{ "cells": [ { "cell_type": "markdown", "id": "7a56e825", "metadata": {}, "source": [ "# [모듈 2.1] 카탈로그 포트폴리오 및 프러덕트 배포\n", "\n", "이 노트북은 sm-project-sc-portfolio.yaml 를 배포하여 서비스 카탈로그 포트폴리오 및 프러덕트의 생성을 합니다.\n", "\n", "\n", "1. 카탈로그 프트폴리오 및 프더덕트 CF 확인\n", " - 1.1 sm-project-sc-portfolio.yaml 파일 다운로드\n", "2. AWS Service Catalog 제품 및 포트폴리오 배포\n", " - 2.1 클라우드 포메이션 진행 확인\n", " - 2.2 서비스 카탈로그 및 프러덕트 생성 확인\n", "3. 서비스 카탈로그 런치 및 SageMaker 실행 IAM 역할에 권한 추가\n", "\n", "---\n" ] }, { "cell_type": "markdown", "id": "c1a847ff", "metadata": {}, "source": [ "# 0. 기존 변수 로딩" ] }, { "cell_type": "code", "execution_count": 1, "id": "0ddb8ece", "metadata": {}, "outputs": [], "source": [ "%store -r" ] }, { "cell_type": "markdown", "id": "b334d147", "metadata": {}, "source": [ "# 1. 카탈로그 프트폴리오 및 프더덕트 CF 확인" ] }, { "cell_type": "markdown", "id": "bbf2adb1", "metadata": {}, "source": [ "## 1.1 sm-project-sc-portfolio.yaml 파일 다운로드 \n", "- 다운로드의 이유는 sm-project-sc-portfolio.yaml 파일의 내용을 확인하기 위해서 임." ] }, { "cell_type": "code", "execution_count": 2, "id": "e8f41892", "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "2022-02-07 12:26:43 7205 sm-project-sc-portfolio.yaml\n", "download: s3://sagemaker-us-east-1-627616086164/amazon-sagemaker-reusable-components/sm-project-sc-portfolio.yaml to ./sm-project-sc-portfolio.yaml\n" ] } ], "source": [ "! aws s3 ls {bucket}/amazon-sagemaker-reusable-components/sm-project-sc-portfolio.yaml \n", "! aws s3 cp s3://{bucket}/amazon-sagemaker-reusable-components/sm-project-sc-portfolio.yaml .\n", "# ! aws s3 ls https://s3.{bucket_region}.amazonaws.com/{bucket}/amazon-sagemaker-reusable-components/sm-project-sc-portfolio.yaml " ] }, { "cell_type": "markdown", "id": "7d35a8db", "metadata": {}, "source": [ "## 1.2 실행 결과의 Output 확인\n", "- PortfolioId\n", " - 서비스 카탈로그 데이터 과학 포트폴리오 ID\n", "- ProductId\n", " - 서비스 카탈로그 데이터 과학 제품 ID\n", "- ProductName\n", " - 서비스 카탈로그 데이터 과학 제품 이름\n", "- ProvisioningArtifactIds\n", " - 서비스 카탈로그 데이터 과학 프로비저닝 아티팩트 ID\n", "- ProvisioningArtifactNames\n", " - 서비스 카탈로그 데이터 과학 프로비저닝 아티팩트 이름\n", "- FSIngestionProductPolicyArn\n", " - Feature Store 수집 제품을 시작하기 위해 AmazonSageMakerServiceCatalogProductsLaunchRole에 대한 관리형 정책 \n", "- AmazonSageMakerExecutionRolePolicyArn\n", " - Feature Store 수집 실험으로 노트북을 실행하려면 권한이 있는 Amazon SageMaker 실행 역할에 대한 관리형 정책 \n", "- AmazonSageMakerExecutionRoleName\n", " - Amazon SageMaker 실행 역할의 이름" ] }, { "cell_type": "code", "execution_count": 3, "id": "473d6379", "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "\u001b[94mOutputs\u001b[39;49;00m:\n", " \u001b[94mProductId\u001b[39;49;00m:\n", " \u001b[94mDescription\u001b[39;49;00m: Service Catalog data science product Id\n", " \u001b[94mValue\u001b[39;49;00m:\n", " \u001b[94mRef\u001b[39;49;00m: FeatureStoreDataIngestionProduct\n", " \u001b[94mPortfolioId\u001b[39;49;00m:\n", " \u001b[94mDescription\u001b[39;49;00m: Service Catalog data science portfolio Id\n", " \u001b[94mValue\u001b[39;49;00m:\n", " \u001b[94mRef\u001b[39;49;00m: