Use Amazon SageMaker {custom} tags for mission useful resource governance and price monitoring

Amazon SageMaker introduced a brand new function that you should use so as to add {custom} tags to assets created by an Amazon SageMaker Unified Studio mission. This helps you implement tagging requirements that conform to your group’s service management insurance policies (SCPs) and helps allow value monitoring reporting practices on assets created throughout the group.

As a SageMaker administrator, you’ll be able to configure a mission profile with tag configurations that shall be pushed right down to initiatives that presently use or will use that mission profile. The mission profile is about as much as move both required key and worth tag pairings or move the important thing of the tag with a default worth that may be modified throughout mission creation. All tags handed to the mission will consequence within the assets created by that mission being tagged. This offers you with a governance mechanism that enforces that mission assets have the anticipated tags throughout all initiatives of the area.

The primary launch of {custom} tags for mission assets is supported by an software programming interface (API), by Amazon DataZone SDKs. On this submit, we have a look at use circumstances for {custom} tags and how you can use the AWS Command Line Interface (AWS CLI) so as to add tags to mission assets.

What we hear from clients

As clients proceed to construct and collaborate utilizing AWS instruments for mannequin growth, generative AI, knowledge processing, and SQL analytics, they see the necessity to deliver management and visibility into the assets being created. To help connectivity to those AWS instruments from SageMaker Unified Studio initiatives, many various kinds of assets throughout AWS providers must be created. These assets are created by AWS CloudFormation stacks (by mission setting deployment) by the Amazon SageMaker service. From clients we hear the next use circumstances:

• Prospects must implement that tagging practices conform to firm insurance policies by the usage of AWS controls, similar to SCPs, for useful resource creation. These controls block the creation of assets except particular tags are positioned on the useful resource.
• Prospects also can begin with insurance policies to implement that the proper tags are positioned when assets are created with the extra aim of standardizing on useful resource reporting. By inserting identifiable info on assets when created, they implement consistency and completeness when performing value attribution reporting and observability.

Buyer Swiss Life makes use of SageMaker as a single answer for cataloging, discovery, sharing, and governance of their enterprise knowledge throughout enterprise domains. They require all assets have a set of obligatory tags for his or her finance group to invoice organizations throughout their firm for the AWS assets created.

“The launch of mission useful resource tags for Amazon SageMaker permits us to deliver visibility to the prices incurred throughout our accounts. With this functionality we’re in a position to meet the useful resource tagging tips of our firm and trust in attributing prices throughout our multi-account setup for the assets created by Amazon SageMaker initiatives.”

– Tim Kopacz, Software program Developer at Swiss Life

Conditions

To get began with {custom} tags, you will need to have the next assets:

• A SageMaker Unified Studio area.
• An AWS Identification and Entry Administration (IAM) entity with privileges to make AWS CLI calls to the area.
• An IAM entity approved to make modifications to the area IAM provisioning function. If SageMaker created this for you, will probably be referred to as AmazonSageMakerProvisioning-. The provisioning function provisions and manages assets outlined within the chosen blueprints in your account.

How you can arrange mission useful resource tags

The next steps define how one can configure {custom} tags in your SageMaker Unified Studio mission assets:

1. (Elective) Replace the SageMaker provisioning function to allow particular tag keys.
2. Create a brand new mission profile with mission useful resource tags configured.
3. Create a brand new mission with mission useful resource tags.
4. Replace an present mission with mission useful resource tags.
5. Validate that the assets are tagged.

(Elective) Replace a SageMaker provisioning function to allow tag key values

The AmazonSageMakerProvisioning- function has an AWS managed coverage with situation aws:TagKeys permitting tags to be created by this function provided that the tag key begins with AmazonDataZone. For this instance, we’ll change the tag key to start with totally different strings. Skip to Create a brand new mission profile with mission useful resource tags configured when you don’t want tag keys to have a special construction (similar to begins with, incorporates, and so forth)

1. Open the AWS Administration Console and go to IAM.
2. Within the navigation pane, select Roles.
3. Within the listing, select AmazonSageMakerProvisioning-.
4. Select the Permissions tab.
5. Select Add permissions, after which select Create inline coverage.
6. Beneath Coverage editor, choose JSON.
7. Enter the next coverage. Add the strings underneath the situation aws:TagKeys. On this instance, tag keys starting with ACME or tag keys with the precise match of CostCenter shall be created by the function.

