Integrating watsonx.governance as a Service on AWS with Amazon SageMaker
Last updated: Dec 12, 2024

You can integrate watsonx.governance as a Service on AWS with Amazon SageMaker to bring the governance, risk, and compliance capabilities of watsonx.governance to your Amazon SageMaker models.

Before you begin

You must have the following services:

  • An instance of watsonx.governance
  • An instance of Amazon SageMaker

Set up the following services on AWS:

  • CloudTrail: Amazon SageMaker events are published to CloudTrail.
  • Simple Queue Service (SQS): Use this service to set up a queue for your Amazon SageMaker models. For more information, see Setting up Amazon SQS.
  • EventBridge: Use this service to define rules that extract Amazon SageMaker model card changes to a Simple Queue Service (SQS) FIFO queue.
  • Resource Access Manager: Use this service to create central model registries and group your resources to manage them. For more information, see Setting up and configuring Resource Explorer.

Ensure that the CloudTrail and EventBridge services are running.

Planning the configuration

Credentials for the connection

Decide how you want to configure access between watsonx.governance and Amazon SageMaker. You can use a cross-account role or access keys.

Accounts

Each connection to Amazon SageMaker is to an account that owns a centralized model registry. You can connect to a maximum of ten different accounts, each with a model registry. For more information about using more than a single central model registry, see Guidance for Multi-Account Machine Learning Model Governance on AWS.

Business entities

Decide which business entities you want to use. You need a separate business entity for each Amazon SageMaker connection that you configure. This business entity must be at the root level, and not a child of any other business entity. Only use cases under the configured business entity, along with their associated model groups and models, are governed by watsonx.governance and Amazon SageMaker.

The business entity is the parent of the use cases, but it doesn't need to be the primary parent. You can use the business entity for other purposes.

Users must select the business entity when they create use cases. Ensure that your users know which business entity to use. Also, ensure that use case approvers verify that the business entity is set correctly before they approve a use case. If the business entity is not set correctly before a use case is approved, the use case and its child model groups and models won't sync with Amazon SageMaker.

For example, if a user selects a child of the business entity that you configured and the use case is approved, the synchronization job doesn't sync the use case to Amazon SageMaker.

To help users, use security domains to give them access only to the specific business entities that they need.

Do the following steps:

  1. For each connection, decide which business entity to use. If you want to use a new business entity, create it before you configure the connection to Amazon SageMaker. To create a business entity, you must have administrative permissions.
  2. In the Governance console, give users access to the security domain for the business entity. For example, create a group, add users to the group, and then associate the group with the business entity's security domain. For more information, see Security domains.

Default profile and default user

For each connection, you need a default profile and a default user.

The default profile is used to generate the pre-signed links in task views. These links open Amazon SageMaker by using the default profile. Give the default profile the minimum access rights that are needed by the governance users to get more information about model groups and models in Amazon SageMaker.

The pre-signed link is valid for five minutes. After that time, users need to refresh the task view to regenerate the link.

The default user is used in the following cases:

  • When a model doesn't have an assigned owner, the model owner is set to this default user.
  • When the owner of a model doesn't have an account in the Governance console, the model owner is set to this default user.

Setting up credentials

You can use a cross-account role or access keys to connect to Amazon SageMaker. Consider using a cross-account role for improved security.

Setting up a cross-account role

This task is required if you want to use a cross-account role to integrate Amazon SageMaker with watsonx.governance. For more information, see Cross account resource access in IAM.

To set up the cross-account role, do the following steps:

  1. Generate an External ID for the AWS account.
  2. Attach the following policies to the role: AmazonSageMakerFullAccess and AmazonSQSFullAccess.
  3. Add the External ID to the trust policy of the role.

Sample role definition

You can use the following Terraform plan output, produced from a script that defines the role, as a guide to create the cross-account role.

The script does the following actions:

  • The script creates an IAM role that is called Aws_Sagemaker_Sqs_Cross_Account_Role.
  • The script assigns the external ID 123456 to the role.
  • The script gives the role access to the following services:
    • sqs.amazonaws.com
    • sagemaker.amazonaws.com
  • The script then attaches the following policies to the role:
    • AmazonSQSFullAccess
    • AmazonSageMakerFullAccess

In the following line, replace 999999999999 with the ID of the watsonx.governance production account.

+ AWS = "arn:aws:iam::999999999999:root"

Where:

  • arn:aws:iam::767397658217:root is the ID of the watsonx.governance production account when the customer installs an instance from AWS Marketplace.

  • arn:aws:iam::384547875043:root is the ID of the watsonx.governance production account when the user installs an instance from IBM.

    # module.iam.aws_iam_role.aws_sagemaker_sqs_cross_account_role[0] will be created
    + resource "aws_iam_role" "aws_sagemaker_sqs_cross_account_role" {
       + arn                   = (known after apply)
       + assume_role_policy    = jsonencode(
             {
               + Statement = [
                   + {
                       + Action    = "sts:AssumeRole"
                       + Condition = {
                           + StringEquals = {
                               + "sts:ExternalId" = "123456"
                             }
                         }
                       + Effect    = "Allow"
                       + Principal = {
                           + AWS     = "arn:aws:iam::999999999999:root"
                           + Service = [
                               + "sqs.amazonaws.com",
                               + "sagemaker.amazonaws.com",
                             ]
                         }
                     },
                 ]
               + Version   = "2012-10-17"
             }
         )
       + create_date           = (known after apply)
       + force_detach_policies = false
       + id                    = (known after apply)
       + managed_policy_arns   = (known after apply)
       + max_session_duration  = 3600
       + name                  = "Aws_Sagemaker_Sqs_Cross_Account_Role"
       + name_prefix           = (known after apply)
       + path                  = "/"
       + tags_all              = (known after apply)
       + unique_id             = (known after apply)
     }
    
    # module.iam.aws_iam_role_policy_attachment.AmazonSQSFullAccess_role_policy_attach[0] will be created
    + resource "aws_iam_role_policy_attachment" "AmazonSQSFullAccess_role_policy_attach" {
       + id         = (known after apply)
       + policy_arn = "arn:aws:iam::aws:policy/AmazonSQSFullAccess"
       + role       = "Aws_Sagemaker_Sqs_Cross_Account_Role"
     }
    
    # module.iam.aws_iam_role_policy_attachment.AmazonSageMakerFullAccess_cross_role_policy_attach[0] will be created
    + resource "aws_iam_role_policy_attachment" "AmazonSageMakerFullAccess_cross_role_policy_attach" {
       + id         = (known after apply)
       + policy_arn = "arn:aws:iam::aws:policy/AmazonSageMakerFullAccess"
       + role       = "Aws_Sagemaker_Sqs_Cross_Account_Role"
     }
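The trust policy in the plan output above is what limits who can assume the role: only the watsonx.governance production account, and only when it presents the External ID. The following Python check is an added example, not part of the product or of the Terraform script; it rebuilds that trust policy and flags the three mistakes that matter here: the 999999999999 placeholder left in place, a missing sts:ExternalId condition, or an External ID that differs from the one entered in the Governance console. The function names (trust_policy, as_list, check_trust_policy) are the example's own.

```python
# watsonx.governance production account IDs named on this page.
WATSONX_ACCOUNTS = {"767397658217", "384547875043"}


def trust_policy(principal_account, external_id=None):
    """Trust policy from the sample role definition above. external_id=None
    leaves out the sts:ExternalId condition so the check can show what it catches."""
    stmt = {
        "Action": "sts:AssumeRole",
        "Effect": "Allow",
        "Principal": {
            "AWS": f"arn:aws:iam::{principal_account}:root",
            "Service": ["sqs.amazonaws.com", "sagemaker.amazonaws.com"],
        },
    }
    if external_id is not None:
        stmt["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {"Version": "2012-10-17", "Statement": [stmt]}


def as_list(value):
    """IAM accepts a single value or a list in most policy fields."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def check_trust_policy(policy, expected_external_id, allowed_accounts=WATSONX_ACCOUNTS):
    """Return findings for a parsed trust policy (e.g. the AssumeRolePolicyDocument
    returned by `aws iam get-role`). An empty list means every cross-account
    AssumeRole grant names a watsonx.governance account and requires the agreed External ID."""
    findings = []
    for i, stmt in enumerate(as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal") or {}
        aws_principals = as_list(principal.get("AWS") if isinstance(principal, dict) else principal)
        if not aws_principals:
            continue  # service-principal-only statements are not cross-account grants
        ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext is None:
            findings.append(f"statement {i}: cross-account AssumeRole without sts:ExternalId condition")
        elif ext != expected_external_id:
            findings.append(f"statement {i}: External ID {ext!r} differs from the one entered in the Governance console")
        for arn in aws_principals:
            account = arn.split(":")[4] if arn.count(":") >= 5 else ""  # "*" yields no account
            if account not in allowed_accounts:
                findings.append(f"statement {i}: principal {arn} is not a watsonx.governance production account")
    return findings
```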
    

Setting up an access key

Do this task if you want to use access keys to connect Amazon SageMaker with watsonx.governance.

In AWS, set up a long-term access key for the integration with watsonx.governance. Your credentials must have the following access:

  • Programmatic access to Simple Queue Service (SQS)
  • Programmatic access to the Amazon SageMaker APIs
  • Permissions to update model cards in Amazon SageMaker

For more information, see AWS security credentials.

Setting up AWS services for the integration

Do the following steps:

  1. Set up an SQS queue.
  2. Set up an Amazon EventBridge rule and add your SQS queue as the target for the rule.

Setting up an SQS queue

The integration uses an SQS queue to receive notifications about changes to model groups and models.

For each connection, set up an SQS queue in the account.

To set up an SQS queue, do the following steps:

  1. From the AWS console, select the Simple Queue Service.
  2. Click Create Queue.
  3. Type a name for the queue, and then enter the following information:
    • Type: FIFO
    • Visibility timeout: 30 seconds
    • Message retention period: 4 days
    • Maximum message size: 256 KB
    • Delivery delay: 0
    • Receive message wait time: 0
  4. Under FIFO queue settings, enable the following options:
    • Content-based deduplication
    • High throughput FIFO queue

The SQS queue is defined. Next, set up an EventBridge rule.

Setting up an EventBridge rule

To set up an EventBridge rule and add your SQS queue as a target, do the following steps:

  1. From the AWS console, select the Amazon EventBridge service.
  2. Click Create Rule.
  3. Type a name for the rule, and then click Next.
  4. For the event source, click Other.
  5. For the creation method, click Custom pattern (JSON editor), and then enter the following JSON for Event pattern:
    {
      "source": ["aws.sagemaker"],
      "detail-type": ["AWS API Call via CloudTrail"],
      "detail": {
        "eventSource": ["sagemaker.amazonaws.com"],
        "eventName": ["CreateModelPackage", "CreateModelPackageGroup",
                      "DeleteModelPackage", "DeleteModelPackageGroup", "UpdateModelPackage"]
      }
    }
    
  6. Click Next.
  7. Set the target to the SQS queue that you created.
  8. Click Next on the remaining pages, and then click Create Rule.

You now have an EventBridge rule with your SQS queue as the target of the rule.
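To see which model registry calls the rule above actually delivers to the queue, and which it ignores, here is an added Python example (not part of this page, of EventBridge, or of watsonx.governance) with a deliberately minimal matcher for the exact-value pattern used above, run over constructed CloudTrail-style events. The names matches, cloudtrail_event and forwarded_to_queue are chosen for the example.

```python
# Event pattern from the EventBridge rule above.
EVENT_PATTERN = {
    "source": ["aws.sagemaker"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["sagemaker.amazonaws.com"],
        "eventName": ["CreateModelPackage", "CreateModelPackageGroup",
                      "DeleteModelPackage", "DeleteModelPackageGroup", "UpdateModelPackage"],
    },
}


def matches(pattern, event):
    """Minimal model of EventBridge matching for exact-value patterns: every
    pattern key must be present in the event, nested objects recurse, and a
    leaf list matches when the event's value is one of the listed values.
    Content filters such as {"prefix": ...} are not modelled."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches(expected, actual):
                return False
        elif actual not in expected:
            return False
    return True


def cloudtrail_event(event_name, source="aws.sagemaker",
                     event_source="sagemaker.amazonaws.com"):
    """Constructed sample of the CloudTrail-via-EventBridge envelope; only the
    fields the pattern inspects are filled in."""
    return {
        "source": source,
        "detail-type": "AWS API Call via CloudTrail",
        "detail": {"eventSource": event_source, "eventName": event_name},
    }


def forwarded_to_queue(event_names):
    """Return the subset of SageMaker API calls the rule would send to the SQS queue."""
    return [n for n in event_names if matches(EVENT_PATTERN, cloudtrail_event(n))]
```

Calls outside the five listed names, such as a plain CreateModel, never reach the queue, so models that are not registered as model packages are not picked up by the synchronization process.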

Configuring the integration

To do this task, you need AWS credentials.

  • If you're using a cross-account role, you need the following information:
    • The Amazon Resource Name (ARN) of the role.
    • The external ID of the role.
    • The Amazon SQS service URL that you set up for the integration.
    • The ARN of the default profile for presigned URLs.
  • If you're using access keys, you need the following information:
    • Your AWS account ID.
    • The access key ID and secret ID that you set up for the integration.
    • The Amazon SQS service URL that you set up for the integration.
    • The ARN of the default profile for presigned URLs.

Required permission: You need the All/SOX/Administration/SageMaker application permission in the Governance console.

To configure the integration, do the following steps:

  1. Log in to Governance console as an administrator.
  2. Click Admin menu > Integrations > Amazon SageMaker.
  3. Click New connection.
  4. Under General configuration, do the following steps:
    1. Type a description.
    2. Select the parent business entity for this Amazon SageMaker connection. Use a different business entity for each connection that you configure. For more information, see Business entities.
    3. Select a default user. For more information, see Default profile and default user.
  5. In AWS account credentials, enter your AWS account credentials and region.
    1. In the Default profile ARN field, type the ARN of the default profile that you created for your account.
    2. Enter your credentials.
      • To set up access by using a role, click Cross-account Role. Enter the Role ARN and External ID.
      • To set up access by using keys, click Access Keys. Enter your AWS account ID, access key ID, and secret key ID.
    3. Type the region of your watsonx.governance instance, for example us-east-1.
  6. In the Model SQS URL, enter the URL of the SQS queue that you configured for the account.
  7. Click Test connection, and then click Save.
  8. Click the toggle to enable the integration. The automatic synchronization process starts. To see the progress, click Other > Background Processes. This process syncs updates from this point in time onwards.
  9. If you have existing models in Amazon SageMaker, you need to run a manual synchronization. Click Synchronize existing model information. The SageMaker synchronizations table shows the progress of the manual synchronization of the account.

Your Amazon SageMaker models are now available in the Governance console.

If you already have model groups and models in Amazon SageMaker that were created outside of the watsonx.governance use case workflow, you need to link the model groups to their associated use cases manually.

Data synchronization

The automated synchronization process listens for the following actions:

  • Model package created in Amazon SageMaker (CreateModelPackage)
  • Model package updated in Amazon SageMaker (UpdateModelPackage)
  • Model package deleted in Amazon SageMaker (DeleteModelPackage)
  • Model group created (CreateModelPackageGroup)
  • Model group deleted (DeleteModelPackageGroup)

To view the status of the automated synchronization processes, click Other > Background Processes.

To view the status of manual synchronization processes, click Admin menu > Integrations > Amazon SageMaker. The SageMaker synchronizations table lists the manual synchronization processes for all connections. To see the status for a specific connection, click its name in the Connections table.