DataScienceAutomationPortfolio\n", " \u001b[94mProductName\u001b[39;49;00m:\n", " \u001b[94mDescription\u001b[39;49;00m: Service Catalog data science product name\n", " \u001b[94mValue\u001b[39;49;00m:\n", " Fn::GetAtt:\n", " - FeatureStoreDataIngestionProduct\n", " - ProductName\n", " \u001b[94mProvisioningArtifactIds\u001b[39;49;00m:\n", " \u001b[94mDescription\u001b[39;49;00m: Service Catalog data science provisioning artifact Ids\n", " \u001b[94mValue\u001b[39;49;00m:\n", " Fn::GetAtt:\n", " - FeatureStoreDataIngestionProduct\n", " - ProvisioningArtifactIds\n", " \u001b[94mProvisioningArtifactNames\u001b[39;49;00m:\n", " \u001b[94mDescription\u001b[39;49;00m: Service Catalog data science provisioning artifact names\n", " \u001b[94mValue\u001b[39;49;00m:\n", " Fn::GetAtt:\n", " - FeatureStoreDataIngestionProduct\n", " - ProvisioningArtifactNames\n", " \u001b[94mFSIngestionProductPolicyArn\u001b[39;49;00m:\n", " \u001b[94mDescription\u001b[39;49;00m: Managed policy for AmazonSageMakerServiceCatalogProductsLaunchRole\n", " to launch an Feature Store ingestion product\n", " \u001b[94mValue\u001b[39;49;00m:\n", " \u001b[94mRef\u001b[39;49;00m: AmazonSageMakerServiceCatalogFSIngestionProductPolicy\n", " \u001b[94mAmazonSageMakerExecutionRolePolicyArn\u001b[39;49;00m:\n", " \u001b[94mDescription\u001b[39;49;00m: Managed policy for Amazon SageMaker execution role with permissions\n", " to run the notebooks with Feature Store ingestion experiments\n", " \u001b[94mValue\u001b[39;49;00m:\n", " \u001b[94mRef\u001b[39;49;00m: AmazonSageMakerExecutionRolePolicy\n", " \u001b[94mAmazonSageMakerExecutionRoleName\u001b[39;49;00m:\n", " \u001b[94mDescription\u001b[39;49;00m: Name of the Amazon SageMaker execution role\n", " \u001b[94mValue\u001b[39;49;00m:\n", " Fn::Select:\n", " - 1\n", " - Fn::Split:\n", " - /\n", " - \u001b[94mRef\u001b[39;49;00m: SCPortfolioPrincipalRoleArn\n" ] } ], "source": [ "!pygmentize \"sm-project-sc-portfolio.yaml\" | sed -n 6,50p" ] }, { "cell_type": "markdown", "id": "bd4d431b", "metadata": {}, "source": [ "## 1.2 sm-project-sc-portfolio.yaml 파라미터\n", "- SCPortfolioPrincipalRoleArn\n", " - 서비스 카탈로그 제품에 대한 액세스 권한이 부여될 IAM 역할\n", "- SCProductLaunchRoleArn\n", " - SageMaker Studio가 제품을 시작될 때 서비스 카탈로그가 맡는 IAM 역할" ] }, { "cell_type": "code", "execution_count": 4, "id": "44c0f778", "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "\u001b[94mParameters\u001b[39;49;00m:\n", " \u001b[94mSCPortfolioPrincipalRoleArn\u001b[39;49;00m:\n", " \u001b[94mType\u001b[39;49;00m: String\n", " \u001b[94mDescription\u001b[39;49;00m: IAM role which will be granted access to Service Catalog products\n", " \u001b[94mSCProductLaunchRoleArn\u001b[39;49;00m:\n", " \u001b[94mType\u001b[39;49;00m: String\n", " \u001b[94mDescription\u001b[39;49;00m: IAM role that Service Catalog assumes when SageMaker Studio launches\n", " a product\n", " \u001b[94mDefault\u001b[39;49;00m: AmazonSageMakerServiceCatalogProductsLaunchRole\n" ] } ], "source": [ "!pygmentize \"sm-project-sc-portfolio.yaml\" | sed -n 51,59p" ] }, { "cell_type": "markdown", "id": "660bb12c", "metadata": {}, "source": [ "## 1.2 sm-project-sc-portfolio.yaml 생성될 리소스\n", "- DataScienceAutomationPortfolio\n", " - 이 포트폴리오는 SageMaker Studio용 재사용 가능한 데이터 과학 자동화 구성 요소 모음입니다.