Set up AWS SageMaker Unified Studio

Configure AWS authentication to enable Atlan to integrate with AWS DataZone and SageMaker Catalog Unified Studio (SMUS). This enables Atlan to retrieve DataZone metadata and update SMUS assets at source for reverse sync.

Prerequisites

Before you begin, make sure you have:

• AWS administrator access to create IAM roles, users, and policies
• Access to your AWS account where SageMaker Catalog Unified Studio is configured
• Your SMUS domain ID
• Comma-separated list of SMUS project IDs to enable Atlan sync

Configure AWS authentication

Choose your authentication method based on your security requirements. IAM Role provides enhanced security through temporary credentials, while IAM User uses long-lived access keys.

IAM Role

IAM Role-based authentication uses cross-account trust relationships to enable Atlan to securely assume a role in your AWS account. This method provides enhanced security through temporary credentials.

Get Atlan account node group IAM role

Before setting up the connector, establish a connection between your AWS SMUS instance and your Atlan tenant.

1. Raise a support ticket to request your Atlan account node group IAM role ARN. In the ticket, include your Atlan instance URL and specify that you need the IAM role ARN for AWS SageMaker Unified Studio integration.

2. Save the IAM role ARN provided by Atlan support. You need this when deploying the CloudFormation template.

Deploy CloudFormation template

Deploy the CloudFormation template to create all required IAM policies, build the correct trust relationship to the Atlan Node Instance Role, and register an AWS SMUS IAM role user profile required for SMUS sync.

1. Download the CloudFormation template from GitHub.
2. Before deploying the CloudFormation template, fill in the following parameters:
   • SMUSDomainId: Your SMUS (SageMaker Catalog Unified Studio) domain ID
   • SMUSProjectsToSync: Comma-separated list of SMUS project IDs to enable Atlan sync
   • AtlanNodeInstanceRoleArn: The IAM Role ARN you obtained from Atlan support
3. In AWS Console, navigate to CloudFormation > Create stack.
4. Upload the template and enter the required parameters.
5. Review and create the stack.
6. After deployment, CloudFormation generates the following resources:
   • IAM Policy: Custom DataZone access policy required by Atlan SMUS
   • IAM Role: The integration role Atlan assumes to access your DataZone and SMUS environment
   • Trust Relationship: A cross-account trust between your SMUS IAM Role and Atlan Node Instance Role that enables Atlan to assume your SMUS IAM role securely
   • IAM Role added to AWS DataZone Domain and Projects: The stack automatically assigns the IAM Role as a Project Owner for the SMUS project IDs you provided, ensuring Atlan can manage metadata
7. After deployment, navigate to the CloudFormation stack outputs.
8. Copy the IAM Role ARN from the outputs and save it. You need this when configuring the AWS SMUS connection inside Atlan.

Share IAM role with Atlan team

Once the role is created, share the IAM Role ARN with the Atlan team:

1. Raise a support ticket to share the SMUS IAM role ARN. In the ticket, include your Atlan instance URL, the Atlan Node Instance IAM Role provided earlier by Atlan Support, and the IAM Role ARN you created from the CloudFormation stack outputs.

2. After submitting the ticket, Atlan IT team adds the SMUS IAM role to the Atlan Node IAM Role as an inline policy for sts:AssumeRole operation.

IAM User

IAM User-based authentication uses long-lived access keys. This method requires manually creating an IAM policy with the required permissions and attaching it to an IAM user.

Create IAM policy

Create an IAM policy with the permissions required for Atlan to access your DataZone and SMUS environment.

1. Sign in to the AWS Management Console.

2. Navigate to IAM > Policies > Create policy.

3. Select the JSON tab and paste the following policy:

   {
     "Version": "2012-10-17",
     "Statement": [
       {
         "Effect": "Allow",
         "Action": [
           "datazone:GetDomain",
           "datazone:GetDomainUnit",
           "datazone:GetProject",
           "datazone:ListDomainUnitsForParent",
           "datazone:ListDomains",
           "datazone:ListProjects",
           "datazone:GetAsset",
           "datazone:GetAssetFilter",
           "datazone:GetListing",
           "datazone:Search",
           "datazone:SearchListings",
           "datazone:GetGlossary",
           "datazone:GetGlossaryTerm",
           "datazone:GetDataProduct",
           "datazone:ListDataProductRevisions",
           "datazone:GetSubscription",
           "datazone:GetSubscriptionGrant",
           "datazone:GetSubscriptionRequestDetails",
           "datazone:GetSubscriptionTarget",
           "datazone:ListSubscriptionGrants",
           "datazone:ListSubscriptionRequests",
           "datazone:ListSubscriptions",
           "datazone:ListSubscriptionTargets",
           "datazone:GetLineageEvent",
           "datazone:ListLineageEvents",
           "datazone:GetFormType",
           "datazone:GetUserProfile",
           "datazone:SearchUserProfiles",
           "datazone:CreateGlossary",
           "datazone:CreateGlossaryTerm",
           "datazone:UpdateGlossary",
           "datazone:UpdateGlossaryTerm",
           "datazone:CreateProject",
           "datazone:CreateProjectMembership",
           "datazone:UpdateProject",
           "datazone:CreateAssetRevision",
           "datazone:UpdateDomain",
           "datazone:UpdateDomainUnit",
           "datazone:UpdateSubscriptionRequest"
         ],
         "Resource": "*",
         "Condition": {
           "StringEquals": {
             "aws:ResourceAccount": "<account_id>"
           }
         }
       }
     ]
   }

   • Replace <account_id> with your AWS account ID

4. Click Next and enter a policy name (for example, AtlanSMUSAccessPolicy).

5. Click Create policy.

Create IAM user

Create an IAM user and attach the policy you created.

1. Navigate to IAM > Users > Create user.
2. Enter a user name (for example, atlan-smus-service).
3. Click Next.
4. On the Set permissions page, select Attach policies directly.
5. Search for and select the policy you created (AtlanSMUSAccessPolicy).
6. Click Next and then Create user.

Create access keys

Generate access keys for the IAM user to enable programmatic access.

1. In the user details page, go to the Security credentials tab.
2. Click Create access key.
3. Choose Application running outside AWS.
4. Click Create access key.
5. Copy and securely store the Access Key ID and Secret Access Key.

warning

This is your only opportunity to view or download the secret access key. You can't access it again after leaving this screen.

Add IAM user to DataZone domain and projects

To enable Atlan to manage metadata, add the IAM user as a Project Owner for your SMUS projects.

1. Navigate to Amazon DataZone > Domains.
2. Select your SMUS domain.
3. For each project you want Atlan to sync:
   • Select the project
   • Navigate to Members
   • Add the IAM user ARN as a Project Owner

IAM Role authentication

If you configured IAM Role-based authentication, wait for confirmation from the Atlan IT Support team that the SMUS IAM Role has been added to the Node Instance IAM Role for sts:AssumeRole action before proceeding to crawl assets.

Next steps

• Crawl AWS SageMaker Unified Studio assets: Configure and run the crawler to extract metadata from SageMaker Unified Studio