blueprint (Optional, Readonly): Externally-defined IAM roles for blueprint provisioning. A base blueprint provisioning policy is attached; blueprint-specific permissions must be attached directly to the role.
Use cases: Custom blueprint provisioning roles; External role integration
AWS: IAM roles for DataZone blueprint provisioning
Validation: Optional; array of valid MdaaRoleRef
custom (Optional, Readonly): Custom blueprints with CloudFormation templates to enable in the domain. Each blueprint can specify a local path or an S3 URL for its template.
Use cases: Custom blueprint deployment; Organization-specific environment types
AWS: DataZone custom blueprint configurations
Validation: Optional; map of blueprint name to CustomBlueprintProps
data (Readonly): IAM role with administrative privileges over the domain. Used for user management, resource configuration, and governance policy administration. Resolved via the MDAA role helper.
Use cases: Domain administration; Governance policy management; Resource configuration
AWS: IAM role granted DataZone domain admin permissions
Validation: Required; valid MdaaRoleRef
description (Optional, Readonly): Human-readable description of the domain's purpose and scope.
Use cases: Domain documentation; Organizational context
AWS: DataZone domain description
Validation: Optional; string
domain (Optional, Readonly): Hierarchical domain units for organizing projects and governance scopes within the domain.
Use cases: Organizational hierarchy; Project grouping; Governance scope isolation
AWS: DataZone domain units
Validation: Optional; valid NamedDomainUnits
enabled (Optional, Readonly): Additional managed blueprints to enable, with optional parameter values and domain unit authorization (e.g., LakehouseCatalog, CustomAwsService).
Use cases: Managed blueprint enablement; Blueprint parameter configuration
AWS: DataZone managed blueprint configurations
Validation: Optional; map of blueprint name to EnabledBlueprintProps
groups (Optional, Readonly): Named groups to be added to the domain. Groups are SSO-only and are identified by a friendly name mapped to an SSO group ID.
Use cases: Team-based domain access; SSO group provisioning
AWS: DataZone group profiles (SSO)
Validation: Optional; valid NamedDataZoneGroups
owner (Optional, Readonly): Associated account names granted ownership of the root domain unit, allowing project creation at the domain root. Names must match entries in the domain's associatedAccounts config.
Use cases: Cross-account root ownership; Delegated domain administration
AWS: DataZone root domain unit owner (account)
Validation: Optional; string array; names must match associatedAccounts keys
owner (Optional, Readonly): Group names granted ownership of the root domain unit. Names must match entries in the domain's groups config.
Use cases: Root-level domain administration; Team-based ownership
AWS: DataZone root domain unit owner (group)
Validation: Optional; string array; names must match domain groups keys
owner (Optional, Readonly): User names granted ownership of the root domain unit. Names must match entries in the domain's users config.
Use cases: Root-level domain administration; User-based ownership
AWS: DataZone root domain unit owner (user)
Validation: Optional; string array; names must match domain users keys
tooling (Readonly): Required Tooling blueprint configuration, including VPC and subnet settings for SageMaker environment provisioning.
Use cases: SageMaker Tooling blueprint setup; VPC-based environment provisioning
AWS: SageMaker Tooling blueprint with VPC configuration
Validation: Required; valid ToolingBlueprintProps
user (Optional, Readonly): Controls how users are assigned to the domain. MANUAL requires explicit assignment; AUTOMATIC assigns users based on organizational policies.
Use cases: User provisioning control; Automated vs. manual user onboarding
AWS: DataZone domain user assignment mode
Validation: Optional; 'MANUAL' | 'AUTOMATIC'
users (Optional, Readonly): Named users to be added to the domain. Each user is identified by a friendly name and can be IAM-based or SSO-based.
Use cases: Individual domain access; IAM and SSO user provisioning
AWS: DataZone user profiles (IAM or SSO)
Validation: Optional; valid NamedDataZoneUsers
associatedAccounts (Optional, Readonly): Additional AWS accounts associated with this SageMaker domain for cross-account governance. Each account can have its own tooling config, blueprint provisioning roles, Glue catalog encryption, and LF roles.
Use cases: Multi-account SageMaker governance; Cross-account blueprint provisioning
AWS: SageMaker (DataZone V2) cross-account domain associations
Validation: Optional; valid NamedSageMakerAssociatedAccounts