Delegating Permissions for AI Service Accounts with AWS IAM Roles

Question

Pulumi · Accepted Answer

To delegate permissions to AI service accounts with AWS IAM roles, you typically create an IAM role with the appropriate permissions and then allow the AI service account to assume that role. The process involves creating an IAM role and defining an assume role policy that allows the AI service account to assume this role.

Below is a Pulumi Python program that demonstrates how to create an IAM role tailored for use by an AI service you may wish to use (like Amazon SageMaker, Lex, Polly, Rekognition, etc.), and a policy that defines the permissions that the role provides. Note that the permissions granted by the role should be carefully considered to follow the principle of least privilege.

To accomplish this:
1. Define an IAM role with a trust relationship policy to allow an AI service to assume the role.
2. Create a policy document that outlines the permissions the role has.
3. Attach the policy to the role.

Here's how you can create an IAM role and attach a policy to it with Pulumi:

```python
import pulumi
import pulumi_aws as aws

# Replace this with the appropriate AI service principal for your use case (e.g., sagemaker.amazonaws.com for SageMaker)
ai_service_principal = "ai-service.amazonaws.com"

# Create an IAM Role to be assumed by the AI Service
ai_service_role = aws.iam.Role("aiServiceRole",
    assume_role_policy=pulumi.Output.all(ai_service_principal).apply(lambda principal: aws.iam.get_policy_document(statements=[
        aws.iam.GetPolicyDocumentStatementArgs(
            actions=["sts:AssumeRole"],
            principals=[aws.iam.GetPolicyDocumentStatementPrincipalArgs(
                type="Service",
                identifiers=[principal],
            )],
        ),
    ]).json)
)

# Define the policy for the role, which grants needed permissions for the AI service
# Make sure to replace the actions and resources with appropriate permissions for the AI service you are using.
ai_service_policy_document = aws.iam.get_policy_document(statements=[
    aws.iam.GetPolicyDocumentStatementArgs(
        actions=["s3:GetObject", "s3:PutObject"],  # Example permissions
        resources=["arn:aws:s3:::example-bucket/*"],  # Specify your resource ARNs
    ),
])

# Create the policy and attach it to the role
ai_service_policy = aws.iam.Policy("aiServicePolicy",
    policy=ai_service_policy_document.json,
)

aws.iam.RolePolicyAttachment("aiServicePolicyAttachment",
    role=ai_service_role.name,
    policy_arn=ai_service_policy.arn,
)

# Export the role name and ARN of the created IAM role so that they can be used outside Pulumi
pulumi.export('ai_service_role_name', ai_service_role.name)
pulumi.export('ai_service_role_arn', ai_service_role.arn)
```

In the script above:
- `ai_service_principal` is the service principal that corresponds to the AI service that will be consuming this role. This must be specific to the service you are using.
- `ai_service_role` is the IAM role resource created with an assume role policy document to be assumed by the AI service principal.
- The policy statement in `ai_service_policy_document` needs to be tailored with the specific permissions that your AI service needs to function correctly. Make sure you follow the principle of least privilege. This example uses S3 permissions just as a placeholder.
- `ai_service_policy` creates the actual policy resource with the defined permissions.
- `RolePolicyAttachment` attaches the policy to the role so that when the AI service assumes the role, it has the permissions defined in the policy.

The Pulumi program will provision these resources in your AWS account. When executed, the IAM role and policy required for your AI service account will then be set up and ready for use. Please replace the example actions and resources with the ones required by your specific AI service.