Feature store lakeformation by BassemHalim · Pull Request #5599 · aws/sagemaker-python-sdk

BassemHalim · 2026-03-04T21:23:46Z

Description

This PR adds Lake Formation integration to SageMaker Feature Store, enabling customers to govern access to their offline store data through AWS Lake Formation instead of relying solely on IAM policies.

This simplifies the manual process described in this blog
https://aws.amazon.com/blogs/machine-learning/control-access-to-amazon-sagemaker-feature-store-offline-using-aws-lake-formation/

New Features

LakeFormationConfig — declarative configuration for Lake Formation governance:

class LakeFormationConfig(Base):                                                                                                       
    enabled: bool = False                                                                                                              
    use_service_linked_role: bool = True                                                                                               
    registration_role_arn: Optional[str] = None                                                                                        
    disable_hybrid_access_mode: bool          # Required — no default                                                                  
    acknowledge_risk: Optional[bool] = None   # None=interactive prompt, True=skip, False=abort

FeatureGroupManager.create() — added lake_formation_config parameter

Enables Lake Formation governance at Feature Group creation time
Automatically waits for Feature Group to reach "Created" status before configuring Lake Formation

FeatureGroupManager.enable_lake_formation() — new method

Enables Lake Formation on existing Feature Groups
Three-phase setup:
1. Registers S3 location with Lake Formation
2. Grants permissions to the execution role on the Glue table
3. Optionally revokes IAMAllowedPrincipal permissions from the Glue table (controlled by disable_hybrid_access_mode)
Fail-fast behavior with clear error reporting at each phase
Interactive confirmation prompts warn users about risks (controllable via acknowledge_risk)
Logs recommended S3 deny policy as a warning

Usage

Enable at creation:

  from sagemaker.mlops.feature_store import FeatureGroupManager, LakeFormationConfig                                                     
                                                                                                                                         
  lf_config = LakeFormationConfig(                                                                                                       
      enabled=True,                                                                                                                      
      disable_hybrid_access_mode=True,                                                                                                   
      acknowledge_risk=True,  # skip interactive prompt                                                                                  
  )                                                                                                                                      
                                                                                                                                         
  fg = FeatureGroupManager.create(                                                                                                       
      feature_group_name="my-feature-group",                                                                                             
      # ... other params ...                                                                                                             
      lake_formation_config=lf_config,                                                                                                   
  )                                                                                                                                      
                                                                                                                                         
  #Enable on existing Feature Group:                                                                                                      
                                                                                                                                         
  fg = FeatureGroupManager.get("my-feature-group")                                                                                       
  result = fg.enable_lake_formation(                                                                                                     
      disable_hybrid_access_mode=True,                                                                                                   
      acknowledge_risk=True,                                                                                                             
  )

Testing

Unit tests: comprehensive coverage of all new methods, validation logic, and acknowledge_risk behavior
Integration tests: end-to-end tests for both creation workflows and negative scenarios

Notes

S3 deny policy is logged as a recommendation (not applied automatically) to avoid breaking existing workflows
disable_hybrid_access_mode is a required field with no default — users must explicitly choose whether to revoke IAMAllowedPrincipal permissions
acknowledge_risk controls interactive confirmation: None (default) prompts via input(), True skips the prompt, False aborts with RuntimeError

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

nargokul

Please fix integ tests

sagemaker-mlops/src/sagemaker/mlops/feature_store/feature_group.py

sagemaker-mlops/src/sagemaker/mlops/feature_store/feature_group_manager.py

Remove _lf_client_cache and _s3_client_cache instance caches from _get_lake_formation_client and _get_s3_client. Each call now creates a fresh boto3 client directly. Remove corresponding cache-specific unit tests (cache reuse and different-region tests). --- X-AI-Prompt: remove client caching for lf and s3 in feature_group_manager and update tests X-AI-Tool: kiro-cli

