Installation
Integrating Karini AI into your secure enterprise environment is a streamlined, efficient process. Our deployment methodology prioritizes security, simplicity, and minimal disruption to your existing infrastructure.
Through our enterprise-grade Terraform implementation, Karini AI can be seamlessly deployed within your Virtual Private Cloud (VPC) with minimal configuration requirements. This infrastructure-as-code approach ensures consistent, repeatable deployments while maintaining the highest security standards.
To begin your deployment journey, simply contact the Karini AI implementation team for personalized deployment instructions and access to our Terraform modules customized for your specific environment.
Our technical specialists will guide you through the deployment process and ensure successful integration with your existing systems, enabling your organization to quickly leverage the full capabilities of our AI solutions.
For the deployment, you can optionally have Administrator role in your AWS account so other resources can be created or a scoped down policy as below
Pre-requisites:
AWS Console User
The AWS console user needs to have the following policy assigned to them:
Substitute <<INSERT TERRAFORM BUCKET NAME PREFIX>> with your own prefix
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "EKSClusterManagement",
"Effect": "Allow",
"Action": [
"eks:CreateCluster",
"eks:DeleteCluster",
"eks:DescribeCluster",
"eks:ListClusters",
"eks:UpdateClusterConfig",
"eks:UpdateClusterVersion",
"eks:CreateAddon",
"eks:DeleteAddon",
"eks:DescribeAddon",
"eks:ListAddons",
"eks:UpdateAddon",
"eks:CreateNodegroup",
"eks:DeleteNodegroup",
"eks:DescribeNodegroup",
"eks:ListNodegroups",
"eks:UpdateNodegroupConfig",
"eks:UpdateNodegroupVersion"
],
"Resource": "*"
},
{
"Sid": "EC2Management",
"Effect": "Allow",
"Action": [
"ec2:CreateSecurityGroup",
"ec2:DeleteSecurityGroup",
"ec2:DescribeSecurityGroups",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:RevokeSecurityGroupIngress",
"ec2:AuthorizeSecurityGroupEgress",
"ec2:RevokeSecurityGroupEgress",
"ec2:CreateTags",
"ec2:DeleteTags",
"ec2:DescribeTags",
"ec2:DescribeInstances",
"ec2:DescribeSubnets",
"ec2:DescribeVpcs",
"ec2:DescribeVpcAttribute",
"ec2:DescribeRouteTables",
"ec2:DescribeNetworkInterfaces",
"ec2:CreateNetworkInterface",
"ec2:DeleteNetworkInterface",
"ec2:DescribeNetworkInterfaceAttribute",
"ec2:CreateKeyPair",
"ec2:DeleteKeyPair",
"ec2:DescribeKeyPairs",
"ec2:DescribeImages",
"ec2:DescribeImageAttribute",
"ec2:RunInstances",
"ec2:TerminateInstances",
"ec2:StopInstances",
"ec2:StartInstances",
"ec2:AssociateIamInstanceProfile"
],
"Resource": "*"
},
{
"Sid": "IAMManagement",
"Effect": "Allow",
"Action": [
"iam:CreateRole",
"iam:DeleteRole",
"iam:GetRole",
"iam:ListRoles",
"iam:CreatePolicy",
"iam:DeletePolicy",
"iam:GetPolicy",
"iam:ListPolicies",
"iam:AttachRolePolicy",
"iam:DetachRolePolicy",
"iam:PutRolePolicy",
"iam:DeleteRolePolicy",
"iam:GetRolePolicy",
"iam:ListRolePolicies",
"iam:CreateServiceLinkedRole",
"iam:GetOpenIDConnectProvider",
"iam:CreateOpenIDConnectProvider",
"iam:DeleteOpenIDConnectProvider",
"iam:ListOpenIDConnectProviders",
"iam:TagRole",
"iam:TagPolicy",
"iam:CreateInstanceProfile",
"iam:AddRoleToInstanceProfile",
"iam:PassRole",
