Role-based Access Rules for EC2-based Jupyter Notebooks

Question

Pulumi · Accepted Answer

To set up role-based access rules for EC2-based Jupyter Notebooks, we'll employ several AWS resources. To accomplish this, you will need an AWS EC2 instance to host your Jupyter Notebook, an IAM role to attach to the EC2 instance that defines the permissions, and an instance profile that allows us to attach the role to the EC2 instance.

Let's break down the steps:

1. **EC2 Instance**: This serves as the host for your Jupyter Notebook server.
2. **IAM Role and Policies**: Define the permissions the Notebook needs to access other AWS services.
3. **Instance Profile**: Links the IAM role to the EC2 instance.

We will create these resources using Pulumi, which will allow us to define our infrastructure in a programmatic way.

To get started, you'll need to have Pulumi installed and configured for use with your AWS account. You'll also need Python installed on your machine to run the Pulumi program.

Below is a Pulumi program written in Python that gets you started with setting up an EC2 instance with an IAM role attached to it for running Jupyter notebooks.

```python
import pulumi
import pulumi_aws as aws

# Create an IAM role that the EC2 instance will adopt
iam_role = aws.iam.Role("jupyterIamRole",
    assume_role_policy="""{
        "Version": "2012-10-17",
        "Statement": [{
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {
                "Service": "ec2.amazonaws.com"
            }
        }]
    }"""
)

# Define a policy that the role should have that allows describing EC2 instances, for example.
# You will need to adjust the policy according to what your Jupyter Notebook requires.
policy_document = aws.iam.get_policy_document(statements=[aws.iam.GetPolicyDocumentStatementArgs(
    actions=["ec2:DescribeInstances"],
    effect="Allow",
    resources=["*"],
)])

policy = aws.iam.Policy("jupyterPolicy",
    policy=policy_document.json,
)

# Attach the policy to the IAM role
role_policy_attachment = aws.iam.RolePolicyAttachment("jupyterRolePolicyAttachment",
    policy_arn=policy.arn,
    role=iam_role.name,
)

# Create an EC2 Instance Profile that will carry the IAM role
instance_profile = aws.iam.InstanceProfile("jupyterInstanceProfile",
    role=iam_role.name,
)

# Define the EC2 instance
instance = aws.ec2.Instance("jupyterInstance",
    instance_type="t2.micro",
    ami="ami-0c55b159cbfafe1f0",  # This is an Amazon Linux 2 AMI, you may need a different one
    iam_instance_profile=instance_profile.arn,
    # The key_name needs to be replaced with the name of your own SSH key pair
    # To create a new key pair, you can use the AWS console or AWS CLI
    key_name="my-key-pair",
    tags={
        "Name": "JupyterNotebookInstance",
    },
)

# Export the EC2 instance public IP to access the Jupyter Notebook later
pulumi.export("instance_public_ip", instance.public_ip)
```

In the program above:
- We set up an IAM role that can be assumed by an EC2 instance (`iam_role`).
- We then create a policy that allows the notebook to describe other EC2 instances, as an example of an allowed operation (`policy_document` and `policy`).
- We attach this policy to the IAM role (`role_policy_attachment`).
- We create an instance profile which is used to associate the IAM role with our EC2 instance (`instance_profile`).
- We then define the EC2 instance that will run the Jupyter Notebook (`instance`). Make sure you replace `"ami-0c55b159cbfafe1f0"` with the appropriate AMI ID for your needs, you can find the AMI IDs in the AWS Console or by using the AWS CLI.

You would also need to install Jupyter and configure it on the EC2 instance. This can be done by connecting to the instance via SSH and setting it up manually or by using a user data script in the `user_data` parameter when creating an `aws.ec2.Instance`.

To further enhance security:
- Refine the IAM policy to grant only the permissions required for the tasks your Jupyter Notebook performs.
- Use security groups to control what traffic can reach your Jupyter Notebook instance.
- Implement authentication in Jupyter Notebook to ensure only authorized users can access it.

Once everything is set up, you'll be able to access the Jupyter Notebook by navigating to the public IP of the EC2 instance in your web browser. Remember that for production systems, you should make sure to configure proper security settings, not expose the Jupyter Notebook to the public internet, and ensure secure access, potentially via a VPN or other secure tunnel.