AWS Role-Based Authentication
In Driverless AI, it is possible to enable role-based authentication via the IAM role. This is a two-step process that involves setting up AWS IAM and then starting Driverless AI by specifying the role in the config.toml file or by setting the AWS_USE_EC2_ROLE_CREDENTIALS environment variable to True.
AWS IAM Setup
Create an IAM role. This IAM role should have a Trust Relationship with Principal Trust Entity set to your Account ID. For example, the trust relationship for Account ID 524466471676 would look like:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::524466471676:root"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
Create a new policy that lets users assume the role:
Assign the policy to the user.
Test role switching here: https://signin.aws.amazon.com/switchrole. (Refer to https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_roles.html#troubleshoot_roles_cant-assume-role.)
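As an added example (not part of the Driverless AI documentation), the Python below checks that the trust relationship from the first step and a user policy for the second step line up before you test role switching. The user policy, the role name example-dai-role and all function names are constructed for illustration.

```python
import json

# Trust policy from the first step (account ID as given on the page).
TRUST_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Principal": {"AWS": "arn:aws:iam::524466471676:root"}, "Action": "sts:AssumeRole"}]}""")

# Constructed user policy for the second step; "example-dai-role" is a placeholder name.
ROLE_ARN = "arn:aws:iam::524466471676:role/example-dai-role"
USER_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": ROLE_ARN}]}


def as_list(value):
    """IAM accepts a string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def allows_assume(stmt):
    """True for an Allow statement that names sts:AssumeRole exactly (no action wildcards)."""
    return stmt.get("Effect") == "Allow" and "sts:AssumeRole" in as_list(stmt.get("Action", []))


def trusted_accounts(trust_policy):
    """Account IDs (or "*") whose principals the trust policy lets assume the role."""
    accounts = set()
    for stmt in filter(allows_assume, as_list(trust_policy["Statement"])):
        principal = stmt.get("Principal", {})
        arns = ["*"] if principal == "*" else as_list(principal.get("AWS", []))
        for arn in arns:
            # "*" means any AWS principal; a bare 12-digit ID is shorthand for the account
            accounts.add(arn if arn == "*" or arn.isdigit() else arn.split(":")[4])
    return accounts


def check_pair(trust_policy, user_policy, role_arn, user_account):
    """Return findings; an empty list means the two policies line up for role_arn."""
    findings = []
    accounts = trusted_accounts(trust_policy)
    if "*" in accounts:
        findings.append("trust policy allows any AWS principal")
    elif user_account not in accounts:
        findings.append("user's account is not trusted by the role")
    resources = [r for s in filter(allows_assume, as_list(user_policy["Statement"]))
                 for r in as_list(s.get("Resource", []))]
    if any("*" in r for r in resources):
        findings.append("user policy grants sts:AssumeRole on a wildcard resource")
    elif role_arn not in resources:
        findings.append("user policy does not grant sts:AssumeRole on this role")
    return findings
```

Because the trust relationship names the account root, any identity in that account that holds sts:AssumeRole on the role can assume it, so the Resource in the user policy is what limits who can switch.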
Driverless AI Setup
Update the aws_use_ec2_role_credentials config variable in the config.toml file or start Driverless AI using the AWS_USE_EC2_ROLE_CREDENTIALS environment variable.
Resources
Granting a User Permissions to Switch Roles: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_permissions-to-switch.html
Creating a Role to Delegate Permissions to an IAM User: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user.html
Assuming an IAM Role in the AWS CLI: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-role.html