IRSA role
In accordance with AWS best practices for Amazon EKS, DataRobot recommends implementing IAM Roles for service accounts (IRSA). This enables the DataRobot platform to securely communicate with AWS APIs.
The following policy is an example of a Trust Relationship that allows DataRobot in-cluster service accounts to perform the sts:AssumeRoleWithWebIdentity action with your cluster's OIDC provider:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::AWS_ACCOUNT_NUMBER:oidc-provider/oidc.eks.AWS_REGION.amazonaws.com/id/AWS_OIDC_PROVIDER_ID"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringLike": {
          "oidc.eks.AWS_REGION.amazonaws.com/id/AWS_OIDC_PROVIDER_ID:sub": "system:serviceaccount:*"
        }
      }
    }
  ]
}
Note
- Replace AWS_OIDC_PROVIDER_ID with the IAM OIDC provider ID for your EKS cluster.
- Replace AWS_ACCOUNT_NUMBER with your AWS account ID.
- Replace AWS_REGION with your actual AWS region.
The policy above indicates that all service accounts in any namespace (system:serviceaccount:*:*) configured to use this role can perform the sts:AssumeRoleWithWebIdentity action. To further limit access, adjust the Condition key as shown in the examples below.
Note
The examples use StringLike for wildcards (*) and StringEquals for specific service accounts. StringLike is required for partial string matches. For more information, see IAM JSON policy elements: Condition operators.
Only allow ServiceAccounts in the DataRobot namespace
"Condition": {
  "StringLike": {
    "oidc.eks.us-east-1.amazonaws.com/id/AWS_OIDC_PROVIDER_ID:sub": "system:serviceaccount:DATAROBOT_NAMESPACE:*"
  }
}
Note
- Replace AWS_OIDC_PROVIDER_ID with the IAM OIDC provider ID for your EKS cluster.
- Replace DATAROBOT_NAMESPACE with your DataRobot namespace.
Only allow specific ServiceAccounts in the DataRobot namespace
"Condition": {
  "StringEquals": {
    "oidc.eks.us-east-1.amazonaws.com/id/AWS_OIDC_PROVIDER_ID:sub": [
      "system:serviceaccount:DATAROBOT_NAMESPACE:datarobot-storage-access",
      "system:serviceaccount:DATAROBOT_NAMESPACE:build-service",
      "system:serviceaccount:DATAROBOT_NAMESPACE:build-service-image-builder",
      "system:serviceaccount:DATAROBOT_NAMESPACE:dr-lrs-operator"
    ]
  }
}
Note
- Replace AWS_OIDC_PROVIDER_ID with the IAM OIDC provider ID for your EKS cluster.
- Replace DATAROBOT_NAMESPACE with your DataRobot namespace.
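As an added example (not DataRobot's code and not part of the original page), the following Python evaluates the three Condition shapes above against constructed service-account subject claims, and flags a JSON object that repeats the same `:sub` key, a shape that standard JSON parsers silently collapse to a single value. The OIDC provider ID and namespace are placeholders.

```python
import json
import re

# Placeholder OIDC provider id and namespace (constructed; not a real provider).
SUB_KEY = "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLE_OIDC_ID:sub"
NAMESPACE = "datarobot"

def iam_string_like(pattern, value):
    """IAM StringLike: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None

def condition_allows(condition, claims):
    """Evaluate a Condition block against token claims; every key must match, a list is an OR."""
    for operator, keys in condition.items():
        if operator not in ("StringEquals", "StringLike"):
            raise ValueError(f"operator {operator} not modelled here")
        for key, allowed in keys.items():
            values = allowed if isinstance(allowed, list) else [allowed]
            actual = claims.get(key)
            if actual is None:
                return False  # a missing claim never satisfies a String* condition
            if operator == "StringEquals" and actual not in values:
                return False
            if operator == "StringLike" and not any(iam_string_like(p, actual) for p in values):
                return False
    return True

def duplicate_keys(policy_json):
    """Keys repeated inside one JSON object; json.loads keeps only the last value for each."""
    dups = []
    def hook(pairs):
        seen = set()
        for k, _ in pairs:
            if k in seen:
                dups.append(k)
            seen.add(k)
        return dict(pairs)
    json.loads(policy_json, object_pairs_hook=hook)
    return dups

def sub_claim(namespace, service_account):
    """The 'sub' claim EKS places in a projected service-account token."""
    return {SUB_KEY: f"system:serviceaccount:{namespace}:{service_account}"}

# The three Condition shapes from this page, from least to most restrictive.
ANY_SA = {"StringLike": {SUB_KEY: "system:serviceaccount:*"}}
NAMESPACE_ONLY = {"StringLike": {SUB_KEY: f"system:serviceaccount:{NAMESPACE}:*"}}
LISTED_SA = {"StringEquals": {SUB_KEY: [f"system:serviceaccount:{NAMESPACE}:build-service",
                                        f"system:serviceaccount:{NAMESPACE}:dr-lrs-operator"]}}
```

Run `duplicate_keys` over a trust policy before attaching it: a result other than an empty list means the policy does not express the service-account allow-list you intended.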
Write to ECR
To allow the build-service to write custom model container images to Amazon Elastic Container Registry (ECR), the AWS IRSA role requires the following AWS-managed policy:
- Policy ARN: arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryPowerUser
- Description: Provides full access to Amazon EC2 Container Registry repositories, but does not allow repository deletion or policy changes.
For information on configuring DataRobot to use a KMS key, see Server-side encryption settings in the object storage configuration section.