Machine Learning with the ACK SageMaker Controller

Train a machine learning model with the ACK service controller for Amazon SageMaker using Amazon Elastic Kubernetes Service

The SageMaker ACK service controller makes it easier for machine learning developers and data scientists who use Kubernetes as their control plane to train, tune, and deploy machine learning models in Amazon SageMaker without logging into the SageMaker console.

The following steps will guide you through the setup and use of the Amazon SageMaker ACK service controller for training a machine learning model.


Although it is not necessary to use Amazon Elastic Kubernetes Service (Amazon EKS) with ACK, this guide assumes that you have access to an Amazon EKS cluster. If this is your first time creating an Amazon EKS cluster, see Amazon EKS Setup. For automated cluster creation using eksctl, see Getting started with Amazon EKS - eksctl and create your cluster with Amazon EC2 Linux managed nodes.


This guide assumes that you have:

  • Created an EKS cluster with Kubernetes version 1.16 or higher.
  • AWS IAM permissions to create roles and attach policies to roles.
  • Installed the following tools on the client machine used to access your Kubernetes cluster:
    • AWS CLI - A command line tool for interacting with AWS services.
    • kubectl - A command line tool for working with Kubernetes clusters.
    • eksctl - A command line tool for working with EKS clusters.
    • yq - A command line tool for YAML processing. (For Linux environments, use the wget plain binary installation)
    • Helm 3.7+ - A tool for installing and managing Kubernetes applications.
    • curl - A command line tool for transmitting data with URLs.

Configure IAM permissions

Create an IAM role and attach an IAM policy to that role to ensure that your SageMaker service controller has access to the appropriate AWS resources. First, check to make sure that you are connected to an Amazon EKS cluster.

aws eks update-kubeconfig --name $CLUSTER_NAME --region $SERVICE_REGION
kubectl config get-contexts
# Ensure cluster has compute
kubectl get nodes

Before you can deploy your SageMaker service controller using an IAM role, associate an OpenID Connect (OIDC) provider with your IAM role to authenticate your cluster with the IAM service.

eksctl utils associate-iam-oidc-provider --cluster ${CLUSTER_NAME} \
--region ${SERVICE_REGION} --approve

Get the following OIDC information for future reference:

export AWS_ACCOUNT_ID=$(aws sts get-caller-identity --query "Account" --output text)
export OIDC_PROVIDER_URL=$(aws eks describe-cluster --name $CLUSTER_NAME --region $SERVICE_REGION \
--query "cluster.identity.oidc.issuer" --output text | cut -c9-)

In your working directory, create a file named trust.json using the following trust relationship code block:

printf '{
  "Version": "2012-10-17",
  "Statement": [
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::'$AWS_ACCOUNT_ID':oidc-provider/'$OIDC_PROVIDER_URL'"
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "'$OIDC_PROVIDER_URL':aud": "",
          "'$OIDC_PROVIDER_URL':sub": [
' > ./trust.json

Run the iam create-role command to create an IAM role with the trust relationship you just defined in trust.json. This IAM role enables the Amazon EKS cluster to get and refresh credentials from IAM.

export OIDC_ROLE_NAME=ack-controller-role-$CLUSTER_NAME
aws --region $SERVICE_REGION iam create-role --role-name $OIDC_ROLE_NAME --assume-role-policy-document file://trust.json

Attach the AmazonSageMakerFullAccess Policy to the IAM Role to ensure that your SageMaker service controller has access to the appropriate resources.

aws --region $SERVICE_REGION iam attach-role-policy --role-name $OIDC_ROLE_NAME --policy-arn arn:aws:iam::aws:policy/AmazonSageMakerFullAccess
export IAM_ROLE_ARN_FOR_IRSA=$(aws --region $SERVICE_REGION iam get-role --role-name $OIDC_ROLE_NAME --output text --query 'Role.Arn')

AmazonSageMakerFullAccess policy does not include permissions required to manage Domain, UserProfile or App resource. Create and attach the following Policy to the IAM Role to ensure that your SageMaker service controller has access to these resources.

printf '{
  "Version": "2012-10-17",
  "Statement": [
      "Sid": "SagemakerStudioAccess",
      "Effect": "Allow",
      "Action": [
      "Resource": [
' > ./sagemaker_studio_access.json
aws --region $SERVICE_REGION iam put-role-policy --role-name $OIDC_ROLE_NAME --policy-name SagemakerStudioAccess --policy-document file://sagemaker_studio_access.json

For more information on authorization and access for ACK service controllers, including details regarding recommended IAM policies, see Configure Permissions.

