This tutorial guides you on how to use the Amazon SageMaker Orb to orchestrate model deployment to endpoints across different environments. It also shows how to use the CircleCI platform to monitor and manage promotions and rollbacks. It will use an example project repository to walk you through every step, from training a new model package version to deploying your model across multiple environments.

Setting up a release integration token

First you’ll want to set up a Release Integration token, so you can leverage the CircleCI UI to monitor your releases. (Please note that you must be an org admin to do this.) Navigate to the Releases section. Select Add Release Environment.

2023-11-27-blank-releases

Select Amazon SageMaker as your environment, add a name, and click Create Environment.

2023-11-27-modal-create-new-environment

Select your environment:

2023-11-27-release-env

And click Create New Token.

2023-11-27-release-create-key

Make sure to save this token for later – we’ll pop it into an environment variable.

Setting up Amazon SageMaker access

OIDC — identity provider

The Amazon SageMaker Orb uses OIDC. If you are not familiar with setting that up, no worries! Let’s walk through it.

Skip this section if you already have this set up.

First we create an IAM > Identity Provider in your AWS IAM for CircleCI OIDC Provider.

To do that, you will need your CircleCI organization ID. Go to your Organization Settings in CCI and copy your organization ID.

Organization Settings page in CircleCI

Now go to your AWS Management Console. Go to IAM > Access management > Identity providers. Select Add Provider.

2023-11-27-oidc-identity-providers

Enter your provider URL and audience:

  • Provider URL: Enter https://oidc.circleci.com/org/<your-organization-id>, where your-organization-id is the ID of your CircleCI organization.

  • Audience: Enter your organization ID.

2023-11-27-oidc-add-identity-provider

Click Get Thumbprint then Add Provider.

If you are interested in more details around our OIDC functionality, see the guide on Using OIDC tokens in jobs for a deeper dive.

Next, let’s tackle making a role.

Role

You will need an IAM > Role with the following permissions policy.

Note: We have organized the permissions into two groups:

  • The OrbPermissions and S3Access statements are used for the deployment of the model to the endpoints.
  • The S3AccessTrainModel and SageMakerTrainModel statements are needed if you want to train the demo model we provide.

Update the S3 bucket information to match your setup. (That means create a bucket if one doesn’t exist!)

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "OrbPermissions",
            "Effect": "Allow",
            "Action": [
                "sagemaker:AddTags",
                "sagemaker:CreateEndpointConfig",
                "sagemaker:CreateModel",
                "sagemaker:DescribeEndpoint",
	 	        "sagemaker:DescribeEndpointConfig",
                "sagemaker:ListEndpoints",
                "sagemaker:ListModelPackages",
                "sagemaker:ListTags",
                "sagemaker:UpdateEndpoint",
                "iam:PassRole"
            ],
            "Resource": "*"
        },
        {
            "Sid": "S3Access",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::<BUCKET_FOR_MODEL_ASSETS>/*"
            ]
        },
        {
            "Sid": "S3AccessTrainModel",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:ListBucket",
                "s3:PutObject"
            ],
            "Resource": [
                "arn:aws:s3:::sagemaker-sample-files/*",
                "arn:aws:s3:::circleci-sagemaker-pipeline",
                "arn:aws:s3:::circleci-sagemaker-pipeline/*"
            ]
        },
        {
            "Sid": "SageMakerTrainModel",
            "Effect": "Allow",
            "Action": [
                "sagemaker:CreateTrainingJob",
                "sagemaker:DescribeTrainingJob",
                "logs:DescribeLogStreams",
                "sagemaker:ListModelPackageGroups",
                "sagemaker:CreateModelPackage",
                "sagemaker:UpdateModelPackage"
            ],
            "Resource": "*"
        }
    ]
}

Then set up the trust relationship between the role and the CircleCI OIDC provider. Here is an example policy:

{
	"Version": "2012-10-17",
	"Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "arn:aws:iam::<AWS-ACCOUNT-ID>:oidc-provider/oidc.circleci.com/org/<CIRCLECI-ORG-ID>"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringLike": {
                    "oidc.circleci.com/org/<CIRCLECI-ORG-ID>:sub": "org/<CIRCLECI-ORG-ID>/project/<CIRCLECI-PROJECT-ID>/user/*"
                }
            }
        },
        {
			"Effect": "Allow",
			"Principal": {
				"Service": "sagemaker.amazonaws.com"
			},
			"Action": "sts:AssumeRole"
		}

    ]
}

Note: You must replace the placeholders <CIRCLECI-ORG-ID> and <CIRCLECI-PROJECT-ID> with your proper info.

Go copy the role ARN.

Arrow pointing to copy button for ARN

We’ll need that next.

Adding environment variables

There are some required environment variables for the orb to function. (Which is exactly what we want, so let’s go add them.)

Go to your project’s settings, click Environment Variables, then click Add Variable to enter a name and value of the new environment variable. The orb will use these when you run the workflow. For more information, check out the Guide on setting environment variables in CircleCI.

2023-11-27-env-vars

Let’s look at the two environment variables added above:

  • CCI_RELEASE_INTEGRATION_TOKEN: The orb also works with CircleCI Releases. This will give you visibility into the endpoint configuration updates, and what is currently active.

  • SAGEMAKER_EXECUTION_ROLE_ARN: This is the role you have configured with the necessary SageMaker permissions and has the OIDC trust relationship set up.

