Creating an IAM role for DeepSeek involves several steps to ensure that the role has the necessary permissions to access and invoke the model on AWS Bedrock. Here are the detailed steps:

Step 1: Access the AWS Management Console
Navigate to the AWS Management Console and go to the IAM dashboard. Click on "Roles" and then select "Create role."

Step 2: Choose the Trusted Entity Type
In the "Create role" wizard, select "AWS service" as the trusted entity type. For DeepSeek on Bedrock, you might choose "Custom" if you're not using a specific AWS service directly, but typically, you would select a service like "S3" if you're storing model artifacts there.

Step 3: Define the Trust Policy
For a role that will be used by an AWS service like OpenSearch to invoke a model on Bedrock, you need a custom trust policy. This policy allows the service to assume the role. Here is an example for OpenSearch:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "es.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```

Step 4: Attach Permissions Policies
You need to attach policies that grant the necessary permissions. For invoking a model on Bedrock, you need a policy like this:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "bedrock:InvokeModel"
      ],
      "Effect": "Allow",
      "Resource": "your_DeepSeek_R1_model_ARN_"
    }
  ]
}
```
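If your model artifacts are stored in S3, ensure the role has permission to access them. `s3:ListBucket` is evaluated against the bucket ARN and `s3:GetObject` against the object ARNs, so both are listed under `Resource`:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::your-s3-bucket",
        "arn:aws:s3:::your-s3-bucket/*"
      ]
    }
  ]
}
```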

Step 5: Name and Review the Role
Give your role a descriptive name, such as `my_invoke_bedrock_deepseek_model_role`. Review the settings to ensure everything is correct, then click "Create role."

Step 6: Note the Role ARN
After creating the role, note down the ARN of the role. You will need this ARN in subsequent steps to configure access to your OpenSearch cluster or other services.

Step 7: Configure Role Mapping in OpenSearch (If Necessary)
If you're integrating this role with OpenSearch, you'll need to map it to a role in OpenSearch Dashboards. Go to the Security section, select Roles, choose the `ml_full_access` role, and map the IAM role ARN to it under Mapped users.

These steps ensure that your IAM role is properly configured to invoke the DeepSeek model on AWS Bedrock and integrate with other AWS services like OpenSearch.
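
Before clicking "Create role" in Step 5, the policy documents from Steps 3 and 4 can be checked offline. The script below is an added example, not code from the cited tutorials: it flags a service trust policy with no `aws:SourceAccount` or `aws:SourceArn` condition (the keys AWS recommends for confused-deputy prevention), wildcard grants, and a bucket-level S3 action scoped only to object ARNs. The sample policies are constructed, the account ID `111122223333` is a placeholder, and the function names are illustrative.

```python
import json

# Constructed samples modelled on Steps 3 and 4; the account ID is a placeholder.
TRUST = json.loads("""{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Principal": {"Service": "es.amazonaws.com"}, "Action": "sts:AssumeRole"}]}""")
SCOPED_TRUST = json.loads("""{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Principal": {"Service": "es.amazonaws.com"}, "Action": "sts:AssumeRole",
  "Condition": {"StringEquals": {"aws:SourceAccount": "111122223333"}}}]}""")
S3_OBJECTS_ONLY = json.loads("""{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Action": ["s3:GetObject", "s3:ListBucket"],
  "Resource": ["arn:aws:s3:::your-s3-bucket/*"]}]}""")

SOURCE_KEYS = {"aws:sourceaccount", "aws:sourcearn"}  # confused-deputy condition keys
BUCKET_LEVEL = {"s3:listbucket", "s3:getbucketlocation"}  # evaluated against the bucket ARN

def as_list(value):
    """IAM accepts a string or a list for Statement/Action/Resource; normalise to a list."""
    return [] if value is None else value if isinstance(value, list) else [value]

def audit_trust(policy):
    """Flag service principals that can assume the role with no source condition."""
    findings = []
    for stmt in as_list(policy.get("Statement")):
        principal = stmt.get("Principal", {})
        if stmt.get("Effect") != "Allow" or not isinstance(principal, dict):
            continue
        keys = {k.lower() for op in stmt.get("Condition", {}).values() for k in op}
        for svc in as_list(principal.get("Service")):
            if not keys & SOURCE_KEYS:
                findings.append(f"{svc}: no aws:SourceAccount or aws:SourceArn condition")
    return findings

def audit_permissions(policy):
    """Flag wildcard grants and bucket-level S3 actions scoped only to object ARNs."""
    findings = []
    for stmt in as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in as_list(stmt.get("Action"))}
        resources = as_list(stmt.get("Resource"))
        findings += [f"wildcard grant {x}" for x in sorted(actions) + resources
                     if "*" in x and not x.startswith("arn:")]
        s3 = [r for r in resources if r.startswith("arn:aws:s3:::")]
        if s3 and actions & BUCKET_LEVEL and all("/" in r for r in s3):
            findings.append("bucket-level S3 action without a bucket ARN in Resource")
    return findings

if __name__ == "__main__":
    print(audit_trust(TRUST), audit_permissions(S3_OBJECTS_ONLY))
```

An empty list from both functions means none of these three checks fired; it does not replace IAM Access Analyzer or a review of who can pass the role.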