Use the Amazon SageMaker and Salesforce Data Cloud integration to power your Salesforce apps with AI/ML

AWS Machine Learning Blog

This post is co-authored by Daryl Martis, Director of Product, Salesforce Einstein AI.
This is the second post in a series discussing the integration of Salesforce Data Cloud and Amazon SageMaker. In Part 1, we show how the Salesforce Data Cloud and Einstein Studio integration with SageMaker allows businesses to access their Salesforce data securely using SageMaker and use its tools to build, train, and deploy models to endpoints hosted on SageMaker. The endpoints are then registered to the Salesforce Data Cloud to activate predictions in Salesforce.
In this post, we expand on this topic to demonstrate how to use Einstein Studio for product recommendations. You can use this integration for traditional models as well as large language models (LLMs).
Solution overview
In this post, we demonstrate how to create a predictive model in SageMaker to recommend the next best product to your customers by using historical data such as customer demographics, marketing engagements, and purchase history from Salesforce Data Cloud.
We use the following sample dataset. To use this dataset in your Data Cloud, refer to Create Amazon S3 Data Stream in Data Cloud.
The following attributes are needed to create the model:
Club Member – If the customer is a club member
Campaign – The campaign the customer is a part of
State – The state or province the customer resides in
Month – The month of purchase
Case Count – The number of cases raised by the customer
Case Type Return – Whether the customer returned any product within the last year
Case Type Shipment Damaged – Whether the customer had any shipments damaged in the last year
Engagement Score – The level of engagement the customer has (response to mailing campaigns, logins to the online store, and so on)
Tenure – The tenure of the customer relationship with the company
Clicks – The average number of clicks the customer has made within a week prior to purchase
Pages Visited – The average number of pages the customer has visited within a week prior to purchase
Product Purchased – The actual product purchased
Id – The ID of the record
DateTime – The timestamp of the dataset
The product recommendation model is built and deployed on SageMaker and is trained using data in the Salesforce Data Cloud. The following steps give an overview of how to use the new capabilities launched in SageMaker for Salesforce to enable the overall integration:
Set up the Amazon SageMaker Studio domain and OAuth between Salesforce and the AWS accounts.
Use the newly launched capability of the Amazon SageMaker Data Wrangler connector for Salesforce Data Cloud to prepare the data in SageMaker without copying the data from Salesforce Data Cloud.
Train a recommendation model in SageMaker Studio using training data that was prepared using SageMaker Data Wrangler.
Package the SageMaker Data Wrangler container and the trained recommendation model container in an inference pipeline so the inference request can use the same data preparation steps you created to preprocess the training data. The real-time inference call data is first passed to the SageMaker Data Wrangler container in the inference pipeline, where it is preprocessed and passed to the trained model for product recommendation. For more information about this process, refer to New — Introducing Support for Real-Time and Batch Inference in Amazon SageMaker Data Wrangler. Although we use a specific algorithm to train the model in our example, you can use any algorithm that you find appropriate for your use case.
Use the newly launched SageMaker provided project template for Salesforce Data Cloud integration to streamline implementing the preceding steps by providing the following templates:
An example notebook showcasing data preparation, building, training, and registering the model.
The SageMaker provided project template for Salesforce Data Cloud integration, which automates creating a SageMaker endpoint hosting the inference pipeline model. When a version of the model in the Amazon SageMaker Model Registry is approved, the endpoint is exposed as an API with Amazon API Gateway using a custom Salesforce JSON Web Token (JWT) authorizer. API Gateway is required to allow Salesforce Data Cloud to make predictions against the SageMaker endpoint using a JWT token that Salesforce creates and passes with the request when making predictions from Salesforce. JWT can be used as a part of OpenID Connect (OIDC) and OAuth 2.0 frameworks to restrict client access to your APIs.

After you create the API, we recommend registering the model endpoint in Salesforce Einstein Studio. For instructions, refer to Bring Your Own AI Models to Salesforce with Einstein Studio.
The following diagram illustrates the solution architecture.

Create a SageMaker Studio domain
First, create a SageMaker Studio domain. For instructions, refer to Onboard to Amazon SageMaker Domain. Note the domain ID and the execution role that is created; your user profile uses this role. You add permissions to this role in subsequent steps.
The following screenshot shows the domain we created for this post.

The following screenshot shows the example user profile for this post.

Set up the Salesforce connected app
Next, we create a Salesforce connected app to enable the OAuth flow from SageMaker Studio to Salesforce Data Cloud. Complete the following steps:
Log in to Salesforce and navigate to Setup.
Search for App Manager and create a new connected app.
Provide the following inputs:
For Connected App Name, enter a name.
For API Name, leave as default (it’s automatically populated).
For Contact Email, enter your contact email address.
Select Enable OAuth Settings.
For Callback URL, enter https://.studio..sagemaker.aws/jupyter/default/lab, and provide the domain ID that you captured while creating the SageMaker domain and the Region of your SageMaker domain.

Under Selected OAuth Scopes, move the following from Available OAuth Scopes to Selected OAuth Scopes and choose Save:
Manage user data via APIs (api)
Perform requests at any time (refresh_token, offline_access)
Perform ANSI SQL queries on Salesforce Data Cloud data (Data Cloud_query_api)
Manage Salesforce Customer Data Platform profile data (Data Cloud_profile_api)
Access the identity URL service (id, profile, email, address, phone)
Access unique user identifiers (openid)

For more information about creating a connected app, refer to Create a Connected App.

Return to the connected app and navigate to Consumer Key and Secret.
Choose Manage Consumer Details.
Copy the key and secret.
You may be asked to log in to your Salesforce org as part of the two-factor authentication here.

Navigate back to the Manage Connected Apps page.
Open the connected app you created and choose Manage.
Choose Edit Policies and change IP Relaxation to Relax IP restrictions, then save your settings.
Configure SageMaker permissions and lifecycle rules
In this section, we walk through the steps to configure SageMaker permissions and lifecycle management rules.
Create a secret in AWS Secrets Manager
Enable OAuth integration with Salesforce Data Cloud by storing credentials from your Salesforce connected app in AWS Secrets Manager:
On the Secrets Manager console, choose Store a new secret.
Select Other type of secret.
Create your secret with the following key-value pairs:

{
  "identity_provider": "SALESFORCE",
  "authorization_url": "https://login.salesforce.com/services/oauth2/authorize",
  "token_url": "https://login.salesforce.com/services/oauth2/token",
  "client_id": "",
  "client_secret": "",
  "issue_url": ""
}

Add a tag with the key sagemaker:partner and your choice of value.
Save the secret and note the ARN of the secret.
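An added example, not part of the original post or the SageMaker project template: a check to run on the secret text before storing it, which catches the curly quotes and missing commas that copy-paste introduces as well as empty or non-HTTPS values. The function name check_secret and all sample values are assumptions made for this illustration.

```python
import json
from urllib.parse import urlsplit

# Key names are those of the secret shown above.
REQUIRED = ("identity_provider", "authorization_url", "token_url",
            "client_id", "client_secret", "issue_url")
HTTPS_KEYS = ("authorization_url", "token_url")


def check_secret(text):
    """Return a list of problems in the secret text; an empty list means OK."""
    try:
        secret = json.loads(text)
    except json.JSONDecodeError as exc:
        # Curly quotes or a missing comma from copy-paste are caught here.
        return [f"invalid JSON at line {exc.lineno}: {exc.msg}"]
    if not isinstance(secret, dict):
        return ["top-level value must be a JSON object"]
    problems = []
    for key in REQUIRED:
        value = secret.get(key)
        if not isinstance(value, str) or not value.strip():
            problems.append(f"{key}: missing or empty")
    for key in HTTPS_KEYS:
        value = secret.get(key)
        if isinstance(value, str) and value.strip():
            parts = urlsplit(value)
            if parts.scheme != "https" or not parts.hostname:
                problems.append(f"{key}: must be an https URL")
    return problems


# Constructed samples; the client values are placeholders, not real credentials.
GOOD = """{
  "identity_provider": "SALESFORCE",
  "authorization_url": "https://login.salesforce.com/services/oauth2/authorize",
  "token_url": "https://login.salesforce.com/services/oauth2/token",
  "client_id": "EXAMPLE_CONSUMER_KEY",
  "client_secret": "EXAMPLE_CONSUMER_SECRET",
  "issue_url": "https://example.my.salesforce.com"
}"""
CURLY = GOOD.replace('"', "\u201c")  # quotes as a word processor emits them
MISSING_COMMA = GOOD.replace('",\n  "issue_url"', '"\n  "issue_url"')
HTTP_TOKEN = GOOD.replace("https://login.salesforce.com/services/oauth2/token",
                          "http://login.salesforce.com/services/oauth2/token")

if __name__ == "__main__":
    for sample in (GOOD, CURLY, MISSING_COMMA, HTTP_TOKEN):
        print(check_secret(sample))
```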
Configure a SageMaker lifecycle rule
The SageMaker Studio domain execution role will require AWS Identity and Access Management (IAM) permissions to access the secret created in the previous step. For more information, refer to Creating roles and attaching policies (console).
On the IAM console, attach the following policies to their respective roles (these roles will be used by the SageMaker project for deployment):
Add the policy AmazonSageMakerPartnerServiceCatalogProductsCloudFormationServiceRolePolicy to the service role AmazonSageMakerServiceCatalogProductsCloudformationRole.
Add the policy AmazonSageMakerPartnerServiceCatalogProductsApiGatewayServiceRolePolicy to the service role AmazonSageMakerServiceCatalogProductsApiGatewayRole.
Add the policy AmazonSageMakerPartnerServiceCatalogProductsLambdaServiceRolePolicy to the service role AmazonSageMakerServiceCatalogProductsLambdaRole.

On the IAM console, navigate to the SageMaker domain execution role.
Choose Add permissions and select Create an inline policy.
Enter the following policy in the JSON policy editor:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetSecretValue",
        "secretsmanager:PutSecretValue"
      ],
      "Resource": "arn:aws:secretsmanager:*:*:secret:*",
      "Condition": {
        "ForAnyValue:StringLike": {
          "aws:ResourceTag/sagemaker:partner": "*"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "secretsmanager:UpdateSecret"
      ],
      "Resource": "arn:aws:secretsmanager:*:*:secret:AmazonSageMaker-*"
    }
  ]
}
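An added example, not code from the original post or from AWS: a simplified evaluator for the inline policy above, showing that under the first statement the sagemaker:partner tag key alone decides which secrets the Studio role can read and write, whatever the secret's name or Region. It models only Allow statements with exact action names and this one condition operator; the ARNs, account ID and tag values are constructed.

```python
import json
import re

# Inline policy from the step above, reproduced so the example runs offline.
POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow",
   "Action": ["secretsmanager:GetSecretValue", "secretsmanager:PutSecretValue"],
   "Resource": "arn:aws:secretsmanager:*:*:secret:*",
   "Condition": {"ForAnyValue:StringLike": {"aws:ResourceTag/sagemaker:partner": "*"}}},
  {"Effect": "Allow",
   "Action": ["secretsmanager:UpdateSecret"],
   "Resource": "arn:aws:secretsmanager:*:*:secret:AmazonSageMaker-*"}
]}
""")


def like(pattern, value):
    """IAM-style wildcard match: '*' is any run of characters, '?' is one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value, re.DOTALL) is not None


def allowed(action, arn, tags):
    """Simplified check: does any Allow statement match action, ARN and tags?"""
    for stmt in POLICY["Statement"]:
        if stmt["Effect"] != "Allow" or action not in stmt["Action"]:
            continue
        if not like(stmt["Resource"], arn):
            continue
        cond = stmt.get("Condition", {}).get("ForAnyValue:StringLike", {})
        # Each condition key must exist as a resource tag and match its pattern.
        if all(key.split("/", 1)[1] in tags
               and like(pat, tags[key.split("/", 1)[1]])
               for key, pat in cond.items()):
            return True
    return False


# Constructed ARNs and tags (not real resources).
OAUTH = "arn:aws:secretsmanager:us-east-1:111122223333:secret:sf-oauth-AbCdEf"
OTHER = "arn:aws:secretsmanager:eu-west-1:111122223333:secret:prod/db-password-XyZ123"
STUDIO = "arn:aws:secretsmanager:us-east-1:111122223333:secret:AmazonSageMaker-demo-QwErTy"
TAG = {"sagemaker:partner": "salesforce"}

if __name__ == "__main__":
    print("tagged OAuth secret readable:", allowed("secretsmanager:GetSecretValue", OAUTH, TAG))
    print("untagged OAuth secret readable:", allowed("secretsmanager:GetSecretValue", OAUTH, {}))
    print("unrelated tagged secret writable:", allowed("secretsmanager:PutSecretValue", OTHER, TAG))
```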

SageMaker Studio lifecycle configuration provides shell scripts that run when a notebook is created or started. The lifecycle configuration will be used to retrieve the secret and import it to the SageMaker runtime.
On the SageMaker console, choose Lifecycle configurations in the navigation pane.
Choose Create configuration.
Leave the default selection Jupyter Server App and choose Next.
Give the configuration a name.
Enter the following script in the editor, providing the ARN for the secret you created earlier:

#!/bin/bash
set -eux

cat > ~/.sfgenie_identity_provider_oauth_config
04/08/2023 – 18:02 /Daryl Martis