2024/05/16 - Amazon SageMaker Service - 4 updated api methods
Changes Introduced WorkerAccessConfiguration to SageMaker Workteam. This allows customers to configure resource access for workers in a workteam.
{'WorkerAccessConfiguration': {'S3Presign': {'IamPolicyConstraints': {'SourceIp': 'Enabled '
'| '
'Disabled',
'VpcSourceIp': 'Enabled '
'| '
'Disabled'}}}}
Creates a new work team for labeling your data. A work team is defined by one or more Amazon Cognito user pools. You must first create the user pools before you can create a work team.
You cannot create more than 25 work teams in an account and region.
See also: AWS API Documentation
Request Syntax
client.create_workteam(
WorkteamName='string',
WorkforceName='string',
MemberDefinitions=[
{
'CognitoMemberDefinition': {
'UserPool': 'string',
'UserGroup': 'string',
'ClientId': 'string'
},
'OidcMemberDefinition': {
'Groups': [
'string',
]
}
},
],
Description='string',
NotificationConfiguration={
'NotificationTopicArn': 'string'
},
WorkerAccessConfiguration={
'S3Presign': {
'IamPolicyConstraints': {
'SourceIp': 'Enabled'|'Disabled',
'VpcSourceIp': 'Enabled'|'Disabled'
}
}
},
Tags=[
{
'Key': 'string',
'Value': 'string'
},
]
)
string
[REQUIRED]
The name of the work team. Use this name to identify the work team.
string
The name of the workforce.
list
[REQUIRED]
A list of MemberDefinition objects that contains objects that identify the workers that make up the work team.
Workforces can be created using Amazon Cognito or your own OIDC Identity Provider (IdP). For private workforces created using Amazon Cognito use CognitoMemberDefinition . For workforces created using your own OIDC identity provider (IdP) use OidcMemberDefinition . Do not provide input for both of these parameters in a single request.
For workforces created using Amazon Cognito, private work teams correspond to Amazon Cognito user groups within the user pool used to create a workforce. All of the CognitoMemberDefinition objects that make up the member definition must have the same ClientId and UserPool values. To add a Amazon Cognito user group to an existing worker pool, see Adding groups to a User Pool. For more information about user pools, see `Amazon Cognito User Pools.
For workforces created using your own OIDC IdP, specify the user groups that you want to include in your private work team in OidcMemberDefinition by listing those groups in Groups .
(dict) --
Defines an Amazon Cognito or your own OIDC IdP user group that is part of a work team.
CognitoMemberDefinition (dict) --
The Amazon Cognito user group that is part of the work team.
UserPool (string) -- [REQUIRED]
An identifier for a user pool. The user pool must be in the same region as the service that you are calling.
UserGroup (string) -- [REQUIRED]
An identifier for a user group.
ClientId (string) -- [REQUIRED]
An identifier for an application client. You must create the app client ID using Amazon Cognito.
OidcMemberDefinition (dict) --
A list user groups that exist in your OIDC Identity Provider (IdP). One to ten groups can be used to create a single private work team. When you add a user group to the list of Groups , you can add that user group to one or more private work teams. If you add a user group to a private work team, all workers in that user group are added to the work team.
Groups (list) --
A list of comma seperated strings that identifies user groups in your OIDC IdP. Each user group is made up of a group of private workers.
(string) --
string
[REQUIRED]
A description of the work team.
dict
Configures notification of workers regarding available or expiring work items.
NotificationTopicArn (string) --
The ARN for the Amazon SNS topic to which notifications should be published.
dict
Use this optional parameter to constrain access to an Amazon S3 resource based on the IP address using supported IAM global condition keys. The Amazon S3 resource is accessed in the worker portal using a Amazon S3 presigned URL.
S3Presign (dict) --
Defines any Amazon S3 resource constraints.
IamPolicyConstraints (dict) --
Use this parameter to specify the allowed request source. Possible sources are either SourceIp or VpcSourceIp .
SourceIp (string) --
When SourceIp is Enabled the worker's IP address when a task is rendered in the worker portal is added to the IAM policy as a Condition used to generate the Amazon S3 presigned URL. This IP address is checked by Amazon S3 and must match in order for the Amazon S3 resource to be rendered in the worker portal.
