Deploying DeepSeek on AWS requires specific IAM roles and permissions to ensure secure and efficient model deployment and management. Here's a detailed overview of the necessary roles and permissions:
1. Creating an IAM Role for DeepSeek**
To deploy DeepSeek, you need to create an IAM role that allows access to necessary AWS resources. This role should be configured with policies that grant permissions for S3 access, as DeepSeek models are typically stored in S3 buckets.- Trusted Entity Type: AWS Service (specifically, S3 for accessing model files).
- Policy Attachments: Attach policies like AmazonS3FullAccess to allow full access to S3 buckets where your DeepSeek models are stored. If you're using Amazon Bedrock, ensure the role has permissions to import models from S3.
2. Permissions for Model Import in Amazon Bedrock**
When deploying DeepSeek models in Amazon Bedrock, your IAM role needs specific permissions to import models from S3 and interact with Bedrock services.- Actions:
- `s3:GetObject`
- `s3:ListBucket`
- `bedrock:ImportModel`
- Resource: The ARN of your S3 bucket where the DeepSeek model files are stored, e.g., `arn:aws:s3:::your-s3-bucket/*`.
3. Additional Permissions for AWS Services Integration**
If you're integrating DeepSeek with other AWS services like SageMaker or OpenSearch, you'll need additional IAM roles and permissions.- For SageMaker Integration: Create a role that allows OpenSearch to invoke your SageMaker endpoint. This involves setting up a trust relationship for OpenSearch Service and attaching a policy that grants necessary permissions.
- For OpenSearch Integration: Create roles for creating connectors and invoking models. These roles should have permissions to write to OpenSearch Service and invoke SageMaker endpoints.
Example Policy for S3 and Bedrock Access
Here's an example policy that grants necessary permissions for accessing S3 and importing models into Bedrock:
json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:ListBucket",
"bedrock:ImportModel"
],
"Resource": [
"arn:aws:s3:::your-s3-bucket/*"
]
}
]
}
Steps to Configure IAM Roles
1. Create an IAM Role: Go to the AWS Management Console, navigate to IAM, and create a new role.
2. Choose Trusted Entity: Select AWS Service, and choose S3 as the use case.
3. Attach Policies: Add policies like AmazonS3FullAccess and any custom policies required for Bedrock or other AWS services.
4. Review and Create: Review the role settings and create the role.
By following these steps and configuring the necessary IAM roles and permissions, you can securely deploy and manage DeepSeek models on AWS.
Citations:
[1] https://tutorialsdojo.com/deepseek-in-amazon-bedrock-a-comprehensive-demo/
[2] https://crossasyst.com/blog/deepseek-r1-on-aws-bedrock/
[3] https://aws.amazon.com/blogs/big-data/use-deepseek-with-amazon-opensearch-service-vector-database-and-amazon-sagemaker/
[4] https://help.deepsecurity.trendmicro.com/aws/aws-iam-role.html
[5] https://aws.amazon.com/blogs/machine-learning/deploy-deepseek-r1-distilled-llama-models-with-amazon-bedrock-custom-model-import/
[6] https://dev.to/fidelisesq/deepseek-r1-deployment-on-aws-via-terraform-github-actions-32jp
[7] https://www.linkedin.com/pulse/deploying-deepseek-r1-aws-comprehensive-guide-ahsan-ziaullah-t7mce
[8] https://www.reddit.com/r/aws/comments/1iejdkq/deepseek_on_aws_now/
[9] https://docs.aws.amazon.com/bedrock/latest/userguide/security_iam_id-based-policy-examples.html