[Feature]: Add OIDC test for Circle CI -> Amazon Bedrock #3578
See #3499 for the config. Note: the screenshot incorrectly shows me entering the
@ishaan-jaff re: d77aea7 You need to add this as an OIDC provider on the AWS IAM side first: https://oidc.circleci.com/org/c5a99188-154f-4f69-8da2-b442b1bf78dd After that, we can create a role that matches on both the v1 and v2 token. What branches do you want to allow accessing your Bedrock account?
The AWS IAM trust policy should be like for CircleCI V2:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::123456789012_REPLACE_ME:oidc-provider/oidc.circleci.com/org/c5a99188-154f-4f69-8da2-b442b1bf78dd"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringLike": {
          "oidc.circleci.com/org/c5a99188-154f-4f69-8da2-b442b1bf78dd:sub": "org/c5a99188-154f-4f69-8da2-b442b1bf78dd/project/*/user/*/vcs-origin/github.com/BerriAI/litellm/vcs-ref/refs/heads/*"
        }
      }
    }
  ]
}
```

BerriAI might need to be lowercase, not 100% sure. You can replace the last wildcard with something like "main" if you only want the policy to allow running on the main branch instead of all.
And that same AWS IAM role can have these inline permissions:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "bedrock:InvokeModel",
        "bedrock:InvokeModelWithResponseStream"
      ],
      "Resource": "*"
    }
  ]
}
```

Side note: You could restrict/deny access to specific model resources if needed, though I'm not sure that's what you'd want to do for test infrastructure like this. 🙂 https://docs.aws.amazon.com/bedrock/latest/userguide/security_iam_id-based-policy-examples.html#security_iam_id-based-policy-examples-deny-inference
We've had previous regressions due to untested flows (thinking of cloudflare). Would help to have something for this.
Originally posted by @krrishdholakia in #3507 (comment)
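As an added example (not code from the issue or the litellm project), the following Python emulates the IAM `StringLike` operator and evaluates the trust policy from the comments above against constructed CircleCI v2 `sub` claims, so the branch and repository scope of the policy can be checked before it is deployed. The project and user ids inside the constructed claims are placeholders, and the `StringLike` semantics assumed are AWS's documented ones: case-sensitive, `*` matching any run of characters and `?` exactly one.

```python
import re

# Org id and claim key are taken from the trust policy in the comments above.
ORG_ID = "c5a99188-154f-4f69-8da2-b442b1bf78dd"
SUB_KEY = f"oidc.circleci.com/org/{ORG_ID}:sub"


def string_like(pattern: str, value: str) -> bool:
    """Emulate IAM StringLike: case-sensitive; '*' matches any run of characters
    (including '/'), '?' matches exactly one; everything else is literal."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, flags=re.DOTALL) is not None


def trust_policy_allows(policy: dict, claims: dict) -> bool:
    """True if some Allow statement for AssumeRoleWithWebIdentity has every one of
    its StringLike conditions satisfied by the token claims (Deny is not modelled)."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or stmt["Action"] != "sts:AssumeRoleWithWebIdentity":
            continue
        conds = stmt.get("Condition", {}).get("StringLike", {})
        satisfied = True
        for key, patterns in conds.items():
            if isinstance(patterns, str):
                patterns = [patterns]
            # A missing claim never matches a StringLike condition.
            if not any(string_like(p, claims.get(key, "")) for p in patterns):
                satisfied = False
                break
        if satisfied:
            return True
    return False


def circleci_sub(owner: str, repo: str, ref: str, project="PROJECT-ID", user="USER-ID") -> str:
    """Construct a CircleCI v2 'sub' claim in the shape the policy matches on
    (project and user ids here are placeholders, not real CircleCI values)."""
    return f"org/{ORG_ID}/project/{project}/user/{user}/vcs-origin/github.com/{owner}/{repo}/vcs-ref/{ref}"


def make_policy(ref_glob: str) -> dict:
    """The trust policy from the comments above, with the vcs-ref suffix as a parameter."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::123456789012_REPLACE_ME:oidc-provider/oidc.circleci.com/org/{ORG_ID}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringLike": {
            SUB_KEY: f"org/{ORG_ID}/project/*/user/*/vcs-origin/github.com/BerriAI/litellm/vcs-ref/{ref_glob}"}},
    }]}


ANY_BRANCH = make_policy("refs/heads/*")   # policy as posted
MAIN_ONLY = make_policy("refs/heads/main")  # the "main" variant the comment suggests
```

Running `trust_policy_allows(ANY_BRANCH, {SUB_KEY: circleci_sub("BerriAI", "litellm", "refs/heads/main")})` returns True, while a token for a fork under a different owner, a tag ref, or a claim whose owner casing differs from the pattern is rejected.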