Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

IT-3988: Add role to invoke model and move inline sso policy to managed policy #1277

Merged
merged 8 commits into from
Nov 13, 2024
Merged

IT-3988: Add role to invoke model and move inline sso policy to managed policy #1277

Show file tree
Hide file tree
Changes from 2 commits
Commits
Show all changes
8 commits
Select commit Hold shift + click to select a range
44ecb01
Add role
xschildw Nov 7, 2024
92f7d2f
Move policy from inline to managed
xschildw Nov 7, 2024
425e5f5
Rename stack/policy
xschildw Nov 7, 2024
bde215d
Fix per review
xschildw Nov 11, 2024
186507c
Rename stack
xschildw Nov 11, 2024
ffdc3e1
Restore inline policy per review
xschildw Nov 11, 2024
e5631ba
Create agent role in all accounts per review
xschildw Nov 12, 2024
8cab8d7
Rename output per review
xschildw Nov 13, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
28 changes: 28 additions & 0 deletions org-formation/600-access/_tasks.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -388,3 +388,31 @@ SynapseAthenaUserAccessPolicy:
]
}
PolicyName: SynapseAthenaUserAccessPolicy

SynapseLlmBedrockAgentPolicy:
Copy link
Contributor Author

@xschildw xschildw Nov 7, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@zaro0508 , wondering if I should have the policy here or if I should move it as a resource alongside the bedrock agent role below.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@zaro0508 , wondering if I should have the policy here or if I should move it as a resource alongside the bedrock agent role below.

You'll notice that existing policy definitions created in here are meant to be applied to all accounts (Account: '*') because some AWS features require us to apply the same policy. If you are intending to apply this to one account then I would say that it's more appropriate to setup this policy with the resource that needs it.

Type: update-stacks
Template: https://raw.githubusercontent.com/Sage-Bionetworks/aws-infra/v0.5.1/templates/IAM/managed-policy.yaml
StackName: synapsellm-bedrock-agent-policy
DefaultOrganizationBinding:
IncludeMasterAccount: true
Account:
- SynapseLlmProdAccount
Region: !Ref primaryRegion
Parameters:
PolicyDocument: >-
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": "arn:aws:s3:::cf-template*"
},
{
"Effect": "Allow",
"Action": "iam:PassRole",
"Resource": "*"
}
]
}
PolicyName: SynapseLlmBedrockAgentPolicyName
12 changes: 0 additions & 12 deletions org-formation/700-aws-sso/_tasks.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -641,18 +641,6 @@ SsoLlmDeveloper:
managedPolicies:
- 'arn:aws:iam::aws:policy/AmazonBedrockFullAccess'
- 'arn:aws:iam::aws:policy/AWSCloudFormationFullAccess'
# https://stackoverflow.com/questions/58125181/cloud-formation-cant-upload-template-file
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Moving to a managed policy with the hope we can tweak it manually until we get what we need. Inline, we get an error because it's under AWS control.

inlinePolicy: >-
xschildw marked this conversation as resolved.
Show resolved Hide resolved
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": "arn:aws:s3:::cf-template*"
}
]
}
sessionDuration: 'PT12H'

# Role for a user that can only access AWS Athena in the Synapse Dev account
Expand Down
14 changes: 14 additions & 0 deletions org-formation/745-bedrock-agent-role/_tasks.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,14 @@
Parameters:
<<: !Include '../_parameters.yaml'

appName:
Type: String
Default: 'BedrockAgentRole'

BedrockAgentRole:
Type: update-stacks
Template: ./bedrock-agent-role.yaml
StackName: !Sub '${resourcePrefix}-${appName}-BedrockAgentRole'
DefaultOrganizationBindingRegion: !Ref primaryRegion
DefaultOrganizationBinding:
Account: !Ref SynapseLlmProdAccount
35 changes: 35 additions & 0 deletions org-formation/745-bedrock-agent-role/bedrock-agent-role.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,35 @@
AWSTemplateFormatVersion: '2010-09-09'
Description: Enables executing a Bedrock model

Resources:
bedrockAgentRole:
Type: AWS::IAM::Role
xschildw marked this conversation as resolved.
Show resolved Hide resolved
Properties:
AssumeRolePolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Principal:
Service: bedrock.amazonaws.com
Action: sts:AssumeRole
Condition:
StringEquals:
aws:SourceAccount: !Ref AWS::AccountId
ArnLike:
aws:SourceArn: !Sub "arn:aws:bedrock:${AWS::Region}:${AWS::AccountId}:agent/*"
Policies:
- PolicyName: bedrockAgentPolicy
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Action: "bedrock:InvokeModel"
Resource:
- !Sub "arn:aws:bedrock:${AWS::Region}::foundation-model/*"

Outputs:
BedrockAgentRoleArn:
Description: The ARN of the Bedrock Agent Role
Value: !GetAtt bedrockAgentRole.Arn
Export:
Name: BedrockAgentRoleArn
Loading