Installation
Integrating Karini AI into your secure enterprise environment is a streamlined, efficient process. Our deployment methodology prioritizes security, simplicity, and minimal disruption to your existing infrastructure.
Through our enterprise-grade Terraform implementation, Karini AI can be seamlessly deployed within your Virtual Private Cloud (VPC) with minimal configuration requirements. This infrastructure-as-code approach ensures consistent, repeatable deployments while maintaining the highest security standards.
To begin your deployment journey, simply contact the Karini AI implementation team for personalized deployment instructions and access to our Terraform modules customized for your specific environment.
Our technical specialists will guide you through the deployment process and ensure successful integration with your existing systems, enabling your organization to quickly leverage the full capabilities of our AI solutions.
For the deployment, the AWS account can either have the Administrator role, so that any other required resources can be created, or the scoped-down policy below. Note that the `IAMManagement` statement in each of the two policies below grants `iam:PassRole` together with role and policy creation on `"Resource": "*"`; that unconditioned allow, not the separately scoped `IAMPassRole` statement, is the effective limit on which roles can be passed. If a tighter footprint is required, restrict those IAM actions to the role and policy ARNs the Terraform modules create.
Pre-requisites:
AWS Console User
The AWS console user needs to have the following policy assigned to them:
Substitute <<INSERT TERRAFORM BUCKET NAME PREFIX>> with your own prefix
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "EKSClusterManagement",
"Effect": "Allow",
"Action": [
"eks:CreateCluster",
"eks:DeleteCluster",
"eks:DescribeCluster",
"eks:ListClusters",
"eks:UpdateClusterConfig",
"eks:UpdateClusterVersion",
"eks:CreateAddon",
"eks:DeleteAddon",
"eks:DescribeAddon",
"eks:ListAddons",
"eks:UpdateAddon",
"eks:CreateNodegroup",
"eks:DeleteNodegroup",
"eks:DescribeNodegroup",
"eks:ListNodegroups",
"eks:UpdateNodegroupConfig",
"eks:UpdateNodegroupVersion"
],
"Resource": "*"
},
{
"Sid": "EC2Management",
"Effect": "Allow",
"Action": [
"ec2:CreateSecurityGroup",
"ec2:DeleteSecurityGroup",
"ec2:DescribeSecurityGroups",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:RevokeSecurityGroupIngress",
"ec2:AuthorizeSecurityGroupEgress",
"ec2:RevokeSecurityGroupEgress",
"ec2:CreateTags",
"ec2:DeleteTags",
"ec2:DescribeTags",
"ec2:DescribeInstances",
"ec2:DescribeSubnets",
"ec2:DescribeVpcs",
"ec2:DescribeVpcAttribute",
"ec2:DescribeRouteTables",
"ec2:DescribeNetworkInterfaces",
"ec2:CreateNetworkInterface",
"ec2:DeleteNetworkInterface",
"ec2:DescribeNetworkInterfaceAttribute",
"ec2:CreateKeyPair",
"ec2:DeleteKeyPair",
"ec2:DescribeKeyPairs",
"ec2:DescribeImages",
"ec2:DescribeImageAttribute",
"ec2:RunInstances",
"ec2:TerminateInstances",
"ec2:StopInstances",
"ec2:StartInstances",
"ec2:AssociateIamInstanceProfile"
],
"Resource": "*"
},
{
"Sid": "IAMManagement",
"Effect": "Allow",
"Action": [
"iam:CreateRole",
"iam:DeleteRole",
"iam:GetRole",
"iam:ListRoles",
"iam:CreatePolicy",
"iam:DeletePolicy",
"iam:GetPolicy",
"iam:ListPolicies",
"iam:AttachRolePolicy",
"iam:DetachRolePolicy",
"iam:PutRolePolicy",
"iam:DeleteRolePolicy",
"iam:GetRolePolicy",
"iam:ListRolePolicies",
"iam:CreateServiceLinkedRole",
"iam:GetOpenIDConnectProvider",
"iam:CreateOpenIDConnectProvider",
"iam:DeleteOpenIDConnectProvider",
"iam:ListOpenIDConnectProviders",
"iam:TagRole",
"iam:TagPolicy",
"iam:CreateInstanceProfile",
"iam:AddRoleToInstanceProfile",
"iam:PassRole",
"iam:ListInstanceProfiles",
"iam:GetRole"
],
"Resource": "*"
},
{
"Sid": "IAMPassRole",
"Effect": "Allow",
"Action": "iam:PassRole",
"Resource": "arn:aws:iam::*:role/eks-*",
"Condition": {
"StringEquals": {
