

Are there any additional policies needed for the IAM role when using DeepSeek with OpenSearch?


When using DeepSeek with OpenSearch, you typically need to configure IAM roles to manage access and permissions effectively. Here's a detailed overview of the policies you might need:

**1. Custom Trust Policy for IAM Role**

To create an IAM role for signing the create connector request, you need a custom trust policy. This policy allows a specific IAM user to assume the role. Here's an example:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "your_iam_user_arn"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```

Replace `"your_iam_user_arn"` with the ARN of the IAM user that will run the `aws sts assume-role` command.

**2. Permissions Policy for IAM Role**

The permissions policy for this IAM role should include actions to pass the role and perform HTTP POST operations on your OpenSearch domain. Here's an example:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": "your_iam_role_arn_created_in_step1"
    },
    {
      "Effect": "Allow",
      "Action": "es:ESHttpPost",
      "Resource": "your_opensearch_domain_arn_created_in_step0"
    }
  ]
}
```

Replace `"your_iam_role_arn_created_in_step1"` with the ARN of the role you created in the previous step, and `"your_opensearch_domain_arn_created_in_step0"` with the ARN of your OpenSearch domain.
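Because the role above is the one passed to the connector, it is worth checking that neither document grants more than steps 1 and 2 describe: one named IAM user may assume the role, and the role may only pass itself and POST to the one domain. The following lint is an added example, not code from the OpenSearch tutorials; the ARNs are constructed placeholders and the policies are the two documents above with those placeholders filled in.

```python
from typing import Dict, List

# Constructed placeholder ARNs (not real accounts or resources).
USER_ARN = "arn:aws:iam::123456789012:user/connector-admin"
ROLE_ARN = "arn:aws:iam::123456789012:role/opensearch-connector-role"
DOMAIN_ARN = "arn:aws:es:us-east-1:123456789012:domain/rag-domain"

# The trust and permissions documents from steps 1 and 2, placeholders filled in.
TRUST_POLICY: Dict = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Principal": {"AWS": USER_ARN}, "Action": "sts:AssumeRole"}]}
PERMISSIONS_POLICY: Dict = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "iam:PassRole", "Resource": ROLE_ARN},
    {"Effect": "Allow", "Action": "es:ESHttpPost", "Resource": DOMAIN_ARN}]}

def _as_list(value):
    # IAM allows a single string or a list for Principal.AWS, Action and Resource.
    return value if isinstance(value, list) else [value]

def lint_trust_policy(doc: Dict, expected_user_arn: str) -> List[str]:
    """Flag trust statements that let anyone but the intended IAM user assume the role."""
    findings = []
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        aws = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        for p in aws:
            if p != expected_user_arn:
                findings.append(f"trust: principal {p!r} is not the intended IAM user")
        for action in _as_list(stmt.get("Action", [])):
            if action != "sts:AssumeRole":
                findings.append(f"trust: unexpected action {action!r}")
    return findings

def lint_permissions_policy(doc: Dict, role_arn: str, domain_arn: str) -> List[str]:
    """Flag anything wider than iam:PassRole on the role and es:ESHttpPost on the domain."""
    expected = {"iam:PassRole": role_arn, "es:ESHttpPost": domain_arn}
    findings = []
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        resources = _as_list(stmt.get("Resource", []))
        for action in _as_list(stmt.get("Action", [])):
            if action not in expected:
                findings.append(f"permissions: action {action!r} is not needed for the connector")
                continue
            for res in resources:
                # A domain ARN may legitimately carry a trailing "/*"; anything else is off-target.
                if res != expected[action] and not res.startswith(expected[action] + "/"):
                    findings.append(f"permissions: {action} granted on {res!r}")
    return findings
```

Run both linters before creating the role; an empty list from each means the documents match the scope described in steps 1 and 2.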

**3. Mapping Backend Role in OpenSearch**

After creating the IAM role, you need to map it to a backend role in OpenSearch Dashboards:

1. Log in to OpenSearch Dashboards.
2. Navigate to Security > Roles.
3. Select the ml_full_access role.
4. On the role details page, select Mapped users, then Manage mapping.
5. Enter the ARN of the IAM role you created and select Map.

**4. Additional Policies for DeepSeek with SageMaker**

If you're using DeepSeek with Amazon SageMaker, you'll need an additional IAM role that allows OpenSearch to invoke your SageMaker endpoint. This role should have a trust relationship with OpenSearch Service and permissions to invoke the SageMaker endpoint.

**5. Resource-Based Policies for OpenSearch**

Ensure that your OpenSearch domain's access policy allows access from the IAM role attached to your EC2 instance or the user making requests. This involves setting an "Allow" statement in the OpenSearch access policy for the IAM user or role.

Conclusion

When using DeepSeek with OpenSearch, you need to configure IAM roles with specific trust and permissions policies. Additionally, ensure that your OpenSearch domain's access policy allows access from these roles. Mapping these roles to backend roles in OpenSearch Dashboards completes the setup for secure and controlled access.
