AWS SageMaker Org Template · Service Catalog

CDK · GitHub Actions OIDC · Multi‑environment MLOps platform

Enterprise‑ready AWS AI platform provisioning using CDK, Service Catalog, and SageMaker Organization Templates with secure CI/CD (GitHub Actions + OIDC). Enables governed, repeatable ML workspace setup across Dev/Pre‑Prod/Prod.

Project summary

Pipeline‑1: IaC foundation

Industry

Cross‑Industry · Enterprise AI Platform

Domain

AI Platform Engineering / MLOps Infrastructure

Keywords

AWS CDK (Python)GitHub ActionsOIDC (GitHub→AWS) IAM least‑privilegeSageMaker Domain/Projects Service CatalogCloudFormationS3 / KMS SSM Parameter StoreMulti‑env IaCCDK Bootstrap/Synth/Deploy

Problem & objective

Problem

Inconsistent SageMaker environments across teams
Security gaps (IAM/KMS) and non‑reproducible infra
Slow onboarding and brittle CI/CD wiring for ML

Objective

Automate AWS AI platform with CDK + Service Catalog
Secure CI/CD (GitHub OIDC) + least‑privilege IAM
Repeatable ML workspace setup across environments

Solution & architecture

Overview

Provision enterprise‑grade SageMaker Domain, Organization Templates (Service Catalog), IAM/KMS, S3, and environment stacks via AWS CDK. CI/CD with GitHub Actions + OIDC ensures secure, repeatable deployments. Foundation for training (Pipeline‑2) and deployment (Pipeline‑3).

1

GitHub IaC repo

2

GitHub Actions + OIDC

3

CDK synth/deploy

4

CloudFormation

5

SageMaker Domain + Org Templates

Key components

AWS CDK (Python)
SageMaker Domain, Projects, Org Templates
Service Catalog product registration
IAM OIDC roles (GitHub)
KMS encryption, S3 assets, SSM config

Scalability & reliability

IaC multi‑account/env ready
Stateless CI/CD (no static creds)
Quota‑aware provisioning
CloudFormation rollback
Least‑privilege IAM + KMS reduce blast radius

AI/ML & DevOps details

ML type / automation

DevOps / MLOps platform engineering — Infrastructure automation (no models in Pipeline‑1). SageMaker Domains, Org Templates, IAM/KMS, CI/CD wiring.

CI/CD & orchestration

GitHub Actions + OIDC (no long‑lived secrets)
AWS CDK (Python) pipeline as code
CloudFormation backend, Docker asset bundling

Observability & optimisation

GitHub Actions logs, CloudFormation stack events
IAM change tracking via CDK diff
AWS Budgets & quota checks
Automatic rollback on failure

Skills & technologies

Primary (advanced)

AWS CDK (Python)
AWS IAM, OIDC, KMS, least‑privilege
SageMaker platform setup (Domain, Org Templates)
GitHub Actions CI/CD
CloudFormation / IaC

Secondary tools

S3 · SSM Parameter Store · KMS
Docker (CDK asset bundling)
Node.js / npm · Python virtualenv
Git, YAML, Bash

Cloud & DevOps

AWS (SageMaker, IAM, KMS, S3, SSM, CloudFormation)AWS CDKGitHub ActionsOIDCService Catalog

Challenges & resolutions

Reusable SageMaker Org Templates → modular CDK stacks, environment‑agnostic constructs.
OIDC secure auth → IAM roles for GitHub Actions, no static keys.
IAM least‑privilege → iteratively refined via CDK diff and deployment logs.
Service Quota constraints → documented pre‑approved quotas.
Multi‑env config → SSM Parameter Store + env vars, no hardcoding.

CI/CD Architecture & YAML mapping

Architecture Block	AWS CI/CD Construct
Source Repository	GitHub (IaC repo)
Trigger	GitHub Actions (push / workflow_dispatch)
CI Runner	ubuntu-latest + OIDC assume role
IaC Execution	aws-actions/configure-aws-credentials → cdk bootstrap/synth/deploy
Backend	AWS CloudFormation
Artifact Storage	Amazon S3 (CDK assets)
Provisioning Target	SageMaker Domain + Service Catalog (Org Templates)
Security & Auth	OIDC + IAM roles, KMS, SSM

Assets & references

Production‑grade details

IAM policies, CDK stacks, multi‑env setup, quota planning.

View snippets

Outputs of Pipeline‑1

Service Catalog product registered (SageMaker Org Template)
SageMaker Domain + Studio available
Seed repos created (train/deploy)
IAM roles + OIDC wired

Study material resources

CDK templates, IAM policies, architecture diagrams (restricted access)

Request Study Material