For this tutorial and a working demo, your AWS cloud environment is expected to include the following:
1. VPC, Private Subnet, Security Group, and VPC endpoints: to restrict internet access, monitor and inspect traffic, and control data flow from SageMaker resources
2. SageMaker Domain/Users
Get started - Amazon SageMaker
Note the role name and ARN of the SageMaker execution role used during the configuration of the SageMaker Domain as they will be needed in various places during this tutorial.
SageMaker Roles
3. S3 Bucket (with training data): to store data that will be accessed for ML model training
Creating a bucket - Amazon Simple Storage Service
Ensure the SageMaker execution role has permission to access the S3 Bucket. SageMaker Roles
Download the dataset for training from https://storage.googleapis.com/tensorflow/tf-keras-datasets/mnist.npz and upload it to the S3 bucket to a directory named “training-data-folder”
(e.g. s3://<S3 BUCKET NAME>/training-data-folder/)
4. AWS Secret: to centralize and store all of the sensitive data needed for authorization and access to Artifactory and the necessary repositories
Create an AWS Secrets Manager secret
A convenient script, deploy-secret.sh that creates an AWS Secret that can be used for all of the demos in this article is available here.
The following is an explanation for each of the keys that will be needed for this portion of the tutorial:
username : the username used for authentication with Artifactory
(Example value: myusername)
token : the value of the scoped token created for this tutorial (refer to Artifactory setup)
(Example value: zYzMbggy3zB34s2OeHQlxzuWOuGvo4LFRL7FVpyEtlxykheHQZywhZxZh2L8RIk3)
host : the url of the Artifactory instance
(Example value: myartifactory.jfrog.io)
pypirepo : the name of the virtual PyPi repo in Artifactory
(Example value: sagemaker-pypi)
huggingfacerepo : the name of the remote Hugging Face repo in Artifactory
(Example value: huggingface-remote)
huggingface-remote-repo : the full url of the Hugging Face remote repo in Artifactory
(Example value: https://myartifactory.jfrog.io/artifactory/api/huggingfaceml/huggingface-remote)
huggingface-remote-token : an identity access token for the remote Hugging Face repo in Artifactory
(Example value: ibFodVFSyWTnAPch2XJNSPHHZatd9rlwHnsONsNY5qk/VyLoU2cxvQVGdyZ58XQO)
huggingface-local-repo : the full url of the Hugging Face local repo in Artifactory
(Example value: https://myartifactory.jfrog.io/artifactory/api/huggingfaceml/huggingface-remote
huggingface-local-token : an identity access token for the local Hugging Face repo in Artifactory
(Example value: m2JLw7XFg4kA1yMIz1U4n7/gPDKh7znzeXFjXuM1nJX8bnWLPgV5m7tmumuYvhq6)
5. AWS Lambda: to provide access credentials to SageMaker to authenticate to the Docker registry in Artifactory
Use a Docker registry that requires authentication for training - Amazon SageMaker
Creating an AWS Lambda for the purpose of authenticating to the Artifactory Docker Registry will require creating related IAM roles and policies. An example script, deploy-lambda.sh that will create all of the necessary resources can be found here in the infrastructure directory along with the lambda function itself in lambda_function.py.
Once the Lambda function is created, remember to add to the SageMaker execution role the InvokeFunction permission.
1. VPC, Private Subnet, Security Group, and VPC endpoints: to restrict internet access, monitor and inspect traffic, and control data flow from SageMaker resources
- Securing Amazon SageMaker Studio connectivity using a private VPC | AWS Machine Learning Blog
- Create a VPC - Amazon Virtual Private Cloud
- Connect your VPC to services using AWS PrivateLink - Amazon Virtual Private Cloud
2. SageMaker Domain/Users
Get started - Amazon SageMaker
Note the role name and ARN of the SageMaker execution role used during the configuration of the SageMaker Domain as they will be needed in various places during this tutorial.
SageMaker Roles
3. S3 Bucket (with training data): to store data that will be accessed for ML model training
Creating a bucket - Amazon Simple Storage Service
Ensure the SageMaker execution role has permission to access the S3 Bucket. SageMaker Roles
Download the dataset for training from https://storage.googleapis.com/tensorflow/tf-keras-datasets/mnist.npz and upload it to the S3 bucket to a directory named “training-data-folder”
(e.g. s3://<S3 BUCKET NAME>/training-data-folder/)
4. AWS Secret: to centralize and store all of the sensitive data needed for authorization and access to Artifactory and the necessary repositories
Create an AWS Secrets Manager secret
A convenient script, deploy-secret.sh that creates an AWS Secret that can be used for all of the demos in this article is available here.
The following is an explanation for each of the keys that will be needed for this portion of the tutorial:
username : the username used for authentication with Artifactory
(Example value: myusername)
token : the value of the scoped token created for this tutorial (refer to Artifactory setup)
(Example value: zYzMbggy3zB34s2OeHQlxzuWOuGvo4LFRL7FVpyEtlxykheHQZywhZxZh2L8RIk3)
host : the url of the Artifactory instance
(Example value: myartifactory.jfrog.io)
pypirepo : the name of the virtual PyPi repo in Artifactory
(Example value: sagemaker-pypi)
huggingfacerepo : the name of the remote Hugging Face repo in Artifactory
(Example value: huggingface-remote)
huggingface-remote-repo : the full url of the Hugging Face remote repo in Artifactory
(Example value: https://myartifactory.jfrog.io/artifactory/api/huggingfaceml/huggingface-remote)
huggingface-remote-token : an identity access token for the remote Hugging Face repo in Artifactory
(Example value: ibFodVFSyWTnAPch2XJNSPHHZatd9rlwHnsONsNY5qk/VyLoU2cxvQVGdyZ58XQO)
huggingface-local-repo : the full url of the Hugging Face local repo in Artifactory
(Example value: https://myartifactory.jfrog.io/artifactory/api/huggingfaceml/huggingface-remote
huggingface-local-token : an identity access token for the local Hugging Face repo in Artifactory
(Example value: m2JLw7XFg4kA1yMIz1U4n7/gPDKh7znzeXFjXuM1nJX8bnWLPgV5m7tmumuYvhq6)
5. AWS Lambda: to provide access credentials to SageMaker to authenticate to the Docker registry in Artifactory
Use a Docker registry that requires authentication for training - Amazon SageMaker
Creating an AWS Lambda for the purpose of authenticating to the Artifactory Docker Registry will require creating related IAM roles and policies. An example script, deploy-lambda.sh that will create all of the necessary resources can be found here in the infrastructure directory along with the lambda function itself in lambda_function.py.
Once the Lambda function is created, remember to add to the SageMaker execution role the InvokeFunction permission.
{
"Action": [
"lambda:InvokeFunction"
],
"Effect": "Allow",
"Resource": [
"arn:aws:lambda:${region}:${account_id}:function:${lambda_name}"
]
}