update example notebooks and fix minor bug

BassemHalim · BassemHalim · commit 9bfbbd3f3310 · 2026-04-15T16:35:49.000-07:00
diff --git a/sagemaker-mlops/src/sagemaker/mlops/feature_store/feature_group_manager.py b/sagemaker-mlops/src/sagemaker/mlops/feature_store/feature_group_manager.py
@@ -613,12 +613,12 @@ def enable_lake_formation(
                 "Lake Formation permissions were not granted to the "
                 "execution role. Re-run enable_lake_formation() after fixing the issue."
             )
-        if results["hybrid_access_mode_enabled"]:
+        if not hybrid_access_mode_enabled and results["hybrid_access_mode_enabled"]:
             logger.warning(
-                "Hybrid access mode is still enabled. IAM-based access "
+                "Failed to disable hybrid access mode. IAM-based access "
                 "to the Glue table is still allowed alongside Lake "
-                "Formation permissions. To disable, re-run with "
-                "hybrid_access_mode_enabled=False. For more info: "
+                "Formation permissions. Re-run with "
+                "hybrid_access_mode_enabled=False to retry. For more info: "
                 "https://docs.aws.amazon.com/lake-formation/latest/dg/hybrid-access-mode.html"
             )
 
diff --git a/v3-examples/ml-ops-examples/v3-feature-store-examples/v3-feature-store-lake-formation-cross-account.ipynb b/v3-examples/ml-ops-examples/v3-feature-store-examples/v3-feature-store-lake-formation-cross-account.ipynb
@@ -222,7 +222,7 @@
     "    enabled=True,\n",
     "    use_service_linked_role=False,\n",
     "    registration_role_arn=acc_to_role_arn[central_account],\n",
-    "    disable_hybrid_access_mode=True,\n",
+    "    hybrid_access_mode_enabled=False,\n",
     "    acknowledge_risk=True # You acknowledge that IAM based access to the glue table will stop working\n",
     ")\n",
     "\n",
diff --git a/v3-examples/ml-ops-examples/v3-feature-store-examples/v3-feature-store-lake-formation.ipynb b/v3-examples/ml-ops-examples/v3-feature-store-examples/v3-feature-store-lake-formation.ipynb
@@ -25,13 +25,13 @@
     "lake_formation_config = LakeFormationConfig(\n",
     "    enabled=True,                    # Enable Lake Formation governance\n",
     "    use_service_linked_role=True,    # Use LF service-linked role (default)\n",
-    "    registration_role_arn=None,      # Role used by LF to access your resources\n",
-    "    disable_hybrid_access_mode       # Revoke IAMAllowedPrincipal permissions (REQUIRED)\n",
-    "    acknowledge_risk                 # Controls confirmation behavior for risky Lake Formation operations.\n",
+    "    registration_role_arn=None,      # Role used by LF to access your S3 bucket\n",
+    "    hybrid_access_mode_enabled       # Keep or revoke IAMAllowedPrincipal permissions (REQUIRED)\n",
+    "    acknowledge_risk                 # Controls confirmation behavior for risky Lake Formation operations. (REQUIRED)\n",
     ")\n",
     "```\n",
     "\n",
-    "> **Note:** `disable_hybrid_access_mode` is a required field with no default. When `True`, IAMAllowedPrincipal permissions are revoked from the Glue table, enforcing Lake Formation-only governance. **Warning:** this may break existing jobs (e.g., training, processing, ETL) that access the table via IAM-based permissions. After this change, all principals must be granted access through Lake Formation. When `False`, an interactive prompt asks the user to confirm proceeding with hybrid access mode.\n",
+    "> **Note:** `hybrid_access_mode_enabled` is a required field with no default. When `False`, IAMAllowedPrincipal permissions are revoked from the Glue table, enforcing Lake Formation-only governance. **Warning:** this may break existing jobs (e.g., training, processing, ETL) that access the table via IAM-based permissions. After this change, all principals must be granted access through Lake Formation.\n",
     "\n",
     "### New Parameter in `FeatureGroupManager.create()`: `lake_formation_config`\n",
     "\n",
@@ -51,8 +51,8 @@
     "\n",
     "```python\n",
     "fg.enable_lake_formation(\n",
-    "    disable_hybrid_access_mode=True,  # Revoke IAMAllowedPrincipal permissions (REQUIRED)\n",
-    "    acknowledge_risk=None,            # None=interactive prompt, True=skip prompt, False=abort\n",
+    "    hybrid_access_mode_enabled,       # Revoke IAMAllowedPrincipal permissions (REQUIRED)\n",
+    "    acknowledge_risk,                 # True=proceed, False=abort (REQUIRED)\n",
     "    use_service_linked_role=True,     # Use LF service-linked role (default)\n",
     "    registration_role_arn=None,       # Custom role ARN (if not using SLR)\n",
     "    wait_for_active=False,            # Wait for Feature Group to be Created\n",
@@ -65,7 +65,7 @@
     "{\n",
     "    \"s3_location_registered\": True,\n",
     "    \"lf_permissions_granted\": True,\n",
-    "    \"hybrid_access_mode_disabled\": True  # Only True when disable_hybrid_access_mode=True\n",
