为了能够部署跨账号Sagemaker端点，需要确保在源Sagemaker账号的IAM角色中授予目标账号的IAM角色访问权限，并同时从目标账号中调用该角色的ARN。在以下示例中，我们可以看到如何通过添加Sagemaker提供的Policy来授予所需的访问权限:

import boto3

# 访问源Sagemaker账号
source_sm_client = boto3.client('sagemaker', region_name=source_region)
iam = boto3.client('iam')

# 授予访问源Sagemaker账号所需角色的权限
pipeline_role_arn = 
cross_account_role = 
iam.attach_role_policy(RoleName=pipeline_role, PolicyArn='arn:aws-cn:iam::aws:policy/AmazonSageMakerFullAccess')

在目标账号的Sagemaker Notebook或其他应用程序中，您还需要添加允许您的IAM角色调用另一个账号中IAM角色的代码，例如:

import boto3
from botocore.config import Config

# 访问目标账号
cross_account_role = 
boto_config = Config(signature_version='v4', region_name=region)
sts_connection = boto3.client('sts', config=boto_config)
assumed_role = sts_connection.assume_role(
    RoleArn= cross_account_role,
    RoleSessionName= "cross_account_lambda"
)

# 检索Role的临时身份
ACCESS_KEY = assumed_role['Credentials']['AccessKeyId']
SECRET_KEY = assumed_role['Credentials']['SecretAccessKey']
SESSION_TOKEN = assumed_role['Credentials']['SessionToken']

# 将临时凭证传递给目标账号的Sagemaker Client
cross_sm_client = boto3.client('sagemaker',region_name=region,
                      aws_access_key_id=ACCESS_KEY,
                      aws_secret_access_key=SECRET_KEY