an MLflow tracking server for experimentation inside a project. | MLflow tracking server (on demand) | 
| PartnerApps | Creates an IAM role and a Connection that enables access to Partner AI Apps. Through Partner AI Apps you can use integrated and fully managed third-party solutions for AI/ML development. | Amazon SageMaker Partner AI Apps IAM role, Amazon SageMaker Partner AI Apps Connection | 
| RedshiftServerless | Provides a reusable AWS CloudFormation template to create an Amazon Redshift Serverless environment to get insights from data without managing infrastructure. | Amazon Redshift Serverless warehouses | 
| Tooling | Creates resources for the project, including IAM user roles, security groups, and Amazon SageMaker unified domains. | IAM user roles, Amazon SageMaker unified domains, security groups | 
| Workflows | Provides an AWS CloudFormation template to create the MWAA environment for Airflow-based workflows. | Enables project workflows on MWAA | 
| Quicksight | Enables visualization of data within an Amazon SageMaker Unified Studio project using Amazon QuickSight. | For each project with the QuickSight blueprint, Amazon SageMaker Unified Studio creates a restricted folder in Amazon QuickSight. Additionally, it creates Amazon Athena and Amazon Redshift data sources in the restricted folder depending on other blueprints in the project. For more information, see [Amazon QuickSight in Amazon SageMaker Unified Studio](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/userguide/quicksight-integration.html). | 

# Custom blueprints


Custom blueprints in Amazon SageMaker Unified Studio enable organizations to standardize and accelerate how data projects get set up. They are administrator-defined templates, powered by AWS CloudFormation, that give teams a ready-made starting point for analytics and machine learning environments.

In addition to the [built-in blueprints](supported-blueprints.md) supported in Amazon SageMaker Unified Studio, you can also design your own. With custom blueprints, organizations can include their specific dependencies, security controls, and best practices to allow for new projects to align with internal standards. Since they're defined through infrastructure-as-code, custom blueprints are easy to version control, share across teams, and evolve over time. This not only speeds up onboarding but also keeps projects consistent and governed, no matter how big or distributed your data science organization becomes.

You can complete the following procedure to create custom blueprints in the Amazon SageMaker management console:

1. Navigate to the Amazon SageMaker management console at [https://console.aws.amazon.com/datazone](https://console.aws.amazon.com/datazone) and use the region selector in the top navigation bar to choose the appropriate AWS Region.

1. Choose **View domains** and choose the domain’s name from the list. The name is a hyperlink.

1. On the domain's details page, navigate to the **Blueprints** tab. 

1. In the **Blueprints** tab, in the **Blueprints** section, choose **Create**. This brings up the **Create custom blueprint** page.

1. In the **Create custom blueprint** page, specify the following and then choose **Next**:
   + **Name** - the name for your custom blueprint. This blueprint name cannot be changed after the blueprint is created.
   + **Description** - optional - the description for your custom blueprint.
   + In the **Upload CloudFormation template** section, specify the Amazon S3 file path where the custom AWS CloudFormation template for your blueprint is stored. You can choose to either specify the Amazon S3 URL for your template or you can choose to upload your own template file.
**Note**  
You can choose the **View templates** button on the **Blueprints** page to view the following sample template, which you can modify to fit your needs. This sample template creates an AWS Glue database in your SageMaker Lakehouse environment, configures the Lake Formation permissions that the newly created project needs in order to access the database, and adds a custom IAM policy to the project's role.  

   ```
   {
     "Parameters": {
       "datazoneEnvironmentEnvironmentId": {
         "Type": "String",
         "Description": "EnvironmentId for which the resource will be created for."
       },
       "datazoneEnvironmentProjectId": {
         "Type": "String",
         "Description": "DZ projectId for which project the resource will be created for."
       },
       "userRoleArn": {
         "Type": "String",
         "Description": "Project Role ARN"
       },
       "glueDbName": {
         "Type": "String",
         "Default": "gluedb",
         "Description": "Glue DB name"
       }
     },
     "Resources": {
       "GlueDatabase": {
         "Type": "AWS::Glue::Database",
         "Properties": {
           "CatalogId": {
             "Ref": "AWS::AccountId"
           },
           "DatabaseInput": {
             "CreateTableDefaultPermissions": [],
             "Description": {
               "Fn::Join": [
                 "",
                 [
                   "Created by DataZone for project ",
                   {
                     "Ref": "datazoneEnvironmentProjectId"
                   }
                 ]
               ]
             },
             "LocationUri": {
               "Fn::Join": [
                 "",
                 [
                   {
                     "Fn::ImportValue": {
                       "Fn::Join": [
                         "",
                         [
                           "s3BucketPath-",
                           {
                             "Ref": "datazoneEnvironmentProjectId"
                           },
                           "-dev"
                         ]
                       ]
                     }
                   },
                   "/data/catalogs/"
                 ]
               ]
             },
             "Name": {
               "Fn::Sub": "${glueDbName}-${datazoneEnvironmentEnvironmentId}"
             }
           }
         }
       },
       "GlueAccessManagedPolicy": {
         "Type": "AWS::IAM::ManagedPolicy",
         "Properties": {
           "ManagedPolicyName": {
             "Fn::Sub": "GlueAccess-${glueDbName}-${datazoneEnvironmentEnvironmentId}-Policy"
           },
           "PolicyDocument": {
              "Version": "2012-10-17",
             "Statement": [
               {
                 "Effect": "Allow",
                 "Action": [
                   "glue:GetDatabase",
                   "glue:GetTables",
                   "glue:GetTable",
                   "glue:CreateTable",
                   "glue:UpdateTable",
                   "glue:DeleteTable",
                   "glue:BatchDeleteTable",
                   "glue:GetPartitions",
                   "glue:GetPartition",
                   "glue:BatchCreatePartition",
                   "glue:BatchDeletePartition"
                 ],
                 "Resource": [
                   {
                     "Fn::Sub": "arn:aws:glue:${AWS::Region}:${AWS::AccountId}:catalog"
                   },
                   {
                     "Fn::Sub": "arn:aws:glue:${AWS::Region}:${AWS::AccountId}:database/${glueDbName}-${datazoneEnvironmentEnvironmentId}"
                   },
                   {
                     "Fn::Sub": "arn:aws:glue:${AWS::Region}:${AWS::AccountId}:table/${glueDbName}-${datazoneEnvironmentEnvironmentId}/*"
                   }
                 ]
               }
             ]
           }
         }
       },
       "LakeFormationDbPermissions": {
         "Type": "AWS::LakeFormation::Permissions",
         "Properties": {
           "DataLakePrincipal": {
             "DataLakePrincipalIdentifier": {
               "Ref": "userRoleArn"
             }
           },
           "Resource": {
             "DatabaseResource": {
               "CatalogId": {
                 "Ref": "AWS::AccountId"
               },
               "Name": {
                 "Fn::Sub": "${glueDbName}-${datazoneEnvironmentEnvironmentId}"
               }
             }
           },
           "Permissions": [
             "DESCRIBE",
             "CREATE_TABLE"
           ]
         },
         "DependsOn": [
           "GlueDatabase"
         ]
       },
       "LakeFormationTablePermissions": {
         "Type": "AWS::LakeFormation::Permissions",
         "Properties": {
           "DataLakePrincipal": {
             "DataLakePrincipalIdentifier": {
               "Ref": "userRoleArn"
             }
           },
           "Resource": {
             "TableResource": {
               "CatalogId": {
                 "Ref": "AWS::AccountId"
               },
               "DatabaseName": {
                 "Fn::Sub": "${glueDbName}-${datazoneEnvironmentEnvironmentId}"
               },
               "TableWildcard": {}
             }
           },
           "Permissions": [
             "ALL"
           ]
         },
         "DependsOn": [
           "GlueDatabase"
         ]
       }
     },
     "Outputs": {
       "GlueDatabaseName": {
         "Value": {
           "Fn::Sub": "${glueDbName}-${datazoneEnvironmentEnvironmentId}"
         },
         "Export": {
           "Name": {
             "Fn::Sub": "${glueDbName}-${datazoneEnvironmentEnvironmentId}"
           }
         }
       },
       "GlueAccessManagedPolicy": {
         "Description": "ARN of the created managed policy",
         "Value": {
           "Ref": "GlueAccessManagedPolicy"
         },
         "Export": {
           "Name": {
             "Fn::Sub": "datazone-managed-policy-glue-${glueDbName}-${datazoneEnvironmentEnvironmentId}"
           }
         }
       }
     }
   }
   ```

1. In the **Configure editable parameters** page, you can choose the parameters for your custom blueprint. Editable parameters are values that are visible and editable when this blueprint is used in project profiles. On this page, you can remove parameters that you don’t want to be editable in project profiles, or edit their default values. Then choose **Next**.

1. In the **Enable blueprint - optional** page, you can enable your custom blueprint so that it can be used in project profiles and projects.

   If you choose to enable your custom blueprint at this point, in **Provisioning role** you must specify the role that Amazon SageMaker Unified Studio can use to provision and manage the resources defined in this blueprint in your account.

   Also, in the **Authorized domain units** section, you must specify the domain units where projects can access resources defined by this custom blueprint. 

   Then choose **Next**.

1. Review your selections in the **Review and create** page, and then choose **Create blueprint**.

Now that your custom blueprint is created, you can use it when creating custom project profiles. For more information, see [Custom project profile](custom.md). 
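Because a custom blueprint's managed policy is attached to every project that uses the blueprint, it is worth checking the template for over-broad grants before uploading it. The following added example (not AWS tooling or documentation code) lints a template as JSON: it verifies that the DataZone-supplied parameters the sample template relies on are declared, and flags IAM managed-policy statements that grant wildcard actions, `Resource: "*"`, or Glue database/table ARNs that do not embed `datazoneEnvironmentEnvironmentId`. The embedded template is a constructed, condensed version of the sample above, and `overly_broad_variant` is a hypothetical negative case.

```python
"""Pre-upload lint for a custom blueprint CloudFormation template (added example)."""
import json
import re

# Parameters that Amazon SageMaker Unified Studio supplies when it provisions an
# environment from the blueprint; the names come from the sample template above.
REQUIRED_PARAMETERS = {
    "datazoneEnvironmentEnvironmentId",
    "datazoneEnvironmentProjectId",
    "userRoleArn",
}

# Constructed, condensed version of the sample template above (managed policy only).
SAMPLE_TEMPLATE = {
    "Parameters": {
        "datazoneEnvironmentEnvironmentId": {"Type": "String"},
        "datazoneEnvironmentProjectId": {"Type": "String"},
        "userRoleArn": {"Type": "String"},
        "glueDbName": {"Type": "String", "Default": "gluedb"},
    },
    "Resources": {
        "GlueAccessManagedPolicy": {
            "Type": "AWS::IAM::ManagedPolicy",
            "Properties": {
                "PolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [{
                        "Effect": "Allow",
                        "Action": ["glue:GetDatabase", "glue:GetTable", "glue:CreateTable"],
                        "Resource": [
                            {"Fn::Sub": "arn:aws:glue:${AWS::Region}:${AWS::AccountId}:catalog"},
                            {"Fn::Sub": "arn:aws:glue:${AWS::Region}:${AWS::AccountId}:database/"
                                        "${glueDbName}-${datazoneEnvironmentEnvironmentId}"},
                            {"Fn::Sub": "arn:aws:glue:${AWS::Region}:${AWS::AccountId}:table/"
                                        "${glueDbName}-${datazoneEnvironmentEnvironmentId}/*"},
                        ],
                    }],
                }
            },
        }
    },
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _resource_strings(resource):
    """Flatten a Resource element, unwrapping Fn::Sub so the ARN pattern is visible."""
    out = []
    for item in _as_list(resource):
        if isinstance(item, dict) and "Fn::Sub" in item:
            sub = item["Fn::Sub"]
            out.append(sub if isinstance(sub, str) else sub[0])
        elif isinstance(item, str):
            out.append(item)
    return out


def lint_blueprint_template(template):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    declared = set(template.get("Parameters", {}))
    for name in sorted(REQUIRED_PARAMETERS - declared):
        findings.append(f"missing required parameter: {name}")
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::IAM::ManagedPolicy":
            continue
        doc = res.get("Properties", {}).get("PolicyDocument", {})
        for stmt in _as_list(doc.get("Statement", [])):
            if stmt.get("Effect") != "Allow":
                continue
            actions = _as_list(stmt.get("Action", []))
            resources = _resource_strings(stmt.get("Resource", []))
            if any(a == "*" or a.endswith(":*") for a in actions):
                findings.append(f"{logical_id}: wildcard action in Allow statement")
            if "*" in resources:
                findings.append(f"{logical_id}: Allow statement on Resource '*'")
            # A Glue database/table ARN that does not embed the environment id
            # would let one project's role reach another environment's database.
            for arn in resources:
                if re.search(r":(database|table)/", arn) and \
                        "${datazoneEnvironmentEnvironmentId}" not in arn:
                    findings.append(f"{logical_id}: resource not scoped to the environment: {arn}")
    return findings


def overly_broad_variant():
    """Constructed negative case: glue:* on '*' plus a missing required parameter."""
    bad = json.loads(json.dumps(SAMPLE_TEMPLATE))
    stmt = bad["Resources"]["GlueAccessManagedPolicy"]["Properties"]["PolicyDocument"]["Statement"][0]
    stmt["Action"] = ["glue:*"]
    stmt["Resource"] = "*"
    del bad["Parameters"]["userRoleArn"]
    return bad


if __name__ == "__main__":
    print("sample template:", lint_blueprint_template(SAMPLE_TEMPLATE) or "no findings")
    for finding in lint_blueprint_template(overly_broad_variant()):
        print("FINDING:", finding)
```

To lint a real template file, load it with `json.load` and pass the resulting dict to `lint_blueprint_template`.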

# Enable or disable blueprints


You can complete the following procedure to enable or disable blueprints in the Amazon SageMaker management console:

1. Navigate to the Amazon SageMaker management console at [https://console.aws.amazon.com/datazone](https://console.aws.amazon.com/datazone) and use the region selector in the top navigation bar to choose the appropriate AWS Region.

1. Choose **View domains** and choose the domain’s name from the list. The name is a hyperlink.

1. On the domain's details page, navigate to the **Blueprints** tab. 

1. In the **Blueprints** tab, use the radio buttons to select the blueprints that you want to enable or disable and then choose the **Enable** or **Disable** buttons to perform the action.

**Important**  
When you enable a blueprint, by default you are enabling it in the same region as your domain. When you are enabling blueprints for a project profile that is created and enabled in a different region from your domain, you must enable these blueprints in the same region where this project profile is enabled (in addition to enabling the blueprint in the same region as your domain). You can do this via the **Regions** tab on the blueprint details page. This applies to all blueprints, including the Tooling blueprint. 

# Specify PEM certificate for EmrOnEc2 blueprint


In order to successfully enable the EmrOnEc2 blueprint, you must specify the location of your PEM certificate. To do this, complete the following procedure:

1. Navigate to the Amazon SageMaker management console at [https://console.aws.amazon.com/datazone](https://console.aws.amazon.com/datazone) and use the region selector in the top navigation bar to choose the appropriate AWS Region.

1. Choose **View domains** and choose the domain’s name from the list. The name is a hyperlink.

1. Choose the **Project profiles** tab and then choose **All capabilities**.

1. Choose one of the following instance type configurations:
   + OnDemand Amazon EMR on EC2 General Purpose: this configuration uses Amazon EC2 instances (like m5.xlarge) to provide balanced compute, memory, and network resources. Choose this option for standard data processing workloads.
   + OnDemand Amazon EMR on EC2 Memory-Optimized: this configuration uses Amazon EC2 instances (like r5.xlarge) to provide more memory per vCPU. Choose this option for memory-intensive workloads such as in-memory databases or real-time analytics.

1. Choose the corresponding radio button for the EmrOnEc2 blueprint deployment setting and choose **Edit**.

1. Under the **Blueprint parameters** section, edit the **certificateLocation** parameter. Enter the S3 location of the ZIP file that contains the PEM certificate file(s). You must enter the S3 location URL in the format `s3://<DomainBucketName>/<AmazonDataZoneDomainID>/certificate_location/`. Make sure to replace `<DomainBucketName>` and `<AmazonDataZoneDomainID>` with the correct values for your domain.

   For more information about PEM certificates, see [Using PEM certificates](https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-encryption-enable.html#emr-encryption-certificates).

# Getting started with Amazon EMR on EKS in Amazon SageMaker Unified Studio

 Before you begin with Amazon EMR on EKS, you must have a compatible Amazon EKS cluster. If you do not have an existing Amazon EKS cluster, see [Get started with Amazon EKS](https://docs.aws.amazon.com/eks/latest/userguide/getting-started.html) for more information regarding cost, installation and management of an Amazon EKS cluster. 

 Amazon EMR on EKS and Amazon SageMaker Unified Studio require additional Amazon EKS cluster configurations granting minimum access controls and connectivity. Review your Amazon EKS cluster configuration and ensure all requirements are fulfilled: 

1. [Install and configure the Load Balancer Controller for your Amazon EKS cluster](https://docs.aws.amazon.com/eks/latest/userguide/aws-load-balancer-controller.html)

1. [Enable Amazon EKS cluster access for Amazon EMR on EKS and Amazon SageMaker Unified Studio](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/enable-eks-cluster-access-for-emr-on-eks-and-sagemaker-unified-studio.html)

 Additionally, Amazon EKS clusters in a different account or Amazon VPC network than your Amazon SageMaker Unified Studio domain require additional configuration. Review your Amazon EKS cluster configuration and ensure all requirements are fulfilled: 

1. [Enable cross-account access for Amazon EMR on EKS using Amazon SageMaker Unified Studio associated domains](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/enable-cross-account-access-using-associated-domains.html)

1. [Enable cross-network access for Amazon SageMaker Unified Studio using VPC peering connections](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/enable-cross-network-access-using-vpc-peering.html)

## Configure project profiles in Amazon SageMaker Unified Studio for Amazon EMR on EKS


 For data workers to use Amazon EMR on EKS in Amazon SageMaker Unified Studio, administrators must configure project profiles with Amazon EMR on EKS environment blueprint configurations. 

**Note**  
Administrators can configure multiple environment blueprint configurations using different Amazon EKS clusters in the same project profile. Data workers can view environment blueprint configurations and select a specific Amazon EKS cluster when creating Amazon EMR on EKS resources in an Amazon SageMaker Unified Studio project. 

1.  Navigate to the [Amazon SageMaker Unified Studio management console](https://console.aws.amazon.com/datazone). 

1.  From the navigation bar, select **Domains**. For cross-account Amazon EKS clusters, select **Associated domains**. 

1.  Select the name of the domain you want to configure Amazon EMR on EKS for. 

1.  In the domain management view, navigate to **Project profiles**. 

1.  Search for and select your target project profile. 

1.  In the project profile management view, navigate to the **Blueprint deployment settings** view and select **Blueprint deployment settings**. 

1.  In the **Blueprint** section, select **EmrOnEks** from the dropdown. 

1.  In the **Account and region** section, specify the same AWS account and AWS region as your Amazon EKS cluster. 

1.  In the **Blueprint parameters** section, specify the Amazon EKS cluster ARN as the `eksClusterArn` user parameter value. 

1.  At the bottom of the page, select **Add blueprint deployment settings** to create your Amazon EMR on EKS environment blueprint configuration. 

# Enable Amazon EKS cluster access for Amazon EMR on EKS and Amazon SageMaker Unified Studio

 Amazon EMR on EKS and Amazon SageMaker Unified Studio require access to the Kubernetes service running on the Amazon EKS cluster. 

## Amazon EKS cluster access for Amazon EMR on EKS


1.  Create a Kubernetes cluster role for Amazon EMR on EKS. 

   ```
   kubectl apply -f - <<EOF
   apiVersion: rbac.authorization.k8s.io/v1
   kind: ClusterRole
   metadata:
     name: emr-containers
   rules:
     - apiGroups: [""]
       resources: ["namespaces"]
       verbs: ["get"]
     - apiGroups: [""]
       resources: ["statefulsets", "event", "serviceaccounts", "services", "configmaps", "events", "pods", "pods/log", "pods/exec", "pods/portforward", "pods/secrets"]
       verbs: ["update", "get", "list", "watch", "describe", "create", "edit", "delete", "deletecollection", "annotate", "patch", "label"]
     - apiGroups: [""]
       resources: ["secrets"]
       verbs: ["list", "get", "create", "patch", "delete", "watch"]
     - apiGroups: ["apps"]
       resources: ["statefulsets", "deployments", "configmaps", "events", "persistentvolumeclaims", "pods", "pods/exec", "pods/log", "pods/portforward", "pods/secrets", "serviceaccounts", "services"]
       verbs: ["get", "list", "watch", "describe", "create", "edit", "delete", "annotate", "patch", "update", "label", "deletecollection"]
     - apiGroups: ["batch", "extensions"]
       resources: ["jobs", "configmaps", "events", "persistentvolumeclaims", "pods", "pods/exec", "pods/log", "pods/portforward", "pods/secrets", "serviceaccounts", "services", "statefulsets"]
       verbs: ["get", "describe", "create", "delete", "watch", "list", "patch", "update", "edit", "deletecollection", "label"]
     - apiGroups: ["extensions", "networking.k8s.io"]
       resources: ["ingresses"]
       verbs: ["get", "list", "watch", "describe", "create", "edit", "delete", "annotate", "patch", "label"]
     - apiGroups: ["rbac.authorization.k8s.io"]
       resources: ["clusterroles","clusterrolebindings","roles", "rolebindings"]
       verbs: ["get", "list", "watch", "describe", "create", "edit", "delete", "deletecollection", "annotate", "patch", "label"]
     - apiGroups: [""]
       resources: ["persistentvolumeclaims"]
       verbs: ["update", "get", "list", "watch", "describe", "create", "edit", "delete",  "deletecollection", "annotate", "patch", "label"]
   EOF
   ```

1.  Create a Kubernetes cluster role binding for Amazon EMR on EKS. 

   ```
   kubectl apply -f - <<EOF
   apiVersion: rbac.authorization.k8s.io/v1
   kind: ClusterRoleBinding
   metadata:
     name: emr-containers
   subjects:
   - kind: User
     name: emr-containers
     apiGroup: rbac.authorization.k8s.io
   - kind: User
     name: EmrContainersUser
     apiGroup: rbac.authorization.k8s.io
   roleRef:
     kind: ClusterRole
     name: emr-containers
     apiGroup: rbac.authorization.k8s.io
   EOF
   ```

1.  Create an Amazon EKS IAM identity mapping binding the Kubernetes user "emr-containers" to the service-linked IAM role for EMR on EKS. 

   ```
   eksctl create iamidentitymapping \
       --cluster {eks-cluster-name} \
       --arn "arn:aws:iam::{aws-account-id}:role/AWSServiceRoleForAmazonEMRContainers" \
       --username emr-containers
   ```

**Note**  
 `AWSServiceRoleForAmazonEMRContainers` is a service-linked role managed by Amazon EMR on EKS. For more information, see [ Using service-linked roles for Amazon EMR on EKS](https://docs.aws.amazon.com/emr/latest/EMR-on-EKS-DevelopmentGuide/using-service-linked-roles.html). 

## Amazon EKS cluster access for Amazon SageMaker Unified Studio


1.  Create a Kubernetes cluster role for Amazon SageMaker Unified Studio. 

   ```
   kubectl apply -f - <<EOF
   apiVersion: rbac.authorization.k8s.io/v1
   kind: ClusterRole
   metadata:
     name: sagemaker-provisioning
   rules:
     - apiGroups: [""]
       resources: ["namespaces"]
       verbs: ["create", "delete"]
   EOF
   ```

1.  Create a Kubernetes cluster role binding for Amazon SageMaker Unified Studio. 

   ```
   kubectl apply -f - <<EOF
   apiVersion: rbac.authorization.k8s.io/v1
   kind: ClusterRoleBinding
   metadata:
     name: sagemaker-provisioning
   subjects:
   - kind: Group
     name: sagemaker-provisioning
     apiGroup: rbac.authorization.k8s.io
   roleRef:
     kind: ClusterRole
     name: sagemaker-provisioning
     apiGroup: rbac.authorization.k8s.io
   EOF
   ```

1.  Create an Amazon EKS access entry binding the Kubernetes group "sagemaker-provisioning" to the IAM role designated as the provisioning role for your target domain. 

   ```
   aws eks create-access-entry \
       --cluster-name {eks-cluster-name} \
       --region {aws-region-code} \
       --principal-arn {iam-provisioning-role-arn} \
       --kubernetes-groups sagemaker-provisioning \
       --type STANDARD
   ```

# Enable cross-account access for Amazon EMR on EKS using Amazon SageMaker Unified Studio associated domains

Amazon EMR on EKS virtual clusters require an Amazon EKS cluster residing in the same account. As an admin, you can use Amazon SageMaker Unified Studio associated domains to bring Amazon EKS clusters from any account and use them with any Amazon SageMaker Unified Studio domain. 

Enabling cross-account access for Amazon EMR on EKS using Amazon SageMaker Unified Studio associated domains requires high-privilege access to both the Amazon EKS cluster account and the Amazon SageMaker Unified Studio domain account. 

## Step 1: Submit associated domain request from the Amazon SageMaker Unified Studio domain account


1.  Navigate to the [Amazon SageMaker Unified Studio management console](https://console.aws.amazon.com/datazone). 

1.  From the navigation bar, select **Domains**. 

1.  Select the name of the domain you want to configure Amazon EMR on EKS for. 

1.  In the domain management view, navigate to **Account associations**. 

1.  Select the **Request association** button. 

1.  In the request domain association view, under accounts, provide the Amazon EKS cluster account. 

1.  Select the **Request association** button to submit. 

## Step 2: Accept and configure associated domain in the Amazon EKS cluster account


1.  Navigate to the [Amazon SageMaker Unified Studio management console](https://console.aws.amazon.com/datazone). 

1.  Select **Associated domains**. 

1.  Under **Requests**, select the name of the domain you requested domain association for. 

1.  In the domain association request view, select **Accept association**. 

1.  After domain association succeeds, select the domain name to navigate to the domain management view. 

1.  In the domain management view, select **Blueprints**. 

1.  In the Tooling section, select **Enable** and configure the associated Tooling environment. 

1.  In the Blueprints section, select **EmrOnEks**, enable and configure the associated EmrOnEks environment. 

**Note**  
 The IAM role designated as the provisioning role must have access to the Amazon EKS cluster. See [Enable Amazon EKS cluster access for Amazon EMR on EKS and Amazon SageMaker Unified Studio](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/enable-eks-cluster-access-for-emr-on-eks-and-sagemaker-unified-studio.html). 

# Enable cross-network access for Amazon SageMaker Unified Studio using VPC peering connections

**Note**  
 If your Amazon SageMaker Unified Studio domain and your Amazon EKS cluster are configured with the same Amazon VPC, you can skip the steps in this section. 

 Amazon SageMaker Unified Studio requires network connectivity between your Amazon SageMaker Unified Studio domain and your Amazon EKS cluster in order to maintain interactive sessions. See [What is VPC peering?](https://docs.aws.amazon.com/vpc/latest/peering/what-is-vpc-peering.html) and [Update your route tables for a VPC peering connection](https://docs.aws.amazon.com/vpc/latest/peering/vpc-peering-routing.html) for more information regarding cross-network connectivity with Amazon VPC. 

# Configuring monitoring with Spark History Server for Amazon EMR on EKS

 Amazon EMR on EKS requires additional IAM permissions to enable monitoring with Spark History Server. You must attach the following inline IAM role policy to the IAM role created as the project user role. 

**Note**  
 The project user role for an Amazon SageMaker Unified Studio project is named `datazone_usr_role_{project_id}`. 

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "SparkHistoryServer",
            "Effect": "Allow",
            "Action": [
                "sagemaker:CreatePresignedDomainUrl"
            ],
            "Resource": "arn:aws:sagemaker:*:*:user-profile/*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/AmazonDataZoneProject": "${aws:PrincipalTag/AmazonDataZoneProject}"
                }
            }
        }
    ]
}
```
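The `StringEquals` condition in the policy above is an attribute-based (ABAC) check: `sagemaker:CreatePresignedDomainUrl` is allowed only when the target user profile's `AmazonDataZoneProject` tag equals the same tag on the calling project role, so one project's role cannot mint presigned URLs for another project's profiles. The following added example (not AWS code) evaluates that single statement against a few constructed principal/resource tag combinations; it models only what this policy uses (an Allow effect, wildcard action/resource matching, `StringEquals` on an `aws:ResourceTag/...` key and `${aws:PrincipalTag/...}` substitution), and the account ID and profile ARNs are constructed placeholders.

```python
"""Evaluate the SparkHistoryServer statement's tag condition (added example)."""
import fnmatch
import re

# The inline policy from this section, as a Python dict.
SPARK_HISTORY_SERVER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "SparkHistoryServer",
        "Effect": "Allow",
        "Action": ["sagemaker:CreatePresignedDomainUrl"],
        "Resource": "arn:aws:sagemaker:*:*:user-profile/*",
        "Condition": {
            "StringEquals": {
                "aws:ResourceTag/AmazonDataZoneProject": "${aws:PrincipalTag/AmazonDataZoneProject}"
            }
        },
    }],
}

_PRINCIPAL_TAG_VAR = re.compile(r"\$\{aws:PrincipalTag/([^}]+)\}")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _resolve(expected, principal_tags):
    """Substitute ${aws:PrincipalTag/Key}; None when the principal lacks the tag,
    because an unresolvable policy variable never matches anything."""
    match = _PRINCIPAL_TAG_VAR.fullmatch(expected)
    return principal_tags.get(match.group(1)) if match else expected


def _condition_holds(condition, principal_tags, resource_tags):
    for key, expected in condition.get("StringEquals", {}).items():
        if not key.startswith("aws:ResourceTag/"):
            return False  # only the condition key this policy uses is modelled
        actual = resource_tags.get(key[len("aws:ResourceTag/"):])
        wanted = {_resolve(e, principal_tags) for e in _as_list(expected)} - {None}
        if actual is None or actual not in wanted:
            return False
    return True


def is_allowed(policy, action, resource_arn, principal_tags, resource_tags):
    """True when some Allow statement matches action, resource and condition.
    The policy on this page has no Deny statements, so denies are not modelled."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if not any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource_arn, p) for p in _as_list(stmt["Resource"])):
            continue
        if _condition_holds(stmt.get("Condition", {}), principal_tags, resource_tags):
            return True
    return False


def demo_cases():
    """Constructed inputs: a project role tagged proj-a against several resources."""
    action = "sagemaker:CreatePresignedDomainUrl"
    role_tags = {"AmazonDataZoneProject": "proj-a"}
    profile = "arn:aws:sagemaker:us-east-1:111122223333:user-profile/d-example/u-example"
    domain = "arn:aws:sagemaker:us-east-1:111122223333:domain/d-example"
    policy = SPARK_HISTORY_SERVER_POLICY
    return {
        "same_project": is_allowed(policy, action, profile, role_tags, {"AmazonDataZoneProject": "proj-a"}),
        "other_project": is_allowed(policy, action, profile, role_tags, {"AmazonDataZoneProject": "proj-b"}),
        "untagged_profile": is_allowed(policy, action, profile, role_tags, {}),
        "untagged_principal": is_allowed(policy, action, profile, {}, {"AmazonDataZoneProject": "proj-a"}),
        "not_a_user_profile": is_allowed(policy, action, domain, role_tags, {"AmazonDataZoneProject": "proj-a"}),
    }


if __name__ == "__main__":
    for name, allowed in demo_cases().items():
        print(f"{name:20s} -> {'ALLOW' if allowed else 'no match (implicit deny)'}")
```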

# Configuring fine-grained access controls for Amazon EMR on EKS

 Amazon EMR on EKS requires additional IAM permissions to enable fine-grained access controls. You must attach the following inline IAM role policy to the IAM role created as the project user role. 

**Note**  
 The project user role for an Amazon SageMaker Unified Studio project is named `datazone_usr_role_{project_id}`. 

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "FineGrainedAccessControls",
            "Effect": "Allow",
            "Action": [
                "emr-containers:CreateCertificate"
            ],
            "Resource": "*"
        }
    ]
}
```

# Configuring trusted identity propagation for Amazon EMR on EKS
Configuring trusted identity propagation

 Amazon EMR on EKS requires additional IAM permissions to enable trusted identity propagation. You must attach the following inline IAM role policy to the IAM role created as the project user role. 

**Note**  
 The project user role for an Amazon SageMaker Unified Studio project is named `datazone_usr_role_{project_id}`. 

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "TrustedIdentityPropagation",
            "Effect": "Allow",
            "Action": [
                "sso-oauth:CreateTokenWithIAM",
                "sso-oauth:IntrospectTokenWithIAM",
                "sso-oauth:RevokeTokenWithIAM"
            ],
            "Resource": "*"
        }
    ]
}
```

# Configuring user background sessions for Amazon EMR on EKS
Configuring user background sessions

**Warning**  
 When user background sessions are enabled for Amazon EMR on EKS, Amazon SageMaker Unified Studio does not terminate interactive sessions. An interactive session is terminated only after all of its queries have completed and the compute session has timed out. 

 Amazon EMR on EKS requires additional IAM permissions to enable user background sessions. You must attach the following inline IAM role policy to the IAM role created as the project user role. 

**Note**  
 The project user role for an Amazon SageMaker Unified Studio project is named `datazone_usr_role_{project_id}`. 

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "UserBackgroundSessions",
            "Effect": "Allow",
            "Action": [
                "sso:GetApplicationSessionConfiguration"
            ],
            "Resource": "*"
        }
    ]
}
```
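The four sections above each end with "attach this inline policy to `datazone_usr_role_{project_id}`". The following script is an added example, not code from the AWS documentation: it carries the four policy documents shown above, attaches the ones a domain administrator selects to the project user role with the standard IAM `PutRolePolicy` call, and includes a small evaluator for the Spark History Server statement so you can confirm what its `aws:ResourceTag`/`aws:PrincipalTag` condition actually permits. The inline policy naming convention (`EmrOnEks<Feature>`), the example ARNs and tag values, and the evaluator's simplified semantics (only `Allow` statements with wildcard action/resource matching and `StringEquals` on `aws:ResourceTag/*` keys) are this example's own assumptions. The evaluator also makes the scoping difference visible: the Spark History Server statement is restricted to user profiles tagged with the caller's own project, while the other three statements grant their actions on `Resource: "*"` exactly as the page shows them.

```python
"""Attach the Amazon EMR on EKS feature policies to a project user role and
evaluate the Spark History Server statement's tag condition.

Added example; the policy names, ARNs, tag values and the fake IAM client
used for offline testing are assumptions, not part of the page.
"""
import fnmatch
import json
import re
import sys


def _policy(sid, actions, resource="*", condition=None):
    """Build a single-statement policy document in the shape the page uses."""
    stmt = {"Sid": sid, "Effect": "Allow", "Action": actions, "Resource": resource}
    if condition:
        stmt["Condition"] = condition
    return {"Version": "2012-10-17", "Statement": [stmt]}


# The four policy documents from the sections above, keyed by feature.
FEATURE_POLICIES = {
    "SparkHistoryServer": _policy(
        "SparkHistoryServer", ["sagemaker:CreatePresignedDomainUrl"],
        "arn:aws:sagemaker:*:*:user-profile/*",
        {"StringEquals": {"aws:ResourceTag/AmazonDataZoneProject":
                          "${aws:PrincipalTag/AmazonDataZoneProject}"}}),
    "FineGrainedAccessControls": _policy(
        "FineGrainedAccessControls", ["emr-containers:CreateCertificate"]),
    "TrustedIdentityPropagation": _policy(
        "TrustedIdentityPropagation", ["sso-oauth:CreateTokenWithIAM",
                                       "sso-oauth:IntrospectTokenWithIAM",
                                       "sso-oauth:RevokeTokenWithIAM"]),
    "UserBackgroundSessions": _policy(
        "UserBackgroundSessions", ["sso:GetApplicationSessionConfiguration"]),
}


def project_user_role(project_id):
    """Name of the project user role, as given in the notes above."""
    if not re.fullmatch(r"[A-Za-z0-9_-]+", project_id):
        raise ValueError(f"unexpected project id: {project_id!r}")
    return f"datazone_usr_role_{project_id}"


def attach_feature_policies(iam, project_id, features):
    """Put one inline policy per requested feature on the project user role.

    `iam` is a boto3 IAM client, or any object exposing put_role_policy with
    the same keyword arguments, so the function can run without AWS access.
    Returns the inline policy names that were written (assumed convention).
    """
    role = project_user_role(project_id)
    written = []
    for feature in features:
        name = f"EmrOnEks{feature}"
        iam.put_role_policy(RoleName=role, PolicyName=name,
                            PolicyDocument=json.dumps(FEATURE_POLICIES[feature]))
        written.append(name)
    return written


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _resolve(value, principal_tags):
    """Substitute ${aws:PrincipalTag/Key}. An unresolvable variable returns
    None so the condition fails, as IAM does for a missing context key."""
    m = re.fullmatch(r"\$\{aws:PrincipalTag/([^}]+)\}", value)
    return principal_tags.get(m.group(1)) if m else value


def statement_allows(stmt, action, resource_arn, principal_tags, resource_tags):
    """Simplified IAM evaluation of one Allow statement: action and resource
    wildcards plus StringEquals on aws:ResourceTag keys, which is all the
    statements on this page use. Anything else fails closed."""
    if stmt["Effect"] != "Allow":
        return False
    if not any(fnmatch.fnmatchcase(action.lower(), a.lower())
               for a in _as_list(stmt["Action"])):
        return False
    if not any(fnmatch.fnmatchcase(resource_arn, r)
               for r in _as_list(stmt["Resource"])):
        return False
    for key, expected in stmt.get("Condition", {}).get("StringEquals", {}).items():
        if not key.startswith("aws:ResourceTag/"):
            return False
        wanted = _resolve(expected, principal_tags)
        if wanted is None or resource_tags.get(key[len("aws:ResourceTag/"):]) != wanted:
            return False
    return True


if __name__ == "__main__":
    import boto3  # needed only for a real run: python attach.py <project_id> <Feature>...
    client = boto3.client("iam")
    print(attach_feature_policies(client, sys.argv[1], sys.argv[2:]))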

# Manage blueprint authorization


You can perform the following procedure to manage the authorization configuration of a blueprint. 

1. Navigate to the Amazon SageMaker management console at [https://console.aws.amazon.com/datazone](https://console.aws.amazon.com/datazone) and use the region selector in the top navigation bar to choose the appropriate AWS Region.

1. Choose **View domains** and choose the domain’s name from the list. The name is a hyperlink.

1. On the domain's details page, navigate to the **Blueprints** tab. 

1. In the **Blueprints** tab, choose the blueprint whose authorization configuration you want to change. The name of the blueprint is a hyperlink. 

1. On the blueprint's details page, navigate to the **Authorization** tab. 

1. In the **Authorization** tab, use the **Add** and **Remove** buttons to add or remove domain units. Adding a domain unit allows projects that belong to it to use this blueprint; removing a domain unit withdraws that ability from projects that belong to it.

   You can use the **Cascade to all child domain units** toggle to apply the authorization setting that you're configuring to all the child domain units of the domain unit that you're adding or removing.

# Enable Tooling blueprint


The tooling blueprint creates resources for the project, including IAM user roles, security groups, and Amazon SageMaker unified domains.

You can perform the following procedure to enable the Tooling blueprint. 

1. Navigate to the Amazon SageMaker management console at [https://console.aws.amazon.com/datazone](https://console.aws.amazon.com/datazone) and use the region selector in the top navigation bar to choose the appropriate AWS Region.

1. Choose **View domains** and choose the domain’s name from the list. The name is a hyperlink.

1. On the domain's details page, navigate to the **Blueprints** tab. 

1. In the Tooling blueprint section, choose **Enable** and then specify the following configurations:
   + Provisioning role - Amazon SageMaker Unified Studio uses this role to provision and manage resources defined in the selected blueprints in your account.
   + Manage access role - this role grants Amazon SageMaker Unified Studio permissions to publish, grant access to, and revoke access to Amazon SageMaker Lakehouse, AWS Glue Data Catalog, and Amazon Redshift data. It also allows Amazon SageMaker Unified Studio to publish and manage subscriptions on Amazon SageMaker Catalog data and AI assets.
   + Query execution role - this role is used while running a query. AWS Lake Formation assumes this role to vend the credentials that Amazon Athena needs during query execution.
   + Amazon S3 bucket for projects - Amazon SageMaker Unified Studio requires an S3 bucket for projects in your AWS account.
   + Virtual private cloud (VPC) - Select a VPC in which to provision your Amazon SageMaker Unified Studio domain. VPCs tagged with Amazon SageMaker Unified Studio should be correctly configured.
   + Data encryption - your data is encrypted by default with a key that AWS owns and manages for you. To choose a different key, customize your encryption settings. 
   + User role policy - Amazon SageMaker Unified Studio creates IAM roles for project users to perform data analytics, AI, and ML actions. You can attach your own AWS IAM policies to the role rather than using the default system-managed policy. This provides more granular control over permissions but requires knowledge of IAM policy configuration. The IAM policy must include all necessary permissions required for the service to function properly.
   + Authorized domain units - domain units where projects can access resources defined by the blueprints. 

1. Once all the configuration settings have been specified, choose **Enable blueprint**.

# Manage Tooling blueprint parameters


The tooling blueprint creates resources for the project, including IAM user roles, security groups, and Amazon SageMaker unified domains.

You can perform the following procedure to manage the parameters of the Tooling blueprint. 

1. Navigate to the Amazon SageMaker management console at [https://console.aws.amazon.com/datazone](https://console.aws.amazon.com/datazone) and use the region selector in the top navigation bar to choose the appropriate AWS Region.

1. Choose **View domains** and choose the domain’s name from the list. The name is a hyperlink.

1. On the domain's details page, navigate to the **Project profiles** tab. 

1. In the **Project profiles** tab, choose a project profile, for example, **All capabilities**. The name of the project profile is a hyperlink.

1. On the project profile details page, choose **Tooling configuration**. 

1. In the Blueprint parameters section, review the parameter values that will be used during project creation.

   To modify a parameter value, first, on the **Tooling configuration** tab, choose **Edit**, then choose the parameter that you want to edit by checking its radio button, and then choose **Edit**.

   In the **Edit blueprint parameter** pop up window, modify the parameter value, and check the **Editable** box if you want the values to be provided during project creation.

   You can modify the following parameters:
   + `minIdleTimeoutInMinutes` - the minimum time (in minutes) that Amazon SageMaker waits after the application becomes idle before shutting the user's space down.
   + `maxEbsVolumeSize` - the maximum EBS storage volume size (in GB) for the user's private spaces.
   + `idleTimeoutInMinutes` - the time (in minutes) that Amazon SageMaker waits after the application becomes idle before shutting the user's space down.
   + `enableNetworkIsolation` - enable network isolation for training and deployed inference container.
   + `lifecycleManagement` - indicates whether idle shutdown is activated for this project's Amazon SageMaker unified domain.
   + `sagemakerDomainNetworkType` - The network type for this project's Amazon SageMaker unified domain.
   + `maxIdleTimeoutInMinutes` - the maximum time (in minutes) that Amazon SageMaker waits after the application becomes idle before shutting this project's Amazon SageMaker unified domain down.
   + `allowConnectionToUserGovernedEmrClusters` - allow connection creation to existing user governed EMR Clusters.
   + `enableSpaces` - enable creation of private compute spaces for development tools.
   + `enableProjectRepositoryAutoSync` - synchronize your Git repository code artifacts to your Amazon SageMaker Unified Studio project’s S3 bucket at `s3://{bucket}/{domain_id}/{project_id}/sys/code/dev/{repository_id}/{branch}/`. This synchronization can be triggered by Git `commit push` events. Keeping the S3 bucket in sync with the Git repository ensures that any changes pushed by the user are immediately available for use.

**Note**  
Setting `maxEbsVolumeSize`, or enabling `enableSpaces` or `enableProjectRepositoryAutoSync`, might result in additional costs. For more information, see [Amazon SageMaker pricing](https://aws.amazon.com/sagemaker/pricing/). 

# Modify the OnDemandWorkflows blueprint for creating workflow environments in a shared VPC


In order to support creating workflow environments in a shared VPC setup, where the VPC is in one AWS account and the project and the Amazon Managed Workflows for Apache Airflow (Amazon MWAA) environment are in another AWS account, the domain administrator must complete the following procedure to modify the endpointManagement parameter of the OnDemand Workflows blueprint.

1. Navigate to the Amazon SageMaker management console at [https://console.aws.amazon.com/datazone](https://console.aws.amazon.com/datazone) and use the region selector in the top navigation bar to choose the appropriate AWS Region.

1. Choose **View domains** and choose the domain’s name from the list. The name is a hyperlink.

1. On the domain's details page, navigate to the **Project profiles** tab. 

1. In the **Project profiles** tab, choose a project profile, for example, **All capabilities**. The name of the project profile is a hyperlink.

1. On the project profile details page, choose **OnDemand Workflows** blueprint.

1. In the **OnDemand Workflows** details page, choose **Edit**.

1. In the **Blueprint parameters** section, choose **endpointManagement** and then choose **Edit**. 

1. In the **Edit blueprint parameter** pop up window, choose **CUSTOMER** in the **Value** drop-down. 

   This value defines whether the VPC endpoints configured for the environment are created and managed by the customer or by Amazon MWAA. If **Value** is set to **SERVICE**, Amazon MWAA creates and manages the required VPC endpoints in your VPC. If **Value** is set to **CUSTOMER**, you must create and manage the VPC endpoints for your VPC. If you choose to create an environment in a shared VPC, you must set this value to **CUSTOMER**.

The domain users can then [create workflow environments](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/userguide/create-workflow-environment.html), and the domain administrators can follow the steps and procedures described [here](https://aws.amazon.com/blogs/big-data/introducing-shared-vpc-support-on-amazon-mwaa/) to automate deployment of Amazon MWAA environments using customer-managed endpoints in a VPC.