To create an IAM role for DeepSeek, especially when deploying models on Amazon Bedrock or using AWS services like S3, you need to ensure the role includes specific permissions. Here's a detailed breakdown of the necessary permissions:
For Deploying DeepSeek on Amazon Bedrock
1. Access to Bedrock Models: The IAM role should have permission to invoke models on Bedrock. This includes the `bedrock:InvokeModel` action. Ensure that the resource is set to the ARN of your DeepSeek model.
2. S3 Bucket Access: If your model files are stored in an S3 bucket, the role needs permissions to access the bucket. This includes actions like `s3:GetObject` and `s3:ListBucket`. The resource should be set to the ARN of your S3 bucket.
3. Model Import Permissions: If you are importing models from S3 into Bedrock, include the `bedrock:ImportModel` action in your policy.
Example policy snippet for Bedrock and S3 access:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "bedrock:InvokeModel",
        "bedrock:ImportModel"
      ],
      "Resource": [
        "your_DeepSeek_R1_model_ARN"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::your-s3-bucket",
        "arn:aws:s3:::your-s3-bucket/*"
      ]
    }
  ]
}
```
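An added example, not part of the original page: a small Python linter for two resource-scoping mistakes that are easy to make in a policy like this one, an S3 ARN listed under Bedrock-only actions and `s3:ListBucket` granted only on the object ARN (`bucket/*`), plus wildcard checks. The sample policy, account ID, model ID, finding names and function names are constructed for illustration.

```python
import json

# Constructed sample policy: placeholder account ID, model ID and bucket name.
SAMPLE_POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [
  {"Effect": "Allow",
   "Action": ["bedrock:InvokeModel"],
   "Resource": ["arn:aws:bedrock:us-east-1:111122223333:imported-model/EXAMPLE",
                "arn:aws:s3:::your-s3-bucket/*"]},
  {"Effect": "Allow",
   "Action": ["s3:GetObject", "s3:ListBucket"],
   "Resource": ["arn:aws:s3:::your-s3-bucket/*"]}]}
""")

# S3 actions that are evaluated against the bucket ARN, not object ARNs.
BUCKET_LEVEL_S3_ACTIONS = {"s3:listbucket", "s3:getbucketlocation"}

def as_list(value):
    return value if isinstance(value, list) else [value]

def arn_service(arn):
    """Return the service field of an ARN, or None for non-ARN placeholders."""
    parts = arn.split(":", 5)
    return parts[2] if len(parts) == 6 and parts[0] == "arn" else None

def lint_policy(policy):
    """Return (statement_index, finding, value) tuples for Allow statements."""
    findings = []
    for idx, st in enumerate(as_list(policy["Statement"])):
        if st.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in as_list(st.get("Action", []))]
        resources = as_list(st.get("Resource", []))
        services = {a.split(":")[0] for a in actions if ":" in a}
        findings += [(idx, "wildcard-action", a) for a in actions
                     if a == "*" or a.endswith(":*")]
        for r in resources:
            svc = arn_service(r)
            if r == "*":
                findings.append((idx, "wildcard-resource", r))
            elif svc and "*" not in actions and svc not in services:
                # e.g. an S3 ARN listed under a statement with only bedrock: actions
                findings.append((idx, "resource-matches-no-action", r))
        s3_arns = [r for r in resources if arn_service(r) == "s3"]
        bucket_arn = any("/" not in r.split(":::", 1)[-1] for r in s3_arns)
        findings += [(idx, "bucket-action-on-object-arn", a) for a in actions
                     if a in BUCKET_LEVEL_S3_ACTIONS and s3_arns and not bucket_arn]
    return findings
```

Calling `lint_policy(SAMPLE_POLICY)` returns one finding per statement; a policy that scopes the Bedrock statement to the model ARN and lists both the bucket ARN and `bucket/*` for S3 returns none.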
For General AWS Services
1. Trust Policy: Ensure the IAM role has a trust policy that allows the appropriate AWS service (e.g., `es.amazonaws.com` for OpenSearch or `ec2.amazonaws.com` for EC2) to assume the role.
2. Additional Permissions: Depending on your setup, you might need additional permissions for services like OpenSearch (e.g., `es:ESHttpPost`) or EC2 (e.g., `ec2:DescribeInstances`).
Example Trust Policy for OpenSearch
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "es.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```
Example Trust Policy for EC2
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```
Additional Considerations
- Least Privilege Principle: Ensure that your IAM roles adhere to the least privilege principle by granting only the necessary permissions required for your application to function.
- Role Naming and Management: Use descriptive names for your IAM roles (e.g., `my_invoke_bedrock_deepseek_model_role`) and keep track of their ARNs for future reference.
- Temporary Credentials: If using temporary credentials (e.g., via `aws sts assume-role`), ensure they are properly configured and updated in your AWS CLI settings.