VpcSourceIp (string) --
When VpcSourceIp is Enabled the worker's IP address when a task is rendered in private worker portal inside the VPC is added to the IAM policy as a Condition used to generate the Amazon S3 presigned URL. To render the task successfully Amazon S3 checks that the presigned URL is being accessed over an Amazon S3 VPC Endpoint, and that the worker's IP address matches the IP address in the IAM policy. To learn more about configuring private worker portal, see Use Amazon VPC mode from a private worker portal.
list
An array of key-value pairs.
For more information, see Resource Tag and Using Cost Allocation Tags in the Amazon Web Services Billing and Cost Management User Guide .
(dict) --
A tag object that consists of a key and an optional value, used to manage metadata for SageMaker Amazon Web Services resources.
You can add tags to notebook instances, training jobs, hyperparameter tuning jobs, batch transform jobs, models, labeling jobs, work teams, endpoint configurations, and endpoints. For more information on adding tags to SageMaker resources, see AddTags.
For more information on adding metadata to your Amazon Web Services resources with tagging, see Tagging Amazon Web Services resources. For advice on best practices for managing Amazon Web Services resources with tagging, see Tagging Best Practices: Implement an Effective Amazon Web Services Resource Tagging Strategy.
Key (string) -- [REQUIRED]
The tag key. Tag keys must be unique per resource.
Value (string) -- [REQUIRED]
The tag value.
dict
Response Syntax
{
'WorkteamArn': 'string'
}
Response Structure
(dict) --
WorkteamArn (string) --
The Amazon Resource Name (ARN) of the work team. You can use this ARN to identify the work team.
{'Workteam': {'WorkerAccessConfiguration': {'S3Presign': {'IamPolicyConstraints': {'SourceIp': 'Enabled '
'| '
'Disabled',
'VpcSourceIp': 'Enabled '
'| '
'Disabled'}}}}}
Gets information about a specific work team. You can see information such as the create date, the last updated date, membership information, and the work team's Amazon Resource Name (ARN).
See also: AWS API Documentation
Request Syntax
client.describe_workteam(
WorkteamName='string'
)
string
[REQUIRED]
The name of the work team to return a description of.
dict
Response Syntax
{
'Workteam': {
'WorkteamName': 'string',
'MemberDefinitions': [
{
'CognitoMemberDefinition': {
'UserPool': 'string',
'UserGroup': 'string',
'ClientId': 'string'
},
'OidcMemberDefinition': {
'Groups': [
'string',
]
}
},
],
'WorkteamArn': 'string',
'WorkforceArn': 'string',
'ProductListingIds': [
'string',
],
'Description': 'string',
'SubDomain': 'string',
'CreateDate': datetime(2015, 1, 1),
'LastUpdatedDate': datetime(2015, 1, 1),
'NotificationConfiguration': {
'NotificationTopicArn': 'string'
},
'WorkerAccessConfiguration': {
'S3Presign': {
'IamPolicyConstraints': {
'SourceIp': 'Enabled'|'Disabled',
'VpcSourceIp': 'Enabled'|'Disabled'
}
}
}
}
}
Response Structure
(dict) --
Workteam (dict) --
A Workteam instance that contains information about the work team.
WorkteamName (string) --
The name of the work team.
MemberDefinitions (list) --
A list of MemberDefinition objects that contains objects that identify the workers that make up the work team.
Workforces can be created using Amazon Cognito or your own OIDC Identity Provider (IdP). For private workforces created using Amazon Cognito use CognitoMemberDefinition . For workforces created using your own OIDC identity provider (IdP) use OidcMemberDefinition .
(dict) --
Defines an Amazon Cognito or your own OIDC IdP user group that is part of a work team.
CognitoMemberDefinition (dict) --
The Amazon Cognito user group that is part of the work team.
UserPool (string) --
An identifier for a user pool. The user pool must be in the same region as the service that you are calling.
UserGroup (string) --
An identifier for a user group.
ClientId (string) --
An identifier for an application client. You must create the app client ID using Amazon Cognito.
