

What permissions should be included in the IAM role for DeepSeek


To create an IAM role for DeepSeek, especially when deploying models on Amazon Bedrock or using AWS services like S3, you need to ensure the role includes specific permissions. Here's a detailed breakdown of the necessary permissions:

For Deploying DeepSeek on Amazon Bedrock

1. Access to Bedrock Models: The IAM role should have permission to invoke models on Bedrock. This includes the `bedrock:InvokeModel` action. Ensure that the resource is set to the ARN of your DeepSeek model.

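2. S3 Bucket Access: If your model files are stored in an S3 bucket, the role needs permissions to access the bucket. This includes actions like `s3:GetObject` and `s3:ListBucket`. The resource should be set to the ARN of your S3 bucket: `s3:ListBucket` is evaluated against the bucket ARN itself (`arn:aws:s3:::your-s3-bucket`), while `s3:GetObject` is evaluated against the object ARNs under it (`arn:aws:s3:::your-s3-bucket/*`).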

3. Model Import Permissions: If you are importing models from S3 into Bedrock, include the `bedrock:ImportModel` action in your policy.

Example policy snippet for Bedrock and S3 access:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "bedrock:InvokeModel",
        "bedrock:ImportModel"
      ],
      "Resource": [
        "your_DeepSeek_R1_model_ARN"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::your-s3-bucket",
        "arn:aws:s3:::your-s3-bucket/*"
      ]
    }
  ]
}
```

For General AWS Services

1. Trust Policy: Ensure the IAM role has a trust policy that allows the appropriate AWS service (e.g., `es.amazonaws.com` for OpenSearch or `ec2.amazonaws.com` for EC2) to assume the role.

2. Additional Permissions: Depending on your setup, you might need additional permissions for services like OpenSearch (e.g., `es:ESHttpPost`) or EC2 (e.g., `ec2:DescribeInstances`).

Example Trust Policy for OpenSearch

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "es.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```

Example Trust Policy for EC2

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```

Additional Considerations

- Least Privilege Principle: Ensure that your IAM roles adhere to the least privilege principle by granting only the necessary permissions required for your application to function.
- Role Naming and Management: Use descriptive names for your IAM roles (e.g., `my_invoke_bedrock_deepseek_model_role`) and keep track of their ARNs for future reference.
- Temporary Credentials: If using temporary credentials (e.g., via `aws sts assume-role`), ensure they are properly configured and updated in your AWS CLI settings.
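
To make the least-privilege bullet checkable, here is an added example (not code from AWS, DeepSeek or the cited tutorials) that lints a Bedrock/S3 permissions policy for wildcards, resources that no action in the statement can apply to, and S3 actions scoped to the wrong ARN level. The function names, account ID, model ID and bucket name are assumptions made up for the illustration.

```python
import json

# Constructed sample policy; account ID, model ID and bucket name are placeholders.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "bedrock:InvokeModel",
     "Resource": ["arn:aws:bedrock:us-east-1:111122223333:imported-model/EXAMPLE",
                  "arn:aws:s3:::your-s3-bucket/*"]},
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::your-s3-bucket/*"]}
  ]
}""")

def as_list(value):
    """IAM accepts a single value or a list for Statement, Action and Resource."""
    return value if isinstance(value, list) else [value]

def arn_service(arn):
    """Service field of an ARN (arn:partition:service:...), or None if malformed."""
    parts = arn.split(":")
    return parts[2] if len(parts) > 2 and parts[0] == "arn" else None

def lint_policy(policy):
    """Return (statement_index, message) findings for Allow statements."""
    findings = []
    for i, stmt in enumerate(as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = as_list(stmt.get("Action", []))
        resources = as_list(stmt.get("Resource", []))  # absent in trust policies
        for a in actions:
            if a == "*" or a.endswith(":*"):
                findings.append((i, f"wildcard action {a}"))
        services = {a.split(":")[0].lower() for a in actions}
        for r in resources:
            if r == "*":
                findings.append((i, "wildcard resource *"))
            elif "*" not in services and arn_service(r) not in services:
                findings.append((i, f"no action in this statement applies to {r}"))
        s3_arns = [r for r in resources if arn_service(r) == "s3"]
        # ListBucket is a bucket-level action, GetObject an object-level one.
        for action, want_key in (("s3:ListBucket", False), ("s3:GetObject", True)):
            if action in actions and not any(("/" in r) == want_key for r in s3_arns):
                kind = "object ARN (bucket/key)" if want_key else "bucket ARN (no /key)"
                findings.append((i, f"{action} needs a {kind}"))
    return findings

if __name__ == "__main__":
    print("\n".join(f"Statement[{i}]: {m}" for i, m in lint_policy(SAMPLE_POLICY)))
```

Action names are matched with exact case here; a placeholder such as `your_DeepSeek_R1_model_ARN` is reported as a resource no action applies to, which is a useful reminder to substitute the real ARN before attaching the policy.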
