-
Notifications
You must be signed in to change notification settings - Fork 0
/
create_iam_role.sh
executable file
·112 lines (99 loc) · 3.66 KB
/
create_iam_role.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
#!/bin/bash
# Ensure AWS_ACCOUNT_ID and AWS_REGION are set
if [ -z "$AWS_ACCOUNT_ID" ] || [ -z "$AWS_REGION" ] || [ -z "$ADMIN_API_KEY" ]; then
echo "Please set the environment variables AWS_ACCOUNT_ID, AWS_REGION and ADMIN_API_KEY before running this script."
exit 1
fi
# Create apprunner-trust-policy.json
cat > apprunner-trust-policy.json << EOL
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "build.apprunner.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
EOL
# Create apprunner-exe-trust-policy.json
cat > apprunner-exe-trust-policy.json << EOL
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "tasks.apprunner.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
EOL
# Create apprunner-beckrock-policy.json to allow InvokeModel action on bedrock model resource
cat > apprunner-beckrock-policy.json << EOL
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "bedrock:InvokeModel",
"Resource": "arn:aws:bedrock:${AWS_REGION}::foundation-model/*"
},
{
"Effect": "Allow",
"Action": "bedrock:InvokeModelWithResponseStream",
"Resource": "arn:aws:bedrock:${AWS_REGION}::foundation-model/*"
}
]
}
EOL
# create apprunner-bedrock-secret-manager.json to allow read and write permission to secret manager to all secrets
# Create the IAM apprunner-beckrock-policy
aws iam create-policy --policy-name AppRunnerServiceRoleExecutionPolicy --policy-document file://apprunner-beckrock-policy.json
# Create the IAM role
aws iam create-role --role-name AppRunnerServiceRoleForECRAccess --assume-role-policy-document file://apprunner-trust-policy.json
aws iam create-role --role-name AppRunnerServiceRoleForExecution --assume-role-policy-document file://apprunner-exe-trust-policy.json
# Attach the required policies
aws iam attach-role-policy --role-name AppRunnerServiceRoleForECRAccess --policy-arn arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly
aws iam attach-role-policy --role-name AppRunnerServiceRoleForECRAccess --policy-arn arn:aws:iam::aws:policy/service-role/AWSAppRunnerServicePolicyForECRAccess
aws iam attach-role-policy --role-name AppRunnerServiceRoleForExecution --policy-arn arn:aws:iam::${AWS_ACCOUNT_ID}:policy/AppRunnerServiceRoleExecutionPolicy
aws iam attach-role-policy --role-name AppRunnerServiceRoleForExecution --policy-arn arn:aws:iam::aws:policy/SecretsManagerReadWrite
# Get the ARN of the created role
ROLE_ARN=$(aws iam get-role --role-name AppRunnerServiceRoleForECRAccess --query 'Role.Arn' --output text)
INSTANCE_ROLE_ARN=$(aws iam get-role --role-name AppRunnerServiceRoleForExecution --query 'Role.Arn' --output text)
# Update the apprunner-service.json file with the ARN of the created role
cat > apprunner-service.json << EOL
{
"SourceConfiguration": {
"AuthenticationConfiguration": {
"AccessRoleArn": "${ROLE_ARN}"
},
"ImageRepository": {
"ImageIdentifier": "${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com/bedrock-rest:latest",
"ImageRepositoryType": "ECR",
"ImageConfiguration": {
"Port": "8080",
"RuntimeEnvironmentVariables": {
"ADMIN_API_KEY": "${ADMIN_API_KEY}"
}
}
}
},
"InstanceConfiguration": {
"Cpu": "1 vCPU",
"Memory": "2 GB",
"InstanceRoleArn": "${INSTANCE_ROLE_ARN}"
},
"ServiceName": "bedrock-rest"
}
EOL
# Clean up
rm apprunner-trust-policy.json
rm apprunner-beckrock-policy.json
rm apprunner-exe-trust-policy.json
echo "The IAM role has been created and the apprunner-service.json file has been updated."