"iam:ListInstanceProfiles",
"iam:GetRole"
],
"Resource": "*"
},
{
"Sid": "IAMPassRole",
"Effect": "Allow",
"Action": "iam:PassRole",
"Resource": "arn:aws:iam::*:role/eks-*",
"Condition": {
"StringEquals": {
"iam:PassedToService": [
"eks.amazonaws.com",
"ec2.amazonaws.com"
]
}
}
},
{
"Sid": "KMSManagement",
"Effect": "Allow",
"Action": [
"kms:CreateKey",
"kms:DescribeKey",
"kms:EnableKey",
"kms:ListKeys",
"kms:PutKeyPolicy",
"kms:ScheduleKeyDeletion",
"kms:CreateAlias",
"kms:DeleteAlias",
"kms:ListAliases",
"kms:UpdateAlias",
"kms:TagResource"
],
"Resource": "*"
},
{
"Sid": "S3Management",
"Effect": "Allow",
"Action": [
"s3:CreateBucket",
"s3:DeleteBucket",
"s3:GetBucketLocation",
"s3:GetBucketPolicy",
"s3:PutBucketPolicy",
"s3:GetBucketAcl",
"s3:PutBucketAcl",
"s3:GetObject",
"s3:PutObject",
"s3:ListBucket",
"s3:DeleteObject",
"s3:PutBucketPublicAccessBlock",
"s3:PutEncryptionConfiguration",
"s3:PutLifecycleConfiguration"
],
"Resource": "*"
},
{
"Sid": "CloudWatchManagement",
"Effect": "Allow",
"Action": [
"logs:CreateLogGroup",
"logs:DeleteLogGroup",
"logs:DescribeLogGroups",
"logs:ListTagsLogGroup",
"logs:PutRetentionPolicy"
],
"Resource": "*"
},
{
"Sid": "EFSManagement",
"Effect": "Allow",
"Action": [
"elasticfilesystem:CreateFileSystem",
"elasticfilesystem:DeleteFileSystem",
"elasticfilesystem:DescribeFileSystems",
"elasticfilesystem:CreateMountTarget",
"elasticfilesystem:DeleteMountTarget",
"elasticfilesystem:DescribeMountTargets",
"elasticfilesystem:CreateAccessPoint",
"elasticfilesystem:DeleteAccessPoint",
"elasticfilesystem:DescribeAccessPoints",
"elasticfilesystem:TagResource"
],
"Resource": "*"
},
{
"Sid": "LambdaManagement",
"Effect": "Allow",
"Action": [
"lambda:CreateFunction",
"lambda:DeleteFunction",
"lambda:GetFunction",
"lambda:ListFunctions",
"lambda:UpdateFunctionCode",
"lambda:UpdateFunctionConfiguration",
"lambda:TagResource"
],
"Resource": "*"
},
{
"Sid": "ECRAccess",
"Effect": "Allow",
"Action": [
"ecr:GetAuthorizationToken",
"ecr:BatchCheckLayerAvailability",
"ecr:GetDownloadUrlForLayer",
"ecr:BatchGetImage",
"ecr:DescribeRepositories",
"ecr:ListImages"
],
"Resource": "*"
},
{
"Sid": "OpenSearchManagement",
"Effect": "Allow",
"Action": [
"es:CreateDomain",
"es:DeleteDomain",
"es:DescribeDomain",
"es:DescribeDomains",
"es:ListDomainNames",
"es:UpdateDomainConfig",
"es:AddTags",
"es:ESHttpGet",
"es:ESHttpPut",
"es:ESHttpPost",
"es:ESHttpHead"
],
"Resource": "*"
},
{
"Sid": "SecretsManagerManagement",
"Effect": "Allow",
"Action": [
"secretsmanager:CreateSecret",
"secretsmanager:DeleteSecret",
"secretsmanager:DescribeSecret",
"secretsmanager:GetSecretValue",
"secretsmanager:ListSecrets",
"secretsmanager:PutSecretValue",
"secretsmanager:UpdateSecret",
"secretsmanager:TagResource"
],
"Resource": "*"
},
{
"Sid": "ACMManagement",
"Effect": "Allow",
"Action": [
"acm:RequestCertificate",
"acm:DescribeCertificate",
"acm:ListCertificates",
"acm:AddTagsToCertificate"
],
"Resource": "*"
},
{
"Sid": "TerraformBackend",
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:PutObject",
"s3:ListBucket",
"dynamodb:GetItem",
"dynamodb:PutItem",
"dynamodb:DeleteItem"
],
"Resource": [
"arn:aws:s3:::<<INSERT TERRAFORM BUCKET NAME PREFIX>>-terraform-statefiles",
"arn:aws:s3:::<<INSERT TERRAFORM BUCKET NAME PREFIX>>-terraform-statefiles/*",
