AWS Role-Based Authentication

In Driverless AI, it is possible to enable role-based authentication via the IAM role. This is a two-step process that involves setting up AWS IAM and then starting Driverless AI by specifying the role in the config.toml file or by setting the AWS_USE_EC2_ROLE_CREDENTIALS environment variable to True.

AWS IAM Setup

  1. Create an IAM role. This IAM role should have a Trust Relationship with the Principal Trust Entity set to your Account ID. For example, the trust relationship for Account ID 524466471676 would look like:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::524466471676:root"
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }
    
  2. Create a new policy that allows users to assume the role.
  3. Assign the policy to the user.
  4. Test role switching here: https://signin.aws.amazon.com/switchrole. (For troubleshooting, refer to https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_roles.html#troubleshoot_roles_cant-assume-role.)
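
The following Python sketch is an added example, not part of the Driverless AI documentation. It audits the trust policy from the first step for principals wider than the intended account and builds a policy of the kind the second step calls for, scoped to a single role. The role name EXAMPLE-ROLE-NAME is a placeholder and the function names are illustrative.

```python
import json

# Trust policy from step 1, using the account ID shown on this page.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::524466471676:root"},
        "Action": "sts:AssumeRole",
    }],
}

def principal_account(principal):
    """Return the account ID of an AWS principal (ARN or bare 12-digit ID)."""
    if principal.isdigit() and len(principal) == 12:
        return principal
    parts = principal.split(":")
    return parts[4] if len(parts) >= 6 and parts[0] == "arn" else None

def audit_trust_policy(policy, expected_account):
    """Return findings for Allow statements that widen who can assume the role."""
    findings = []
    stmts = policy.get("Statement", [])
    for stmt in [stmts] if isinstance(stmts, dict) else stmts:
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        aws = "*" if principal == "*" else principal.get("AWS", [])
        for p in [aws] if isinstance(aws, str) else aws:
            if p == "*":
                findings.append("wildcard principal")
            elif principal_account(p) != expected_account:
                findings.append("principal outside account: " + p)
            elif (p == expected_account or p.endswith(":root")) and "Condition" not in stmt:
                findings.append("account-wide trust: access depends on step 2 policies")
    return findings

def assume_role_policy(role_arn):
    """Build the step 2 identity policy: sts:AssumeRole on one role only."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": role_arn}],
    }

if __name__ == "__main__":
    # Placeholder role name; substitute the role created in step 1.
    role_arn = "arn:aws:iam::524466471676:role/EXAMPLE-ROLE-NAME"
    print(audit_trust_policy(TRUST_POLICY, "524466471676"))
    print(json.dumps(assume_role_policy(role_arn), indent=2))
```

The account-wide finding on the page's own policy is expected: trusting the account root delegates the decision to the identity policies in that account, so the policy attached to the user should name the specific role ARN rather than a wildcard resource.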

Driverless AI Setup

Update the aws_use_ec2_role_credentials config variable in the config.toml file or start Driverless AI using the AWS_USE_EC2_ROLE_CREDENTIALS environment variable.