Feature store lakeformation by BassemHalim · Pull Request #5599 · aws/sagemaker-python-sdk

BassemHalim · 2026-03-04T21:23:46Z

Description

This PR adds Lake Formation integration to SageMaker Feature Store, enabling customers to govern access to their offline store data through AWS Lake Formation instead of relying solely on IAM policies.

This simplifies the manual process described in this blog
https://aws.amazon.com/blogs/machine-learning/control-access-to-amazon-sagemaker-feature-store-offline-using-aws-lake-formation/

New Features

LakeFormationConfig — declarative configuration for Lake Formation governance:

class LakeFormationConfig(Base):                                                                                                       
    enabled: bool = False                                                                                                              
    use_service_linked_role: bool = True                                                                                               
    registration_role_arn: Optional[str] = None                                                                                        
    disable_hybrid_access_mode: bool          # Required — no default                                                                  
    acknowledge_risk: bool                    # Required — no default

FeatureGroupManager.create() — added lake_formation_config parameter

Enables Lake Formation governance at Feature Group creation time
Automatically waits for Feature Group to reach "Created" status before configuring Lake Formation

FeatureGroupManager.enable_lake_formation() — new method

Enables Lake Formation on existing Feature Groups
Three-phase setup:
1. Registers S3 location with Lake Formation
2. Grants permissions to the execution role on the Glue table
3. Optionally revokes IAMAllowedPrincipal permissions from the Glue table (controlled by disable_hybrid_access_mode)
Fail-fast behavior with clear error reporting at each phase
Interactive confirmation prompts warn users about risks (controllable via acknowledge_risk)
Logs recommended S3 deny policy as a warning

Usage

Enable at creation:

  from sagemaker.mlops.feature_store import FeatureGroupManager, LakeFormationConfig                                                     
                                                                                                                                         
  lf_config = LakeFormationConfig(                                                                                                       
      enabled=True,                                                                                                                      
      disable_hybrid_access_mode=True,                                                                                                   
      acknowledge_risk=True,  # skip interactive prompt                                                                                  
  )                                                                                                                                      
                                                                                                                                         
  fg = FeatureGroupManager.create(                                                                                                       
      feature_group_name="my-feature-group",                                                                                             
      # ... other params ...                                                                                                             
      lake_formation_config=lf_config,                                                                                                   
  )                                                                                                                                      
                                                                                                                                         
  #Enable on existing Feature Group:                                                                                                      
                                                                                                                                         
  fg = FeatureGroupManager.get("my-feature-group")                                                                                       
  result = fg.enable_lake_formation(                                                                                                     
      disable_hybrid_access_mode=True,                                                                                                   
      acknowledge_risk=True,                                                                                                             
  )

Testing

Unit tests: comprehensive coverage of all new methods, validation logic, and acknowledge_risk behavior
Integration tests: end-to-end tests for both creation workflows and negative scenarios

Notes

S3 deny policy is logged as a recommendation (not applied automatically) to avoid breaking existing workflows
disable_hybrid_access_mode is a required field with no default — users must explicitly choose whether to revoke IAMAllowedPrincipal permissions
acknowledge_risk controls interactive confirmation: None (default) prompts via input(), True skips the prompt, False aborts with RuntimeError

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

nargokul

Please fix integ tests

sagemaker-mlops/src/sagemaker/mlops/feature_store/feature_group.py

sagemaker-mlops/src/sagemaker/mlops/feature_store/feature_group_manager.py

- Remove unused datetime imports - Remove debug print statement from resource registration - Update docstring to clarify S3 deny bucket policy is recommended - Refactor error handling to use fail-fast with deferred warnings pattern - Store phase errors instead of immediately raising to allow all phases to attempt execution - Move warning logs before error re-raise so incomplete steps are reported before exception - Simplify phase execution logic by checking phase_error status before attempting each phase - Improve error messages to guide users on re-running the method after fixing issues

BassemHalim temporarily deployed to auto-approve March 4, 2026 21:24 — with GitHub Actions Inactive

BassemHalim temporarily deployed to auto-approve March 5, 2026 17:27 — with GitHub Actions Inactive

nargokul reviewed Mar 10, 2026

View reviewed changes

sagemaker-mlops/src/sagemaker/mlops/feature_store/feature_group.py Outdated Show resolved Hide resolved

sagemaker-mlops/src/sagemaker/mlops/feature_store/feature_group_manager.py Show resolved Hide resolved

BassemHalim temporarily deployed to auto-approve March 11, 2026 00:09 — with GitHub Actions Inactive

