Data Access Permissions

The data plane agent uses two K8s service accounts for read access to the data and models you wish to use:

rime-agent-rime-cross-plane-server
rime-agent-model-tester

If you use the log archival feature, you’ll need to add another service account, rime-agent-operator.

AWS EKS + S3

Our recommended authentication approach for this pattern is IAM roles for service accounts (IRSA). Note that if you use a different authentication framework, such as KIAM, you may need to edit your Helm charts to add *.annotations.* values to support that framework.

  1. If your cluster does not already have one, create an IAM OpenID Connect (OIDC) provider for it; IAM roles for service accounts require this provider.

  2. Create a designated S3 bucket for your Robust Intelligence cluster. This will serve as the agent’s default data source.

  3. Create the following read access policy for the designated S3 bucket(s).

    {
      "Version": "2012-10-17",
      "Statement": [
          {
              "Effect": "Allow",
              "Action": [
                  "s3:ListBucket"
              ],
              "Resource": "arn:aws:s3:::<YOUR_BUCKET>"
          },
          {
              "Effect": "Allow",
              "Action": [
                  "s3:GetObject"
              ],
              "Resource": "arn:aws:s3:::<YOUR_BUCKET>/*"
          }
      ]
    }
    
  4. Create an IAM role that the two K8s service accounts (see top of page) can assume, and associate it with the policy created in the previous step.

    • Save this ARN. You will need to specify this during the agent setup step.

  5. Create a trust relationship to allow the two K8s service accounts to assume the IAM role.

    • Configuring a K8s service account to assume an IAM role

    • Your trust relationship should look similar to the template below (note the two K8s service accounts in the subject condition):

      {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Effect": "Allow",
                  "Principal": {
                      "Federated": "arn:aws:iam::111122223333:oidc-provider/oidc.eks.region-code.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE"
                  },
                  "Action": "sts:AssumeRoleWithWebIdentity",
                  "Condition": {
                      "StringEquals": {
                          "oidc.eks.region-code.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE:sub": [
                              "system:serviceaccount:$AGENT_NAMESPACE:rime-agent-rime-cross-plane-server",
                              "system:serviceaccount:$AGENT_NAMESPACE:rime-agent-model-tester"
                          ]
                      }
                  }
              }
          ]
      }
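
The trust policy above is what keeps the IAM role scoped to the two agent service accounts. The following added check (not part of the original page or the Robust Intelligence agent) parses a stored trust-policy document and flags statements whose subject condition is missing, wildcarded, or names other service accounts; the namespace value and account number are constructed placeholders, and the audience check goes beyond the page's template.

```python
import json

# Constructed example values (not from a real account): the page's template with $AGENT_NAMESPACE filled in.
PROVIDER = "oidc.eks.region-code.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE"
NAMESPACE = "rime-agent"  # assumed value for $AGENT_NAMESPACE
EXPECTED_SUBJECTS = {
    f"system:serviceaccount:{NAMESPACE}:rime-agent-rime-cross-plane-server",
    f"system:serviceaccount:{NAMESPACE}:rime-agent-model-tester",
}

def trust_policy(condition: dict) -> str:
    """Build a trust-policy document around the given Condition block (JSON string, as IAM stores it)."""
    return json.dumps({"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::111122223333:oidc-provider/{PROVIDER}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": condition}]})

# The page's template: exact match on the two agent service accounts.
TIGHT = trust_policy({"StringEquals": {f"{PROVIDER}:sub": sorted(EXPECTED_SUBJECTS)}})
# A loosened variant: a wildcard match lets any pod in any namespace of the cluster assume the role.
LOOSE = trust_policy({"StringLike": {f"{PROVIDER}:sub": "system:serviceaccount:*:*"}})

def check_irsa_trust_policy(document: str, provider: str, expected_subjects: set) -> list:
    """Return (severity, message) findings for every AssumeRoleWithWebIdentity statement."""
    findings = []
    for i, stmt in enumerate(json.loads(document).get("Statement", [])):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or "sts:AssumeRoleWithWebIdentity" not in actions:
            continue
        federated = stmt.get("Principal", {}).get("Federated", "")
        if not federated.endswith(f":oidc-provider/{provider}"):
            findings.append(("error", f"statement {i}: Federated principal is not this cluster's OIDC provider"))
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        subs = equals.get(f"{provider}:sub")
        if subs is None:
            # No exact-match sub condition (absent, or StringLike with wildcards): the role is cluster-wide
            findings.append(("error", f"statement {i}: no StringEquals condition on {provider}:sub"))
        else:
            extra = ({subs} if isinstance(subs, str) else set(subs)) - expected_subjects
            if extra:
                findings.append(("error", f"statement {i}: unexpected subjects {sorted(extra)}"))
        if equals.get(f"{provider}:aud") != "sts.amazonaws.com":
            # Not in the page's template; AWS's own IRSA examples add it to pin the token audience
            findings.append(("info", f"statement {i}: no {provider}:aud == sts.amazonaws.com condition"))
    return findings

if __name__ == "__main__":
    for name, doc in (("tight", TIGHT), ("loose", LOOSE)):
        print(name, check_irsa_trust_policy(doc, PROVIDER, EXPECTED_SUBJECTS))
```

To audit a live role, pass the output of `aws iam get-role --role-name <ROLE> --query Role.AssumeRolePolicyDocument` as the document; anything at severity "error" means a workload other than the two agent service accounts could obtain the bucket's read credentials.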
      

GCP GKE + GCS

Our recommended authentication approach for this pattern is Workload Identity.

  1. Ensure that your GKE cluster has Workload Identity enabled.

  2. Create a designated GCS bucket for your Robust Intelligence cluster. This will serve as the agent’s default data source.

  3. Create an IAM service account and grant it role(s) that have storage.buckets.get and storage.objects.get permissions.

  4. Add an IAM policy binding between the IAM service account and each of the two K8s service accounts (see top of page), granting the role roles/iam.workloadIdentityUser.

Azure AKS + Blob Storage

Our recommended authentication approach for this pattern is Azure AD Workload Identity.

  1. Ensure that your AKS cluster has Workload Identity enabled.

  2. Create a designated blob container for your Robust Intelligence cluster. This will serve as the agent’s default data source.

  3. Create a managed identity and associate it with the blob container from the previous step.

  4. Create a role assignment to give your managed identity permissions to read from your blob storage container.

  5. Using your managed identity, create a federated identity credential for each of the two K8s service accounts (see top of page).

Other Cloud Providers

If you are using a different cloud provider or want to specify the service account directly, you can specify other configurations via the rimeAgent.operator.modelTestJob.serviceAccount Helm values.

Your Solutions Architect can help you through this process.