   {
       "Model": "2012-10-17",
       "Assertion": [
           {
               "Sid": "CustomTagsUnTagPermissions",
               "Effect": "Allow",
               "Action": [
                   "codecommit:UntagResource",
                   "iam:UntagRole",
                   "logs:UntagResource",
                   "athena:UntagResource",
                   "redshift-serverless:UntagResource",
                   "scheduler:UntagResource",
                   "bedrock:UntagResource",
                   "neptune-graph:UntagResource",
                   "quicksight:UntagResource",
                   "glue:UntagResource",
                   "airflow:UntagResource",
                   "secretsmanager:UntagResource",
                   "lambda:UntagResource",
                   "emr-serverless:UntagResource",
                   "elasticmapreduce:RemoveTags",
                   "sagemaker:DeleteTags",
                   "ec2:DeleteTags"
               ],
               "Useful resource": "*",
               "Situation": {
                   "StringEquals": {
                       "aws:ResourceAccount": "${aws:PrincipalAccount}"
                   },
                   "ForAllValues:StringLike": {
                       "aws:TagKeys": [
                           "AmazonDataZone*",
                           "ACME*",
                           "CostCenter"
                       ]
                   },
                   "Null": {
                       "aws:ResourceTag/AmazonDataZoneProject": "false"
                   }
               }
           },
           {
               "Sid": "CustomTagsTaggingPermissions",
               "Impact": "Permit",
               "Motion": [
                   "cloudformation:TagResource",
                   "codecommit:TagResource",
                   "iam:TagRole",
                   "glue:TagResource",
                   "athena:TagResource",
                   "lambda:TagResource",
                   "redshift-serverless:TagResource",
                   "logs:TagResource",
                   "secretsmanager:TagResource",
                   "sagemaker:AddTags",
                   "emr-serverless:TagResource",
                   "neptune-graph:TagResource",
                   "bedrock:TagResource",
                   "elasticmapreduce:AddTags",
                   "airflow:TagResource",
                   "scheduler:TagResource",
                   "quicksight:TagResource",
                   "emr-containers:TagResource",
                   "logs:CreateLogGroup",
                   "athena:CreateWorkGroup",
                   "scheduler:CreateScheduleGroup",
                   "cloudformation:CreateStack",
                   "ec2:*"
               ],
               "Useful resource": "*",
               "Situation": {
                   "ForAnyValue:StringLike": {
                       "aws:TagKeys": [
                           "AmazonDataZone*",
                           "ACME*",
                           "CostCenter"
                       ]
                   },
                   "StringEquals": {
                       "aws:ResourceAccount": "${aws:PrincipalAccount}"
                   }
               }
           }
       ]
   }

It’s doable to scope down the particular AWS service tag and un-tag permissions primarily based on which blueprints or capabilities are getting used.

Create a brand new mission profile with mission useful resource tags configured

Use the next steps to create a brand new SQL Analytics mission profile with {custom} tags. The instance makes use of AWS CLI instructions.

1. Open the AWS CloudShell console.
2. Create a mission profile utilizing the next CLI command.
   1. The project-resource-tags parameter consists of key (tag key), worth (tag worth), and isValueEditable (boolean indicating if the tag worth may be modified throughout mission creation or replace).
   2. The allow-custom-project-resource-tags parameter set to true permits the mission creator to create further key-value pairs. The important thing wants to evolve to the inline coverage of the AmazonSageMakerProvisioning- function.
   3. The project-resource-tags-description parameter is an outline subject for mission useful resource tags. The max character restrict is 2,048. The outline must be handed in each time create-project-profile or update-project-profile is known as.