IAM role permissions for SageMaker resources
If you want to give more granular permissions, the full list of permissions required for each SageMaker resource can be found here : SageMaker API permissions

Install the SageMaker ACK service controller

Get the SageMaker Helm chart and make it available on the client machine with the following commands:

export SERVICE=sagemaker
export RELEASE_VERSION=$(curl -sL${SERVICE}-controller/releases/latest | jq -r '.tag_name | ltrimstr("v")')

if [[ -z "$RELEASE_VERSION" ]]; then

export CHART_EXPORT_PATH=/tmp/chart
export CHART_REF=$SERVICE-chart


helm pull oci://$CHART_REPO --version $RELEASE_VERSION -d $CHART_EXPORT_PATH

Update the Helm chart values for a cluster-scoped installation.

# Update the following values in the Helm chart
yq e '.aws.region = env(SERVICE_REGION)' -i values.yaml
yq e '.serviceAccount.annotations."" = env(IAM_ROLE_ARN_FOR_IRSA)' -i values.yaml
cd -

Install the relevant custom resource definitions (CRDs) for the SageMaker ACK service controller.

kubectl apply -f $CHART_EXPORT_PATH/$SERVICE-chart/crds

Create a namespace and install the SageMaker ACK service controller with the Helm chart.

export ACK_K8S_NAMESPACE=ack-system
helm install -n $ACK_K8S_NAMESPACE --create-namespace --skip-crds ack-$SERVICE-controller \

Verify that the CRDs and Helm charts were deployed with the following commands:

kubectl get crds | grep ""
kubectl get pods -n $ACK_K8S_NAMESPACE

Train an XGBoost model

Prepare your data

For training a model with SageMaker, we will need an S3 bucket to store the dataset and model training artifacts. For this example, we will use MNIST data stored in LIBSVM format.

First, create a variable for the S3 bucket:

export ACCOUNT_ID=$(aws sts get-caller-identity --query "Account" --output text)
export SAGEMAKER_BUCKET=ack-sagemaker-bucket-$ACCOUNT_ID

Then, create a file named with the following code block:

printf '
#!/usr/bin/env bash
# Create the S3 bucket
if [[ $SERVICE_REGION != "us-east-1" ]]; then
  aws s3api create-bucket --bucket "$SAGEMAKER_BUCKET" --region "$SERVICE_REGION" --create-bucket-configuration LocationConstraint="$SERVICE_REGION"
  aws s3api create-bucket --bucket "$SAGEMAKER_BUCKET" --region "$SERVICE_REGION"
fi' > ./

Run the script to create an S3 bucket.

chmod +x

Copy the MNIST data into your S3 bucket.


Configure permissions for your training job

The SageMaker training job that we execute will need an IAM role to access Amazon S3 and Amazon SageMaker. Run the following commands to create a SageMaker execution IAM role that will be used by SageMaker to access the appropriate AWS resources:

export SAGEMAKER_EXECUTION_ROLE_NAME=ack-sagemaker-execution-role-$ACCOUNT_ID

TRUST="{ \"Version\": \"2012-10-17\", \"Statement\": [ { \"Effect\": \"Allow\", \"Principal\": { \"Service\": \"\" }, \"Action\": \"sts:AssumeRole\" } ] }"
aws iam create-role --role-name ${SAGEMAKER_EXECUTION_ROLE_NAME} --assume-role-policy-document "$TRUST"
aws iam attach-role-policy --role-name ${SAGEMAKER_EXECUTION_ROLE_NAME} --policy-arn arn:aws:iam::aws:policy/AmazonSageMakerFullAccess
aws iam attach-role-policy --role-name ${SAGEMAKER_EXECUTION_ROLE_NAME} --policy-arn arn:aws:iam::aws:policy/AmazonS3FullAccess

SAGEMAKER_EXECUTION_ROLE_ARN=$(aws iam get-role --role-name ${SAGEMAKER_EXECUTION_ROLE_NAME} --output text --query 'Role.Arn')


Create a SageMaker training job

Give your SageMaker training job a unique name:

export JOB_NAME=ack-xgboost-training-job-$ACCOUNT_ID

Specify your region-specific XGBoost image URI:

Change XGBoost image URI based on region
IMPORTANT: If your SERVICE_REGION is not us-east-1, you must change the XGBOOST_IMAGE URI. To find your region-specific XGBoost image URI, choose your region in the SageMaker Docker Registry Paths page, and then select XGBoost (algorithm). For this example, use version 1.2-1.

