Data Access Permissions
The data plane agent uses two K8s service accounts for read access to the data and models you wish to use:
rime-agent-rime-cross-plane-server
rime-agent-model-tester
If you use the log archival
feature, you’ll need to add another service account,
rime-agent-operator.
AWS EKS + S3
Our recommended authentication approach for this pattern is IAM roles for service accounts (IRSA).
Note that if you use a different authentication framework, such as
KIAM, you may need to edit your Helm charts to add *.annotations.*
values to support that framework.
If not already configured for your cluster, be sure to create an IAM OpenID Connect (OIDC) provider for your cluster to use IAM roles for service accounts.
Create a designated S3 bucket for your Robust Intelligence cluster. This will serve as the agent’s default data source.
Create the following read access policy for the designated S3 bucket(s).
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:ListBucket" ], "Resource": "arn:aws:s3:::<YOUR_BUCKET>" }, { "Effect": "Allow", "Action": [ "s3:GetObject" ], "Resource": "arn:aws:s3:::<YOUR_BUCKET>/*" } ] }
Create an IAM role that the two K8s service accounts (see top of page) can assume, and associate it with the policy created in the previous step.
Save this ARN. You will need to specify this during the agent setup step.
Create a trust relationship to allow the two K8s service accounts to assume the IAM role.
Your trust relationship should have a similar definition as this template below (note the two K8s service accounts in the subject field):
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Federated": "arn:aws:iam::111122223333:oidc-provider/oidc.eks.region-code.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE" }, "Action": "sts:AssumeRoleWithWebIdentity", "Condition": { "StringEquals": { "oidc.eks.region-code.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE:sub": [ "system:serviceaccount:$AGENT_NAMESPACE:rime-agent-rime-cross-plane-server", "system:serviceaccount:$AGENT_NAMESPACE:rime-agent-model-tester" ] } } } ] }
GCP GKE + GCS
Our recommended authentication approach for this pattern is Workload Identity.
Ensure that your GKE cluster has Workload Identity enabled.
Create a designated GCS bucket for your Robust Intelligence cluster. This will serve as the agent’s default data source.
Create an IAM service account and grant it role(s) that have
storage.buckets.getandstorage.objects.getpermissions.Save the service account email. You will need to specify this during the agent setup step.
Add IAM policy binding between the IAM service account and each of the two K8s service accounts (see top of page) with role
roles/iam.workloadIdentityUser.
Azure AKS + Blob Storage
Our recommended authentication approach for this pattern is Azure AD Workload Identity.
Ensure that your AKS cluster has Workload Identity enabled.
Create a designated blob container for your Robust Intelligence cluster. This will serve as the agent’s default data source.
Create a managed identity and associate it with the blob container from the previous step.
Save the Client ID (and your Tenant ID). You will need to specify these during the agent setup step.
Create a role assignment to give your managed identity permissions to read from your blob storage container.
A suitable Azure-provided role is
Storage Blob Data Reader.
Using your managed identity, create a federated identity credential for each of the two K8s service accounts (see top of page).
Other Cloud Providers
If you are using a different cloud provider or want to specify the service account directly, you can specify other configurations via the rimeAgent.operator.modelTestJob.serviceAccount Helm values.
Your Solutions Architect can help you through this process.