AWS Role-Based Authentication

In Driverless AI, you can enable role-based authentication through an AWS IAM role. This is a two-step process: set up AWS IAM, then start Driverless AI by specifying the role in the config.toml file or by setting the AWS_USE_EC2_ROLE_CREDENTIALS environment variable to True.

AWS IAM Setup

  1. Create an IAM role. The role's trust relationship must name your account ID as the trusted principal. For example, the trust relationship for account ID 524466471676 looks like this:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::524466471676:root"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

  2. Create a new policy that lets users assume the role.

  3. Assign the policy to the user.

  4. Test role switching here: https://signin.aws.amazon.com/switchrole. (If the role cannot be assumed, refer to https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_roles.html#troubleshoot_roles_cant-assume-role.)
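
The trust policy in step 1 names the account root as principal, which delegates the decision to IAM policies inside that account, so the policy from step 2 is what limits who can assume the role. The following is an added example, not part of the Driverless AI documentation: it builds a step 2 policy scoped to a single role ARN and checks a trust policy against step 1. The role name `driverless-ai-role` is a hypothetical placeholder.

```python
import json

ACCOUNT_ID = "524466471676"        # account ID from the page's example
ROLE_NAME = "driverless-ai-role"   # hypothetical role name (assumption)
# Trust policy from step 1, as shown on the page.
TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:root"},
    "Action": "sts:AssumeRole"}]}


def assume_role_policy(account_id, role_name):
    """Identity policy for step 2: sts:AssumeRole on this one role only."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        # Scope to the single role ARN instead of "*".
        "Resource": f"arn:aws:iam::{account_id}:role/{role_name}"}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def check_trust_policy(trust, account_id):
    """Return findings; an empty list means the policy matches step 1."""
    findings, trusted = [], False
    expected = {f"arn:aws:iam::{account_id}:root", account_id}
    for stmt in _as_list(trust.get("Statement", [])):
        if (stmt.get("Effect") != "Allow"
                or "sts:AssumeRole" not in _as_list(stmt.get("Action", []))):
            continue
        principal = stmt.get("Principal", {})
        aws = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        for arn in aws:
            if arn == "*":
                findings.append("wildcard principal: any AWS identity is trusted")
            elif arn in expected:
                trusted = True
            else:
                findings.append(f"unexpected trusted principal: {arn}")
    if not trusted:
        findings.append(f"account {account_id} is not trusted for sts:AssumeRole")
    return findings


if __name__ == "__main__":
    print(json.dumps(assume_role_policy(ACCOUNT_ID, ROLE_NAME), indent=2))
    print(check_trust_policy(TRUST, ACCOUNT_ID) or "trust policy OK")
```

The printed policy can be pasted into the IAM policy editor for step 2 after replacing the placeholder role name with the role created in step 1.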

Driverless AI Setup

Update the aws_use_ec2_role_credentials config variable in the config.toml file or start Driverless AI using the AWS_USE_EC2_ROLE_CREDENTIALS environment variable.