Add an instance profile to a model serving endpoint

This article demonstrates how to attach an instance profile to a model serving endpoint. Doing so allows customers to access any AWS resources from the model permissible by the instance profile. Learn more about instance profiles.

Requirements

• Create an instance profile.

• Add an instance profile to Databricks.

  • If you have an instance profile already configured for serverless SQL, be sure to change the access policies so that your models have the right access policy to your resources.

Add an instance profile during endpoint creation

When you create a model serving endpoint you can add an instance profile to the endpoint configuration.

Note

The endpoint creator’s permission to an instance profile is validated at endpoint creation time.

• From the Serving UI, you can add an instance profile in Advanced configurations:

  

• For programmatic workflows, use the instance_profile_arn field when you create an endpoint to add an instance profile.

  POST /api/2.0/serving-endpoints
  
  {
    "name": "feed-ads",
    "config":{
    "served_entities": [{
      "entity_name": "ads1",
      "entity_version": "1",
      "workload_size": "Small",
      "scale_to_zero_enabled": true,
      "instance_profile_arn": "arn:aws:iam::<aws-account-id>:instance-profile/<instance-profile-name-1>"
      }]
    }
  }
  

Update an existing endpoint with an instance profile

You can also update an existing model serving endpoint configuration with an instance profile with the instance_profile_arn field.

PUT /api/2.0/serving-endpoints/{name}/config

{
  "served_entities": [{
    "entity_name": "ads1",
    "entity_version": "2",
    "workload_size": "Small",
    "scale_to_zero_enabled": true,
    "instance_profile_arn": "arn:aws:iam::<aws-account-id>:instance-profile/<instance-profile-name-2>"
  }]
}

Limitations

The following limitations apply:

• STS temporary security credentials are used to authenticate data access. It can’t bypass any network restriction.

• If customers edit the instance profile IAM role from the Settings of the Databricks UI, endpoints running with the instance profile continue to use the old IAM role until the endpoint updates.

• If customers delete an instance profile from the Settings of the Databricks UI and that profile is used in running endpoints, the running endpoint is not impacted.

For general model serving endpoint limitations, see Model Serving limits and regions.

Additional resources

• Look up features using the same instance profile that you added to the serving endpoint.

• Configure access to resources from model serving endpoints.