\n", "- FeatureStoreDataIngestionProduct\n", " - 이 템플릿은 데이터 변환을 하는 Data Wrangler 및 SageMaker 파이프라인을 사용하여 S3 버킷에서 피쳐 그룹으로 데이터 수집을 자동화하기 위한 SageMaker 프로젝트를 생성합니다.\n" ] }, { "cell_type": "code", "execution_count": 5, "id": "0563ddf0", "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "\u001b[94mResources\u001b[39;49;00m:\n", " \u001b[94mDataScienceAutomationPortfolio\u001b[39;49;00m:\n", " \u001b[94mType\u001b[39;49;00m: AWS::ServiceCatalog::Portfolio\n", " \u001b[94mProperties\u001b[39;49;00m:\n", " \u001b[94mProviderName\u001b[39;49;00m: Data Science Administration Team\n", " \u001b[94mDescription\u001b[39;49;00m: This portfolio is a collection of re-usable data science automation\n", " components for SageMaker Studio\n", " \u001b[94mDisplayName\u001b[39;49;00m: Re-usable data science automation components for your ML environment\n", " \u001b[94mFeatureStoreDataIngestionProduct\u001b[39;49;00m:\n", " \u001b[94mType\u001b[39;49;00m: AWS::ServiceCatalog::CloudFormationProduct\n", " \u001b[94mProperties\u001b[39;49;00m:\n", " \u001b[94mName\u001b[39;49;00m: Automated Feature Transformation and Ingestion Pipeline v1.0\n", " \u001b[94mDescription\u001b[39;49;00m: This template creates a SageMaker project for automating a data\n", " ingestion from an S3 bucket into a feature group using Data Wrangler data\n", " transformation and SageMaker Pipelines\n", " \u001b[94mOwner\u001b[39;49;00m: Data Science Administration Team\n", " \u001b[94mProvisioningArtifactParameters\u001b[39;49;00m:\n", " - \u001b[94mName\u001b[39;49;00m: Automated Feature Transformation and Ingestion Pipeline v1.0\n", " \u001b[94mDescription\u001b[39;49;00m: SageMaker project to transform and ingest features into a feature\n", " group\n", " \u001b[94mInfo\u001b[39;49;00m:\n", " \u001b[94mLoadTemplateFromURL\u001b[39;49;00m: https://s3.amazonaws.com/sagemaker-us-east-1-627616086164/amazon-sagemaker-reusable-components/project-s3-fs-ingestion.yaml\n", " \u001b[94mTags\u001b[39;49;00m:\n", " - \u001b[94mKey\u001b[39;49;00m: sagemaker:studio-visibility\n", " \u001b[94mValue\u001b[39;49;00m: \u001b[33m'\u001b[39;49;00m\u001b[33mtrue\u001b[39;49;00m\u001b[33m'\u001b[39;49;00m\n" ] } ], "source": [ "!pygmentize \"sm-project-sc-portfolio.yaml\" | sed -n 65,89p" ] }, { "cell_type": "markdown", "id": "2f69f652", "metadata": {}, "source": [ "## 1.3 이외 생성될 리소스\n", "- SCPortfolioFeatureStoreDataIngestionProductAssociation\n", "- SCPortfolioPrincipleAssociation\n", "- SCFeatureStoreDataIngestionProductLaunchRoleConstraint\n", "- AmazonSageMakerExecutionRolePolicy\n", "- AmazonSageMakerServiceCatalogFSIngestionProductPolicy\n" ] }, { "cell_type": "code", "execution_count": 6, "id": "064f538d", "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ " \u001b[94mSCPortfolioFeatureStoreDataIngestionProductAssociation\u001b[39;49;00m:\n", " \u001b[94mType\u001b[39;49;00m: AWS::ServiceCatalog::PortfolioProductAssociation\n", " \u001b[94mProperties\u001b[39;49;00m:\n", " \u001b[94mPortfolioId\u001b[39;49;00m:\n", " \u001b[94mRef\u001b[39;49;00m: DataScienceAutomationPortfolio\n", " \u001b[94mProductId\u001b[39;49;00m:\n", " \u001b[94mRef\u001b[39;49;00m: FeatureStoreDataIngestionProduct\n", " \u001b[94mSCPortfolioPrincipleAssociation\u001b[39;49;00m:\n", " \u001b[94mType\u001b[39;49;00m: AWS::ServiceCatalog::PortfolioPrincipalAssociation\n", " \u001b[94mProperties\u001b[39;49;00m:\n", " \u001b[94mPortfolioId\u001b[39;49;00m:\n", " \u001b[94mRef\u001b[39;49;00m: DataScienceAutomationPortfolio\n", " \u001b[94mPrincipalARN\u001b[39;49;00m:\n", " \u001b[94mRef\u001b[39;49;00m: SCPortfolioPrincipalRoleArn\n", " \u001b[94mPrincipalType\u001b[39;49;00m: IAM\n", " \u001b[94mSCFeatureStoreDataIngestionProductLaunchRoleConstraint\u001b[39;49;00m:\n", " \u001b[94mType\u001b[39;49;00m: AWS::ServiceCatalog::LaunchRoleConstraint\n", " \u001b[94mDependsOn\u001b[39;49;00m:\n", " - SCPortfolioPrincipleAssociation\n", " \u001b[94mProperties\u001b[39;49;00m:\n", " \u001b[94mDescription\u001b[39;49;00m:\n", " Fn::Sub: AWS Service Catalog uses ${SCProductLaunchRoleArn} to launch SageMaker\n", " projects\n", " \u001b[94mPortfolioId\u001b[39;49;00m:\n", " \u001b[94mRef\u001b[39;49;00m: DataScienceAutomationPortfolio\n", " \u001b[94mProductId\u001b[39;49;00m:\n", " \u001b[94mRef\u001b[39;49;00m: FeatureStoreDataIngestionProduct\n", " \u001b[94mRoleArn\u001b[39;49;00m:\n", " Fn::If:\n", " - DefaultLaunchRole\n", " - Fn::Sub: arn:${AWS::Partition}:iam::${AWS::AccountId}:role/service-role/${SCProductLaunchRoleArn}\n", " - \u001b[94mRef\u001b[39;49;00m: SCProductLaunchRoleArn\n", " \u001b[94mAmazonSageMakerExecutionRolePolicy\u001b[39;49;00m:\n", " \u001b[94mType\u001b[39;49;00m: AWS::IAM::ManagedPolicy\n", " \u001b[94mProperties\u001b[39;49;00m:\n", " \u001b[94mPolicyDocument\u001b[39;49;00m:\n", " \u001b[94mVersion\u001b[39;49;00m: 2012-10-17\n", " \u001b[94mStatement\u001b[39;49;00m:\n", " - \u001b[94mSid\u001b[39;49;00m: CloudFormationPermission\n", " \u001b[94mEffect\u001b[39;49;00m: Allow\n", " \u001b[94mAction\u001b[39;49;00m:\n", " - cloudformation:Describe*\n", " - cloudformation:Get*\n", " - cloudformation:List*\n", " \u001b[94mResource\u001b[39;49;00m:\n", " - Fn::Sub: arn:aws:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/sm-*\n", " - Fn::Sub: arn:aws:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/sagemaker-*\n", " - \u001b[94mSid\u001b[39;49;00m: S3Permission\n", " \u001b[94mEffect\u001b[39;49;00m: Allow\n", " \u001b[94mAction\u001b[39;49;00m:\n", " - s3:DeleteBucket\n", " \u001b[94mResource\u001b[39;49;00m:\n", " - arn:aws:s3:::sagemaker-cp-*\n", " - arn:aws:s3:::sagemaker-ct-*\n", " \u001b[94mAmazonSageMakerServiceCatalogFSIngestionProductPolicy\u001b[39;49;00m:\n", " \u001b[94mType\u001b[39;49;00m: AWS::IAM::ManagedPolicy\n", " \u001b[94mProperties\u001b[39;49;00m:\n", " \u001b[94mPolicyDocument\u001b[39;49;00m:\n", " \u001b[94mVersion\u001b[39;49;00m: 