"arn:aws:dynamodb:*:*:table/<<INSERT TERRAFORM BUCKET NAME PREFIX>>-terraform-lock"
]
}
]
}EC2 Role
The EC2 role needs to have the follwoing policy assigned:
Substitute <<INSERT TERRAFORM BUCKET NAME PREFIX>> with your own prefix
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "EKSWorkerNodePermissions",
"Effect": "Allow",
"Action": [
"ec2:DescribeInstances",
"ec2:DescribeRouteTables",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSubnets",
"ec2:DescribeVolumes",
"ec2:DescribeVolumesModifications",
"ec2:DescribeVpcs",
"ec2:DescribeDhcpOptions",
"ec2:DescribeNetworkInterfaces",
"ec2:DescribeAvailabilityZones",
"ec2:CreateSecurityGroup",
"ec2:CreateSubnet",
"ec2:CreateRouteTable",
"ec2:CreateInternetGateway",
"ec2:DescribeSecurityGroupRules",
"ec2:DescribeAddressesAttribute",
"ec2:DescribeNatGateways",
"ec2:CreateLaunchTemplate",
"ec2:DescribeLaunchTemplates",
"ec2:DescribeLaunchTemplateVersions"
],
"Resource": "*"
},
{
"Sid": "IAMManagement",
"Effect": "Allow",
"Action": [
"iam:CreateRole",
"iam:DeleteRole",
"iam:GetRole",
"iam:ListRoles",
"iam:CreatePolicy",
"iam:DeletePolicy",
"iam:GetPolicy",
"iam:ListPolicies",
"iam:AttachRolePolicy",
"iam:DetachRolePolicy",
"iam:PutRolePolicy",
"iam:DeleteRolePolicy",
"iam:GetRolePolicy",
"iam:ListRolePolicies",
"iam:CreateServiceLinkedRole",
"iam:GetOpenIDConnectProvider",
"iam:CreateOpenIDConnectProvider",
"iam:DeleteOpenIDConnectProvider",
"iam:ListOpenIDConnectProviders",
"iam:TagRole",
"iam:TagPolicy",
"iam:CreateInstanceProfile",
"iam:AddRoleToInstanceProfile",
"iam:PassRole",
"iam:ListInstanceProfiles",
"iam:GetPolicyVersion",
"iam:ListAttachedRolePolicies",
"iam:ListPolicyVersions",
"iam:ListInstanceProfilesForRole",
"iam:TagOpenIDConnectProvider",
"iam:UpdateAssumeRolePolicy"
],
"Resource": "*"
},
{
"Sid": "SecretsManagerPermissions",
"Effect": "Allow",
"Action": [
"secretsmanager:GetSecretValue",
"secretsmanager:DescribeSecret",
"secretsmanager:CreateSecret",
"secretsmanager:GetResourcePolicy",
"secretsmanager:DeleteSecret",
"secretsmanager:PutSecretValue"
],
"Resource": "*"
},
{
"Sid": "EFSCreatePermissions",
"Effect": "Allow",
"Action": [
"elasticfilesystem:CreateFileSystem",
"elasticfilesystem:DeleteFileSystem",
"elasticfilesystem:DescribeFileSystems",
"elasticfilesystem:TagResource",
"elasticfilesystem:DescribeLifecycleConfiguration",
"elasticfilesystem:CreateAccessPoint",
"elasticfilesystem:CreateMountTarget",
"elasticfilesystem:DescribeAccessPoints",
"elasticfilesystem:DeleteAccessPoint",
"elasticfilesystem:DescribeMountTargets",
"elasticfilesystem:DescribeMountTargetSecurityGroups",
"elasticfilesystem:DeleteMountTarget"
],
"Resource": "*"
},
{
"Sid": "KMSCreatePermissions",
"Effect": "Allow",
"Action": [
"kms:CreateKey",
"kms:TagResource",
"kms:DescribeKey",
"kms:CreateAlias",
"kms:ListAliases",
"kms:DeleteAlias"
],
"Resource": "*"
},
{
"Sid": "CloudWatchLogsPermissions",
"Effect": "Allow",
"Action": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents",
"logs:DescribeLogGroups",
"logs:DescribeLogStreams",
"logs:TagResource",
"logs:PutRetentionPolicy",
"logs:ListTagsForResource",
"logs:DeleteLogGroup"
],
"Resource": "*"
},
{
"Sid": "VPCPermissions",
"Effect": "Allow",
"Action": [
"ec2:CreateSubnet",
"ec2:CreateSecurityGroup",
"ec2:CreateRouteTable",