BassemHalim temporarily deployed to auto-approve March 11, 2026 21:56 — with GitHub Actions Inactive

BassemHalim temporarily deployed to auto-approve March 16, 2026 22:39 — with GitHub Actions Inactive

BassemHalim temporarily deployed to auto-approve March 18, 2026 20:24 — with GitHub Actions Inactive

BassemHalim temporarily deployed to auto-approve March 19, 2026 20:14 — with GitHub Actions Inactive

BassemHalim temporarily deployed to auto-approve March 19, 2026 20:15 — with GitHub Actions Inactive

BassemHalim temporarily deployed to auto-approve March 20, 2026 00:18 — with GitHub Actions Inactive

BassemHalim temporarily deployed to auto-approve March 21, 2026 00:41 — with GitHub Actions Inactive

alexyoung13 mentioned this pull request Mar 26, 2026

Feature Store Iceberg Properties #5685

Open

BassemHalim temporarily deployed to auto-approve April 8, 2026 20:13 — with GitHub Actions Inactive

BassemHalim temporarily deployed to auto-approve April 9, 2026 00:02 — with GitHub Actions Inactive

BassemHalim force-pushed the feature-store-lakeformation branch from 6f00f8a to 3baff6c Compare April 9, 2026 00:27

BassemHalim temporarily deployed to auto-approve April 9, 2026 00:28 — with GitHub Actions Inactive

BassemHalim force-pushed the feature-store-lakeformation branch from 3baff6c to e706a5c Compare April 9, 2026 01:12

BassemHalim temporarily deployed to auto-approve April 9, 2026 01:12 — with GitHub Actions Inactive

BassemHalim temporarily deployed to auto-approve April 9, 2026 19:31 — with GitHub Actions Inactive

BassemHalim temporarily deployed to auto-approve April 9, 2026 22:36 — with GitHub Actions Inactive

feat: Add Feature Store Support to V3

2e4560f

BassemHalim temporarily deployed to auto-approve April 13, 2026 16:43 — with GitHub Actions Inactive

update example notebook with acknowledge_risk field

1fce913

BassemHalim temporarily deployed to auto-approve April 13, 2026 17:01 — with GitHub Actions Inactive

fix(test): Add missing acknowledge_risk param to LF integ tests

b31f02a

BassemHalim temporarily deployed to auto-approve April 13, 2026 19:45 — with GitHub Actions Inactive

BassemHalim temporarily deployed to auto-approve April 14, 2026 16:04 — with GitHub Actions Inactive

BassemHalim force-pushed the feature-store-lakeformation branch from c2df25d to 5cff78d Compare April 14, 2026 16:06

BassemHalim temporarily deployed to auto-approve April 14, 2026 16:07 — with GitHub Actions Inactive

BassemHalim temporarily deployed to auto-approve April 14, 2026 17:03 — with GitHub Actions Inactive

BassemHalim temporarily deployed to auto-approve April 14, 2026 17:04 — with GitHub Actions Inactive

BassemHalim force-pushed the feature-store-lakeformation branch from fb11c14 to 14cff87 Compare April 14, 2026 17:35

BassemHalim temporarily deployed to auto-approve April 14, 2026 17:35 — with GitHub Actions Inactive

BassemHalim temporarily deployed to auto-approve April 14, 2026 18:21 — with GitHub Actions Inactive

chore: rename example notebook and add clarifying comments

4f1985d

BassemHalim force-pushed the feature-store-lakeformation branch from 5ae4c90 to 4f1985d Compare April 14, 2026 19:43

BassemHalim temporarily deployed to auto-approve April 14, 2026 19:43 — with GitHub Actions Inactive

Merge branch 'master' into feature-store-lakeformation

c4bd6a2

BassemHalim temporarily deployed to auto-approve April 14, 2026 19:44 — with GitHub Actions Inactive

BassemHalim and others added 2 commits April 14, 2026 13:31

Merge branch 'master' into feature-store-lakeformation

fc44983

nargokul approved these changes Apr 14, 2026

View reviewed changes

mollyheamazon approved these changes Apr 14, 2026

View reviewed changes

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Feature store lakeformation#5599

Feature store lakeformation#5599
BassemHalim wants to merge 34 commits intoaws:masterfrom
BassemHalim:feature-store-lakeformation

BassemHalim commented Mar 4, 2026 •

edited

Loading

Uh oh!

nargokul left a comment

Uh oh!

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

5 participants

Conversation

BassemHalim commented Mar 4, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Description

New Features

Uh oh!

nargokul left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

5 participants

BassemHalim commented Mar 4, 2026 •

edited

Loading