From 19b57d56abe94ac1f97277506bc3648145ad35aa Mon Sep 17 00:00:00 2001 From: Clayton Parnell Date: Tue, 12 Aug 2025 18:14:23 +0000 Subject: [PATCH 1/6] Update entry scripts to autoenable s3ag --- .../sagemaker-ui/sagemaker_ui_post_startup.sh | 36 ++++++++++--------- .../usr/local/bin/entrypoint-jupyter-server | 6 ++++ .../sagemaker-ui/sagemaker_ui_post_startup.sh | 36 ++++++++++--------- .../usr/local/bin/entrypoint-jupyter-server | 6 ++++ 4 files changed, 52 insertions(+), 32 deletions(-) diff --git a/template/v2/dirs/etc/sagemaker-ui/sagemaker_ui_post_startup.sh b/template/v2/dirs/etc/sagemaker-ui/sagemaker_ui_post_startup.sh index 06f768550..a8821fb52 100644 --- a/template/v2/dirs/etc/sagemaker-ui/sagemaker_ui_post_startup.sh +++ b/template/v2/dirs/etc/sagemaker-ui/sagemaker_ui_post_startup.sh @@ -55,6 +55,10 @@ dataZoneDomainRegion=$(jq -r '.AdditionalMetadata.DataZoneDomainRegion' < $sourc set +e +# Enable S3 Access Grant plugin by default +export BOTOCORE_EXPERIMENTAL__PLUGINS=S3AccessGrantsPlugin=aws_s3_access_grants_boto3_plugin.s3_access_grants_plugin +echo BOTOCORE_EXPERIMENTAL__PLUGINS=S3AccessGrantsPlugin=aws_s3_access_grants_boto3_plugin.s3_access_grants_plugin >> ~/.bashrc + # Remove the ~/.aws/config file to start clean when space restart rm -f /home/sagemaker-user/.aws/config echo "Successfully removed the ~/.aws/config file" @@ -212,7 +216,7 @@ mkdir -p "$HOME/.config" # Create config directory if it doesn't exist jq -n \ --arg smusProjectDirectory "$SMUS_PROJECT_DIR" \ --arg isGitProject "$IS_GIT_PROJECT" \ - '{ + '{ smusProjectDirectory: $smusProjectDirectory, isGitProject: ($isGitProject == "true") }' > "$HOME/.config/smus-storage-metadata.json" @@ -247,7 +251,7 @@ if [ -f "$q_settings_file" ]; then q_auth_mode=$(jq -r '.auth_mode' < $q_settings_file) if [ "$q_auth_mode" == "IAM" ]; then export AMAZON_Q_SIGV4=true - else + else export AMAZON_Q_SIGV4=false fi else 
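Review bot: The line appended to `~/.bashrc` in the `@@ -55,6 +55,10 @@` hunk of the v2 `sagemaker_ui_post_startup.sh` has no `export`, so a new terminal gets a plain shell variable that child processes such as `python` do not inherit. It is also appended again on every start, because nothing checks for an existing entry. The `AMAZON_Q_SIGV4` code visible later in this file writes `export …` and cleans up with `sed`; the same pattern fits here, e.g. `grep -q '^export BOTOCORE_EXPERIMENTAL__PLUGINS=' ~/.bashrc || echo "export BOTOCORE_EXPERIMENTAL__PLUGINS=$BOTOCORE_EXPERIMENTAL__PLUGINS" >> ~/.bashrc`. The same two lines recur in the v3 copy of this script, in both `entrypoint-jupyter-server` hunks, in the `start-jupyter-server` hunks of patch 4 and in the `start-sagemaker-ui-jupyter-server` hunks of patches 5 and 6. The script body continues outside the hunk.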
@@ -260,7 +264,7 @@ if $AMAZON_Q_SIGV4; then else echo export AMAZON_Q_SIGV4=$AMAZON_Q_SIGV4 >> ~/.bashrc fi -else +else # Remove from .bashrc if it exists sed -i '/^export AMAZON_Q_SIGV4=/d' ~/.bashrc fi @@ -293,7 +297,7 @@ if [ -f "$source_file" ]; then if [ -f "$target_file" ]; then # Target file exists - merge configurations echo "Existing MCP configuration found, merging configurations..." - + # Check if it's valid JSON first if jq empty "$target_file" 2>/dev/null; then # Initialize mcpServers object if it doesn't exist @@ -302,9 +306,9 @@ if [ -f "$source_file" ]; then jq '. + {"mcpServers":{}}' "$target_file" > "$target_file.tmp" mv "$target_file.tmp" "$target_file" fi - + servers=$(jq '.mcpServers | keys[]' "$source_file" | tr -d '"') - + # Add each server from source to target if it doesn't exist for server in $servers; do if ! jq -e ".mcpServers.\"$server\"" "$target_file" >/dev/null 2>&1; then @@ -326,7 +330,7 @@ if [ -f "$source_file" ]; then cp "$source_file" "$target_file" echo "Created new MCP configuration with default servers" fi - + echo "Successfully configured MCP for SageMaker" else echo "Warning: MCP configuration file not found at $source_file" @@ -339,10 +343,10 @@ agents_source_file="/etc/sagemaker-ui/sagemaker-mcp/default.json" if [ -f "$agents_source_file" ]; then mkdir -p "$HOME/.aws/amazonq/agents/" - + if [ -f "$agents_target_file" ]; then echo "Existing Amazon Q agents configuration found, merging mcpServers..." - + # Check if target file is valid JSON if jq empty "$agents_target_file" 2>/dev/null; then # Initialize mcpServers object if it doesn't exist in target 
@@ -351,11 +355,11 @@ if [ -f "$agents_source_file" ]; then jq '. + {"mcpServers":{}}' "$agents_target_file" > "$agents_target_file.tmp" mv "$agents_target_file.tmp" "$agents_target_file" fi - + # Add servers from source that don't exist in target and update tools if jq -e '.mcpServers' "$agents_source_file" >/dev/null 2>&1; then source_server_names=$(jq -r '.mcpServers | keys[]' "$agents_source_file") - + for server_name in $source_server_names; do if ! jq -e ".mcpServers.\"$server_name\"" "$agents_target_file" >/dev/null 2>&1; then # Server doesn't exist in target - add it @@ -364,7 +368,7 @@ if [ -f "$agents_source_file" ]; then '.mcpServers[$name] = $config' "$agents_target_file" > "$agents_target_file.tmp" mv "$agents_target_file.tmp" "$agents_target_file" echo "Added server '$server_name' to agents configuration" - + # Check if source has tools that reference this server and add them server_tool_ref="@$server_name" if jq -e --arg tool "$server_tool_ref" '.tools | index($tool)' "$agents_source_file" >/dev/null 2>&1; then @@ -373,7 +377,7 @@ if [ -f "$agents_source_file" ]; then jq '. + {"tools":[]}' "$agents_target_file" > "$agents_target_file.tmp" mv "$agents_target_file.tmp" "$agents_target_file" fi - + # Add tool reference if it doesn't exist if ! jq -e --arg tool "$server_tool_ref" '.tools | index($tool)' "$agents_target_file" >/dev/null 2>&1; then jq --arg tool "$server_tool_ref" '.tools += [$tool]' "$agents_target_file" > "$agents_target_file.tmp" @@ -385,7 +389,7 @@ if [ -f "$agents_source_file" ]; then echo "Server '$server_name' already exists in configuration, skipping" fi done - + echo "Successfully added missing mcpServers and tools from default.json to agents configuration" else echo "No mcpServers found in source configuration" 
@@ -398,7 +402,7 @@ if [ -f "$agents_source_file" ]; then cp "$agents_source_file" "$agents_target_file" echo "Created new Amazon Q agents configuration file" fi - + echo "Successfully migrated MCP configuration to Amazon Q agents" else echo "Warning: Source configuration file not found at $agents_source_file" @@ -420,7 +424,7 @@ if [ "${SAGEMAKER_APP_TYPE_LOWERCASE}" = "jupyterlab" ] && [ "$is_express_mode" # write unexpected error to file if any of the remaining scripts fail. trap 'write_status_to_file "error" "An unexpected error occurred. Please stop and restart your space to retry."' ERR - + # Install conda and pip dependencies if lib mgmt config existing bash /etc/sagemaker-ui/libmgmt/install-lib.sh diff --git a/template/v2/dirs/usr/local/bin/entrypoint-jupyter-server b/template/v2/dirs/usr/local/bin/entrypoint-jupyter-server index 5b8c3ad4a..bfd668bfa 100755 --- a/template/v2/dirs/usr/local/bin/entrypoint-jupyter-server +++ b/template/v2/dirs/usr/local/bin/entrypoint-jupyter-server @@ -15,6 +15,12 @@ else micromamba activate base fi +# Enable S3AG plugin if TIP is enabled +if [ -n "$TRUSTED_IDENTITY_PROPOGATION_ENABLED" ]; then + export BOTOCORE_EXPERIMENTAL__PLUGINS=S3AccessGrantsPlugin=aws_s3_access_grants_boto3_plugin.s3_access_grants_plugin + echo BOTOCORE_EXPERIMENTAL__PLUGINS=S3AccessGrantsPlugin=aws_s3_access_grants_boto3_plugin.s3_access_grants_plugin >> ~/.bashrc +fi + # Set up SAGEMAKER_APP_TYPE_LOWERCASE based on SAGEMAKER_APP_TYPE export SAGEMAKER_APP_TYPE_LOWERCASE=$(echo $SAGEMAKER_APP_TYPE | tr '[:upper:]' '[:lower:]') diff --git a/template/v3/dirs/etc/sagemaker-ui/sagemaker_ui_post_startup.sh b/template/v3/dirs/etc/sagemaker-ui/sagemaker_ui_post_startup.sh index 3cec0b226..792a05d1d 100755 --- a/template/v3/dirs/etc/sagemaker-ui/sagemaker_ui_post_startup.sh +++ b/template/v3/dirs/etc/sagemaker-ui/sagemaker_ui_post_startup.sh 
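Review bot: The guard `[ -n "$TRUSTED_IDENTITY_PROPOGATION_ENABLED" ]` in the v2 `entrypoint-jupyter-server` hunk spells the variable "PROPOGATION", and `-n` is true for any non-empty value, so `false` or `0` would still enable the plugin. If the platform exports the name spelled "PROPAGATION" (not visible here, so worth confirming against whatever sets it), the block never runs and the plugin is presumably left off with no message. A stricter test with the confirmed name, such as `if [ "${TRUSTED_IDENTITY_PROPOGATION_ENABLED:-}" = "true" ]; then` (assuming the flag carries `true`), plus an `echo` in each branch, would make the resulting state visible in the startup log. The same guard is used in the v3 entrypoint hunk and in both `start-jupyter-server` hunks of patch 4.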
@@ -55,6 +55,10 @@ dataZoneDomainRegion=$(jq -r '.AdditionalMetadata.DataZoneDomainRegion' < $sourc set +e +# Enable S3 Access Grant plugin by default +export BOTOCORE_EXPERIMENTAL__PLUGINS=S3AccessGrantsPlugin=aws_s3_access_grants_boto3_plugin.s3_access_grants_plugin +echo BOTOCORE_EXPERIMENTAL__PLUGINS=S3AccessGrantsPlugin=aws_s3_access_grants_boto3_plugin.s3_access_grants_plugin >> ~/.bashrc + # Remove the ~/.aws/config file to start clean when space restart rm -f /home/sagemaker-user/.aws/config echo "Successfully removed the ~/.aws/config file" @@ -213,7 +217,7 @@ mkdir -p "$HOME/.config" # Create config directory if it doesn't exist jq -n \ --arg smusProjectDirectory "$SMUS_PROJECT_DIR" \ --arg isGitProject "$IS_GIT_PROJECT" \ - '{ + '{ smusProjectDirectory: $smusProjectDirectory, isGitProject: ($isGitProject == "true") }' > "$HOME/.config/smus-storage-metadata.json" @@ -248,7 +252,7 @@ if [ -f "$q_settings_file" ]; then q_auth_mode=$(jq -r '.auth_mode' < $q_settings_file) if [ "$q_auth_mode" == "IAM" ]; then export AMAZON_Q_SIGV4=true - else + else export AMAZON_Q_SIGV4=false fi else @@ -261,7 +265,7 @@ if $AMAZON_Q_SIGV4; then else echo export AMAZON_Q_SIGV4=$AMAZON_Q_SIGV4 >> ~/.bashrc fi -else +else # Remove from .bashrc if it exists sed -i '/^export AMAZON_Q_SIGV4=/d' ~/.bashrc fi @@ -294,7 +298,7 @@ if [ -f "$source_file" ]; then if [ -f "$target_file" ]; then # Target file exists - merge configurations echo "Existing MCP configuration found, merging configurations..." - + # Check if it's valid JSON first if jq empty "$target_file" 2>/dev/null; then # Initialize mcpServers object if it doesn't exist 
@@ -303,9 +307,9 @@ if [ -f "$source_file" ]; then jq '. + {"mcpServers":{}}' "$target_file" > "$target_file.tmp" mv "$target_file.tmp" "$target_file" fi - + servers=$(jq '.mcpServers | keys[]' "$source_file" | tr -d '"') - + # Add each server from source to target if it doesn't exist for server in $servers; do if ! jq -e ".mcpServers.\"$server\"" "$target_file" >/dev/null 2>&1; then @@ -327,7 +331,7 @@ if [ -f "$source_file" ]; then cp "$source_file" "$target_file" echo "Created new MCP configuration with default servers" fi - + echo "Successfully configured MCP for SageMaker" else echo "Warning: MCP configuration file not found at $source_file" @@ -340,10 +344,10 @@ agents_source_file="/etc/sagemaker-ui/sagemaker-mcp/default.json" if [ -f "$agents_source_file" ]; then mkdir -p "$HOME/.aws/amazonq/agents/" - + if [ -f "$agents_target_file" ]; then echo "Existing Amazon Q agents configuration found, merging mcpServers..." - + # Check if target file is valid JSON if jq empty "$agents_target_file" 2>/dev/null; then # Initialize mcpServers object if it doesn't exist in target @@ -352,11 +356,11 @@ if [ -f "$agents_source_file" ]; then jq '. + {"mcpServers":{}}' "$agents_target_file" > "$agents_target_file.tmp" mv "$agents_target_file.tmp" "$agents_target_file" fi - + # Add servers from source that don't exist in target and update tools if jq -e '.mcpServers' "$agents_source_file" >/dev/null 2>&1; then source_server_names=$(jq -r '.mcpServers | keys[]' "$agents_source_file") - + for server_name in $source_server_names; do if ! jq -e ".mcpServers.\"$server_name\"" "$agents_target_file" >/dev/null 2>&1; then # Server doesn't exist in target - add it 
@@ -365,7 +369,7 @@ if [ -f "$agents_source_file" ]; then '.mcpServers[$name] = $config' "$agents_target_file" > "$agents_target_file.tmp" mv "$agents_target_file.tmp" "$agents_target_file" echo "Added server '$server_name' to agents configuration" - + # Check if source has tools that reference this server and add them server_tool_ref="@$server_name" if jq -e --arg tool "$server_tool_ref" '.tools | index($tool)' "$agents_source_file" >/dev/null 2>&1; then @@ -374,7 +378,7 @@ if [ -f "$agents_source_file" ]; then jq '. + {"tools":[]}' "$agents_target_file" > "$agents_target_file.tmp" mv "$agents_target_file.tmp" "$agents_target_file" fi - + # Add tool reference if it doesn't exist if ! jq -e --arg tool "$server_tool_ref" '.tools | index($tool)' "$agents_target_file" >/dev/null 2>&1; then jq --arg tool "$server_tool_ref" '.tools += [$tool]' "$agents_target_file" > "$agents_target_file.tmp" @@ -386,7 +390,7 @@ if [ -f "$agents_source_file" ]; then echo "Server '$server_name' already exists in configuration, skipping" fi done - + echo "Successfully added missing mcpServers and tools from default.json to agents configuration" else echo "No mcpServers found in source configuration" @@ -399,7 +403,7 @@ if [ -f "$agents_source_file" ]; then cp "$agents_source_file" "$agents_target_file" echo "Created new Amazon Q agents configuration file" fi - + echo "Successfully migrated MCP configuration to Amazon Q agents" else echo "Warning: Source configuration file not found at $agents_source_file" @@ -421,7 +425,7 @@ if [ "${SAGEMAKER_APP_TYPE_LOWERCASE}" = "jupyterlab" ] && [ "$is_express_mode" # write unexpected error to file if any of the remaining scripts fail. trap 'write_status_to_file "error" "An unexpected error occurred. Please stop and restart your space to retry."' ERR - + # Install conda and pip dependencies if lib mgmt config existing bash /etc/sagemaker-ui/libmgmt/install-lib.sh 
diff --git a/template/v3/dirs/usr/local/bin/entrypoint-jupyter-server b/template/v3/dirs/usr/local/bin/entrypoint-jupyter-server index f71e97f79..737603d56 100755 --- a/template/v3/dirs/usr/local/bin/entrypoint-jupyter-server +++ b/template/v3/dirs/usr/local/bin/entrypoint-jupyter-server @@ -15,6 +15,12 @@ else micromamba activate base fi +# Enable S3AG plugin if TIP is enabled +if [ -n "$TRUSTED_IDENTITY_PROPOGATION_ENABLED" ]; then + export BOTOCORE_EXPERIMENTAL__PLUGINS=S3AccessGrantsPlugin=aws_s3_access_grants_boto3_plugin.s3_access_grants_plugin + echo BOTOCORE_EXPERIMENTAL__PLUGINS=S3AccessGrantsPlugin=aws_s3_access_grants_boto3_plugin.s3_access_grants_plugin >> ~/.bashrc +fi + # Set up SAGEMAKER_APP_TYPE_LOWERCASE based on SAGEMAKER_APP_TYPE export SAGEMAKER_APP_TYPE_LOWERCASE=$(echo $SAGEMAKER_APP_TYPE | tr '[:upper:]' '[:lower:]') From 7b247e4c7c3f51d1801676d55d64a6410fedd798 Mon Sep 17 00:00:00 2001 From: Clayton Parnell Date: Wed, 13 Aug 2025 19:31:09 +0000 Subject: [PATCH 2/6] Update pysdk defaults --- template/v2/dirs/etc/sagemaker/sm_pysdk_default_config.py | 8 ++++---- template/v3/dirs/etc/sagemaker/sm_pysdk_default_config.py | 8 ++++---- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/template/v2/dirs/etc/sagemaker/sm_pysdk_default_config.py b/template/v2/dirs/etc/sagemaker/sm_pysdk_default_config.py index 0489d4028..2df1252c6 100644 --- a/template/v2/dirs/etc/sagemaker/sm_pysdk_default_config.py +++ b/template/v2/dirs/etc/sagemaker/sm_pysdk_default_config.py @@ -7,7 +7,7 @@ def generate_intelligent_default_config(metadata: str) -> dict: has_vpc = metadata["SecurityGroupIds"] and metadata["Subnets"] and metadata["SecurityGroupIds"] != [''] and metadata["Subnets"] != [''] - + config = { "SchemaVersion": "1.0", "SageMaker": { 
@@ -31,10 +31,10 @@ def generate_intelligent_default_config(metadata: str) -> dict: "Model": {"ExecutionRoleArn": metadata["UserRoleArn"]}, "ModelPackage": {"ValidationSpecification": {"ValidationRole": metadata["UserRoleArn"]}}, "ProcessingJob": {"RoleArn": metadata["UserRoleArn"]}, - "TrainingJob": {"RoleArn": metadata["UserRoleArn"]}, + "TrainingJob": {"RoleArn": metadata["UserRoleArn"], "Environment": {"BOTOCORE_EXPERIMENTAL__PLUGINS": "S3AccessGrantsPlugin=aws_s3_access_grants_boto3_plugin.s3_access_grants_plugin"}}, }, } - + if has_vpc: vpc_config = {"SecurityGroupIds": metadata["SecurityGroupIds"], "Subnets": metadata["Subnets"]} config["SageMaker"]["PythonSDK"]["Modules"]["RemoteFunction"]["VpcConfig"] = vpc_config @@ -58,7 +58,7 @@ def generate_intelligent_default_config(metadata: str) -> dict: config["SageMaker"]["Model"]["VpcConfig"] = vpc_config config["SageMaker"]["ProcessingJob"]["NetworkConfig"] = {"VpcConfig": vpc_config} config["SageMaker"]["TrainingJob"]["VpcConfig"] = vpc_config - + return config diff --git a/template/v3/dirs/etc/sagemaker/sm_pysdk_default_config.py b/template/v3/dirs/etc/sagemaker/sm_pysdk_default_config.py index 328dddb99..5bfecddb8 100644 --- a/template/v3/dirs/etc/sagemaker/sm_pysdk_default_config.py +++ b/template/v3/dirs/etc/sagemaker/sm_pysdk_default_config.py @@ -8,7 +8,7 @@ def generate_intelligent_default_config(metadata: str) -> dict: has_vpc = metadata["SecurityGroupIds"] and metadata["Subnets"] and metadata["SecurityGroupIds"] != [''] and metadata["Subnets"] != [''] vpc_config = {"SecurityGroupIds": metadata["SecurityGroupIds"], "Subnets": metadata["Subnets"]} if has_vpc else None - + config = { "SchemaVersion": "1.0", "SageMaker": { 
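Review bot: The new `"Environment"` default under `"TrainingJob"` (hunk `@@ -31,10 +31,10 @@`) turns the experimental botocore plugin on for every training job with no condition, whereas patch 1 enables it in the entrypoint only when the TIP flag is set. Nothing visible here shows that the training image ships `aws_s3_access_grants_boto3_plugin`, so that should be confirmed or the default gated on a metadata field. At minimum a comment above the entry would help, e.g. `# Enable S3 Access Grants plugin in training containers; requires aws_s3_access_grants_boto3_plugin in the image`. The v3 hunk `@@ -32,10 +32,10 @@` carries the same line, and `generate_intelligent_default_config` starts and ends outside the hunk.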
@@ -32,10 +32,10 @@ def generate_intelligent_default_config(metadata: str) -> dict: "Model": {"ExecutionRoleArn": metadata["UserRoleArn"]}, "ModelPackage": {"ValidationSpecification": {"ValidationRole": metadata["UserRoleArn"]}}, "ProcessingJob": {"RoleArn": metadata["UserRoleArn"]}, - "TrainingJob": {"RoleArn": metadata["UserRoleArn"]}, + "TrainingJob": {"RoleArn": metadata["UserRoleArn"], "Environment": {"BOTOCORE_EXPERIMENTAL__PLUGINS": "S3AccessGrantsPlugin=aws_s3_access_grants_boto3_plugin.s3_access_grants_plugin"}}, }, } - + if has_vpc: config["SageMaker"]["PythonSDK"]["Modules"]["RemoteFunction"]["VpcConfig"] = vpc_config config["SageMaker"]["PythonSDK"]["Modules"]["NotebookJob"]["VpcConfig"] = vpc_config @@ -58,7 +58,7 @@ def generate_intelligent_default_config(metadata: str) -> dict: config["SageMaker"]["Model"]["VpcConfig"] = vpc_config config["SageMaker"]["ProcessingJob"]["NetworkConfig"] = {"VpcConfig": vpc_config} config["SageMaker"]["TrainingJob"]["VpcConfig"] = vpc_config - + return config From 9faf358eb850caf693d0c57a5661f15dce8ce6f5 Mon Sep 17 00:00:00 2001 From: Clayton Parnell Date: Wed, 27 Aug 2025 17:40:30 +0000 Subject: [PATCH 3/6] Formatting --- src/main.py | 2 +- template/v2/dirs/etc/sagemaker/sm_pysdk_default_config.py | 7 ++++++- template/v3/dirs/etc/sagemaker/sm_pysdk_default_config.py | 7 ++++++- 3 files changed, 13 insertions(+), 3 deletions(-) diff --git a/src/main.py b/src/main.py index bb2f68c3f..27b76d9f8 100644 --- a/src/main.py +++ b/src/main.py @@ -263,7 +263,7 @@ def _build_local_images( # Minimal patch build, use .patch Dockerfiles dockerfile = f"./Dockerfile-{image_type}.patch" else: - dockerfile="./Dockerfile" + dockerfile = "./Dockerfile" try: image, log_gen = _docker_client.images.build( path=target_version_dir, dockerfile=dockerfile, rm=True, pull=True, buildargs=config["build_args"] 
diff --git a/template/v2/dirs/etc/sagemaker/sm_pysdk_default_config.py b/template/v2/dirs/etc/sagemaker/sm_pysdk_default_config.py index 48074b1cc..2abb7c136 100644 --- a/template/v2/dirs/etc/sagemaker/sm_pysdk_default_config.py +++ b/template/v2/dirs/etc/sagemaker/sm_pysdk_default_config.py @@ -36,7 +36,12 @@ def generate_intelligent_default_config(metadata: str) -> dict: "Model": {"ExecutionRoleArn": metadata["UserRoleArn"]}, "ModelPackage": {"ValidationSpecification": {"ValidationRole": metadata["UserRoleArn"]}}, "ProcessingJob": {"RoleArn": metadata["UserRoleArn"]}, - "TrainingJob": {"RoleArn": metadata["UserRoleArn"], "Environment": {"BOTOCORE_EXPERIMENTAL__PLUGINS": "S3AccessGrantsPlugin=aws_s3_access_grants_boto3_plugin.s3_access_grants_plugin"}}, + "TrainingJob": { + "RoleArn": metadata["UserRoleArn"], + "Environment": { + "BOTOCORE_EXPERIMENTAL__PLUGINS": "S3AccessGrantsPlugin=aws_s3_access_grants_boto3_plugin.s3_access_grants_plugin" + }, + }, }, } diff --git a/template/v3/dirs/etc/sagemaker/sm_pysdk_default_config.py b/template/v3/dirs/etc/sagemaker/sm_pysdk_default_config.py index 69b6cf49f..9a56bd81d 100644 --- a/template/v3/dirs/etc/sagemaker/sm_pysdk_default_config.py +++ b/template/v3/dirs/etc/sagemaker/sm_pysdk_default_config.py @@ -37,7 +37,12 @@ def generate_intelligent_default_config(metadata: str) -> dict: "Model": {"ExecutionRoleArn": metadata["UserRoleArn"]}, "ModelPackage": {"ValidationSpecification": {"ValidationRole": metadata["UserRoleArn"]}}, "ProcessingJob": {"RoleArn": metadata["UserRoleArn"]}, - "TrainingJob": {"RoleArn": metadata["UserRoleArn"], "Environment": {"BOTOCORE_EXPERIMENTAL__PLUGINS": "S3AccessGrantsPlugin=aws_s3_access_grants_boto3_plugin.s3_access_grants_plugin"}}, + "TrainingJob": { + "RoleArn": metadata["UserRoleArn"], + "Environment": { + "BOTOCORE_EXPERIMENTAL__PLUGINS": "S3AccessGrantsPlugin=aws_s3_access_grants_boto3_plugin.s3_access_grants_plugin" + }, + }, }, } 
From 37ba87d38ecb43bb9914d349357504b7896c48f4 Mon Sep 17 00:00:00 2001 From: Clayton Parnell Date: Wed, 3 Sep 2025 17:15:23 +0000 Subject: [PATCH 4/6] Add to start scripts as well as entrypoint --- template/v2/dirs/usr/local/bin/start-jupyter-server | 6 ++++++ template/v3/dirs/usr/local/bin/start-jupyter-server | 6 ++++++ 2 files changed, 12 insertions(+) diff --git a/template/v2/dirs/usr/local/bin/start-jupyter-server b/template/v2/dirs/usr/local/bin/start-jupyter-server index 8d945356f..320baf8d6 100755 --- a/template/v2/dirs/usr/local/bin/start-jupyter-server +++ b/template/v2/dirs/usr/local/bin/start-jupyter-server @@ -14,6 +14,12 @@ else jupyter labextension disable @amzn/sagemaker-data-explorer-jl-plugin sagemaker-data-explorer:plugin amzn/sagemaker-ui-theme-jlplugin @amzn/sagemaker-ui-doc-manager-jl-plugin @amzn/sagemaker-connection-magics-jlextension @amzn/sagemaker_gen_ai_jupyterlab_extension @amzn/sagemaker-post-startup-notification-plugin:plugin @amzn/sagemaker-post-startup-notification-plugin:custom-terminal-launcher-plugin @amzn/sagemaker-studio-scheduler:scheduler @amzn/sagemaker-studio-scheduler:schedulerTelemetry fi +# Enable S3AG plugin if TIP is enabled +if [ -n "$TRUSTED_IDENTITY_PROPOGATION_ENABLED" ]; then + export BOTOCORE_EXPERIMENTAL__PLUGINS=S3AccessGrantsPlugin=aws_s3_access_grants_boto3_plugin.s3_access_grants_plugin + echo BOTOCORE_EXPERIMENTAL__PLUGINS=S3AccessGrantsPlugin=aws_s3_access_grants_boto3_plugin.s3_access_grants_plugin >> ~/.bashrc +fi + # Start Jupyter server in rtc mode for shared spaces if [ -n "$SAGEMAKER_APP_TYPE_LOWERCASE" ] && [ "$SAGEMAKER_SPACE_TYPE_LOWERCASE" == "shared" ]; then jupyter labextension enable @jupyter/collaboration-extension diff --git a/template/v3/dirs/usr/local/bin/start-jupyter-server b/template/v3/dirs/usr/local/bin/start-jupyter-server index b88e3cfb1..8062dcc65 100755 --- a/template/v3/dirs/usr/local/bin/start-jupyter-server +++ b/template/v3/dirs/usr/local/bin/start-jupyter-server 
@@ -14,6 +14,12 @@ else jupyter labextension disable @amzn/sagemaker-data-explorer-jl-plugin sagemaker-data-explorer:plugin amzn/sagemaker-ui-theme-jlplugin @amzn/sagemaker-ui-doc-manager-jl-plugin @amzn/sagemaker-connection-magics-jlextension @amzn/sagemaker_gen_ai_jupyterlab_extension @amzn/sagemaker-post-startup-notification-plugin:plugin @amzn/sagemaker-post-startup-notification-plugin:custom-terminal-launcher-plugin @amzn/sagemaker-studio-scheduler:scheduler @amzn/sagemaker-studio-scheduler:schedulerTelemetry fi +# Enable S3AG plugin if TIP is enabled +if [ -n "$TRUSTED_IDENTITY_PROPOGATION_ENABLED" ]; then + export BOTOCORE_EXPERIMENTAL__PLUGINS=S3AccessGrantsPlugin=aws_s3_access_grants_boto3_plugin.s3_access_grants_plugin + echo BOTOCORE_EXPERIMENTAL__PLUGINS=S3AccessGrantsPlugin=aws_s3_access_grants_boto3_plugin.s3_access_grants_plugin >> ~/.bashrc +fi + # Start Jupyter server in rtc mode for shared spaces if [ -n "$SAGEMAKER_APP_TYPE_LOWERCASE" ] && [ "$SAGEMAKER_SPACE_TYPE_LOWERCASE" == "shared" ]; then jupyter labextension enable @jupyter/collaboration-extension From 68664289becd27a420b768c408a85ecab396bfc7 Mon Sep 17 00:00:00 2001 From: Clayton Parnell Date: Thu, 4 Sep 2025 18:39:14 +0000 Subject: [PATCH 5/6] Just set the variable in the start- scripts --- .../v2/dirs/etc/sagemaker-ui/sagemaker_ui_post_startup.sh | 4 ---- template/v2/dirs/usr/local/bin/entrypoint-jupyter-server | 6 ------ .../dirs/usr/local/bin/start-sagemaker-ui-jupyter-server | 8 ++++++-- 3 files changed, 6 insertions(+), 12 deletions(-) diff --git a/template/v2/dirs/etc/sagemaker-ui/sagemaker_ui_post_startup.sh b/template/v2/dirs/etc/sagemaker-ui/sagemaker_ui_post_startup.sh index a8821fb52..ed42b2fff 100644 --- a/template/v2/dirs/etc/sagemaker-ui/sagemaker_ui_post_startup.sh +++ b/template/v2/dirs/etc/sagemaker-ui/sagemaker_ui_post_startup.sh 
@@ -55,10 +55,6 @@ dataZoneDomainRegion=$(jq -r '.AdditionalMetadata.DataZoneDomainRegion' < $sourc set +e -# Enable S3 Access Grant plugin by default -export BOTOCORE_EXPERIMENTAL__PLUGINS=S3AccessGrantsPlugin=aws_s3_access_grants_boto3_plugin.s3_access_grants_plugin -echo BOTOCORE_EXPERIMENTAL__PLUGINS=S3AccessGrantsPlugin=aws_s3_access_grants_boto3_plugin.s3_access_grants_plugin >> ~/.bashrc - # Remove the ~/.aws/config file to start clean when space restart rm -f /home/sagemaker-user/.aws/config echo "Successfully removed the ~/.aws/config file" diff --git a/template/v2/dirs/usr/local/bin/entrypoint-jupyter-server b/template/v2/dirs/usr/local/bin/entrypoint-jupyter-server index bfd668bfa..5b8c3ad4a 100755 --- a/template/v2/dirs/usr/local/bin/entrypoint-jupyter-server +++ b/template/v2/dirs/usr/local/bin/entrypoint-jupyter-server @@ -15,12 +15,6 @@ else micromamba activate base fi -# Enable S3AG plugin if TIP is enabled -if [ -n "$TRUSTED_IDENTITY_PROPOGATION_ENABLED" ]; then - export BOTOCORE_EXPERIMENTAL__PLUGINS=S3AccessGrantsPlugin=aws_s3_access_grants_boto3_plugin.s3_access_grants_plugin - echo BOTOCORE_EXPERIMENTAL__PLUGINS=S3AccessGrantsPlugin=aws_s3_access_grants_boto3_plugin.s3_access_grants_plugin >> ~/.bashrc -fi - # Set up SAGEMAKER_APP_TYPE_LOWERCASE based on SAGEMAKER_APP_TYPE export SAGEMAKER_APP_TYPE_LOWERCASE=$(echo $SAGEMAKER_APP_TYPE | tr '[:upper:]' '[:lower:]') diff --git a/template/v2/dirs/usr/local/bin/start-sagemaker-ui-jupyter-server b/template/v2/dirs/usr/local/bin/start-sagemaker-ui-jupyter-server index 0d6482f26..5067d7861 100755 --- a/template/v2/dirs/usr/local/bin/start-sagemaker-ui-jupyter-server +++ b/template/v2/dirs/usr/local/bin/start-sagemaker-ui-jupyter-server 
@@ -3,7 +3,7 @@ set -e eval "$(micromamba shell hook --shell=bash)" -# Activate conda environment depending on if we are in Recovery or Standard mode. +# Activate conda environment depending on if we are in Recovery or Standard mode. if [ -n "$SAGEMAKER_RECOVERY_MODE" ]; then # Activate conda environment `sagemaker-recovery-mode` micromamba activate sagemaker-recovery-mode @@ -37,6 +37,10 @@ if [[ $(jupyter kernelspec list | grep glue_pyspark) ]]; then jupyter-kernelspec remove -f -y glue_pyspark fi +# Enable S3 Access Grant plugin by default +export BOTOCORE_EXPERIMENTAL__PLUGINS=S3AccessGrantsPlugin=aws_s3_access_grants_boto3_plugin.s3_access_grants_plugin +echo BOTOCORE_EXPERIMENTAL__PLUGINS=S3AccessGrantsPlugin=aws_s3_access_grants_boto3_plugin.s3_access_grants_plugin >> ~/.bashrc + if [ -n "$SAGEMAKER_RECOVERY_MODE" ]; then # Disabling collaboration and identity_provider_class flags for recovery mode jupyter lab --ip 0.0.0.0 --port 8888 \ @@ -46,7 +50,7 @@ if [ -n "$SAGEMAKER_RECOVERY_MODE" ]; then --SchedulerApp.db_url='sqlite:////tmp/.jupyter_scheduler_do_not_delete.sqlite' \ --SQLiteYStore.db_path='/tmp/.ydoc_db_do_not_delete.sqlite' \ --ArbitraryFileIdManager.db_path='/tmp/.fileid_do_not_delete.sqlite' -else +else jupyter lab --ip 0.0.0.0 --port 8888 \ --ServerApp.base_url="/$SAGEMAKER_APP_TYPE_LOWERCASE/default" \ --ServerApp.token='' \ From 1f06c3cbadabc41bcda8a7d720c685fae41bac17 Mon Sep 17 00:00:00 2001 From: Clayton Parnell Date: Thu, 4 Sep 2025 18:41:02 +0000 Subject: [PATCH 6/6] same changes for v3 --- .../etc/sagemaker-ui/sagemaker_ui_post_startup.sh | 4 ---- .../dirs/usr/local/bin/entrypoint-jupyter-server | 6 ------ .../local/bin/start-sagemaker-ui-jupyter-server | 14 +++++++++----- 3 files changed, 9 insertions(+), 15 deletions(-) diff --git a/template/v3/dirs/etc/sagemaker-ui/sagemaker_ui_post_startup.sh b/template/v3/dirs/etc/sagemaker-ui/sagemaker_ui_post_startup.sh index 792a05d1d..9ed986f36 100755 
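Review bot: The block added before `jupyter lab` in `start-sagemaker-ui-jupyter-server` (hunk `@@ -37,6 +37,10 @@`) enables the plugin unconditionally, while the `start-jupyter-server` block added in patch 4 is left in place with its `TRUSTED_IDENTITY_PROPOGATION_ENABLED` guard. The two start scripts therefore decide differently whether S3 Access Grants applies. If that difference is intended, a comment stating the reason belongs above the block, for example `# SageMaker UI spaces always use S3 Access Grants; start-jupyter-server enables it only under TIP`; otherwise both scripts should share one rule. The `export` also replaces any value already in `BOTOCORE_EXPERIMENTAL__PLUGINS`; assuming the variable takes a comma-separated list, appending to an existing value would preserve plugins configured by the image or the user.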
--- a/template/v3/dirs/etc/sagemaker-ui/sagemaker_ui_post_startup.sh +++ b/template/v3/dirs/etc/sagemaker-ui/sagemaker_ui_post_startup.sh @@ -55,10 +55,6 @@ dataZoneDomainRegion=$(jq -r '.AdditionalMetadata.DataZoneDomainRegion' < $sourc set +e -# Enable S3 Access Grant plugin by default -export BOTOCORE_EXPERIMENTAL__PLUGINS=S3AccessGrantsPlugin=aws_s3_access_grants_boto3_plugin.s3_access_grants_plugin -echo BOTOCORE_EXPERIMENTAL__PLUGINS=S3AccessGrantsPlugin=aws_s3_access_grants_boto3_plugin.s3_access_grants_plugin >> ~/.bashrc - # Remove the ~/.aws/config file to start clean when space restart rm -f /home/sagemaker-user/.aws/config echo "Successfully removed the ~/.aws/config file" diff --git a/template/v3/dirs/usr/local/bin/entrypoint-jupyter-server b/template/v3/dirs/usr/local/bin/entrypoint-jupyter-server index 737603d56..f71e97f79 100755 --- a/template/v3/dirs/usr/local/bin/entrypoint-jupyter-server +++ b/template/v3/dirs/usr/local/bin/entrypoint-jupyter-server @@ -15,12 +15,6 @@ else micromamba activate base fi -# Enable S3AG plugin if TIP is enabled -if [ -n "$TRUSTED_IDENTITY_PROPOGATION_ENABLED" ]; then - export BOTOCORE_EXPERIMENTAL__PLUGINS=S3AccessGrantsPlugin=aws_s3_access_grants_boto3_plugin.s3_access_grants_plugin - echo BOTOCORE_EXPERIMENTAL__PLUGINS=S3AccessGrantsPlugin=aws_s3_access_grants_boto3_plugin.s3_access_grants_plugin >> ~/.bashrc -fi - # Set up SAGEMAKER_APP_TYPE_LOWERCASE based on SAGEMAKER_APP_TYPE export SAGEMAKER_APP_TYPE_LOWERCASE=$(echo $SAGEMAKER_APP_TYPE | tr '[:upper:]' '[:lower:]') diff --git a/template/v3/dirs/usr/local/bin/start-sagemaker-ui-jupyter-server b/template/v3/dirs/usr/local/bin/start-sagemaker-ui-jupyter-server index c9862bd07..9826e6f1b 100755 --- a/template/v3/dirs/usr/local/bin/start-sagemaker-ui-jupyter-server +++ b/template/v3/dirs/usr/local/bin/start-sagemaker-ui-jupyter-server 
@@ -3,7 +3,7 @@ set -e eval "$(micromamba shell hook --shell=bash)" -# Activate conda environment depending on if we are in Recovery or Standard mode. +# Activate conda environment depending on if we are in Recovery or Standard mode. if [ -n "$SAGEMAKER_RECOVERY_MODE" ]; then # Activate conda environment `sagemaker-recovery-mode` micromamba activate sagemaker-recovery-mode @@ -13,7 +13,7 @@ else # Disable jupyter-ai in favor of sagemaker_gen_ai_jupyterlab_extension jupyter labextension disable @jupyter-ai/core - + # Enable RTC to allow async Q file updates jupyter labextension enable @jupyter/docprovider-extension fi @@ -40,6 +40,10 @@ if [[ $(jupyter kernelspec list | grep glue_pyspark) ]]; then jupyter-kernelspec remove -f -y glue_pyspark fi +# Enable S3 Access Grant plugin by default +export BOTOCORE_EXPERIMENTAL__PLUGINS=S3AccessGrantsPlugin=aws_s3_access_grants_boto3_plugin.s3_access_grants_plugin +echo BOTOCORE_EXPERIMENTAL__PLUGINS=S3AccessGrantsPlugin=aws_s3_access_grants_boto3_plugin.s3_access_grants_plugin >> ~/.bashrc + if [ -n "$SAGEMAKER_RECOVERY_MODE" ]; then # Disabling collaboration and identity_provider_class flags for recovery mode jupyter lab --ip 0.0.0.0 --port 8888 \ @@ -47,12 +51,12 @@ if [ -n "$SAGEMAKER_RECOVERY_MODE" ]; then --ServerApp.token='' \ --ServerApp.allow_origin='*' \ --SchedulerApp.db_url='sqlite:////tmp/.jupyter_scheduler_do_not_delete.sqlite' -else +else jupyter lab --ip 0.0.0.0 --port 8888 \ --ServerApp.base_url="/$SAGEMAKER_APP_TYPE_LOWERCASE/default" \ --ServerApp.token='' \ --ServerApp.allow_origin='*' \ --SchedulerApp.db_url='sqlite:////tmp/.jupyter_scheduler_do_not_delete.sqlite' \ --collaborative \ - --ServerApp.identity_provider_class='sagemaker_jupyter_server_extension.identity.SageMakerIdentityProvider' -fi \ No newline at end of file + --ServerApp.identity_provider_class='sagemaker_jupyter_server_extension.identity.SageMakerIdentityProvider' +fi \ No newline at end of file