… notebooks/tests

Add acknowledge_risk: Optional[bool] = None to enable_lake_formation() and LakeFormationConfig. None triggers interactive input() prompt, True proceeds without prompting, False aborts with RuntimeError. Removes all builtins.input mocking from unit and integration tests. Tests now pass acknowledge_risk=True or False directly. Removes one duplicate test that became identical after the refactor. --- X-AI-Prompt: add y/n confirmation for disable_hybrid_access_mode=True, then refactor to use acknowledge_risk param instead of input() X-AI-Tool: kiro-cli

- Use assumed role session for lf_client, glue_client, and athena_client instead of default boto3 session - Move client initialization to setup/configuration cell - Add session=boto_session to get_record in Example 2 - Fix print statements: "execution role" -> "offline store role" - Remove unused get_execution_role import - Remove misleading LakeFormationDataLakeAdmin comment - Fix typo: "Exectution" -> "Execution" - Fix PascalCase variables to snake_case - Fix "lakeformation" -> "Lake Formation" in markdown - Fix bold markdown formatting - Add missing space in ARN print - Remove duplicate boto3 and time imports - Scope cleanup IAM policy to lf-demo-* resources - Fix cleanup variable to use correct reference - Remove empty trailing markdown cell

mollyheamazon · 2026-04-10T19:26:51Z

sagemaker-mlops/src/sagemaker/mlops/feature_store/feature_group_manager.py

+                    "Hybrid access mode is not disabled. IAM-based access to the Glue table will "
+                    "still be allowed. Do you want to proceed without revoking IAMAllowedPrincipal "
+                    "permissions? (y/n): "
+                ).strip().lower() == "y"


input() is not safe for non-interactive environments (CI, pipelines, SageMaker jobs).
Please require acknowledge_risk to be explicitly set to True or False and remove the None interactive path.

mollyheamazon · 2026-04-10T19:27:03Z

sagemaker-mlops/src/sagemaker/mlops/feature_store/feature_group_manager.py

+                proceed = input(
+                    "This will revoke IAMAllowedPrincipal permissions and may break existing jobs "
+                    "that rely on IAM-based access. Do you want to proceed? (y/n): "
+                ).strip().lower() == "y"


Same comment as above:
input() is not safe for non-interactive environments (CI, pipelines, SageMaker jobs).
Please require acknowledge_risk to be explicitly set to True or False and remove the None interactive path.

BassemHalim temporarily deployed to auto-approve March 4, 2026 21:24 — with GitHub Actions Inactive

BassemHalim temporarily deployed to auto-approve March 5, 2026 17:27 — with GitHub Actions Inactive

nargokul reviewed Mar 10, 2026

View reviewed changes

sagemaker-mlops/src/sagemaker/mlops/feature_store/feature_group.py Outdated Show resolved Hide resolved

sagemaker-mlops/src/sagemaker/mlops/feature_store/feature_group_manager.py Show resolved Hide resolved

BassemHalim temporarily deployed to auto-approve March 11, 2026 00:09 — with GitHub Actions Inactive

BassemHalim temporarily deployed to auto-approve March 11, 2026 21:56 — with GitHub Actions Inactive

BassemHalim temporarily deployed to auto-approve March 16, 2026 22:39 — with GitHub Actions Inactive

BassemHalim temporarily deployed to auto-approve March 18, 2026 20:24 — with GitHub Actions Inactive

BassemHalim temporarily deployed to auto-approve March 19, 2026 20:14 — with GitHub Actions Inactive

BassemHalim temporarily deployed to auto-approve March 19, 2026 20:15 — with GitHub Actions Inactive

BassemHalim temporarily deployed to auto-approve March 20, 2026 00:18 — with GitHub Actions Inactive

BassemHalim temporarily deployed to auto-approve March 21, 2026 00:41 — with GitHub Actions Inactive

alexyoung13 mentioned this pull request Mar 26, 2026

Feature Store Iceberg Properties #5685

Open

BassemHalim temporarily deployed to auto-approve April 8, 2026 20:13 — with GitHub Actions Inactive