Setting up our config.yml

Now we go look at our .circleci/config.yml and set some parameters. You will update the defaults for each parameter.

parameters:
  bucket:
    type: string
    default: <BUCKET_FOR_MODEL_ASSETS> # You set this up in the Role Policy
  model_desc:
    type: string
    default: "<Description about your Model.>"
  model_name:
    type: string
    default: <MODEL_NAME> # This is the name of the model, model package.
  project_id:
    type: string
    default: "<CIRCLECI_PROJECT_ID>" #found on the Project Settings page in CCI
  region_name:
    type: string
    default: <REGION> #eg: us-east-1

Selecting models

For this tutorial, we’ve taken a model commonly found in AWS documentation, Abalone, and renamed it.

If you already have your own model, feel free to adapt the configuration file to use that one instead. Update the model_name parameter and you should be good to go.

If you don’t have your own model, you too can use the example model used in this tutorial. Assuming you are using our example repo, we have a workflow configured to run on the branch model-train. So checkout that branch, push it up to git, and this workflow will make a new model package version in the model registry. If the model package doesn’t already exist, it will create it.

Every time you run this workflow, it will create a new model version.

Using the orb

Let’s break down the deploy-model-through-to-prod workflow. Our first job is:

- aws-sagemaker/create_model:
    # job name that will show in Workflow DAG
    name: create-model
    # s3 bucket where asset will be stored
    bucket: << pipeline.parameters.bucket >>
    # Name of the model in SageMaker that we will be deploying.
    model_name: << pipeline.parameters.model_name >>
    # We use the pipeline.id as the unique identifier for some of the configs we create
    circle_pipeline_id: << pipeline.id >>
    # Region where we are deploying to
    region_name: << pipeline.parameters.region_name >>
    filters: *main-branch-only

This step creates a model from your latest Model Package in the registry. This will be what we then deploy to the inference endpoints.

Some things to notice: Aside from name and filters, all other parameters are passed in from our pipeline parameters.

2023-11-27-dag-pt1

name controls the name of this job on the DAG. filters allows you to control what branch the job runs on.

In general, create-model just needs to be called one time at the beginning of your workflow.

Next, we have to create the endpoint configuration. Lucky us! We have a command for that too.

- aws-sagemaker/create_endpoint_configuration:
    name: dev:create-model-endpoint-config
    bucket: << pipeline.parameters.bucket >>
    deploy_environment: dev
    model_name: << pipeline.parameters.model_name >>
    circle_pipeline_id: << pipeline.id >>
    circle_project_id: << pipeline.parameters.project_id >>
    region_name: << pipeline.parameters.region_name >>
    requires:
        - create-model
    filters: *main-branch-only

Aha! A new parameter enters the battle — deploy_environment. This is basically an arbitrary string you can use to bucket your model releases into, for example dev, staging, testing, prod. In our example config, you can see we are only using two: dev and prod.

Last but not least, we need to push out this updated configuration.

    - aws-sagemaker/deploy_endpoint:
        name: dev:deploy-model-to-endpoint
        bucket: << pipeline.parameters.bucket >>
        deploy_environment: dev
        model_name: << pipeline.parameters.model_name >>
        # Description for the model. q: can we make it optional?
        model_desc: << pipeline.parameters.model_desc >>
        pipeline_id: << pipeline.id >>
        # You can find this value in the Project Settings in CircleCI
        project_id: << pipeline.parameters.project_id >>
        region_name: << pipeline.parameters.region_name >>
        requires:
            - dev:create-model-endpoint-config
        filters: *main-branch-only

No surprises here, we have an aws-sagemaker/deploy_endpoint job in the orb. The only thing to set here is also the deploy_environment so we know what endpoint_configuration to use. This will deploy your endpoint configuration.

We then throw in an approval job, which will stop our workflow from deploying to production without a human approving it.

- promote-model-to-prod-endpoint:
        type: approval
    requires:
        - dev:deploy-model-to-endpoint
    filters: *main-branch-only

2023-11-27-job-approval-rating

At which point, we then repeat the above steps of aws-sagemaker/create_endpoint_configuration and aws-sagemaker/deploy_endpoint but with deploy_environment set to prod.

Checking in on your model release

The CircleCI Releases page offers you a single pane of glass to monitor all your deployments across environments. You can view deployment progress in real time, see what versions are currently deployed, and navigate easily to the SageMaker console.

If you navigate to the Releases section, you should now see something along the lines of the below images.

2023-11-27-releases

Click on the component name, and it will fetch some details about the component, including the number of instances deployed. From this interface, you can easily navigate to SageMaker for more live information on your endpoint.

2023-11-27-component-view

If you select the Version, you will see the details page about this version being released.

Clicking on the specific versions lets you monitor in real time the release progress.

2023-11-27-wait-for-availability

Coming soon: One-click model rollbacks

One-click rollback from the CircleCI platform is going to become available very soon.

2023-11-27-rollback-example

This feature will let you revert to a previous version of your model simply by clicking a button in the Releases page. For more information and to sign up for the beta release, click the link below.

Support

Stuck? Need help? Visit our forums, contact us directly at sagemaker-integration-feedback@circleci.com, or come visit on Discord.

To get updates on CircleCI’s AI roadmap and early access to new features that accelerate your AI and ML projects, sign up for the waitlist.