OidcMemberDefinition (dict) --
A list user groups that exist in your OIDC Identity Provider (IdP). One to ten groups can be used to create a single private work team. When you add a user group to the list of Groups , you can add that user group to one or more private work teams. If you add a user group to a private work team, all workers in that user group are added to the work team.
Groups (list) --
A list of comma seperated strings that identifies user groups in your OIDC IdP. Each user group is made up of a group of private workers.
(string) --
WorkteamArn (string) --
The Amazon Resource Name (ARN) that identifies the work team.
WorkforceArn (string) --
The Amazon Resource Name (ARN) of the workforce.
ProductListingIds (list) --
The Amazon Marketplace identifier for a vendor's work team.
(string) --
Description (string) --
A description of the work team.
SubDomain (string) --
The URI of the labeling job's user interface. Workers open this URI to start labeling your data objects.
CreateDate (datetime) --
The date and time that the work team was created (timestamp).
LastUpdatedDate (datetime) --
The date and time that the work team was last updated (timestamp).
NotificationConfiguration (dict) --
Configures SNS notifications of available or expiring work items for work teams.
NotificationTopicArn (string) --
The ARN for the Amazon SNS topic to which notifications should be published.
WorkerAccessConfiguration (dict) --
Describes any access constraints that have been defined for Amazon S3 resources.
S3Presign (dict) --
Defines any Amazon S3 resource constraints.
IamPolicyConstraints (dict) --
Use this parameter to specify the allowed request source. Possible sources are either SourceIp or VpcSourceIp .
SourceIp (string) --
When SourceIp is Enabled the worker's IP address when a task is rendered in the worker portal is added to the IAM policy as a Condition used to generate the Amazon S3 presigned URL. This IP address is checked by Amazon S3 and must match in order for the Amazon S3 resource to be rendered in the worker portal.
VpcSourceIp (string) --
When VpcSourceIp is Enabled the worker's IP address when a task is rendered in private worker portal inside the VPC is added to the IAM policy as a Condition used to generate the Amazon S3 presigned URL. To render the task successfully Amazon S3 checks that the presigned URL is being accessed over an Amazon S3 VPC Endpoint, and that the worker's IP address matches the IP address in the IAM policy. To learn more about configuring private worker portal, see Use Amazon VPC mode from a private worker portal.
{'Workteams': {'WorkerAccessConfiguration': {'S3Presign': {'IamPolicyConstraints': {'SourceIp': 'Enabled '
'| '
'Disabled',
'VpcSourceIp': 'Enabled '
'| '
'Disabled'}}}}}
Gets a list of private work teams that you have defined in a region. The list may be empty if no work team satisfies the filter specified in the NameContains parameter.
See also: AWS API Documentation
Request Syntax
client.list_workteams(
SortBy='Name'|'CreateDate',
SortOrder='Ascending'|'Descending',
NameContains='string',
NextToken='string',
MaxResults=123
)
string
The field to sort results by. The default is CreationTime .
string
The sort order for results. The default is Ascending .
string
A string in the work team's name. This filter returns only work teams whose name contains the specified string.
string
If the result of the previous ListWorkteams request was truncated, the response includes a NextToken . To retrieve the next set of labeling jobs, use the token in the next request.
integer
The maximum number of work teams to return in each page of the response.
dict
Response Syntax
{
'Workteams': [
{
'WorkteamName': 'string',
'MemberDefinitions': [
{
'CognitoMemberDefinition': {
'UserPool': 'string',
'UserGroup': 'string',
'ClientId': 'string'
},
'OidcMemberDefinition': {
'Groups': [
'string',
]
}
},
],
'WorkteamArn': 'string',
'WorkforceArn': 'string',
'ProductListingIds': [
'string',
],
'Description': 'string',
'SubDomain': 'string',
'CreateDate': datetime(2015, 1, 1),
'LastUpdatedDate': datetime(2015, 1, 1),
'NotificationConfiguration': {
'NotificationTopicArn': 'string'
},
'WorkerAccessConfiguration': {
'S3Presign': {
'IamPolicyConstraints': {
'SourceIp': 'Enabled'|'Disabled',
'VpcSourceIp': 'Enabled'|'Disabled'
}
}
}
},
],
'NextToken': 'string'
}
Response Structure
(dict) --
Workteams (list) --
An array of Workteam objects, each describing a work team.
