1. Cross-Account Machine Learning Model Deployment


    To perform a cross-account machine learning model deployment, you typically set up your machine learning model in one AWS account and then deploy it to a different AWS account where you want the model to be used. On AWS this can be achieved with Amazon SageMaker, which provides the ability to build, train, and deploy machine learning models at scale.

    First, you would create and train your model using Amazon SageMaker in your source account. Once your model is trained, you would create a model package that includes the inference code and the trained model artifacts.

    You can then share this model package to your target AWS account, where you can create an endpoint for real-time inference or a batch transform job for batch inference. Typically, you use AWS Identity and Access Management (IAM) roles and resource-based policies to grant the necessary permissions across accounts.

    Below, I'll provide you with a Pulumi program written in Python that sets up the necessary infrastructure for a cross-account machine learning model deployment scenario using the aws-native.sagemaker.ModelPackageGroup resource, which makes it possible to manage and deploy machine learning models on Amazon SageMaker.

    import pulumi
    import pulumi_aws_native as aws_native

    # Define settings for the source account
    source_account_id = "123456789012"  # Replace with your source AWS account ID
    source_account_role_name = "SageMakerCrossAccountRole"  # Role name in the source account

    # Define settings for the target account
    target_account_id = "210987654321"  # Replace with your target AWS account ID
    target_account_role_name = "SageMakerCrossAccountRole"  # Role name in the target account

    # Name the group up front so the resource policy below can reference it
    # (a resource cannot read its own attributes inside its constructor).
    model_package_group_name = "cross-account-model-package-group"

    # Trust policy that lets the source account assume a role in the target account.
    # The aws-native provider takes the policy as a plain document; it has no
    # get_policy_document helper. The account-root principal trusts every identity
    # in the source account that its own IAM policies allow to call sts:AssumeRole;
    # use a role ARN here to narrow the trust.
    assume_role_policy = {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Principal": {"AWS": f"arn:aws:iam::{source_account_id}:root"},
        }],
    }

    # Create an IAM role that can be assumed by the source account
    target_account_role = aws_native.iam.Role(
        "target-account-role",
        assume_role_policy_document=assume_role_policy,
    )

    # TODO: Set up the trust relationship and permissions for the SageMaker execution role.

    # Creating a ModelPackageGroup in the target AWS account using Amazon SageMaker
    model_package_group = aws_native.sagemaker.ModelPackageGroup(
        "model-package-group",
        model_package_group_name=model_package_group_name,
        model_package_group_description="A Model Package Group for cross-account deployment",
        # Define the resource policy to allow the source account to access this ModelPackageGroup
        model_package_group_policy={
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Effect": "Allow",
                    "Principal": {
                        "AWS": f"arn:aws:iam::{source_account_id}:role/{source_account_role_name}"
                    },
                    "Action": [
                        "sagemaker:CreateModelPackage",
                        "sagemaker:DeleteModelPackage",
                        "sagemaker:DescribeModelPackage",
                        "sagemaker:ListModelPackages",
                        # "sagemaker:DeployModelPackage" is not a SageMaker IAM action;
                        # creating a model from a package uses sagemaker:CreateModel.
                        "sagemaker:CreateModel",
                    ],
                    # Model package actions apply to the packages inside the group,
                    # so the package ARN pattern is listed next to the group ARN.
                    "Resource": [
                        f"arn:aws:sagemaker:*:{target_account_id}:model-package-group/{model_package_group_name}",
                        f"arn:aws:sagemaker:*:{target_account_id}:model-package/{model_package_group_name}/*",
                    ],
                }
            ],
        },
    )

    # Output the ARN of the ModelPackageGroup
    pulumi.export("model_package_group_arn", model_package_group.model_package_group_arn)

    In this program:

    • We define variables for the source and target account IDs and role names.
    • An IAM policy document (assume_role_policy) is created that allows the source account to assume a role in the target account.
    • A SageMaker ModelPackageGroup is created within the target account, with a resource policy attached that allows the source account to perform actions on the model packages in the group.
    • Finally, the ARN of the ModelPackageGroup is exported for reference.

    Please ensure that the AWS provider for Pulumi is configured with correct credentials that have the necessary permissions to create and manage the resources in both AWS accounts. You might need to configure additional permissions and trust relationships between the accounts to allow for resource sharing and access. This is a simplified example, and in a real-world scenario, you would need to handle the specific IAM permissions, the actual training of the models using SageMaker, and the final deployment in more detail.
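
    One way to review the ModelPackageGroup resource policy before it is deployed, as an added example that is not part of the original page. It goes beyond the single policy in the program and also flags wildcard or account-root principals, wildcard actions, and resources outside the group. The function name audit_group_policy, the MUTATING set and the finding wording are assumptions made for illustration.

```python
import json

# Actions that add, change or remove registry contents.
MUTATING = {"sagemaker:CreateModelPackage", "sagemaker:UpdateModelPackage",
            "sagemaker:DeleteModelPackage"}

def _as_list(value):
    """IAM accepts either a single string or a list in these fields."""
    return value if isinstance(value, list) else [value]

def audit_group_policy(policy, owner_account_id, group_name):
    """Return sorted findings for a ModelPackageGroup resource policy."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    in_scope = (f":{owner_account_id}:model-package-group/{group_name}",
                f":{owner_account_id}:model-package/{group_name}/*")
    findings = set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        is_map = isinstance(principal, dict)
        for p in _as_list(principal.get("AWS", []) if is_map else principal):
            if p == "*":
                findings.add("principal '*' admits any AWS account")
            elif p.endswith(":root") or p.isdigit():
                findings.add(f"principal {p} trusts a whole account, not one role")
        for action in _as_list(stmt.get("Action", [])):
            if "*" in action:
                findings.add(f"action {action} contains a wildcard")
            elif action in MUTATING:
                findings.add(f"action {action} lets the grantee alter the registry")
        for resource in _as_list(stmt.get("Resource", [])):
            if not resource.endswith(in_scope):
                findings.add(f"resource {resource} is outside group {group_name}")
    return sorted(findings)

# Constructed sample: account-root principal plus a delete permission.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
        "Action": ["sagemaker:DescribeModelPackage", "sagemaker:DeleteModelPackage"],
        "Resource": "arn:aws:sagemaker:*:210987654321:model-package/"
                    "cross-account-model-package-group/*",
    }],
}
```

    Calling audit_group_policy(SAMPLE_POLICY, "210987654321", "cross-account-model-package-group") returns one finding for the root principal and one for sagemaker:DeleteModelPackage; an empty list means none of these checks fired.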