## EKS/Kubflow 에 AWS SageMaker 연결

아래 노트북은 원본 노트북에 설명을 추가 하였습니다.
- 실제 실행시에 여기의 셀의 "결과 값" 과 일치하는지를 확인하면서 실행 하십시오.
- 만일 에러등이 발생하면 확인하시고 다시 실행 해야 합니다.
    - https://github.com/data-science-on-aws/workshop/blob/master/12_kubeflow/00_04_Setup_Kubeflow_EKS_Credentials.ipynb

# Setup AWS Credentials in EKS cluster

AWS credentials are required to save a model in S3. These credentials are stored in the EKS cluster as a Kubernetes secret.

Create an IAM user `s3user`, attach the S3 access policy, and retrieve temporary credentials

In [1]:
%%bash

source ~/.bash_profile

aws iam create-user --user-name s3user
aws iam attach-user-policy --user-name s3user --policy-arn arn:aws:iam::aws:policy/AmazonS3FullAccess
aws iam attach-user-policy --user-name s3user --policy-arn arn:aws:iam::aws:policy/AmazonSageMakerFullAccess
aws iam attach-user-policy --user-name s3user --policy-arn arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryFullAccess

{
    "User": {
        "Path": "/",
        "UserName": "s3user",
        "UserId": "AIDARFCVQQUI6IHJPSHKS",
        "Arn": "arn:aws:iam::079636235537:user/s3user",
        "CreateDate": "2021-04-04T14:03:53Z"
    }
}


In [2]:
%%bash

source ~/.bash_profile

aws iam create-access-key --user-name s3user > /tmp/create_output.json

# Create `aws-secret` to Allow Kubernetes/Kubeflow to Access Amazon SageMaker

In [3]:
%%bash

source ~/.bash_profile

export AWS_ACCESS_KEY_ID_VALUE=$(jq -j .AccessKey.AccessKeyId /tmp/create_output.json | base64)
echo "export AWS_ACCESS_KEY_ID_VALUE=${AWS_ACCESS_KEY_ID_VALUE}" | tee -a ~/.bash_profile

export AWS_SECRET_ACCESS_KEY_VALUE=$(jq -j .AccessKey.SecretAccessKey /tmp/create_output.json | base64)
echo "export AWS_SECRET_ACCESS_KEY_VALUE=${AWS_SECRET_ACCESS_KEY_VALUE}" | tee -a ~/.bash_profile

#### Apply to EKS cluster.

#### Add the secret to the `kubeflow` namespace.  This is needed until KF Pipelines support namespaces.
cat <<EOF | kubectl apply --namespace kubeflow -f -
apiVersion: v1
kind: Secret
metadata:
  name: aws-secret
type: Opaque
data:
  AWS_ACCESS_KEY_ID: $AWS_ACCESS_KEY_ID_VALUE
  AWS_SECRET_ACCESS_KEY: $AWS_SECRET_ACCESS_KEY_VALUE
EOF

export AWS_ACCESS_KEY_ID_VALUE=QUtJQVJGQ1ZRUVVJNkNZUlVZVVA=
export AWS_SECRET_ACCESS_KEY_VALUE=QzVJWmlXbk9FQUY5RVVkbG9RQkJGeXl3cG9rR21nUHozTzU2cGdnYg==
secret/aws-secret created


# Add More Roles/Policies for Kubernetes/Kubeflow to Access SageMaker

In [4]:
%%bash

source ~/.bash_profile

TRUST="{ \"Version\": \"2012-10-17\", \"Statement\": [ { \"Effect\": \"Allow\", \"Principal\": { \"Service\": \"sagemaker.amazonaws.com\" }, \"Action\": \"sts:AssumeRole\" } ] }"
aws iam create-role --role-name workshop-sagemaker-kfp-role --assume-role-policy-document "$TRUST"
aws iam attach-role-policy --role-name workshop-sagemaker-kfp-role --policy-arn arn:aws:iam::aws:policy/AmazonS3FullAccess
aws iam attach-role-policy --role-name workshop-sagemaker-kfp-role --policy-arn arn:aws:iam::aws:policy/AmazonSageMakerFullAccess

export SAGEMAKER_ROLE_ARN=$(aws iam get-role --role-name workshop-sagemaker-kfp-role --output text --query 'Role.Arn')
echo "export SAGEMAKER_ROLE_ARN=${SAGEMAKER_ROLE_ARN}" | tee -a ~/.bash_profile

cat <<EoF > sagemaker-invoke.json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "sagemaker:InvokeEndpoint"
            ],
            "Resource": "*"
        }
    ]
}
EoF

aws iam put-role-policy --role-name workshop-sagemaker-kfp-role --policy-name sagemaker-invoke-for-worker --policy-document file://sagemaker-invoke.json
aws iam put-role-policy --role-name ${INSTANCE_ROLE_NAME} --policy-name sagemaker-invoke-for-worker --policy-document file://sagemaker-invoke.json

{
    "Role": {
        "Path": "/",
        "RoleName": "workshop-sagemaker-kfp-role",
        "RoleId": "AROARFCVQQUIZ5DIE7HDQ",
        "Arn": "arn:aws:iam::079636235537:role/workshop-sagemaker-kfp-role",
        "CreateDate": "2021-04-04T14:04:08Z",
        "AssumeRolePolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Effect": "Allow",
                    "Principal": {
                        "Service": "sagemaker.amazonaws.com"
                    },
                    "Action": "sts:AssumeRole"
                }
            ]
        }
    }
}
export SAGEMAKER_ROLE_ARN=arn:aws:iam::079636235537:role/workshop-sagemaker-kfp-role


In [5]:
!cat sagemaker-invoke.json

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "sagemaker:InvokeEndpoint"
            ],
            "Resource": "*"
        }
    ]
}


# Add More Roles/Policies for Kubernetes/Kubeflow to Access S3

In [6]:
%%bash

source ~/.bash_profile

aws iam attach-role-policy --role-name ${INSTANCE_ROLE_NAME} --policy-arn arn:aws:iam::aws:policy/AmazonS3FullAccess