(dict) --
Provides details about a labeling work team.
WorkteamName (string) --
The name of the work team.
MemberDefinitions (list) --
A list of MemberDefinition objects that contains objects that identify the workers that make up the work team.
Workforces can be created using Amazon Cognito or your own OIDC Identity Provider (IdP). For private workforces created using Amazon Cognito use CognitoMemberDefinition . For workforces created using your own OIDC identity provider (IdP) use OidcMemberDefinition .
(dict) --
Defines an Amazon Cognito or your own OIDC IdP user group that is part of a work team.
CognitoMemberDefinition (dict) --
The Amazon Cognito user group that is part of the work team.
UserPool (string) --
An identifier for a user pool. The user pool must be in the same region as the service that you are calling.
UserGroup (string) --
An identifier for a user group.
ClientId (string) --
An identifier for an application client. You must create the app client ID using Amazon Cognito.
OidcMemberDefinition (dict) --
A list user groups that exist in your OIDC Identity Provider (IdP). One to ten groups can be used to create a single private work team. When you add a user group to the list of Groups , you can add that user group to one or more private work teams. If you add a user group to a private work team, all workers in that user group are added to the work team.
Groups (list) --
A list of comma seperated strings that identifies user groups in your OIDC IdP. Each user group is made up of a group of private workers.
(string) --
WorkteamArn (string) --
The Amazon Resource Name (ARN) that identifies the work team.
WorkforceArn (string) --
The Amazon Resource Name (ARN) of the workforce.
ProductListingIds (list) --
The Amazon Marketplace identifier for a vendor's work team.
(string) --
Description (string) --
A description of the work team.
SubDomain (string) --
The URI of the labeling job's user interface. Workers open this URI to start labeling your data objects.
CreateDate (datetime) --
The date and time that the work team was created (timestamp).
LastUpdatedDate (datetime) --
The date and time that the work team was last updated (timestamp).
NotificationConfiguration (dict) --
Configures SNS notifications of available or expiring work items for work teams.
NotificationTopicArn (string) --
The ARN for the Amazon SNS topic to which notifications should be published.
WorkerAccessConfiguration (dict) --
Describes any access constraints that have been defined for Amazon S3 resources.
S3Presign (dict) --
Defines any Amazon S3 resource constraints.
IamPolicyConstraints (dict) --
Use this parameter to specify the allowed request source. Possible sources are either SourceIp or VpcSourceIp .
SourceIp (string) --
When SourceIp is Enabled the worker's IP address when a task is rendered in the worker portal is added to the IAM policy as a Condition used to generate the Amazon S3 presigned URL. This IP address is checked by Amazon S3 and must match in order for the Amazon S3 resource to be rendered in the worker portal.
VpcSourceIp (string) --
When VpcSourceIp is Enabled the worker's IP address when a task is rendered in private worker portal inside the VPC is added to the IAM policy as a Condition used to generate the Amazon S3 presigned URL. To render the task successfully Amazon S3 checks that the presigned URL is being accessed over an Amazon S3 VPC Endpoint, and that the worker's IP address matches the IP address in the IAM policy. To learn more about configuring private worker portal, see Use Amazon VPC mode from a private worker portal.
NextToken (string) --
If the response is truncated, Amazon SageMaker returns this token. To retrieve the next set of work teams, use it in the subsequent request.
{'WorkerAccessConfiguration': {'S3Presign': {'IamPolicyConstraints': {'SourceIp': 'Enabled '
'| '
'Disabled',
'VpcSourceIp': 'Enabled '
'| '
'Disabled'}}}}
Response {'Workteam': {'WorkerAccessConfiguration': {'S3Presign': {'IamPolicyConstraints': {'SourceIp': 'Enabled '
'| '
'Disabled',
'VpcSourceIp': 'Enabled '
'| '
'Disabled'}}}}}
Updates an existing work team with new member definitions or description.
