

How do I configure the trust relationship for the IAM role used with DeepSeek


Configuring a trust relationship for an IAM role used with DeepSeek involves defining which entities can assume the role. Here's a step-by-step guide to set up the trust relationship:

**1. Create an IAM Role**

First, you need to create an IAM role specifically for DeepSeek. This role will be used to manage access to your resources. For example, if you are using OpenSearch with DeepSeek, you might create roles like `my_create_deepseek_connector_role` or `my_invoke_sagemaker_deepseek_model_role` depending on your setup[1][3][4].

**2. Define the Trust Policy**

The trust policy specifies which principals can assume the role. Here's how you can define it:

- For User Assumption: If you want an IAM user to assume the role, the trust policy should look like this:

  ```json
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Principal": {
          "AWS": "arn:aws:iam::your_account_id:user/your_user_name"
        },
        "Action": "sts:AssumeRole"
      }
    ]
  }
  ```

Replace `your_account_id` and `your_user_name` with your actual AWS account ID and the name of the user who will assume the role[1][3].

- For Service Assumption: If a service like OpenSearch Service needs to assume the role, the trust policy should specify the service as the principal:

  ```json
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Principal": {
          "Service": "es.amazonaws.com"
        },
        "Action": "sts:AssumeRole"
      }
    ]
  }
  ```

This allows OpenSearch Service to assume the role[4].

**3. Assign Permissions**

After defining the trust policy, you need to assign the necessary permissions to the role. This includes actions like `es:ESHttpPost` for OpenSearch operations or `sagemaker:InvokeEndpoint` if you are using SageMaker[3][4].

**4. Map the Role in OpenSearch (If Applicable)**

If you are using OpenSearch, you need to map the IAM role to an OpenSearch role. This involves logging into OpenSearch Dashboards, selecting the Security section, choosing the `ml_full_access` role, and mapping the IAM role ARN to it[1][3].

**5. Test the Configuration**

Finally, test your configuration by attempting to assume the role or perform actions that require the role's permissions. This ensures that the trust relationship and permissions are correctly set up.
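One way to check a trust policy from step 2 offline before attaching it to the role, as an added example that is not taken from the cited tutorials. It goes beyond the steps above by also flagging a service principal that has no `aws:SourceAccount` or `aws:SourceArn` condition, which AWS recommends for confused-deputy protection; the account ID, user name, and function names are constructed placeholders.

```python
import json

SOURCE_KEYS = {"aws:sourceaccount", "aws:sourcearn"}  # condition key names are case-insensitive

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _has_source_condition(stmt):
    """True if any condition operator pins aws:SourceAccount or aws:SourceArn."""
    return any(key.lower() in SOURCE_KEYS
               for operands in stmt.get("Condition", {}).values()
               for key in operands)

def lint_trust_policy(policy_json, allowed_principals):
    """Return findings for a role trust policy; an empty list means nothing was flagged."""
    findings = []
    statements = _as_list(json.loads(policy_json).get("Statement", []))
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        if any(a in ("*", "sts:*") for a in _as_list(stmt.get("Action", []))):
            findings.append(f"statement {i}: wildcard action")
        principal = stmt.get("Principal", {})
        if isinstance(principal, str):  # the only valid string form is "*"
            principal = {"AWS": principal}
        for kind, values in principal.items():
            for p in _as_list(values):
                if p == "*":
                    findings.append(f"statement {i}: wildcard principal")
                elif p not in allowed_principals:
                    findings.append(f"statement {i}: unexpected principal {p}")
                elif kind == "Service" and not _has_source_condition(stmt):
                    findings.append(f"statement {i}: {p} has no aws:SourceAccount/aws:SourceArn condition")
    return findings

# Constructed inputs: 123456789012 and deepseek-admin are placeholders, not real identifiers.
ALLOWED = {"arn:aws:iam::123456789012:user/deepseek-admin", "es.amazonaws.com"}
USER_POLICY = '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"AWS":"arn:aws:iam::123456789012:user/deepseek-admin"},"Action":"sts:AssumeRole"}]}'
SERVICE_POLICY = '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":"es.amazonaws.com"},"Action":"sts:AssumeRole"}]}'
SCOPED_SERVICE_POLICY = '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":"es.amazonaws.com"},"Action":"sts:AssumeRole","Condition":{"StringEquals":{"aws:SourceAccount":"123456789012"}}}]}'
OPEN_POLICY = '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":"*","Action":"sts:AssumeRole"}]}'

if __name__ == "__main__":
    for name, doc in [("user", USER_POLICY), ("service", SERVICE_POLICY),
                      ("scoped service", SCOPED_SERVICE_POLICY), ("open", OPEN_POLICY)]:
        print(name, lint_trust_policy(doc, ALLOWED))
```
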

By following these steps, you can effectively configure the trust relationship for an IAM role used with DeepSeek, ensuring secure and controlled access to your AWS resources.

Citations:
[1] https://github.com/opensearch-project/ml-commons/blob/main/docs/tutorials/aws/RAG_with_DeepSeek_R1_model_on_Bedrock.md
[2] https://help.alteryx.com/smc/r87/en/admin/admin-tasks/access-management-tasks/insert-trust-relationship-in-aws-iam-role.html
[3] https://github.com/opensearch-project/ml-commons/blob/main/docs/tutorials/aws/RAG_with_DeepSeek_Chat_model.md
[4] https://github.com/opensearch-project/ml-commons/blob/main/docs/tutorials/aws/RAG_with_DeepSeek_R1_model_on_Sagemaker.md
[5] https://aws.amazon.com/blogs/security/how-to-use-trust-policies-with-iam-roles/
[6] https://repost.aws/questions/QUiK9bvkk6SJ2nwJOnK6HSnQ/please-tell-if-i-need-to-set-up-trust-policy-while-creating-roles-and-policy-for-user
[7] https://aws.amazon.com/blogs/big-data/use-deepseek-with-amazon-opensearch-service-vector-database-and-amazon-sagemaker/
[8] https://docs.aws.amazon.com/directoryservice/latest/admin-guide/edit_trust.html
[9] https://repost.aws/questions/QUj_LoUz5hTW2KVEE9apa-dA/role-assumption-trust-policy