Data Access Permissions

The data plane agent uses a K8s service account called rime-agent-model-tester for read access to the data and models you wish to use.

AWS EKS + S3

Our recommended authentication approach for this pattern is IAM roles for service accounts (IRSA).

  1. If not already configured for your cluster, be sure to create an IAM OpenID Connect (OIDC) provider for your cluster to use IAM roles for service accounts.

  2. Create a designated S3 bucket for your Robust Intelligence cluster. This will serve as the agent’s default data source.

  3. Create the following read access policy for the designated S3 bucket(s).

    {
      "Version": "2012-10-17",
      "Statement": [
          {
              "Effect": "Allow",
              "Action": [
                  "s3:ListBucket"
              ],
              "Resource": "arn:aws:s3:::<YOUR_BUCKET>"
          },
          {
              "Effect": "Allow",
              "Action": [
                  "s3:GetObject"
              ],
              "Resource": "arn:aws:s3:::<YOUR_BUCKET>/*"
          }
      ]
    }
    
  4. Create an IAM role that the rime-agent-model-tester K8s service account can assume, and associate it with the policy created in the previous step.

    • Save the role's ARN. You will need to specify it during the agent setup step.

  5. Create a trust relationship to allow the K8s service account to assume the IAM role.

GCP GKE + GCS

Our recommended authentication approach for this pattern is Workload Identity.

  1. Ensure that your GKE cluster has Workload Identity enabled.

  2. Create a designated GCS bucket for your Robust Intelligence cluster. This will serve as the agent’s default data source.

  3. Create an IAM service account and grant it role(s) that have storage.buckets.get and storage.objects.get permissions.

  4. Add IAM policy binding between the IAM service account and the K8s service account rime-agent-model-tester with role roles/iam.workloadIdentityUser.

Azure AKS + Blob Storage

Our recommended authentication approach for this pattern is Azure AD Workload Identity.

  1. Ensure that your AKS cluster has Workload Identity enabled.

  2. Create a designated blob container for your Robust Intelligence cluster. This will serve as the agent’s default data source.

  3. Create a managed identity and associate it with the blob container from the previous step.

  4. Create a role assignment to give your managed identity permissions to read from your blob storage container.

  5. Create a federated identity credential to associate the rime-agent-model-tester service account with your managed identity.
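The three procedures above all do the same thing in provider-specific terms: they bind one Kubernetes identity (the rime-agent-model-tester service account in the namespace the agent runs in) to a cloud identity that holds read-only storage permissions. The Python script below is an added example and is not part of this documentation or of the Robust Intelligence product. It generates the documents the steps ask for (the S3 read policy from AWS step 3, the IRSA trust relationship from AWS step 5 with the subject and audience conditions that keep other service accounts in the cluster from assuming the role, the Workload Identity member string for GKE step 4, the federated credential parameters for AKS step 5, and the service-account annotation each provider's identity webhook reads) and lints the AWS policy so that only read actions are granted. The namespace, account id, project id, issuer URLs and bucket name are constructed sample values; the annotation keys are the standard conventions of each provider's webhook, not something this page specifies, so confirm them against your cluster.

```python
"""Identity-binding documents for the rime-agent-model-tester service account
on EKS (IRSA), GKE (Workload Identity) and AKS (Azure AD Workload Identity),
plus a read-only lint for the AWS policy.

Added example; not part of the Robust Intelligence documentation. Every
account id, issuer URL, project id, bucket and namespace below is a
constructed sample value.
"""
import json

KSA_NAME = "rime-agent-model-tester"

# Allowlist of action verbs treated as read-only. Anything else (Put*, Delete*,
# wildcards, ...) fails the lint. Deny-by-default is deliberate.
READ_VERB_PREFIXES = ("Get", "List", "Describe", "Head")

# Annotation each provider's mutating webhook reads to inject credentials.
KSA_ANNOTATION_KEY = {
    "aws": "eks.amazonaws.com/role-arn",          # IRSA: IAM role ARN
    "gcp": "iam.gke.io/gcp-service-account",      # Workload Identity: GSA email
    "azure": "azure.workload.identity/client-id",  # AAD WI: managed identity client id
}


def k8s_subject(namespace: str, name: str = KSA_NAME) -> str:
    """The OIDC 'sub' claim of the projected token; every provider matches on it."""
    return f"system:serviceaccount:{namespace}:{name}"


def aws_read_policy(buckets: list[str]) -> dict:
    """Least-privilege read policy: list the bucket(s), read objects inside them."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["s3:ListBucket"],
             "Resource": [f"arn:aws:s3:::{b}" for b in buckets]},
            {"Effect": "Allow", "Action": ["s3:GetObject"],
             "Resource": [f"arn:aws:s3:::{b}/*" for b in buckets]},
        ],
    }


def aws_trust_policy(account_id: str, oidc_issuer: str, namespace: str) -> dict:
    """IRSA trust relationship. The StringEquals conditions pin the role to this
    one service account (sub) and to STS as the token audience (aud)."""
    issuer = oidc_issuer.removeprefix("https://")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{issuer}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {
                f"{issuer}:sub": k8s_subject(namespace),
                f"{issuer}:aud": "sts.amazonaws.com",
            }},
        }],
    }


def check_read_only(policy: dict) -> list[str]:
    """Return every allowed action that is not on the read-only allowlist.
    An empty list means the policy grants read access only."""
    offending = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        for action in actions:
            verb = action.split(":", 1)[-1]
            if "*" in verb or not verb.startswith(READ_VERB_PREFIXES):
                offending.append(action)
    return offending


def gcp_workload_identity_member(project_id: str, namespace: str) -> str:
    """Member for the roles/iam.workloadIdentityUser binding on the GCP service account."""
    return f"serviceAccount:{project_id}.svc.id.goog[{namespace}/{KSA_NAME}]"


def azure_federated_credential(oidc_issuer: str, namespace: str) -> dict:
    """Parameters of the federated identity credential on the managed identity."""
    return {"issuer": oidc_issuer, "subject": k8s_subject(namespace),
            "audiences": ["api://AzureADTokenExchange"]}


def ksa_annotations(provider: str, identity: str) -> dict:
    """Annotation to put on the rime-agent-model-tester ServiceAccount object."""
    return {KSA_ANNOTATION_KEY[provider]: identity}


if __name__ == "__main__":
    ns = "rime"  # constructed sample namespace
    policy = aws_read_policy(["ri-sample-bucket"])
    assert check_read_only(policy) == [], "policy grants more than read access"
    print(json.dumps(policy, indent=2))
    print(json.dumps(aws_trust_policy(
        "123456789012", "https://oidc.eks.us-east-1.amazonaws.com/id/EXAMPLE", ns), indent=2))
    print(gcp_workload_identity_member("sample-project", ns))
    print(json.dumps(azure_federated_credential(
        "https://eastus.oic.prod-aks.azure.com/EXAMPLE/EXAMPLE/", ns)))
    print(ksa_annotations("aws", "arn:aws:iam::123456789012:role/ri-agent-reader"))
```

Run check_read_only against any policy you attach to the role before step 4: a statement such as "s3:*" or "s3:PutObject" is reported, whereas the ListBucket/GetObject pair from step 3 passes. The trust policy's sub condition is what stops any other workload in the cluster from assuming the role, so keep it even if the OIDC provider is shared by several clusters.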

Other Cloud Providers

If you are using a different cloud provider or want to specify the service account directly, you can specify other configurations via the rimeAgent.modelTestJob.serviceAccount Helm values.

Your Solutions Architect can help you through this process.