See also: AWS API Documentation
Request Syntax
client.update_workteam(
WorkteamName='string',
MemberDefinitions=[
{
'CognitoMemberDefinition': {
'UserPool': 'string',
'UserGroup': 'string',
'ClientId': 'string'
},
'OidcMemberDefinition': {
'Groups': [
'string',
]
}
},
],
Description='string',
NotificationConfiguration={
'NotificationTopicArn': 'string'
},
WorkerAccessConfiguration={
'S3Presign': {
'IamPolicyConstraints': {
'SourceIp': 'Enabled'|'Disabled',
'VpcSourceIp': 'Enabled'|'Disabled'
}
}
}
)
string
[REQUIRED]
The name of the work team to update.
list
A list of MemberDefinition objects that contains objects that identify the workers that make up the work team.
Workforces can be created using Amazon Cognito or your own OIDC Identity Provider (IdP). For private workforces created using Amazon Cognito use CognitoMemberDefinition . For workforces created using your own OIDC identity provider (IdP) use OidcMemberDefinition . You should not provide input for both of these parameters in a single request.
For workforces created using Amazon Cognito, private work teams correspond to Amazon Cognito user groups within the user pool used to create a workforce. All of the CognitoMemberDefinition objects that make up the member definition must have the same ClientId and UserPool values. To add a Amazon Cognito user group to an existing worker pool, see Adding groups to a User Pool. For more information about user pools, see `Amazon Cognito User Pools.
For workforces created using your own OIDC IdP, specify the user groups that you want to include in your private work team in OidcMemberDefinition by listing those groups in Groups . Be aware that user groups that are already in the work team must also be listed in Groups when you make this request to remain on the work team. If you do not include these user groups, they will no longer be associated with the work team you update.
(dict) --
Defines an Amazon Cognito or your own OIDC IdP user group that is part of a work team.
CognitoMemberDefinition (dict) --
The Amazon Cognito user group that is part of the work team.
UserPool (string) -- [REQUIRED]
An identifier for a user pool. The user pool must be in the same region as the service that you are calling.
UserGroup (string) -- [REQUIRED]
An identifier for a user group.
ClientId (string) -- [REQUIRED]
An identifier for an application client. You must create the app client ID using Amazon Cognito.
OidcMemberDefinition (dict) --
A list user groups that exist in your OIDC Identity Provider (IdP). One to ten groups can be used to create a single private work team. When you add a user group to the list of Groups , you can add that user group to one or more private work teams. If you add a user group to a private work team, all workers in that user group are added to the work team.
Groups (list) --
A list of comma seperated strings that identifies user groups in your OIDC IdP. Each user group is made up of a group of private workers.
(string) --
string
An updated description for the work team.
dict
Configures SNS topic notifications for available or expiring work items
NotificationTopicArn (string) --
The ARN for the Amazon SNS topic to which notifications should be published.
dict
Use this optional parameter to constrain access to an Amazon S3 resource based on the IP address using supported IAM global condition keys. The Amazon S3 resource is accessed in the worker portal using a Amazon S3 presigned URL.
S3Presign (dict) --
Defines any Amazon S3 resource constraints.
IamPolicyConstraints (dict) --
Use this parameter to specify the allowed request source. Possible sources are either SourceIp or VpcSourceIp .
SourceIp (string) --
When SourceIp is Enabled the worker's IP address when a task is rendered in the worker portal is added to the IAM policy as a Condition used to generate the Amazon S3 presigned URL. This IP address is checked by Amazon S3 and must match in order for the Amazon S3 resource to be rendered in the worker portal.
