Add an instance profile to a model serving endpoint
This article demonstrates how to attach an instance profile to a model serving endpoint. Doing so lets the model access any AWS resources that the instance profile permits. Learn more about instance profiles.
Requirements
Add an instance profile to Databricks.
If you have an instance profile already configured for serverless SQL, be sure to change the access policies so that your models have the right access policy to your resources.
Add an instance profile during endpoint creation
When you create a model serving endpoint you can add an instance profile to the endpoint configuration.
Note
The endpoint creator’s permission to an instance profile is validated at endpoint creation time.
From the Serving UI, you can add an instance profile in Advanced configurations.
For programmatic workflows, use the instance_profile_arn field when you create an endpoint to add an instance profile.
POST /api/2.0/serving-endpoints
{
  "name": "feed-ads",
  "config": {
    "served_entities": [{
      "entity_name": "ads1",
      "entity_version": "1",
      "workload_size": "Small",
      "scale_to_zero_enabled": true,
      "instance_profile_arn": "arn:aws:iam::<aws-account-id>:instance-profile/<instance-profile-name-1>"
    }]
  }
}
Update an existing endpoint with an instance profile
You can also update an existing model serving endpoint configuration with an instance profile with the instance_profile_arn field.
PUT /api/2.0/serving-endpoints/{name}/config
{
  "served_entities": [{
    "entity_name": "ads1",
    "entity_version": "2",
    "workload_size": "Small",
    "scale_to_zero_enabled": true,
    "instance_profile_arn": "arn:aws:iam::<aws-account-id>:instance-profile/<instance-profile-name-2>"
  }]
}
Limitations
The following limitations apply:
STS temporary security credentials are used to authenticate data access. They can’t bypass any network restriction.
If customers edit the instance profile IAM role from the Settings of the Databricks UI, endpoints running with the instance profile continue to use the old IAM role until the endpoint updates.
If customers delete an instance profile from the Settings of the Databricks UI and that profile is used in running endpoints, the running endpoint is not impacted.
For general model serving endpoint limitations, see Model Serving limits and regions.
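Because a running endpoint keeps working after its instance profile is deleted from the Databricks settings, it is worth periodically checking which served entities still reference a profile that is no longer registered. The following is an added example, not part of the original article or Databricks code. It assumes you have already collected endpoint configurations shaped like the request bodies above and the set of instance profile ARNs currently registered in the workspace; the function name audit_endpoints and all sample values are constructed for illustration.

```python
import re

# IAM instance profile ARN: arn:<partition>:iam::<12-digit account>:instance-profile/<path/name>
ARN_RE = re.compile(r"^arn:aws[a-z-]*:iam::\d{12}:instance-profile/[\w+=,.@/-]+$")


def audit_endpoints(endpoint_configs, registered_arns):
    """Return sorted (endpoint, entity, finding) tuples for profiles that need review.

    endpoint_configs: {endpoint name: config dict shaped like the request bodies above}
    registered_arns:  instance profile ARNs currently registered in the workspace
    """
    findings = []
    for endpoint, config in endpoint_configs.items():
        for entity in config.get("served_entities", []):
            label = f'{entity.get("entity_name")}:{entity.get("entity_version")}'
            arn = entity.get("instance_profile_arn")
            if arn is None:
                continue  # no instance profile attached, nothing to check
            if not ARN_RE.match(arn):
                # e.g. an IAM role ARN pasted where an instance profile ARN belongs
                findings.append((endpoint, label, "malformed-arn"))
            elif arn not in registered_arns:
                # Deleted from settings, but the running endpoint is not impacted
                findings.append((endpoint, label, "profile-not-registered"))
    return sorted(findings)


# Constructed sample data (hypothetical account ID, endpoints and profile names).
ACCOUNT = "arn:aws:iam::111122223333"
SAMPLE_REGISTERED = {f"{ACCOUNT}:instance-profile/serving-read-features"}
SAMPLE_CONFIGS = {
    "feed-ads": {"served_entities": [
        {"entity_name": "ads1", "entity_version": "1",
         "instance_profile_arn": f"{ACCOUNT}:instance-profile/serving-read-features"},
        {"entity_name": "ads1", "entity_version": "2",
         "instance_profile_arn": f"{ACCOUNT}:instance-profile/retired-profile"},
    ]},
    "search-rank": {"served_entities": [
        {"entity_name": "rank", "entity_version": "3",
         "instance_profile_arn": f"{ACCOUNT}:role/serving"},
        {"entity_name": "rank", "entity_version": "4"},
    ]},
}

if __name__ == "__main__":
    for endpoint, entity, finding in audit_endpoints(SAMPLE_CONFIGS, SAMPLE_REGISTERED):
        print(endpoint, entity, finding)
```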
Additional resources
Look up features using the same instance profile that you added to the serving endpoint.