2012-10-17\n", " \u001b[94mStatement\u001b[39;49;00m:\n", " - \u001b[94mSid\u001b[39;49;00m: FSIngestionPermissionIAM\n", " \u001b[94mEffect\u001b[39;49;00m: Allow\n", " \u001b[94mAction\u001b[39;49;00m:\n", " - iam:CreateRole\n", " - iam:DeleteRole\n", " - iam:PutRolePolicy\n", " - iam:DeleteRolePolicy\n", " - iam:DetachRolePolicy\n", " - iam:AttachRolePolicy\n", " - iam:GetRole\n", " - iam:GetRolePolicy\n", " \u001b[94mResource\u001b[39;49;00m:\n", " Fn::Sub: arn:aws:iam::${AWS::AccountId}:*\n", " - \u001b[94mSid\u001b[39;49;00m: FSIngestionPermissionS3\n", " \u001b[94mEffect\u001b[39;49;00m: Allow\n", " \u001b[94mAction\u001b[39;49;00m:\n", " - s3:PutBucketOwnershipControls\n", " \u001b[94mResource\u001b[39;49;00m: arn:aws:s3:::sagemaker-*\n", " - \u001b[94mSid\u001b[39;49;00m: FSIngestionPermissionPassRole\n", " \u001b[94mEffect\u001b[39;49;00m: Allow\n", " \u001b[94mAction\u001b[39;49;00m:\n", " - iam:PassRole\n", " \u001b[94mResource\u001b[39;49;00m:\n", " - Fn::Sub: arn:aws:iam::${AWS::AccountId}:role/*StartIngestionPipeline*\n", " - \u001b[94mSid\u001b[39;49;00m: FSIngestionPermissionEvents\n", " \u001b[94mEffect\u001b[39;49;00m: Allow\n", " \u001b[94mAction\u001b[39;49;00m:\n", " - events:DescribeRule\n", " - events:DeleteRule\n", " - events:EnableRule\n", " - events:PutRule\n", " - events:PutTargets\n", " - events:RemoveTargets\n", " - events:TagResource\n", " - events:UntagResource\n", " \u001b[94mResource\u001b[39;49;00m:\n", " - Fn::Sub: arn:aws:events:${AWS::Region}:${AWS::AccountId}:*\n", " - \u001b[94mSid\u001b[39;49;00m: FSIngestionPermissionCloudTrail\n", " \u001b[94mEffect\u001b[39;49;00m: Allow\n", " \u001b[94mAction\u001b[39;49;00m:\n", " - cloudtrail:CreateTrail\n", " - cloudtrail:DeleteTrail\n", " - cloudtrail:AddTags\n", " - cloudtrail:RemoveTags\n", " - cloudtrail:PutEventSelectors\n", " - cloudtrail:RemoveTags\n", " - cloudtrail:StartLogging\n", " - cloudtrail:StopLogging\n", " \u001b[94mResource\u001b[39;49;00m:\n", " - Fn::Sub: arn:aws:cloudtrail:${AWS::Region}:${AWS::AccountId}:trail/cloudtrail-sagemaker-*\n" ] } ], "source": [ "!pygmentize \"sm-project-sc-portfolio.yaml\" | sed -n 90,199p" ] }, { "cell_type": "markdown", "id": "a0149747", "metadata": {}, "source": [ "# 2. AWS Service Catalog 제품 및 포트폴리오 배포\n", "- 'sm-project-sc-portfolio.yaml' 를 실행하여 카탈로그 포트폴리오 및 프로덕트에 등록하는 과정\n", "- 아래와 같은 주요 파라미터가 필요 합니다.\n", "```\n", "aws cloudformation create-stack \\\n", " --template-url # 포트폴리오 및 프로덕트가 정의된 CF YAML\n", " --region # 리젼\n", " --stack-name # 스텍 이름\n", " --disable-rollback \n", " --capabilities CAPABILITY_NAMED_IAM \\\n", " --parameters \\\n", " ParameterKey=SCPortfolioPrincipalRoleArn,ParameterValue= <> # SageMaker Execution Role 할당\n", "```" ] }, { "cell_type": "code", "execution_count": 7, "id": "8c1af08c", "metadata": {}, "outputs": [], "source": [ "import sagemaker\n", "region = sagemaker.Session().boto_region_name\n", "SC_PORTFOLIO_STACK_NAME='sm-project-sc-portfolio'" ] }, { "cell_type": "code", "execution_count": 