VpcSourceIp (string) --
When VpcSourceIp is Enabled the worker's IP address when a task is rendered in private worker portal inside the VPC is added to the IAM policy as a Condition used to generate the Amazon S3 presigned URL. To render the task successfully Amazon S3 checks that the presigned URL is being accessed over an Amazon S3 VPC Endpoint, and that the worker's IP address matches the IP address in the IAM policy. To learn more about configuring private worker portal, see Use Amazon VPC mode from a private worker portal.
dict
Response Syntax
{
'Workteam': {
'WorkteamName': 'string',
'MemberDefinitions': [
{
'CognitoMemberDefinition': {
'UserPool': 'string',
'UserGroup': 'string',
'ClientId': 'string'
},
'OidcMemberDefinition': {
'Groups': [
'string',
]
}
},
],
'WorkteamArn': 'string',
'WorkforceArn': 'string',
'ProductListingIds': [
'string',
],
'Description': 'string',
'SubDomain': 'string',
'CreateDate': datetime(2015, 1, 1),
'LastUpdatedDate': datetime(2015, 1, 1),
'NotificationConfiguration': {
'NotificationTopicArn': 'string'
},
'WorkerAccessConfiguration': {
'S3Presign': {
'IamPolicyConstraints': {
'SourceIp': 'Enabled'|'Disabled',
'VpcSourceIp': 'Enabled'|'Disabled'
}
}
}
}
}
Response Structure
(dict) --
Workteam (dict) --
A Workteam object that describes the updated work team.
WorkteamName (string) --
The name of the work team.
MemberDefinitions (list) --
A list of MemberDefinition objects that contains objects that identify the workers that make up the work team.
Workforces can be created using Amazon Cognito or your own OIDC Identity Provider (IdP). For private workforces created using Amazon Cognito use CognitoMemberDefinition . For workforces created using your own OIDC identity provider (IdP) use OidcMemberDefinition .
(dict) --
Defines an Amazon Cognito or your own OIDC IdP user group that is part of a work team.
CognitoMemberDefinition (dict) --
The Amazon Cognito user group that is part of the work team.
UserPool (string) --
An identifier for a user pool. The user pool must be in the same region as the service that you are calling.
UserGroup (string) --
An identifier for a user group.
ClientId (string) --
An identifier for an application client. You must create the app client ID using Amazon Cognito.
OidcMemberDefinition (dict) --
A list user groups that exist in your OIDC Identity Provider (IdP). One to ten groups can be used to create a single private work team. When you add a user group to the list of Groups , you can add that user group to one or more private work teams. If you add a user group to a private work team, all workers in that user group are added to the work team.
Groups (list) --
A list of comma seperated strings that identifies user groups in your OIDC IdP. Each user group is made up of a group of private workers.
(string) --
WorkteamArn (string) --
The Amazon Resource Name (ARN) that identifies the work team.
WorkforceArn (string) --
The Amazon Resource Name (ARN) of the workforce.
ProductListingIds (list) --
The Amazon Marketplace identifier for a vendor's work team.
(string) --
Description (string) --
A description of the work team.
SubDomain (string) --
The URI of the labeling job's user interface. Workers open this URI to start labeling your data objects.
CreateDate (datetime) --
The date and time that the work team was created (timestamp).
LastUpdatedDate (datetime) --
The date and time that the work team was last updated (timestamp).
NotificationConfiguration (dict) --
Configures SNS notifications of available or expiring work items for work teams.
NotificationTopicArn (string) --
The ARN for the Amazon SNS topic to which notifications should be published.
WorkerAccessConfiguration (dict) --
Describes any access constraints that have been defined for Amazon S3 resources.
S3Presign (dict) --
Defines any Amazon S3 resource constraints.
IamPolicyConstraints (dict) --
Use this parameter to specify the allowed request source. Possible sources are either SourceIp or VpcSourceIp .
SourceIp (string) --
When SourceIp is Enabled the worker's IP address when a task is rendered in the worker portal is added to the IAM policy as a Condition used to generate the Amazon S3 presigned URL. This IP address is checked by Amazon S3 and must match in order for the Amazon S3 resource to be rendered in the worker portal.
VpcSourceIp (string) --
When VpcSourceIp is Enabled the worker's IP address when a task is rendered in private worker portal inside the VPC is added to the IAM policy as a Condition used to generate the Amazon S3 presigned URL. To render the task successfully Amazon S3 checks that the presigned URL is being accessed over an Amazon S3 VPC Endpoint, and that the worker's IP address matches the IP address in the IAM policy. To learn more about configuring private worker portal, see Use Amazon VPC mode from a private worker portal.