Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

IT-3988: Add role to invoke model and move inline sso policy to managed policy #1277

Merged
merged 8 commits into from
Nov 13, 2024
Merged

IT-3988: Add role to invoke model and move inline sso policy to managed policy #1277

Show file tree
Hide file tree
Changes from 5 commits
Commits
Show all changes
8 commits
Select commit Hold shift + click to select a range
44ecb01
Add role
xschildw Nov 7, 2024
92f7d2f
Move policy from inline to managed
xschildw Nov 7, 2024
425e5f5
Rename stack/policy
xschildw Nov 7, 2024
bde215d
Fix per review
xschildw Nov 11, 2024
186507c
Rename stack
xschildw Nov 11, 2024
ffdc3e1
Restore inline policy per review
xschildw Nov 11, 2024
e5631ba
Create agent role in all accounts per review
xschildw Nov 12, 2024
8cab8d7
Rename output per review
xschildw Nov 13, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
36 changes: 36 additions & 0 deletions org-formation/600-access/_tasks.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -388,3 +388,39 @@ SynapseAthenaUserAccessPolicy:
]
}
PolicyName: SynapseAthenaUserAccessPolicy

SynapseLlmDeveloperPolicy:
Type: update-stacks
Template: https://raw.githubusercontent.com/Sage-Bionetworks/aws-infra/v0.5.1/templates/IAM/managed-policy.yaml
StackName: synapsellm-developer-policy
DefaultOrganizationBinding:
IncludeMasterAccount: true
Account:
- SynapseLlmProdAccount
Region: !Ref primaryRegion
Parameters:
PolicyDocument: >-
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": "arn:aws:s3:::cf-template*"
},
{
"Effect": "Allow",
"Action": "iam:PassRole",
"Resource": "*"
}
]
}
PolicyName: SynapseLlmDeveloperPolicy

BedrockAgentRole:
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

why is this role necessary when the goal is to only fix the developer role?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is the policy for the user (sso-llmdeveloper) to be able to work in the console/cloudformation to create an agent.

Type: update-stacks
Template: ./bedrock-agent-role.yaml
StackName: bedrock-agent-role
DefaultOrganizationBindingRegion: !Ref primaryRegion
DefaultOrganizationBinding:
Account: !Ref SynapseLlmProdAccount
35 changes: 35 additions & 0 deletions org-formation/600-access/bedrock-agent-role.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,35 @@
AWSTemplateFormatVersion: '2010-09-09'
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is the role used by the agent when it's running. It has the right to execute a model.

Description: Enables executing a Bedrock model

Resources:
bedrockAgentRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Principal:
Service: bedrock.amazonaws.com
Action: sts:AssumeRole
Condition:
StringEquals:
aws:SourceAccount: !Ref AWS::AccountId
ArnLike:
aws:SourceArn: !Sub "arn:aws:bedrock:${AWS::Region}:${AWS::AccountId}:agent/*"
Policies:
- PolicyName: bedrockAgentPolicy
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Action: "bedrock:InvokeModel"
Resource:
- !Sub "arn:aws:bedrock:${AWS::Region}::foundation-model/*"

Outputs:
BedrockAgentRoleArn:
Description: The ARN of the Bedrock Agent Role
Value: !GetAtt bedrockAgentRole.Arn
Export:
Name: BedrockAgentRoleArn
12 changes: 0 additions & 12 deletions org-formation/700-aws-sso/_tasks.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -641,18 +641,6 @@ SsoLlmDeveloper:
managedPolicies:
- 'arn:aws:iam::aws:policy/AmazonBedrockFullAccess'
- 'arn:aws:iam::aws:policy/AWSCloudFormationFullAccess'
# https://stackoverflow.com/questions/58125181/cloud-formation-cant-upload-template-file
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Moving to a managed policy with the hope we can tweak it manually until we get what we need. Inline, we get an error because it's under AWS control.

inlinePolicy: >-
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": "arn:aws:s3:::cf-template*"
}
]
}
sessionDuration: 'PT12H'

# Role for a user that can only access AWS Athena in the Synapse Dev account
Expand Down
Loading