"ec2:CreateInternetGateway",
"ec2:DescribeSecurityGroupRules",
"ec2:DescribeVpcAttribute",
"ec2:DescribeVpcs",
"ec2:ModifyVpcAttribute",
"ec2:CreateVpc",
"ec2:CreateTags",
"ec2:DeleteTags",
"ec2:DescribeAccountAttributes",
"ec2:ModifyVpcTenancy",
"ec2:CreateNatGateway",
"ec2:AllocateAddress",
"ec2:AssociateRouteTable",
"ec2:CreateRoute",
"ec2:AttachInternetGateway",
"ec2:DetachInternetGateway",
"ec2:ModifySubnetAttribute",
"ec2:DeleteVpc",
"ec2:ReleaseAddress",
"ec2:DeleteInternetGateway",
"ec2:DeleteRouteTable",
"ec2:DeleteSubnet",
"ec2:DeleteSecurityGroup",
"ec2:RevokeSecurityGroupEgress",
"ec2:RevokeSecurityGroupIngress",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:AuthorizeSecurityGroupEgress",
"ec2:DescribeInternetGateways",
"ec2:DescribeNetworkAcls",
"ec2:CreateNetworkAclEntry",
"ec2:DeleteNetworkAclEntry",
"ec2:DescribeAddresses",
"ec2:DeleteNatGateway",
"ec2:DisassociateRouteTable",
"ec2:DeleteRoute",
"ec2:DisassociateAddress",
"ec2:DeleteNetworkInterface",
"ec2:RunInstances",
"ec2:DescribeLaunchTemplateVersions",
"ec2:DeleteLaunchTemplate"
],
"Resource": "*"
},
{
"Sid": "ECRPermissions",
"Effect": "Allow",
"Action": [
"ecr:GetAuthorizationToken",
"ecr:BatchCheckLayerAvailability",
"ecr:BatchGetImage",
"ecr:GetDownloadUrlForLayer"
],
"Resource": "*"
},
{
"Sid": "STSPermissions",
"Effect": "Allow",
"Action": [
"sts:AssumeRole"
],
"Resource": "*"
},
{
"Sid": "CloudWatchAgentPermissions",
"Effect": "Allow",
"Action": [
"cloudwatch:PutMetricData",
"ec2:DescribeTags"
],
"Resource": "*"
},
{
"Sid": "KMSTaggingPermissions",
"Effect": "Allow",
"Action": [
"kms:TagResource"
],
"Resource": "*"
},
{
"Sid": "LambdaPermissions",
"Effect": "Allow",
"Action": [
"lambda:CreateFunction",
"lambda:GetFunction",
"lambda:ListVersionsByFunction",
"lambda:DeleteFunction",
"lambda:UpdateFunctionCode",
"lambda:GetFunctionConfiguration",
"lambda:UpdateFunctionConfiguration"
],
"Resource": "*"
},
{
"Sid": "EKSPermissions",
"Effect": "Allow",
"Action": [
"eks:CreateCluster",
"eks:TagResource",
"eks:DescribeCluster",
"eks:DeleteCluster",
"eks:DescribeAddonVersions",
"eks:CreateAccessEntry",
"eks:DescribeAccessEntry",
"eks:DeleteAccessEntry",
"eks:CreateNodegroup",
"eks:AssociateAccessPolicy",
"eks:ListAssociatedAccessPolicies",
"eks:DisassociateAccessPolicy",
"eks:DescribeNodegroup",
"eks:CreateAddon",
"eks:DeleteAddon",
"eks:DescribeAddon",
"eks:DeleteNodegroup",
"eks:DescribeUpdate",
"eks:UpdateAddon"
],
"Resource": "*"
},
{
"Sid": "OpenSearchPermissions",
"Effect": "Allow",
"Action": [
"es:CreateDomain",
"es:DeleteDomain",
"es:DescribeDomain",
"es:DescribeDomains",
"es:ListDomainNames",
"es:UpdateDomainConfig",
"es:AddTags",
"es:ESHttpGet",
"es:ESHttpPut",
"es:ESHttpPost",
"es:ESHttpHead",
"es:DescribeElasticsearchDomainConfig",
"es:ListTags"
],
"Resource": "*"
},
{
"Sid": "TerraformBackendPermissions",
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:PutObject",
"s3:ListBucket",
"s3:DeleteObject",
"dynamodb:GetItem",
"dynamodb:PutItem",
"dynamodb:DeleteItem"
],
"Resource": [
"arn:aws:s3:::<<INSERT TERRAFORM BUCKET NAME PREFIX>>-terraform-statefiles",
"arn:aws:s3:::<<INSERT TERRAFORM BUCKET NAME PREFIX>>-terraform-statefiles/*",
"arn:aws:dynamodb:*:*:table/f<<INSERT TERRAFORM BUCKET NAME PREFIX>>-terraform-lock"
]
},
]
}Try Karini AI
Last updated