How to Configure AWS CDK Domino Data Lab for Secure, Repeatable Access

Most teams hit the same wall: the data scientists want freedom, the DevOps folks want guardrails, and neither wants another approval email. AWS CDK Domino Data Lab is where those boundaries stop being a fight and start being infrastructure.

AWS CDK (Cloud Development Kit) lets engineers define AWS resources with real code, not YAML therapy. Domino Data Lab is the enterprise platform that turns AI and model development into a managed workflow with versioned experiments, shared environments, and governed data access. Together, they combine automation and reproducibility with fine-grained permissions.

Here is the basic logic. AWS CDK captures your infrastructure blueprints as Python or TypeScript classes. You can generate every networking rule, compute instance, or secret store as part of a deployment pipeline. Domino Data Lab then runs those same artifacts inside secured project spaces. Connecting them means the same IAM roles and environment parameters used in CDK become the runtime policies Domino enforces when launching a job. No manual sync. No guessing which key belongs to which notebook.

To wire this integration right, you start with identity. Map your AWS IAM roles into Domino using OIDC or Okta-backed connectors. Then bind Domino workspaces to CDK-managed VPCs where data lakes or S3 buckets live. The result is isolation that actually behaves like code: traceable, diffable, and deployable. When a developer spins up a new model training run, the environment is defined by your CDK constructs—networking, security groups, and storage all locked to compliance terms you can audit.

Best practices worth noting:

  • Rotate AWS secrets through CDK constructs so Domino jobs never persist raw keys.
  • Use environment variables and parameter stores instead of embedding policies in notebooks.
  • Enforce RBAC in Domino at the project level; CDK handles resources, Domino handles users.
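
One way to audit the CDK side of these practices before any Domino workspace is attached to it, as an added example that is not code from this post, from AWS, or from Domino: it scans a synthesized CloudFormation template for secrets without a rotation schedule, OIDC role trusts without a Condition, and security groups open to the internet. The embedded template, its logical IDs, the provider ARN, and the choice of these three checks are assumptions made for illustration.

```python
import json

# Constructed sample in the shape `cdk synth` emits; IDs and the ARN are placeholders.
TEMPLATE = json.loads("""
{
  "Resources": {
    "DbSecret": {"Type": "AWS::SecretsManager::Secret", "Properties": {}},
    "DbSecretRotation": {"Type": "AWS::SecretsManager::RotationSchedule",
      "Properties": {"SecretId": {"Ref": "DbSecret"}}},
    "ApiSecret": {"Type": "AWS::SecretsManager::Secret", "Properties": {}},
    "JobRole": {"Type": "AWS::IAM::Role", "Properties": {
      "AssumeRolePolicyDocument": {"Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRoleWithWebIdentity",
        "Principal": {"Federated": "arn:aws:iam::111111111111:oidc-provider/idp.example.com"}}]}}},
    "WorkspaceSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
      "SecurityGroupIngress": [{"IpProtocol": "tcp", "FromPort": 443,
        "ToPort": 443, "CidrIp": "0.0.0.0/0"}]}}
  }
}
""")

def audit(template):
    """Return sorted (logical_id, finding) pairs for the three checks."""
    res = template.get("Resources", {})
    # Logical IDs of secrets that some RotationSchedule points at via Ref.
    rotated = {r["Properties"]["SecretId"].get("Ref")
               for r in res.values()
               if r["Type"] == "AWS::SecretsManager::RotationSchedule"
               and isinstance(r["Properties"].get("SecretId"), dict)}
    findings = []
    for lid, r in res.items():
        props = r.get("Properties", {})
        if r["Type"] == "AWS::SecretsManager::Secret" and lid not in rotated:
            findings.append((lid, "secret has no rotation schedule"))
        elif r["Type"] == "AWS::IAM::Role":
            stmts = props.get("AssumeRolePolicyDocument", {}).get("Statement", [])
            for s in stmts:
                actions = s.get("Action", [])
                actions = [actions] if isinstance(actions, str) else actions
                if "sts:AssumeRoleWithWebIdentity" in actions and not s.get("Condition"):
                    findings.append((lid, "OIDC trust has no Condition"))
        elif r["Type"] == "AWS::EC2::SecurityGroup":
            for rule in props.get("SecurityGroupIngress", []):
                if rule.get("CidrIp") == "0.0.0.0/0" or rule.get("CidrIpv6") == "::/0":
                    findings.append((lid, "ingress open to the internet"))
    return sorted(findings)

if __name__ == "__main__":
    for lid, finding in audit(TEMPLATE):
        print(f"{lid}: {finding}")
```

Run against the real output of `cdk synth` in the deployment pipeline, a non-empty result can fail the build before the stack reaches an account.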

Benefits you can count:

  • Config drift drops to zero since infrastructure and data access share one source of truth.
  • Compliance audits shrink from days to minutes.
  • Experiment reproducibility moves from hope to guarantee.
  • Developer velocity increases because provisioning is scripted, not ticketed.
  • Incident response becomes mechanical—rollback the stack, not the spreadsheet.

Platform tools like hoop.dev turn those access rules into guardrails that enforce policy automatically. Rather than write a dozen Lambda wrappers for security, you can delegate session enforcement and identity checks to hoop.dev and keep CDK focused on infrastructure definition.

How do I connect AWS CDK constructs to Domino Data Lab projects?
Define your AWS resources in CDK, export environment parameters (ARNs, endpoints, policies), then attach them in Domino’s environment configuration. Make sure your identity providers align—AWS IAM, Okta, or Keycloak—so your roles translate cleanly across both systems.

This pairing fits well in AI operations too. When ML models trigger automated deployments or receive dynamic data requests, the permissions and data-residency constraints defined in the CDK templates are already in place before Domino executes any code. It is clean compliance plus fast iteration, which is what high-security AI teams need.

The takeaway: AWS CDK and Domino Data Lab create a tightly governed, developer-friendly data environment when configured with proper identity and automation links. Less waiting, fewer policies, more reproducible results.

See an Environment Agnostic Identity-Aware Proxy in action with hoop.dev. Deploy it, connect your identity provider, and watch it protect your endpoints everywhere—live in minutes.