+    "    \"hybrid_access_mode_enabled\": False  # Only False when hybrid_access_mode_enabled=False\n",
     "}\n",
     "```\n",
     "\n",
@@ -100,14 +100,14 @@
     "\n",
     "### Step 3: Revoke IAMAllowedPrincipal Permissions (conditional)\n",
     "\n",
-    "This step only executes when `disable_hybrid_access_mode=True`. By default, Glue tables allow access to any IAM principal with appropriate IAM permissions (`IAMAllowedPrincipal`). This step revokes that default permission, ensuring that:\n",
+    "This step only executes when `hybrid_access_mode_enabled=False`. By default, Glue tables allow access to any IAM principal with appropriate IAM permissions (`IAMAllowedPrincipal`). This step revokes that default permission, ensuring that:\n",
     "\n",
     "- Access is now controlled exclusively through Lake Formation\n",
     "- Only principals explicitly granted permissions via Lake Formation can access the data\n",
     "\n",
     "**Warning:** Revoking IAMAllowedPrincipal may break existing jobs (e.g., training, processing, ETL) that access the table via IAM-based permissions. After this change, all principals must be granted access through Lake Formation.\n",
     "\n",
-    "When `disable_hybrid_access_mode=False`, this step is skipped and an interactive prompt asks the user to confirm proceeding with hybrid access mode (IAM + Lake Formation permissions coexist).\n",
+    "When `hybrid_access_mode_enabled=True`, this step is skipped and hybrid access mode remains active (IAM + Lake Formation permissions coexist). The `acknowledge_risk=True` parameter confirms acceptance of this configuration.\n",
     "\n",
     "### Step 4: Recommended S3 Deny Policy (always logged)\n",
     "\n",
@@ -409,22 +409,6 @@
     "Grant your Execution role permission to create and describe tables under `sagemaker_featurestore` database"
    ]
   },
-  {
-   "cell_type": "code",
-   "execution_count": null,
-   "metadata": {},
-   "outputs": [],
-   "source": [
-    "lf_client.grant_permissions(\n",
-    "    Principal={\"DataLakePrincipalIdentifier\": EXECUTION_ROLE_ARN},\n",
-    "    Resource={\n",
-    "        \"Database\": {\"Name\": \"sagemaker_featurestore\"}\n",
-    "    },\n",
-    "    Permissions=[\"CREATE_TABLE\", \"DESCRIBE\"],\n",
-    "    PermissionsWithGrantOption=[],\n",
-    ")\n"
-   ]
-  },
   {
    "cell_type": "markdown",
    "metadata": {},
@@ -599,7 +583,7 @@
     "lake_formation_config = LakeFormationConfig(\n",
     "    enabled=True,\n",
     "    use_service_linked_role=True,\n",
-    "    disable_hybrid_access_mode=False,\n",
+    "    hybrid_access_mode_enabled=True,\n",
     "    acknowledge_risk=True\n",
     ")\n",
     "print(\"\\nLake Formation Config:\")\n",
@@ -830,7 +814,7 @@
     "feature_group = FeatureGroupManager.get(FG_NAME_WORKFLOW2, session=boto_session)\n",
     "result = feature_group.enable_lake_formation( # new method\n",
     "    use_service_linked_role=True,\n",
-    "    disable_hybrid_access_mode=True,\n",
+    "    hybrid_access_mode_enabled=False,\n",
     "    acknowledge_risk=True\n",
     ")\n",
     "data_catalog_config_2 = feature_group.offline_store_config.data_catalog_config\n",
@@ -839,7 +823,7 @@
     "print(f\"\\nLake Formation setup results:\")\n",
     "print(f\"  s3_location_registered: {result['s3_location_registered']}\")\n",
     "print(f\"  lf_permissions_granted: {result['lf_permissions_granted']}\")\n",
-    "print(f\"  hybrid_access_mode_disabled: {result['hybrid_access_mode_disabled']}\")"
+    "print(f\"  hybrid_access_mode_enabled: {result['hybrid_access_mode_enabled']}\")"
    ]
   },
   {
@@ -891,6 +875,22 @@
     "### Grant Data Scientist Permission to Query the Table"
    ]
   },
+  {
+   "cell_type": "markdown",
+   "metadata": {},
+   "source": [
+    "we try to query before granting lakeformation permissions. Should fail unless the data scientist role was already granted lakefomration permission\n"
+   ]
+  },
+  {
+   "cell_type": "code",
+   "execution_count": null,
+   "metadata": {},
+   "outputs": [],
+   "source": [
+    "query_offline_store(str(data_catalog_config_2.database), str(data_catalog_config_2.table_name), data_scientist_session)"
+   ]
+  },
   {
    "cell_type": "code",
    "execution_count": null,
@@ -1086,7 +1086,7 @@
  ],
  "metadata": {
   "kernelspec": {
-   "display_name": "v3-lf",
+   "display_name": "Python 3 (ipykernel)",
    "language": "python",
    "name": "python3"
   },
@@ -1105,7 +1105,13 @@
   "widgets": {
    "application/vnd.jupyter.widget-state+json": {
     "state": {
-     "cbfddeb610c74e7886a4dcff89f2eb2e": {
+     "9293a7c9ef3d4430b61a6abe6a434fa7": {
+      "model_module": "@jupyter-widgets/base",
+      "model_module_version": "2.0.0",
+      "model_name": "LayoutModel",
+      "state": {}
+     },
+     "e1dbeb64626e41b7bedd11144f50f168": {
       "model_module": "@jupyter-widgets/base",
       "model_module_version": "2.0.0",
       "model_name": "LayoutModel",
