Step 2: Set up IAM Access Roles for Lookout for Equipment

When you create a data source or set up an inference scheduler, Lookout for Equipment needs access to the AWS resources required to create that Lookout for Equipment resource. You must create an AWS Identity and Access Management (IAM) permissions policy before you create the Lookout for Equipment resource. When you call the operation, you must provide the Amazon Resource Name (ARN) of a role with permissions to perform that operation. For example, if you are calling the CreateInferenceScheduler operation, it requires an Amazon S3 bucket for both the input data and for the output data. You would need to provide Lookout for Equipment with a role with a permissions policy to access the bucket.

The AWS console enables you to create a new IAM role to match your specific needs.

Create an IAM role

An IAM role is an IAM identity that you can create in your account that has specific permissions. It's similar to an IAM user in that it's an AWS identity with permission policies that determine what the identity can and cannot do in AWS. However, instead of being uniquely associated with one person, a role can be assumed by anyone in your organization who needs it. Also, a role does not have standard long-term credentials such as a password or access keys associated with it. Instead, when you assume a role, AWS provides you with temporary security credentials for your role session.

Two types of access are discussed here:

  • AWS Management Console access, which is used primarily for accessing the Lookout for Equipment console.

  • SageMaker, which is a managed service that can be used to easily access Lookout for Equipment programmatically when making API calls.

AWS Management Console access: The console always uses your original credentials to authorize a switch to an IAM role. This applies whether you sign in as an IAM user, as a SAML-federated role, or as a web-identity federated role. For example, if you switch to Role A, IAM uses your original user credentials (or those of your federated role) to determine whether you're allowed to assume Role A. If you then switch to Role B while you're using Role A, the console still uses your original user credentials to authorize the switch, not the credentials for Role A.

SageMaker: Amazon SageMaker is a managed service, so it performs operations on your behalf using hardware that SageMaker manages. It can only perform operations that the user permits. In other words, a SageMaker user grants permissions by creating an IAM role and passing that role when making an API call (the caller must hold iam:PassRole permission for that role). For example, if you want to use the CreateModel operation, you need to pass a RoleArn, which is the ARN of an IAM role with permissions to the data source from which the model is to be created.

The following shows you how to create an IAM role to delegate access to Lookout for Equipment from either the AWS Management Console or from an Amazon SageMaker instance.

To create an IAM role

  1. Open the Lookout for Equipment console at https://console.aws.amazon.com/lookoutforequipment.

  2. Enter IAM in the search bar and then choose IAM Service from the results.

  3. Under Access management on the left navigation pane, choose Roles.

  4. Choose Create role.

  5. Under Select type of trusted entity, choose AWS service.

  6. From the list of services, choose SageMaker, and then choose Next: Permissions.

  7. Choose Next: Tags.

  8. Choose Next: Review.

  9. For Role name, enter l4e-role, and then choose Create Role.

Attach policies to the created IAM role

You now need to attach the access policies that allow Lookout for Equipment to access other required AWS services.

To attach policies to the created IAM role

  1. Search for the created IAM role in the search bar and choose it from the returned results.

  2. Choose Attach policies.

  3. Search for the following additional managed policies and select them from the returned results:

    • AmazonS3FullAccess

    • IAMFullAccess

    • AmazonLookoutEquipmentFullAccess

  4. Choose Attach policy.

These three managed policies are much broader than the walkthrough needs. AmazonS3FullAccess grants access to every bucket in the account, and IAMFullAccess lets anything that assumes the role create, modify and delete IAM users, roles and policies. Outside a test account, replace AmazonS3FullAccess with a policy scoped to the input and output buckets, and remove IAMFullAccess.

Edit the trust relationship for the created IAM role

A trust relationship defines which entities can assume the role that you've created. When you created the role, you chose SageMaker as the trusted entity. The same role is also passed to Lookout for Equipment when you work from the Lookout for Equipment console, so the Lookout for Equipment service principal must be trusted as well. Modify the role so that both the Lookout for Equipment and the SageMaker service principals can assume it.

To edit the trust relationship of your created IAM role

  1. Under Access management on the left navigation pane, choose Roles.

  2. Search for the created IAM role in the search bar and choose it from the returned results.

  3. On the Trust relationships tab, choose Edit trust relationship.

  4. Under Policy Document, paste the following policy.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Service": "lookoutequipment.amazonaws.com"
          },
          "Action": "sts:AssumeRole"
        },
        {
          "Effect": "Allow",
          "Principal": {
            "Service": "sagemaker.amazonaws.com"
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }

As written, this trust policy lets the two service principals assume the role no matter which AWS account's Lookout for Equipment or SageMaker resources make the request. Adding an aws:SourceAccount condition to each statement (the standard cross-service confused deputy mitigation) restricts the role to requests that originate from resources in your own account.
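The following Python script is an added example and is not part of this AWS documentation. It builds the trust policy above with an aws:SourceAccount condition, builds an S3 policy scoped to one input and one output bucket as a replacement for AmazonS3FullAccess, and audits policy documents for the broad grants the walkthrough attaches. The account ID and bucket names (123456789012, l4e-input, l4e-output) are placeholders; the page's own trust policy and a simplified stand-in for the two full-access managed policies are embedded as constructed sample input.

```python
"""Build and audit IAM policy documents for a Lookout for Equipment role.

Added example (not AWS documentation code). The account ID and bucket names
are placeholders; the page's trust policy is embedded as sample input.
"""
import json

# Service principals from the trust policy on the page.
LOOKOUT_PRINCIPAL = "lookoutequipment.amazonaws.com"
SAGEMAKER_PRINCIPAL = "sagemaker.amazonaws.com"

# The page's trust policy, copied here as sample input for the audit.
PAGE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"Service": LOOKOUT_PRINCIPAL}, "Action": "sts:AssumeRole"},
        {"Effect": "Allow", "Principal": {"Service": SAGEMAKER_PRINCIPAL}, "Action": "sts:AssumeRole"},
    ],
}

# Constructed, simplified stand-in for what AmazonS3FullAccess and IAMFullAccess grant.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:*", "Resource": "*"},
    ],
}


def build_trust_policy(account_id, services=(LOOKOUT_PRINCIPAL, SAGEMAKER_PRINCIPAL)):
    """Trust policy that lets each service principal assume the role only for
    requests originating from resources in account_id. The aws:SourceAccount
    condition is the cross-service confused deputy mitigation."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"Service": svc},
                "Action": "sts:AssumeRole",
                "Condition": {"StringEquals": {"aws:SourceAccount": account_id}},
            }
            for svc in services
        ],
    }


def build_s3_policy(input_bucket, output_bucket):
    """Least-privilege replacement for AmazonS3FullAccess: list both buckets,
    read objects from the input bucket, write objects to the output bucket."""
    arn = "arn:aws:s3:::{}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
             "Resource": [arn.format(input_bucket), arn.format(output_bucket)]},
            {"Effect": "Allow", "Action": "s3:GetObject",
             "Resource": arn.format(input_bucket) + "/*"},
            {"Effect": "Allow", "Action": "s3:PutObject",
             "Resource": arn.format(output_bucket) + "/*"},
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def audit_trust_policy(policy):
    """One finding per Allow statement that trusts a service principal without
    an aws:SourceAccount or aws:SourceArn condition."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        principal = stmt.get("Principal", {})
        if stmt.get("Effect") != "Allow" or not isinstance(principal, dict) or "Service" not in principal:
            continue
        condition_keys = {k.lower() for op in stmt.get("Condition", {}).values() for k in op}
        if not condition_keys & {"aws:sourceaccount", "aws:sourcearn"}:
            findings.append(f"statement {i}: {principal['Service']} trusted without aws:SourceAccount or aws:SourceArn")
    return findings


def audit_permissions_policy(policy):
    """Flag Allow statements that grant every action, grant any IAM action,
    or apply to every resource. Each condition is a separate finding."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        resources = _as_list(stmt.get("Resource", []))
        if "*" in actions:
            findings.append(f"statement {i}: allows every action")
        if any(a.startswith("iam:") for a in actions):
            findings.append(f"statement {i}: grants IAM actions, so the role can change principals' permissions")
        if "*" in resources:
            findings.append(f"statement {i}: applies to every resource")
    return findings


def render(policy):
    """JSON in the form the console's Policy Document editor and the AWS CLI accept."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    print(render(build_trust_policy("123456789012")))
    print(render(build_s3_policy("l4e-input", "l4e-output")))
    for finding in audit_trust_policy(PAGE_TRUST_POLICY) + audit_permissions_policy(BROAD_POLICY):
        print("finding:", finding)
```

Run against the page's trust policy, audit_trust_policy reports both statements as lacking a source condition, and against the broad stand-in policy audit_permissions_policy reports the wildcard resources and the IAM grant; the documents that build_trust_policy and build_s3_policy return pass both audits. Write them to files and pass them to aws iam create-role --assume-role-policy-document file://trust.json and aws iam put-role-policy --policy-document file://s3.json instead of attaching the full-access managed policies.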

Next step

Step 3: Set up the AWS Command Line Interface (AWS CLI)