   aws datazone create-project-profile 
     --name "SQL Analytics with Venture Useful resource Tags" 
     --description "Analyze your knowledge in SageMaker Lakehouse utilizing SQL" 
     --domain-identifier "$DOMAIN_ID" 
     --region "$REGION" 
     --status ENABLED 
     --project-resource-tags '[
       {
           "key": "ACME-Application",
           "value": "SageMaker",
           "isValueEditable": false
       },
       {
           "key": "CostCenter",
           "value": "123",
           "isValueEditable": true
       }
     ]' 
     --allow-custom-project-resource-tags 
     --environment-configurations '[
       {
           "name": "Tooling",
           "description": "Configuration for the Tooling Environment",
           "environmentBlueprintId": "",
           "deploymentMode": "ON_CREATE",
           "deploymentOrder": 0,
           "awsAccount": {
           "awsAccountId": "$ACCOUNT"
       },
       "awsRegion": {
           "regionName": "$REGION"
       },
           "configurationParameters": {
               "parameterOverrides": [
                   {
                       "name": "enableSpaces",
                       "value": "false",
                       "isEditable": false
                   },
                   {
                       "name": "maxEbsVolumeSize",
                       "isEditable": false
                   },
                   {
                       "name": "idleTimeoutInMinutes",
                       "isEditable": false
                   },
                   {
                       "name": "lifecycleManagement",
                       "isEditable": false
                   },
                   {
                       "name": "enableNetworkIsolation",
                       "isEditable": false
                   }
               ]
           }
       },
       {
           "title": "Lakehouse Database",
           "description": "Creates databases in Amazon SageMaker Lakehouse for storing tables in S3 and Amazon Athena assets in your SQL workloads",
           "environmentBlueprintId": "",
           "deploymentMode": "ON_CREATE",
           "deploymentOrder": 1,
           "awsAccount": {
               "awsAccountId": "$ACCOUNT"
           },
           "awsRegion": {
           "regionName": "$REGION"
           },
           "configurationParameters": {
               "parameterOverrides": [
                   {
                       "name": "glueDbName",
                       "value": "glue_db",
                       "isEditable": true
                   }
               ]
           }
       },
       {
           "title": "OnDemand RedshiftServerless",
           "description": "Lets you create an extra Amazon Redshift Serverless workgroup in your SQL workloads",
           "environmentBlueprintId": "",
           "deploymentMode": "ON_DEMAND",
           "awsAccount": {
           "awsAccountId": "$ACCOUNT"
           },
           "awsRegion": {
               "regionName": "$REGION"
           },
           "configurationParameters": {
               "parameterOverrides": [
                   {
                       "name": "redshiftDbName",
                       "value": "dev",
                       "isEditable": true
                       },
                       {
                       "name": "redshiftMaxCapacity",
                       "value": "512",
                       "isEditable": true
                       },
                       {
                       "name": "redshiftWorkgroupName",
                       "value": "redshift-serverless-workgroup",
                       "isEditable": true
                       },
                       {
                       "name": "redshiftBaseCapacity",
                       "value": "128",
                       "isEditable": true
                       },
                       {
                       "name": "connectionName",
                       "value": "redshift.serverless",
                       "isEditable": true
                       },
                       {
                       "name": "connectToRMSCatalog",
                       "value": "false",
                       "isEditable": false
                       }
                   ]
               }
           },
           {
               "title": "OnDemand Catalog for Redshift Managed Storage",
               "description": "Lets you create further catalogs in Amazon SageMaker Lakehouse for storing knowledge in Redshift Managed Storage",
               "environmentBlueprintId": "",
               "deploymentMode": "ON_DEMAND",
               "awsAccount": {
               "awsAccountId": "$ACCOUNT"
               },
               "awsRegion": {
                   "regionName": "$REGION"
               },
               "configurationParameters": {
                   "parameterOverrides": [
                       {
                           "name": "catalogName",
                           "isEditable": true
                       },
                       {
                           "name": "catalogDescription",
                           "value": "RMS catalog",
                           "isEditable": true
                       }
                   ]
               }
           }
     ]'

This mission profile could have the tag ACME-Software = SageMaker positioned on all initiatives related to the mission profile and can’t be modified by the mission creator. The tag CostCenter = 123 can have the worth modified by the mission creator as a result of the isValueEditable property is about to true.

Grant permissions for customers to make use of the mission profile throughout mission creation. Within the Authorization part of the mission profile set both Chosen customers or teams or Permit all customers and teams.