Next, create a training.yaml file to specify the parameters for your SageMaker training job. This file specifies your SageMaker training job name, any relevant hyperparameters, and the location of your training and validation data. You can also use this document to specify which Amazon Elastic Container Registry (ECR) image to use for training.

printf '
kind: TrainingJob
  name: '$JOB_NAME'
  # Name that will appear in the SageMaker console
  trainingJobName: '$JOB_NAME'
    max_depth: "5"
    gamma: "4"
    eta: "0.2"
    min_child_weight: "6"
    objective: "multi:softmax"
    num_class: "10"
    num_round: "10"
    # The URL and tag of your ECR container
    trainingImage: '$XGBOOST_IMAGE'
    trainingInputMode: File
  # A role with SageMaker and S3 access
    # The output path of your model
    s3OutputPath: s3://'$SAGEMAKER_BUCKET' 
    instanceCount: 1
    instanceType: ml.m4.xlarge
    volumeSizeInGB: 5
    maxRuntimeInSeconds: 86400
    - channelName: train
          s3DataType: S3Prefix
          # The input path of your train data 
          s3URI: s3://'$SAGEMAKER_BUCKET'/sagemaker/xgboost/train
          s3DataDistributionType: FullyReplicated
      contentType: text/libsvm
      compressionType: None
    - channelName: validation
          s3DataType: S3Prefix
          # The input path of your validation data 
          s3URI: s3://'$SAGEMAKER_BUCKET'/sagemaker/xgboost/validation
          s3DataDistributionType: FullyReplicated
      contentType: text/libsvm
      compressionType: None
' > ./training.yaml

Use your training.yaml file to create a SageMaker training job:

kubectl apply -f training.yaml

After applying your training.yaml file, you should see that your training job was successfully created: created

You can watch the status of the training job with the following command:

kubectl get trainingjob.sagemaker --watch

It will a take a few minutes for TRAININGJOBSTATUS to be Completed.

ack-xgboost-training-job-7420   Starting          InProgress
ack-xgboost-training-job-7420   Downloading       InProgress
ack-xgboost-training-job-7420   Training          InProgress
ack-xgboost-training-job-7420   Completed         Completed

To see details about your training job, run the following command:

kubectl describe trainingjobs $JOB_NAME

If your training job completed successfully, you can find the model location under status.modelArtifacts.s3ModelArtifacts. If your training job failed, look to the status.failureReason for more information.

Next steps

For more examples on how to use the SageMaker ACK service controller, see the SageMaker controller samples repository.

To deploy your trained SageMaker model and scale it with the Application Auto Scaling ACK service controller, see Scale SageMaker Workloads with Application Auto Scaling.


You can delete your SageMaker training job with the kubectl delete command.

kubectl delete trainingjob $JOB_NAME

To remove the SageMaker ACK service controller, related CRDs, and namespaces see ACK Cleanup.

It is recommended to delete any additional resources such as S3 buckets, IAM roles, and IAM policies when you no longer need them. You can delete these resources with the following commands or directly in the AWS console.

# Delete S3 bucket
aws s3 rb s3://$SAGEMAKER_BUCKET --force

# Delete SageMaker execution role
aws iam detach-role-policy --role-name $SAGEMAKER_EXECUTION_ROLE_NAME --policy-arn arn:aws:iam::aws:policy/AmazonSageMakerFullAccess
aws iam detach-role-policy --role-name $SAGEMAKER_EXECUTION_ROLE_NAME --policy-arn arn:aws:iam::aws:policy/AmazonS3FullAccess
aws iam delete-role --role-name $SAGEMAKER_EXECUTION_ROLE_NAME

# Delete IAM role created for IRSA
aws iam detach-role-policy --role-name $OIDC_ROLE_NAME --policy-arn arn:aws:iam::aws:policy/AmazonSageMakerFullAccess
aws iam delete-role --role-name $OIDC_ROLE_NAME

To delete your EKS clusters, see Amazon EKS - Deleting a cluster.

Edit this page on GitHub