BassemHalim temporarily deployed to auto-approve April 9, 2026 00:02 — with GitHub Actions Inactive

BassemHalim force-pushed the feature-store-lakeformation branch from 6f00f8a to 3baff6c Compare April 9, 2026 00:27

BassemHalim temporarily deployed to auto-approve April 9, 2026 00:28 — with GitHub Actions Inactive

BassemHalim force-pushed the feature-store-lakeformation branch from 3baff6c to e706a5c Compare April 9, 2026 01:12

BassemHalim temporarily deployed to auto-approve April 9, 2026 01:12 — with GitHub Actions Inactive

BassemHalim temporarily deployed to auto-approve April 9, 2026 19:31 — with GitHub Actions Inactive

BassemHalim temporarily deployed to auto-approve April 9, 2026 22:36 — with GitHub Actions Inactive

feat: Add Feature Store Support to V3

2e4560f

BassemHalim added 5 commits April 9, 2026 15:43

SNAPSHOT [cloudtrail approach]

c3314f2

Refactor: make disable_hybrid_access_mode a required field and update…

0d9a028

… notebooks/tests

(docs): add cross account feature group example notebook

6159b6a

BassemHalim force-pushed the feature-store-lakeformation branch from 952fab7 to d926cbb Compare April 9, 2026 22:51

BassemHalim temporarily deployed to auto-approve April 9, 2026 22:51 — with GitHub Actions Inactive

BassemHalim temporarily deployed to auto-approve April 9, 2026 23:04 — with GitHub Actions Inactive

BassemHalim force-pushed the feature-store-lakeformation branch from 4ae73ab to 7f6e22b Compare April 9, 2026 23:06

BassemHalim temporarily deployed to auto-approve April 9, 2026 23:06 — with GitHub Actions Inactive

BassemHalim force-pushed the feature-store-lakeformation branch from 7f6e22b to d9f3e55 Compare April 9, 2026 23:06

BassemHalim temporarily deployed to auto-approve April 9, 2026 23:06 — with GitHub Actions Inactive

BassemHalim temporarily deployed to auto-approve April 9, 2026 23:07 — with GitHub Actions Inactive

BassemHalim added 3 commits April 9, 2026 16:18

remove duplicate Feature Store from docs template

c67f31e

rebase fixes

d12f036

BassemHalim force-pushed the feature-store-lakeformation branch from d9f3e55 to d12f036 Compare April 9, 2026 23:18

BassemHalim temporarily deployed to auto-approve April 9, 2026 23:18 — with GitHub Actions Inactive

BassemHalim temporarily deployed to auto-approve April 9, 2026 23:19 — with GitHub Actions Inactive

BassemHalim marked this pull request as ready for review April 10, 2026 00:39

refactor lakeformation notebook

11eecff

BassemHalim temporarily deployed to auto-approve April 10, 2026 16:29 — with GitHub Actions Inactive

nargokul approved these changes Apr 10, 2026

View reviewed changes

BassemHalim self-assigned this Apr 10, 2026

BassemHalim added the component: feature store Relates to the SageMaker Feature Store Platform label Apr 10, 2026

mollyheamazon approved these changes Apr 10, 2026

View reviewed changes

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Feature store lakeformation#5599

Feature store lakeformation#5599
BassemHalim wants to merge 27 commits intoaws:masterfrom
BassemHalim:feature-store-lakeformation

BassemHalim commented Mar 4, 2026 •

edited

Loading

Uh oh!

nargokul left a comment

Uh oh!

Uh oh!

Uh oh!

mollyheamazon Apr 10, 2026

Uh oh!

mollyheamazon Apr 10, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

5 participants

Conversation

BassemHalim commented Mar 4, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Description

New Features

Uh oh!

nargokul left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

mollyheamazon Apr 10, 2026

Choose a reason for hiding this comment

Uh oh!

mollyheamazon Apr 10, 2026

Choose a reason for hiding this comment

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

5 participants

BassemHalim commented Mar 4, 2026 •

edited

Loading