Using the allow-custom-project-resource-tags parameter means the mission creator can add their very own tags (key-value pair). The important thing should conform to the situation examine within the coverage of the provisioning function (AmazonSageMakerProvisioning-). If the allow-custom-project-resource-tagsparameter is modified to false after a mission created tags, tags created by the mission shall be eliminated through the subsequent mission replace.

Updates to the mission profile

Updates to mission useful resource tags are doable by the update-project-profile command. The command will change all values within the project-resource-tags part so remember to embrace the exhaustive set of tags. Updates to the mission profile are mirrored in initiatives after operating the update-project command or when a brand new mission is created utilizing the mission profile. The next instance provides a brand new tag, ACME-BusinessUnit = Retail.

There are 3 ways to work with the project-resource-tags parameter when updating the mission profile.

• Passing a non-empty listing of mission useful resource tags will change the tags presently configured on the mission profile.
• Passing an empty listing of mission useful resource tags will filter out all beforehand configured tags:
  • --project-resource-tags '[]'
• Not together with the mission useful resource tag parameter will hold beforehand configured tags as-is.

aws datazone update-project-profile 
  --domain-identifier "$DOMAIN_ID" 
  --identifier "$PROJECT_PROFILE_ID" 
  --region "$REGION" 
  --project-resource-tags '[
    {
        "key": "ACME-Application",
        "value": "SageMaker",
        "isValueEditable": false
    },
    {
        "key": "CostCenter",
        "value": "123",
        "isValueEditable": true
    },
    {
        "key": "ACME-BusinessUnit",
        "value": "Retail",
        "isValueEditable": false
    }
  ]'

Create a brand new mission with mission useful resource tags

The next steps stroll you thru creating a brand new mission that inherits tags from the mission profile and lets the mission creator modify one of many tag values.

1. Create a mission utilizing the next instance CLI command.
2. Modify the CostCenter tag worth utilizing the --resource-tags parameter. Tags configured on the mission profile the place the isValueEditable attribute is false shall be pushed to the mission mechanically.

   aws datazone create-project 
     --domain-identifier "$DOMAIN_ID" 
     --region "$REGION" 
     --name "$PROJECT_NAME" 
     --description "New mission with tags" 
     --project-profile-id "$PROJECT_PROFILE_ID" 
     --resource-tags '{
           "CostCenter": "456"
       }'

Replace present mission with mission useful resource tags

For present initiatives related to the mission profile, you will need to replace the mission for the brand new tags to be utilized.

1. Replace the mission utilizing the next instance CLI command.
2. On this state of affairs, an editable worth must be up to date and a brand new tag added. Tag CostCenter could have its default worth overwritten as “789” and the brand new ACME-Division = Finance tag shall be added.

   aws datazone update-project 
     --domain-identifier "$DOMAIN_ID" 
     --identifier "$PROJECT_ID" 
     --project-profile-version "newest" 
     --region "$REGION" 
     --resource-tags '{
           "CostCenter": "789",
           "ACME-Division": "Finance"
       }' 

Venture degree tags (these not configured from the mission profile) must be handed throughout mission replace to be preserved. For tags with isValueEditable = true configured from the mission profile, any override beforehand set must be utilized or the worth will revert to the default from the mission profile.

Validating assets are tagged

Validate that tags are positioned accurately. An instance useful resource that’s created by the mission is the mission IAM function. Viewing the tags for this function ought to present the tags configured from the mission profile.

1. Open SageMaker Unified Studio to get the mission function from the Venture particulars part of the mission. The function title begins with datazone_usr_role_.
2. Open the IAM console.
3. Within the navigation pane, select Roles.
4. Seek for the mission IAM function.
5. Choose the Tags tab.
   

Conclusion

On this submit, we mentioned tagging associated use circumstances from clients and walked by getting began with {custom} tags in Amazon SageMaker to position tags on the assets created by the mission. By giving directors a technique to configure mission profiles with standardized tag configurations, now you can assist guarantee constant tagging practices throughout all SageMaker Unified Studio initiatives whereas sustaining compliance with SCPs. This function addresses two important buyer wants: imposing organizational tagging requirements by automated governance mechanisms and enabling correct value attribution reporting throughout multi-service deployments.

To be taught extra, go to Amazon SageMaker, then get began with Venture useful resource tags.

Concerning the authors