Integrating watsonx.governance as a Service on AWS with Amazon SageMaker
Last updated: Dec 12, 2024
You can integrate watsonx.governance as a Service on AWS with Amazon SageMaker to bring the governance, risk, and compliance capabilities of watsonx.governance to your Amazon SageMaker models.
Before you begin
You must have the following services:
An instance of watsonx.governance
An instance of Amazon SageMaker
Set up the following services on AWS:
CloudTrail: Amazon SageMaker events are published to CloudTrail.
Simple Queue Service (SQS): Use this service to set up a queue for your Amazon SageMaker models. For more information, see Setting up Amazon SQS.
EventBridge: Use this service to define rules that extract Amazon SageMaker model card changes to a Simple Queue Service (SQS) FIFO queue.
Resource Access Manager: Use this service to create central model registries and group your resources to manage them. For more information, see Setting up and configuring Resource Explorer.
Ensure that the CloudTrail and EventBridge services are running.
Planning the configuration
Credentials for the connection
Decide how you want to configure access between watsonx.governance and Amazon SageMaker. You can use a cross-account role or access keys.
Each connection to Amazon SageMaker is to an account that owns a centralized model registry. You can connect to a maximum of ten different accounts, each with a model registry. For more information about using more than a single central model registry, see Guidance for Multi-Account Machine Learning Model Governance on AWS.
Business entities
Decide which business entities you want to use. You need a separate business entity for each Amazon SageMaker connection that you configure. This business entity must be at the root level, and not a child of any other business entity. Only use cases under the configured business entity, along with their associated model groups and models, are governed by watsonx.governance and Amazon SageMaker.
The business entity is the parent of the use cases, but it doesn't need to be the primary parent. You can use the business entity for other purposes.
Users must select the business entity when they create use cases. Ensure that your users know which business entity to use. Also, ensure that use case approvers verify that the business entity is set correctly before they approve a use case.
If the business entity is not set correctly before a use case is approved, the use case and its child model groups and models won't sync with Amazon SageMaker.
For example, if a user selects a child of the business entity that you configured and the use case is approved, the synchronization job doesn't sync the use case to Amazon SageMaker.
To help users, use security domains to give them access to only the specific business entities that they need.
Do the following steps:
For each connection, decide which business entity to use. If you want to use a new business entity, create it before you configure the connection to Amazon SageMaker. To create a business entity, you must have administrative permissions.
In the Governance console, give users access to the security domain for the business entity. For example, create a group, add users to the group, and then associate the group with the business entity's security domain. For more information, see Security domains.
Default profile and default user
For each connection, you need a default profile and a default user.
The default profile is used to generate the pre-signed links in task views. These links open Amazon SageMaker by using the default profile. Give the default profile the minimum access rights that the governance users need to get more information about model groups and models in Amazon SageMaker.
The pre-signed link is valid for five minutes. After that time, users need to refresh the task view to regenerate the link.
The default user is used in the following cases:
When a model doesn't have an assigned owner, the model owner is set to this default user.
When the owner of a model doesn't have an account in the Governance console, the model owner is set to this default user.
Setting up credentials
You can use a cross-account role or access keys to connect to Amazon SageMaker. Consider using a cross-account role for improved security: it avoids distributing long-term access keys, and the external ID limits who can assume the role.
Setting up a cross-account role
This task is required if you want to use a cross-account role to integrate Amazon SageMaker with watsonx.governance. For more information, see Cross account resource access in IAM.
To set up the cross-account role, do the following steps:
Generate an External ID for the AWS account.
Attach the following policies to the role: AmazonSageMakerFullAccess and AmazonSQSFullAccess.
Add the External ID to the trust policy of the role.
Sample role definition
You can use the following Terraform plan output as a guide when you write the script that creates the cross-account role.
The script does the following actions:
The script creates an IAM role that is called Aws_Sagemaker_Sqs_Cross_Account_Role.
The script assigns the external ID 123456 to the role.
The script gives the role access to the following services:
sqs.amazonaws.com
sagemaker.amazonaws.com
The script then attaches the following policies to the role:
AmazonSQSFullAccess
AmazonSageMakerFullAccess
In the following line, replace 999999999999 with the ID of the watsonx.governance production account.
+ AWS = "arn:aws:iam::999999999999:root"
Where:
arn:aws:iam::767397658217:root is the ID of the watsonx.governance production account when the customer installs an instance from AWS Marketplace.
arn:aws:iam::384547875043:root is the ID of the watsonx.governance production account when the user installs an instance from IBM.
# module.iam.aws_iam_role.aws_sagemaker_sqs_cross_account_role[0] will be created
  + resource "aws_iam_role" "aws_sagemaker_sqs_cross_account_role" {
      + arn                   = (known after apply)
      + assume_role_policy    = jsonencode(
            {
              + Statement = [
                  + {
                      + Action    = "sts:AssumeRole"
                      + Condition = {
                          + StringEquals = {
                              + "sts:ExternalId" = "123456"
                            }
                        }
                      + Effect    = "Allow"
                      + Principal = {
                          + AWS     = "arn:aws:iam::999999999999:root"
                          + Service = [
                              + "sqs.amazonaws.com",
                              + "sagemaker.amazonaws.com",
                            ]
                        }
                    },
                ]
              + Version   = "2012-10-17"
            }
        )
      + create_date           = (known after apply)
      + force_detach_policies = false
      + id                    = (known after apply)
      + managed_policy_arns   = (known after apply)
      + max_session_duration  = 3600
      + name                  = "Aws_Sagemaker_Sqs_Cross_Account_Role"
      + name_prefix           = (known after apply)
      + path                  = "/"
      + tags_all              = (known after apply)
      + unique_id             = (known after apply)
    }

# module.iam.aws_iam_role_policy_attachment.AmazonSQSFullAccess_role_policy_attach[0] will be created
  + resource "aws_iam_role_policy_attachment" "AmazonSQSFullAccess_role_policy_attach" {
      + id         = (known after apply)
      + policy_arn = "arn:aws:iam::aws:policy/AmazonSQSFullAccess"
      + role       = "Aws_Sagemaker_Sqs_Cross_Account_Role"
    }

# module.iam.aws_iam_role_policy_attachment.AmazonSageMakerFullAccess_cross_role_policy_attach[0] will be created
  + resource "aws_iam_role_policy_attachment" "AmazonSageMakerFullAccess_cross_role_policy_attach" {
      + id         = (known after apply)
      + policy_arn = "arn:aws:iam::aws:policy/AmazonSageMakerFullAccess"
      + role       = "Aws_Sagemaker_Sqs_Cross_Account_Role"
    }
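As an added check, not part of the original page or the watsonx.governance product, the following Python builds the same trust policy that the plan output above produces and flags any sts:AssumeRole statement that does not pin sts:ExternalId; the account ID 999999999999 and external ID 123456 are the page's placeholders.

```python
import json

# Added example, not from the page or the watsonx.governance product.
# 999999999999 and 123456 are the page's placeholder account ID and external ID.

def build_trust_policy(governance_account_id: str, external_id: str) -> dict:
    """Trust policy equivalent to the assume_role_policy in the plan output."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Principal": {
                "AWS": f"arn:aws:iam::{governance_account_id}:root",
                "Service": ["sqs.amazonaws.com", "sagemaker.amazonaws.com"],
            },
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }

def _statements(policy: dict) -> list:
    # IAM allows "Statement" to be a single object or a list.
    stmts = policy.get("Statement", [])
    return [stmts] if isinstance(stmts, dict) else list(stmts)

def _as_list(value) -> list:
    return [value] if isinstance(value, str) else list(value or [])

def assume_role_statements_missing_external_id(policy: dict) -> list:
    """Allow statements for sts:AssumeRole that do not pin sts:ExternalId.

    Without the ExternalId condition, any principal the trusted account
    delegates to could assume the role; fix each returned statement first.
    """
    findings = []
    for stmt in _statements(policy):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        if "sts:AssumeRole" not in actions and "sts:*" not in actions:
            continue
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if not cond.get("sts:ExternalId"):
            findings.append(stmt)
    return findings

if __name__ == "__main__":
    policy = build_trust_policy("999999999999", "123456")
    print(json.dumps(policy, indent=2))
    print("statements missing ExternalId:", len(assume_role_statements_missing_external_id(policy)))
```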
Setting up an access key
Do this task if you want to use access keys to connect Amazon SageMaker with watsonx.governance.
In AWS, set up a long-term access key for the integration with watsonx.governance. Your credentials must have the following access:
Programmatic access to Simple Queue Service (SQS)
Programmatic access to the Amazon SageMaker APIs
Permissions to update model cards in Amazon SageMaker
The integration uses an SQS queue to receive notifications for any changes in model groups and models.
For each connection, set up an SQS queue in the account.
To set up an SQS queue, do the following steps:
From the AWS console, select the Simple Queue Service.
Click Create Queue.
Type a name for the queue (FIFO queue names must end in .fifo), and then enter the following information:
Type: FIFO
Visibility timeout: 30 seconds
Message retention period: 4 days
Maximum message size: 256 KB
Delivery delay: 0
Receive message wait time: 0
Under FIFO queue settings, enable the following options:
Content-based deduplication
High throughput FIFO queue
The SQS queue is defined. Next, set up an EventBridge rule.
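The console settings from the steps above, mapped onto the attribute names that the SQS CreateQueue API takes, as an added example that is not part of the original page; the queue name and the boto3 client in the final block are assumptions.

```python
# Added example, not part of the page or the watsonx.governance product.
# Maps the console settings for the queue onto the SQS API attribute names
# that boto3's create_queue accepts (all values are strings; seconds/bytes).
FIFO_QUEUE_ATTRIBUTES = {
    "FifoQueue": "true",
    "ContentBasedDeduplication": "true",
    # "High throughput FIFO queue" = message-group dedup scope + per-group limit
    "DeduplicationScope": "messageGroup",
    "FifoThroughputLimit": "perMessageGroupId",
    "VisibilityTimeout": "30",
    "MessageRetentionPeriod": str(4 * 24 * 60 * 60),  # 4 days -> 345600 s
    "MaximumMessageSize": str(256 * 1024),             # 256 KB -> 262144 bytes
    "DelaySeconds": "0",
    "ReceiveMessageWaitTimeSeconds": "0",
}

def fifo_queue_name(name: str) -> str:
    """FIFO queue names must end in .fifo; add the suffix if it is missing."""
    return name if name.endswith(".fifo") else name + ".fifo"

def create_model_events_queue(sqs_client, name: str) -> str:
    """Create the queue and return its URL (the Model SQS URL the connection needs)."""
    resp = sqs_client.create_queue(QueueName=fifo_queue_name(name),
                                   Attributes=FIFO_QUEUE_ATTRIBUTES)
    return resp["QueueUrl"]

if __name__ == "__main__":
    import boto3  # hypothetical run against a real account with SQS permissions
    print(create_model_events_queue(boto3.client("sqs"), "watsonx-governance-models"))
```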
Setting up an EventBridge rule
To set up an EventBridge rule and add your SQS queue as a target, do the following steps:
From the AWS console, select the Amazon EventBridge service.
Click Create Rule.
Type a name for the rule, and then click Next.
For the event source, click Other.
For the creation method, click Custom pattern (JSON editor), and then enter the following JSON for Event pattern:
{
  "source": ["aws.sagemaker"],
  "detail-type": ["AWS API Call via CloudTrail"],
  "detail": {
    "eventSource": ["sagemaker.amazonaws.com"],
    "eventName": ["CreateModelPackage", "CreateModelPackageGroup", "DeleteModelPackage", "DeleteModelPackageGroup", "UpdateModelPackage"]
  }
}
Click Next.
Set the target to the SQS queue that you created.
Click Next on the remaining pages, and then click Create Rule.
You now have an EventBridge rule with your SQS queue as the target of the rule.
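To see which CloudTrail events the rule above forwards to the queue (and which it drops), here is an added example, not from the original page, that replays constructed events against the rule's pattern using EventBridge's exact-value matching semantics; the sample events are constructed.

```python
# Added example, not part of the page or the watsonx.governance product.
# Event pattern from the EventBridge rule above (the same five API calls that
# the automated synchronization listens for).
SAGEMAKER_MODEL_EVENTS_PATTERN = {
    "source": ["aws.sagemaker"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["sagemaker.amazonaws.com"],
        "eventName": ["CreateModelPackage", "CreateModelPackageGroup",
                      "DeleteModelPackage", "DeleteModelPackageGroup",
                      "UpdateModelPackage"],
    },
}

def matches_pattern(event: dict, pattern: dict) -> bool:
    """EventBridge matching for the literal-list form used above: every pattern
    key must exist in the event, a list means the event value must equal one of
    its entries, and a nested dict recurses. Extra event keys are ignored."""
    for key, allowed in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(allowed, dict):
            if not isinstance(actual, dict) or not matches_pattern(actual, allowed):
                return False
        elif actual not in allowed:
            return False
    return True

def cloudtrail_event(event_name: str, source: str = "aws.sagemaker",
                     event_source: str = "sagemaker.amazonaws.com") -> dict:
    """Constructed EventBridge envelope for a CloudTrail API-call event."""
    return {
        "source": source,
        "detail-type": "AWS API Call via CloudTrail",
        "detail": {"eventSource": event_source, "eventName": event_name,
                   "awsRegion": "us-east-1"},  # extra key, ignored by the pattern
    }

def forwarded_to_queue(events: list) -> list:
    """eventName of each event that the rule would deliver to the SQS target."""
    return [e["detail"]["eventName"] for e in events
            if matches_pattern(e, SAGEMAKER_MODEL_EVENTS_PATTERN)]

if __name__ == "__main__":
    sample = [cloudtrail_event("CreateModelPackage"),
              cloudtrail_event("DescribeModelPackage"),  # read-only call, not synced
              cloudtrail_event("UpdateModelPackage")]
    print(forwarded_to_queue(sample))  # ['CreateModelPackage', 'UpdateModelPackage']
```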
Configuring the integration
To do this task, you need AWS credentials.
If you're using a cross-account role, you need the following information:
The Amazon Resource Name (ARN) of the role.
The external ID of the role.
The Amazon SQS service URL that you set up for the integration.
The ARN of the default profile for presigned URLs.
If you're using access keys, you need the following information:
Your AWS account ID.
The access key ID and secret access key that you set up for the integration.
The Amazon SQS service URL that you set up for the integration.
The ARN of the default profile for presigned URLs.
Required permission: You need the All/SOX/Administration/SageMaker application permission in the Governance console.
To configure the integration, do the following steps:
Log in to Governance console as an administrator.
Click > Integrations > Amazon SageMaker.
Click New connection.
Under General configuration, do the following steps:
Type a description.
Select the parent business entity for this Amazon SageMaker connection. Use a different business entity for each connection that you configure. For more information, see Business entities.
In AWS account credentials, enter your AWS account credentials and region.
In the Default profile ARN field, type the ARN of the default profile that you created for your account.
Enter your credentials.
To set up access by using a role, click Cross-account Role. Enter the Role ARN and External ID.
To set up access by using keys, click Access Keys. Enter your AWS account ID, access key ID, and secret access key.
Type the region of your watsonx.governance instance, for example us-east-1.
In the Model SQS URL, enter the URL of the SQS queue that you configured for the account.
Click Test connection, and then click Save.
Click the toggle to enable the integration. The automatic synchronization process starts. To see the progress, click Other > Background Processes. This process syncs updates from this point in time onwards.
If you have existing models in Amazon SageMaker, you need to run a manual synchronization. Click Synchronize existing model information. The SageMaker synchronizations table shows the progress of the manual synchronization of the account.
Your Amazon SageMaker models are now available in the Governance console.
If you already have model groups and models in Amazon SageMaker that were created outside of the watsonx.governance use case workflow, you need to link the model groups to their associated use cases manually.
Data synchronization
The automated synchronization process listens for the following actions:
Model package created in Amazon SageMaker (CreateModelPackage)
Model package updated in Amazon SageMaker (UpdateModelPackage)
Model package deleted in Amazon SageMaker (DeleteModelPackage)
Model group created (CreateModelPackageGroup)
Model group deleted (DeleteModelPackageGroup)
To view the status of the automated synchronization processes, click Other > Background Processes.
To view the status of manual synchronization processes, click > Integrations > Amazon SageMaker. The SageMaker synchronizations table lists the manual synchronization processes for all connections. To see the status for a specific connection, click its name in the Connections table.