10, "id": "e6ee3291", "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "bucket_name : sagemaker-us-east-1-627616086164\n", "stack_name : sm-project-sc-portfolio\n", "Bucket Region : us-east-1\n", "SageMaker Studio Domain ID : d-qlke3qpg5lek\n", "SageMaker Execution Role : arn:aws:iam::627616086164:role/mod-6297809195fe4845-SageMakerExecutionRole-1BEMVGZB3KC6H\n", "CF File: : https://s3.us-east-1.amazonaws.com/sagemaker-us-east-1-627616086164/amazon-sagemaker-reusable-components/sm-project-sc-portfolio.yaml\n", "{\n", " \"StackId\": \"arn:aws:cloudformation:us-east-1:627616086164:stack/sm-project-sc-portfolio/babd4330-8811-11ec-ae7e-12732f42e421\"\n", "}\n" ] } ], "source": [ "%%sh -s \"{bucket}\" \"{SC_PORTFOLIO_STACK_NAME}\" \"{region}\"\n", "\n", "bucket_name=$1\n", "sc_portfolio_stack_name=$2\n", "region=$3\n", "echo 'bucket_name' : $bucket_name\n", "echo 'stack_name' : $sc_portfolio_stack_name\n", "echo 'Bucket Region' : $region\n", " \n", "export SM_DOMAIN_ID=$(aws sagemaker list-domains \\\n", " --output text --query 'Domains[0].DomainId')\n", "echo 'SageMaker Studio Domain ID' : $SM_DOMAIN_ID\n", "\n", "export SM_EXECUTION_ROLE=$(aws sagemaker describe-domain \\\n", " --domain-id $SM_DOMAIN_ID \\\n", " --output text --query 'DefaultUserSettings.ExecutionRole')\n", "echo 'SageMaker Execution Role' : $SM_EXECUTION_ROLE\n", "\n", "echo 'CF File: ' : https://s3.$region.amazonaws.com/$bucket_name/amazon-sagemaker-reusable-components/sm-project-sc-portfolio.yaml\n", "\n", "aws cloudformation create-stack \\\n", " --template-url https://s3.$region.amazonaws.com/$bucket_name/amazon-sagemaker-reusable-components/sm-project-sc-portfolio.yaml \\\n", " --region $region \\\n", " --stack-name $sc_portfolio_stack_name \\\n", " --disable-rollback \\\n", " --capabilities CAPABILITY_NAMED_IAM \\\n", " --parameters \\\n", " ParameterKey=SCPortfolioPrincipalRoleArn,ParameterValue=$SM_EXECUTION_ROLE" ] }, { "cell_type": "markdown", "id": "4aba989e", "metadata": {}, "source": [ "## 2.1 클라우드 포메이션 진행 확인\n", "\n", "- 클라우드 포메이션의 콘솔로 가셔서 sm-project-sc-portfolio 가 성공적으로 끝났는지를 확인 합니다." ] }, { "cell_type": "markdown", "id": "d7865ec8", "metadata": {}, "source": [ "![cf_deploy_portfolio.png](img2/cf_deploy_portfolio.png)" ] }, { "cell_type": "markdown", "id": "50910405", "metadata": {}, "source": [ "## 2.2 서비스 카탈로그 및 프러덕트 생성 확인\n", "- 서비스 카탈로그 콘솔로 이동하여 아래 처럼 생성이 되었는지를 확인 합니다." ] }, { "cell_type": "markdown", "id": "66cb5188", "metadata": {}, "source": [ "![service_catalog.png](img2/service_catalog.png)" ] }, { "cell_type": "markdown", "id": "0a3e6e8f", "metadata": {}, "source": [ "# 3. 서비스 카탈로그 런치 및 SageMaker 실행 IAM 역할에 권한 추가\n", "\n", "- AmazonSageMakerServiceCatalogProductsLaunchRole 에 권한 추가\n", " - AWS Service Catalog는 기본 [`AmazonSageMakerServiceCatalogProductsLaunchRole` IAM 역할](https://docs.aws.amazon.com/sagemaker/latest/dg/security-iam-awsmanpol-sc.html)을 사용하여 SageMaker 프로젝트와 함께 CloudFormation 템플릿을 시작합니다. 이 역할은 Studio 사용자에 대해 SageMaker 프로젝트를 활성화한 경우 SageMaker Studio를 프로비저닝하는 동안 자동으로 생성됩니다.