Add an instance profile to a model serving endpoint
Preview
This feature is in Public Preview.
This article demonstrates how to attach an instance profile to a model serving endpoint. Doing so allows the model to access any AWS resources that the instance profile permits. Learn more about instance profiles.
Requirements
Instance profiles on model serving endpoints are in Public Preview. To enroll your workspace in the Public Preview, reach out to your Databricks representative or submit the instance profile preview enrollment form.
This functionality is only available using the serving endpoints API. If an endpoint is updated through the Serving endpoints UI, all instance profiles are purged.
Add an instance profile to Databricks.
If you have an instance profile already configured for serverless SQL, be sure to change the access policies so that your models have the right access policy to your resources.
Add an instance profile during endpoint creation
When you create a model serving endpoint, you can add an instance profile to the endpoint configuration with the instance_profile_arn field.
Note
The endpoint creator’s permission to an instance profile is validated at endpoint creation time.
POST /api/2.0/serving-endpoints
{
  "name": "feed-ads",
  "config": {
    "served_models": [{
      "model_name": "ads1",
      "model_version": "1",
      "workload_size": "Small",
      "scale_to_zero_enabled": true,
      "instance_profile_arn": "arn:aws:iam::<aws-account-id>:instance-profile/<instance-profile-name-1>"
    }]
  }
}
Update an existing endpoint with an instance profile
You can also update an existing model serving endpoint configuration with an instance profile by using the instance_profile_arn field.
PUT /api/2.0/serving-endpoints/{name}/config
{
  "served_models": [{
    "model_name": "ads1",
    "model_version": "2",
    "workload_size": "Small",
    "scale_to_zero_enabled": true,
    "instance_profile_arn": "arn:aws:iam::<aws-account-id>:instance-profile/<instance-profile-name-2>"
  }]
}
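Because an update made through the Serving endpoints UI purges all instance profiles, it helps to audit an endpoint configuration for served models that have lost the instance_profile_arn field or that reference a profile outside an approved set. The following is an added example, not Databricks code: it assumes the configuration being checked has the same served_models shape as the request bodies above, and audit_served_models, APPROVED, and the sample account ID and profile names are hypothetical.

```python
import re

# Instance profile ARN shape:
# arn:<partition>:iam::<12-digit account>:instance-profile/<optional path/><name>
ARN_RE = re.compile(
    r"^arn:(aws|aws-cn|aws-us-gov):iam::(\d{12}):instance-profile/([\w+=,.@/-]+)$"
)


def audit_served_models(config, allowed_arns):
    """Return a list of (model_name, problem) tuples for one endpoint config.

    `config` is a dict with a "served_models" list, shaped like the request
    bodies on this page. `allowed_arns` is the set of instance profile ARNs
    approved for serving (a hypothetical allowlist).
    """
    findings = []
    for model in config.get("served_models", []):
        name = model.get("model_name", "<unnamed>")
        arn = model.get("instance_profile_arn")
        if not arn:
            # Field absent or empty, e.g. purged by an update made in the UI.
            findings.append((name, "missing instance_profile_arn"))
        elif not ARN_RE.match(arn):
            findings.append((name, "malformed instance profile ARN"))
        elif arn not in allowed_arns:
            findings.append((name, "instance profile not in allowlist"))
    return findings


# Constructed sample data: the account ID and profile names are made up.
APPROVED = {"arn:aws:iam::123456789012:instance-profile/serving-read-only"}
SAMPLE_CONFIG = {
    "served_models": [
        {"model_name": "ads1", "model_version": "1",
         "instance_profile_arn": "arn:aws:iam::123456789012:instance-profile/serving-read-only"},
        {"model_name": "ads2", "model_version": "3"},
        {"model_name": "ads3", "model_version": "1",
         "instance_profile_arn": "arn:aws:iam::123456789012:instance-profile/admin-full"},
        {"model_name": "ads4", "model_version": "1",
         "instance_profile_arn": "arn:aws:iam::123456789012:role/serving-read-only"},
    ]
}

if __name__ == "__main__":
    for model_name, problem in audit_served_models(SAMPLE_CONFIG, APPROVED):
        print(f"{model_name}: {problem}")
```
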
Limitations
The following limitations apply during the Public Preview:
Instance profile additions are only supported for CPU workloads.
STS temporary security credentials are used to authenticate data access. These credentials can’t bypass any network restriction.
If customers edit the instance profile IAM role from the Admin settings of the Databricks UI, endpoints running with the instance profile continue to use the old IAM role until the endpoint updates.
If customers delete an instance profile from the Admin settings of the Databricks UI and that profile is used in running endpoints, the running endpoint is not impacted.
Additional resources
Look up features using the same instance profile that you added to the serving endpoint.