Commit a4bc433

authored
Merge branch 'master' into master
2 parents 7276ec9 + 16df87a commit a4bc433

1 file changed

+76
-4
lines changed

doc/workflows/kubernetes/amazon_sagemaker_operators_for_kubernetes.rst

Lines changed: 76 additions & 4 deletions
@@ -144,7 +144,7 @@ To work around this, run the following command:
144144

145145
::
146146

147-
aws eks describe-cluster --query cluster --name ${CLUSTER_NAME} --output text | grep OIDC
147+
aws eks describe-cluster --region ${AWS_REGION} --query cluster --name ${CLUSTER_NAME} --output text | grep OIDC
148148

149149
The OIDC URL will be returned as follows:
150150

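Review bot: on the changed `aws eks describe-cluster` line, `${AWS_REGION}` is introduced with no visible instruction to set it; if it is empty, the unquoted expansion disappears and `--region` is left without a value, which surfaces as a confusing argument error. Suggest a sentence before the command telling the reader to export `AWS_REGION` alongside `CLUSTER_NAME`.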
@@ -179,13 +179,37 @@ relationship code block into it. Be sure to replace all ``<OIDC ID>``, ``<AWS ac
179179
]
180180
}
181181

182+
If you're using the Amazon SageMaker Operators in China, create a file named ``trust.json`` and insert the following trust
183+
relationship code block into it instead. Be sure to replace all ``<OIDC ID>``, ``<AWS account number>``, and ``<EKS Cluster region>`` placeholders with values corresponding to your cluster.
184+
185+
::
186+
187+
{
188+
"Version": "2012-10-17",
189+
"Statement": [
190+
{
191+
"Effect": "Allow",
192+
"Principal": {
193+
"Federated": "arn:aws-cn:iam::<AWS account number>:oidc-provider/oidc.eks.<EKS Cluster region>.amazonaws.com/id/<OIDC ID>"
194+
},
195+
"Action": "sts:AssumeRoleWithWebIdentity",
196+
"Condition": {
197+
"StringEquals": {
198+
"oidc.eks.<EKS Cluster region>.amazonaws.com/id/<OIDC ID>:aud": "sts.amazonaws.com",
199+
"oidc.eks.<EKS Cluster region>.amazonaws.com/id/<OIDC ID>:sub": "system:serviceaccount:sagemaker-k8s-operator-system:sagemaker-k8s-operator-default"
200+
}
201+
}
202+
}
203+
]
204+
}
205+
182206
Run the following command to create a role with the trust
183207
relationship defined in ``trust.json``. This role enables the
184208
Amazon EKS cluster to get and refresh credentials from IAM.
185209

186210
::
187211

188-
aws iam create-role --role-name <role name> --assume-role-policy-document file://trust.json --output=text
212+
aws iam create-role --region ${AWS_REGION} --role-name <role name> --assume-role-policy-document file://trust.json --output=text
189213

190214
Your output should look like the following:
191215

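Review bot: in the added China `trust.json`, the `Federated` ARN switches to `arn:aws-cn` while the issuer host in that ARN and in both `StringEquals` keys stays `oidc.eks.<EKS Cluster region>.amazonaws.com`; these strings must match the issuer returned by the `describe-cluster` step exactly, or `sts:AssumeRoleWithWebIdentity` is denied. Please confirm the host against real output from a China-region cluster, and state in the intro sentence which fields differ from the standard policy so readers do not have to compare two near-identical blocks by eye.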
@@ -214,6 +238,12 @@ To attach AmazonSageMakerFullAccess, run the following command:
214238

215239
aws iam attach-role-policy --role-name <role name> --policy-arn arn:aws:iam::aws:policy/AmazonSageMakerFullAccess
216240

241+
If you're using the Amazon SageMaker Operators in China, attach the following policy instead:
242+
243+
::
244+
245+
aws iam attach-role-policy --region ${AWS_REGION} --role-name <role name> --policy-arn arn:aws-cn:iam::aws:policy/AmazonSageMakerFullAccess
246+
217247
The Kubernetes
218248
ServiceAccount ``sagemaker-k8s-operator-default`` should
219249
have ``AmazonSageMakerFullAccess`` permissions. Confirm this when you
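Review bot: the added China `attach-role-policy` command passes `--region ${AWS_REGION}`, but the unchanged standard command directly above it does not, even though this commit adds the flag to `create-role`. Either add the flag to both `attach-role-policy` lines or explain why only the China variant needs it, so that the two variants differ only in the partition of the policy ARN.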
@@ -237,6 +267,12 @@ follows:
237267

238268
wget https://raw.githubusercontent.com/aws/amazon-sagemaker-operator-for-k8s/master/release/rolebased/installer.yaml
239269

270+
If you're using the Amazon SageMaker Operators in China, download the following installer script instead. Whenever ``installer.yaml`` is referenced, use ``installer_china.yaml`` instead.
271+
272+
::
273+
274+
wget https://raw.githubusercontent.com/aws/amazon-sagemaker-operator-for-k8s/master/release/rolebased/china/installer_china.yaml
275+
240276
- Edit the ``installer.yaml`` file to
241277
replace ``eks.amazonaws.com/role-arn``. Replace the ARN here with
242278
the Amazon Resource Name (ARN) for the OIDC-based role you’ve created.
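Review bot: the added `wget` fetches `installer_china.yaml` from the `master` branch, so the manifest a reader later applies to the cluster can change without notice. Suggest pointing the URL at a release tag or commit, and calling the file an installer manifest rather than a script, since it is YAML.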
@@ -405,7 +441,7 @@ To work around this, run the following command:
405441

406442
::
407443

408-
aws eks describe-cluster --query cluster --name ${CLUSTER_NAME} --output text | grep OIDC
444+
aws eks describe-cluster --region ${AWS_REGION} --query cluster --name ${CLUSTER_NAME} --output text | grep OIDC
409445

410446
The OIDC URL will be returned as follows:
411447

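Review bot: since this line is being touched again, the `| grep OIDC` filter over `--output text` could be replaced with a query that returns only the issuer, for example `--query cluster.identity.oidc.issuer`, so readers get exactly the URL the next step asks them to copy. The same applies to the identical command at line 147.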
@@ -440,13 +476,37 @@ relationship code block into it. Be sure to replace all ``<OIDC ID>``, ``<AWS ac
440476
]
441477
}
442478

479+
If you're using the Amazon SageMaker Operators in China, create a file named ``trust.json`` and insert the following trust
480+
relationship code block into it instead. Be sure to replace all ``<OIDC ID>``, ``<AWS account number>``, and ``<EKS Cluster region>`` placeholders with values corresponding to your cluster.
481+
482+
::
483+
484+
{
485+
"Version": "2012-10-17",
486+
"Statement": [
487+
{
488+
"Effect": "Allow",
489+
"Principal": {
490+
"Federated": "arn:aws-cn:iam::<AWS account number>:oidc-provider/oidc.eks.<EKS Cluster region>.amazonaws.com/id/<OIDC ID>"
491+
},
492+
"Action": "sts:AssumeRoleWithWebIdentity",
493+
"Condition": {
494+
"StringEquals": {
495+
"oidc.eks.<EKS Cluster region>.amazonaws.com/id/<OIDC ID>:aud": "sts.amazonaws.com",
496+
"oidc.eks.<EKS Cluster region>.amazonaws.com/id/<OIDC ID>:sub": "system:serviceaccount:<Namespace>:sagemaker-k8s-operator-default"
497+
}
498+
}
499+
}
500+
]
501+
}
502+
443503
Run the following command to create a role with the trust
444504
relationship defined in ``trust.json``. This role enables the
445505
Amazon EKS cluster to get and refresh credentials from IAM.
446506

447507
::
448508

449-
aws iam create-role --role-name <role name> --assume-role-policy-document file://trust.json --output=text
509+
aws iam create-role --region ${AWS_REGION} --role-name <role name> --assume-role-policy-document file://trust.json --output=text
450510

451511
Your output should look like the following:
452512

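Review bot: the `sub` condition in this added policy contains a `<Namespace>` placeholder, but the intro sentence lists only `<OIDC ID>`, `<AWS account number>` and `<EKS Cluster region>` as values to replace. A reader who follows the sentence literally leaves `system:serviceaccount:<Namespace>:sagemaker-k8s-operator-default` in place and the role can never be assumed; add `<Namespace>` to the list of placeholders.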
@@ -475,6 +535,12 @@ To attach AmazonSageMakerFullAccess, run the following command:
475535

476536
aws iam attach-role-policy --role-name <role name> --policy-arn arn:aws:iam::aws:policy/AmazonSageMakerFullAccess
477537

538+
If you're using the Amazon SageMaker Operators in China, attach the following policy instead:
539+
540+
::
541+
542+
aws iam attach-role-policy --region ${AWS_REGION} --role-name <role name> --policy-arn arn:aws-cn:iam::aws:policy/AmazonSageMakerFullAccess
543+
478544
The Kubernetes
479545
ServiceAccount ``sagemaker-k8s-operator-default`` should
480546
have ``AmazonSageMakerFullAccess`` permissions. Confirm this when you
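Review bot: the added sentence "attach the following policy instead" reads as if a different policy is attached, while the command attaches the same `AmazonSageMakerFullAccess` policy under the `arn:aws-cn` partition. Suggest wording such as "use the `aws-cn` partition ARN for the policy" so readers do not look for a China-specific policy.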
@@ -505,6 +571,12 @@ To install the operator onto the cluster:
505571

506572
wget https://raw.githubusercontent.com/aws/amazon-sagemaker-operator-for-k8s/master/release/rolebased/namespaced/operator.yaml
507573

574+
If you're using the Amazon SageMaker Operators in China, download the following operator script instead. Whenever ``operator.yaml`` is referenced, use ``operator_china.yaml`` instead.
575+
576+
::
577+
578+
wget https://raw.githubusercontent.com/aws/amazon-sagemaker-operator-for-k8s/master/release/rolebased/namespaced/china/operator_china.yaml
579+
508580
- Update the installer YAML to place the resources into your specified namespace using the following command:
509581

510582
::

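Review bot: the added text asks readers to substitute `operator_china.yaml` wherever `operator.yaml` is referenced, but the next step, "Update the installer YAML to place the resources into your specified namespace", is unchanged context, so any command there that names the file will be copy-pasted as is. Suggest showing the China variant of that command as well, or having the `wget` save the file under the name the later steps already use.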