

How do I create and configure IAM roles for DeepSeek and OpenSearch


Creating and configuring IAM roles for DeepSeek and OpenSearch involves two parts: creating the IAM roles in AWS, and mapping those roles to roles inside OpenSearch. Here's a detailed guide on how to do this:

Creating IAM Roles for DeepSeek

To integrate DeepSeek with OpenSearch, you need to create two IAM roles: one for invoking the DeepSeek model and another for creating a connector in OpenSearch.

1. Invoke DeepSeek Role

1. Create the Role:
- Go to the AWS IAM Management Console.
- Click on Roles in the left navigation pane.
- Click Create role.
- Choose AWS service as the trusted entity type.
- Select OpenSearch Service as the service that will use the role.
- Proceed to attach permissions.

2. Attach Permissions:
- Create a new policy or use an existing one that allows OpenSearch to invoke your SageMaker endpoint.
- The policy should include actions like `sagemaker:InvokeEndpoint` for the specific endpoint ARN.

3. Trust Relationship:
- Ensure the trust policy allows OpenSearch Service to assume the role. This typically involves specifying the OpenSearch Service as the principal in the trust policy.

2. Create Connector Role

1. Create the Role:
- Repeat the steps to create a new role.
- This time, choose Another AWS account as the trusted entity if you're using cross-account access, or select the appropriate entity based on your setup.

2. Attach Permissions:
- Attach a policy that allows writing to OpenSearch Service, such as `es:ESHttpPost` for the specific OpenSearch domain ARN.

3. Trust Relationship:
- Configure the trust policy to allow the current user or account to assume this role.
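The policy documents these steps describe, as an added example (not taken from AWS or OpenSearch documentation), with a small check that flags wildcard actions, resources and principals before the JSON is pasted into the console. The account ID, region, endpoint and domain names are constructed placeholders; `es.amazonaws.com` is the OpenSearch Service principal, and the `aws:SourceAccount` condition is an added hardening that the steps above do not mention.

```python
import json

# Constructed placeholder values; substitute your own account, region and names.
ACCOUNT, REGION = "111122223333", "us-east-1"
ENDPOINT_ARN = f"arn:aws:sagemaker:{REGION}:{ACCOUNT}:endpoint/deepseek-endpoint"
DOMAIN_ARN = f"arn:aws:es:{REGION}:{ACCOUNT}:domain/my-domain"

def policy(*statements):
    return {"Version": "2012-10-17", "Statement": list(statements)}

def allow(actions, resource):
    return {"Effect": "Allow", "Action": actions, "Resource": resource}

def invoke_role_trust():
    """Trust policy: only OpenSearch Service, acting for this account, may assume the role."""
    return policy({
        "Effect": "Allow",
        "Principal": {"Service": "es.amazonaws.com"},
        "Action": "sts:AssumeRole",
        # Added hardening (assumption, not on the page): confused-deputy guard.
        "Condition": {"StringEquals": {"aws:SourceAccount": ACCOUNT}},
    })

def invoke_role_permissions():
    return policy(allow(["sagemaker:InvokeEndpoint"], ENDPOINT_ARN))

def connector_role_permissions():
    # es:ESHttp* actions apply to paths under the domain, hence the trailing /*.
    return policy(allow(["es:ESHttpPost"], f"{DOMAIN_ARN}/*"))

def too_broad(arn):
    """True for "*" or an ARN naming every resource of a type, e.g. endpoint/*."""
    return arn == "*" or arn.split(":", 5)[-1].partition("/")[2].startswith("*")

def as_list(value):
    return value if isinstance(value, list) else [value]

def lint(doc):
    """Return one finding per wildcard action, resource or principal."""
    findings = []
    for i, st in enumerate(doc["Statement"]):
        findings += [f"statement {i}: wildcard action {a}" for a in as_list(st["Action"]) if "*" in a]
        findings += [f"statement {i}: unscoped resource {r}"
                     for r in as_list(st.get("Resource", [])) if too_broad(r)]
        if st.get("Principal") in ("*", {"AWS": "*"}):
            findings.append(f"statement {i}: any principal may assume the role")
    return findings

if __name__ == "__main__":
    for doc in (invoke_role_trust(), invoke_role_permissions(), connector_role_permissions()):
        print(json.dumps(doc, indent=2), lint(doc))
```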

Configuring OpenSearch Roles

1. Define OpenSearch Roles

1. Access OpenSearch Dashboards:
- Navigate to your OpenSearch domain and access OpenSearch Dashboards.

2. Create a New Role:
- Go to Security > Roles.
- Click Create role.
- Provide a name for the role and define the necessary permissions (e.g., read/write access to specific indexes).

3. Map Backend Roles:
- If you're integrating with AWS IAM, you'll need to map the IAM roles to OpenSearch roles.
- Go to the role you created in OpenSearch and select Mapped users > Manage mapping.
- Enter the ARN of the IAM role you created for invoking DeepSeek or creating a connector.

Integrating with AWS IAM Identity Center (Optional)

If you're using AWS IAM Identity Center (formerly AWS Single Sign-On) for identity federation, you can map IAM Identity Center groups to OpenSearch roles using SAML attributes. This allows you to manage access control centrally.

1. Integrate IAM Identity Center with OpenSearch:
- Set up SAML integration between IAM Identity Center and OpenSearch Service.
- Map groups in IAM Identity Center to predefined OpenSearch roles based on SAML attributes.

2. Configure Backend Role Mapping:
- Log in to OpenSearch Dashboards as an administrator.
- Configure the mapping for each group to the appropriate OpenSearch role.

By following these steps, you can effectively create and configure IAM roles for DeepSeek and OpenSearch, ensuring secure and controlled access to your resources.
