How to Create New Roles in AWS IAM
Better to understand IAM role management first before dive into AWS deployment
Dec 1, 2021 by Yan Ding
1. What is IAM?
AWS IAM (Identity and Access Management) is used to control access across AWS resources and services. AWS requires us to provide the IAM Role ARN when we need to use services, e.g. creating a new notebook in SageMaker, or launching a new instance on EC2.
In this article, we will go through how to create new roles in IAM.
2. Create new IAM role for SageMaker
First, we need to launch into our AWS management console and find the IAM. Go to IAM.
Click create role. Select AWS Service as type of trusted entity. Suppose we want to use this role to create a new notebook in SageMaker. So we need to choose SageMaker for use case.
Click next. You will see the policy of AmazonSageMakerFullAccess is automatically attached because we choose it for use case.
Click Next and create. I named this role the 'test-role'. Now go to this role. We can see the summary. Here I also want to use the AWS S3 bucket in my SageMaker notebook. We can attach S3 policy to this role. Click attach policies.
You could use the search tool to get the policy. Here we can type 's3' and get the AmazonS3FullAccess policy and click attach policy.
Now let's take a look at our role 'test-role'. You could see there are 2 policies attached to this role.
If I use this role to create a notebook in SageMaker, I can also store and get files from my S3 buckets.
3. Create IAM role for Lambda
What about creating a role for Lambda use case? For example, we want to deploy a deep learning model on AWS Cloud. If you are interested in it, you could refer to this blog. When we create function in Lambda, we need to configure the execution role otherwise a new role will be created automatically in IAM.
Click 'change default execution role', select 'using an existing role'.
We need first create this role for Lambda.Go back to IAM and create role. Here please select Lambda as use case and create.
We need to invoke SageMaker endpoint from Lambda. So we need to attach a custom policy here. Edit the JSON file of new policy:
{ "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": "sagemaker:InvokeEndpoint", "Resource": "*" } ] }
Now we can invoke endpoint in SageMaker from Lambda. Furthermore, we can also attach S3PutObjectPolicy to this role. So we can store files to our S3 bucket.
Go to Lambda and click this fresh button. You can select the role just created in IAM.
Great! We have created a role for Lambda which can invoke endpoint in SageMaker.
4. Summary
In this article, we go through 2 cases of creating IAM roles. The first one is used for SageMaker and can read, write to S3 bucket in SageMaker. The second one is used for Lambda use case. We need to invoke endpoint in SageMaker from Lambda. So we need to attach extra policies such as ‘invoke endpoint’ to the role. I hope this can help you better understand the logic of AWS IAM. If you have any questions, please leave your comments below. Thank you for reading!