\n", " - Feature Store 수집 제품을 SageMaker 프로젝트로 배포하려면 이 역할에 추가 권한이 필요합니다. 필요한 모든 권한은 [관리형 정책 리소스 `AmazonSageMakerServiceCatalogFSIngestionProductPolicy`](cfn-templates/sm-project-sc-portfolio.yaml)에 정의되어 있으며 이를 역할(`AmazonSageMakerServiceCatalogProductsLaunchRole`) 에 첨부해야 합니다.\n", " - 이는 SageMaker 프로젝트 배포를 시작하기 전에 해야 합니다.\n", "\n", "\n", "- AmazonSageMakerExecutionRole 에 권한 추가\n", " - 예를 들어 [CloudFormation API](https://docs.aws.amazon.com/AWSCloudFormation/latest/APIReference/API_Operations.html)를 호출하여 제공된 노트북에서 일부 코드 셀을 실행하려면 SageMaker 실행 역할에 추가 권한이 필요합니다. 이러한 권한은 [관리형 정책 리소스 `AmazonSageMakerExecutionRolePolicy`](cfn-templates/sm-project-sc-portfolio.yaml)에 정의되어 있으며 SageMaker 실행 역할에 연결되어야 합니다.\n", "\n", "다음 명령을 실행하여 생성된 관리형 정책을 `AmazonSageMakerServiceCatalogProductsLaunchRole` 및 SageMaker 실행 IAM 역할에 연결합니다.\n", "- 또한 추가적인 권한을 제공하여, 추후에 리소스 제거시 사용 합니다.\n", "\n" ] }, { "cell_type": "code", "execution_count": 11, "id": "78f0b71b", "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "SM_SC_FS_INGESTION_POLICY_ARN : arn:aws:iam::627616086164:policy/sm-project-sc-portfolio-AmazonSageMakerServiceCatalogFSIngestionProductPolicy-1ELCY7G3Q44HC\n", "\n", "SM_EXECUTION_ROLE_POLICY_ARN : arn:aws:iam::627616086164:policy/sm-project-sc-portfolio-AmazonSageMakerExecutionRolePolicy-X02MZ0KBMA39\n", "\n", "SM_EXECUTION_ROLE_NAME : mod-6297809195fe4845-SageMakerExecutionRole-1BEMVGZB3KC6H\n", "mod-6297809195fe4845-SageMakerExecutionRole-1BEMVGZB3KC6H : Additional policies attached to cleanup later\n" ] } ], "source": [ "%%sh -s \"{SC_PORTFOLIO_STACK_NAME}\" \n", "\n", "sc_portfolio_stack_name=$1\n", "export SM_SC_FS_INGESTION_POLICY_ARN=$(aws cloudformation describe-stacks \\\n", " --stack-name $sc_portfolio_stack_name \\\n", " --output text \\\n", " --query 'Stacks[0].Outputs[?OutputKey==`FSIngestionProductPolicyArn`].OutputValue')\n", "\n", "echo 'SM_SC_FS_INGESTION_POLICY_ARN' : $SM_SC_FS_INGESTION_POLICY_ARN\n", " \n", "export SM_EXECUTION_ROLE_POLICY_ARN=$(aws cloudformation describe-stacks \\\n", " --stack-name $sc_portfolio_stack_name \\\n", " --output text \\\n", " --query 'Stacks[0].Outputs[?OutputKey==`AmazonSageMakerExecutionRolePolicyArn`].OutputValue')\n", "\n", "echo ''\n", "echo 'SM_EXECUTION_ROLE_POLICY_ARN' : $SM_EXECUTION_ROLE_POLICY_ARN \n", " \n", "export SM_EXECUTION_ROLE_NAME=$(aws cloudformation describe-stacks \\\n", " --stack-name $sc_portfolio_stack_name \\\n", " --output text \\\n", " --query 'Stacks[0].Outputs[?OutputKey==`AmazonSageMakerExecutionRoleName`].OutputValue')\n", "\n", "echo ''\n", "echo 'SM_EXECUTION_ROLE_NAME' : $SM_EXECUTION_ROLE_NAME \n", "\n", "aws iam attach-role-policy \\\n", " --role-name AmazonSageMakerServiceCatalogProductsLaunchRole \\\n", " --policy-arn $SM_SC_FS_INGESTION_POLICY_ARN\n", "\n", "aws iam attach-role-policy \\\n", " --role-name $SM_EXECUTION_ROLE_NAME \\\n", " --policy-arn $SM_EXECUTION_ROLE_POLICY_ARN\n", "\n", "aws iam attach-role-policy \\\n", " --role-name $SM_EXECUTION_ROLE_NAME \\\n", " --policy-arn \"arn:aws:iam::aws:policy/IAMFullAccess\"\n", "\n", "echo $SM_EXECUTION_ROLE_NAME : Additional policies attached to cleanup later\n", " \n", "aws iam attach-role-policy \\\n", " --role-name $SM_EXECUTION_ROLE_NAME \\\n", " --policy-arn arn:aws:iam::aws:policy/IAMFullAccess\n", "\n", "aws iam attach-role-policy \\\n", " --role-name $SM_EXECUTION_ROLE_NAME \\\n", " --policy-arn arn:aws:iam::aws:policy/AWSCloudFormationFullAccess\n", "\n", "aws iam attach-role-policy \\\n", " --role-name $SM_EXECUTION_ROLE_NAME \\\n", " --policy-arn arn:aws:iam::aws:policy/AWSCodeBuildAdminAccess\n", "\n", "aws iam attach-role-policy \\\n", " --role-name $SM_EXECUTION_ROLE_NAME \\\n", " --policy-arn arn:aws:iam::aws:policy/AWSServiceCatalogAdminFullAccess\n", "\n", "aws iam attach-role-policy \\\n", " --role-name $SM_EXECUTION_ROLE_NAME \\\n", " --policy-arn arn:aws:iam::aws:policy/AWSLambda_FullAccess\n", "\n", "aws iam attach-role-policy \\\n", " --role-name $SM_EXECUTION_ROLE_NAME \\\n", " --policy-arn arn:aws:iam::aws:policy/AmazonS3FullAccess\n", "\n", " " ] }, { "cell_type": "markdown", "id": "72cf22c3", "metadata": {}, "source": [ "# 4. Next\n", "- README 파일로 이동하시고, 아래는 트러블 슈팅시 참고 하세요." ] }, { "cell_type": "markdown", "id": "8073c1fa", "metadata": {}, "source": [ "---\n", "\n", "# A. 트러블 슈팅 커맨드 및 에러 케이스" ] }, { "cell_type": "markdown", "id": "213cd949", "metadata": {}, "source": [ "## A.1. sm-project-sc-portfolio.yaml 스택 실행시 에러\n", "아래 스택 실행시에 에러 발생 함. \n", "\n", "Template error: Fn::Select cannot select nonexistent value at index 2\n", "\n", "```\n", "AmazonSageMakerExecutionRoleName:\n", " Description: Name of the Amazon SageMaker execution role\n", " Value:\n", " Fn::Select:\n", " - 1 # 기존에 2 였음. 1로 변경 함\n", "```\n", "아래 파일을 다음과 같이 변경 \n", "amazon-sagemaker-reusable-components/build/sm-project-sc-portfolio.yaml\n", "```\n", "Before:\n", " AmazonSageMakerExecutionRoleName:\n", " Description: Name of the Amazon SageMaker execution role\n", " Value: !Select [2, !Split ['/', !Ref SCPortfolioPrincipalRoleArn ] ] \n", "```\n", "```\n", "After: \n", " AmazonSageMakerExecutionRoleName:\n", " Description: Name of the Amazon SageMaker execution role\n", " Value: !Select [1, !Split ['/', !Ref SCPortfolioPrincipalRoleArn ] ] \n", "\n", "\n", "```" ] }, { "cell_type": "markdown", "id": "a8a430b8", "metadata": {}, "source": [ "## A.2 sm-project-sc-portfolio.yaml 배포시 에러\n", "\n", "![deploy_error](img2/error-deploy-portfolio-product.png)\n", "\n", "위의 현상이 간헐적으로 발생합니다. 이경우에 스택을 다시 지우고 다시 생성을 시도 하세요.\n", "- 이유는 인터널 에러로 추정 됩니다." ] }, { "cell_type": "code", "execution_count": null, "id": "e7f6a8ee", "metadata": {}, "outputs": [], "source": [] } ], "metadata": { "kernelspec": { "display_name": "conda_python3", "language": "python", "name": "conda_python3" }, "language_info": { "codemirror_mode": { "name": "ipython", "version": 3 }, "file_extension": ".py", "mimetype": "text/x-python", "name": "python", "nbconvert_exporter": "python", "pygments_lexer": "ipython3", "version": "3.6.13" } }, "nbformat": 4, "nbformat_minor": 5 }