"iam:PassedToService": ["eks.amazonaws.com", "ec2.amazonaws.com"]
}
}
},
{
"Sid": "KMSManagement",
"Effect": "Allow",
"Action": [
"kms:CreateKey",
"kms:DescribeKey",
"kms:EnableKey",
"kms:ListKeys",
"kms:PutKeyPolicy",
"kms:ScheduleKeyDeletion",
"kms:CreateAlias",
"kms:DeleteAlias",
"kms:ListAliases",
"kms:UpdateAlias",
"kms:TagResource"
],
"Resource": "*"
},
{
"Sid": "S3Management",
"Effect": "Allow",
"Action": [
"s3:CreateBucket",
"s3:DeleteBucket",
"s3:GetBucketLocation",
"s3:GetBucketPolicy",
"s3:PutBucketPolicy",
"s3:GetBucketAcl",
"s3:PutBucketAcl",
"s3:GetObject",
"s3:PutObject",
"s3:ListBucket",
"s3:DeleteObject",
"s3:PutBucketPublicAccessBlock",
"s3:PutEncryptionConfiguration",
"s3:PutLifecycleConfiguration"
],
"Resource": "*"
},
{
"Sid": "CloudWatchManagement",
"Effect": "Allow",
"Action": [
"logs:CreateLogGroup",
"logs:DeleteLogGroup",
"logs:DescribeLogGroups",
"logs:ListTagsLogGroup",
"logs:PutRetentionPolicy"
],
"Resource": "*"
},
{
"Sid": "EFSManagement",
"Effect": "Allow",
"Action": [
"elasticfilesystem:CreateFileSystem",
"elasticfilesystem:DeleteFileSystem",
"elasticfilesystem:DescribeFileSystems",
"elasticfilesystem:CreateMountTarget",
"elasticfilesystem:DeleteMountTarget",
"elasticfilesystem:DescribeMountTargets",
"elasticfilesystem:CreateAccessPoint",
"elasticfilesystem:DeleteAccessPoint",
"elasticfilesystem:DescribeAccessPoints",
"elasticfilesystem:TagResource"
],
"Resource": "*"
},
{
"Sid": "LambdaManagement",
"Effect": "Allow",
"Action": [
"lambda:CreateFunction",
"lambda:DeleteFunction",
"lambda:GetFunction",
"lambda:ListFunctions",
"lambda:UpdateFunctionCode",
"lambda:UpdateFunctionConfiguration",
"lambda:TagResource"
],
"Resource": "*"
},
{
"Sid": "ECRAccess",
"Effect": "Allow",
"Action": [
"ecr:GetAuthorizationToken",
"ecr:BatchCheckLayerAvailability",
"ecr:GetDownloadUrlForLayer",
"ecr:BatchGetImage",
"ecr:DescribeRepositories",
"ecr:ListImages"
],
"Resource": "*"
},
{
"Sid": "OpenSearchManagement",
"Effect": "Allow",
"Action": [
"es:CreateDomain",
"es:DeleteDomain",
"es:DescribeDomain",
"es:DescribeDomains",
"es:ListDomainNames",
"es:UpdateDomainConfig",
"es:AddTags",
"es:ESHttpGet",
"es:ESHttpPut",
"es:ESHttpPost",
"es:ESHttpHead"
],
"Resource": "*"
},
{
"Sid": "SecretsManagerManagement",
"Effect": "Allow",
"Action": [
"secretsmanager:CreateSecret",
"secretsmanager:DeleteSecret",
"secretsmanager:DescribeSecret",
"secretsmanager:GetSecretValue",
"secretsmanager:ListSecrets",
"secretsmanager:PutSecretValue",
"secretsmanager:UpdateSecret",
"secretsmanager:TagResource"
],
"Resource": "*"
},
{
"Sid": "ACMManagement",
"Effect": "Allow",
"Action": [
"acm:RequestCertificate",
"acm:DescribeCertificate",
"acm:ListCertificates",
"acm:AddTagsToCertificate"
],
"Resource": "*"
},
{
"Sid": "TerraformBackend",
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:PutObject",
"s3:ListBucket",
"dynamodb:GetItem",
"dynamodb:PutItem",
"dynamodb:DeleteItem"
],
"Resource": [
"arn:aws:s3:::<<INSERT TERRAFORM BUCKET NAME PREFIX>>-terraform-statefiles",
"arn:aws:s3:::<<INSERT TERRAFORM BUCKET NAME PREFIX>>-terraform-statefiles/*",
"arn:aws:dynamodb:*:*:table/<<INSERT TERRAFORM BUCKET NAME PREFIX>>-terraform-lock"
]
},
{
"Sid": "BedrockAgentCoreFullAccess",
"Effect": "Allow",
"Action": ["bedrock-agentcore:*"],
"Resource": "arn:aws:bedrock-agentcore:*:*:*"
},
{
"Sid": "IAMListAccess",
"Effect": "Allow",
"Action": [
"iam:GetRole",
"iam:GetRolePolicy",
"iam:ListAttachedRolePolicies",
"iam:ListRolePolicies",
"iam:ListRoles"
],
"Resource": "arn:aws:iam::*:role/*"
},
{
"Sid": "BedrockAgentCorePassRoleAccess",
"Effect": "Allow",
"Action": "iam:PassRole",
"Resource": "arn:aws:iam::*:role/*BedrockAgentCore*",
"Condition": {
"StringEquals": {
"iam:PassedToService": "bedrock-agentcore.amazonaws.com"
}
}
},
{
"Sid": "SecretsManagerAccess",
"Effect": "Allow",
"Action": [
"secretsmanager:CreateSecret",
"secretsmanager:PutSecretValue",
"secretsmanager:GetSecretValue",
"secretsmanager:DeleteSecret"
],
"Resource": "arn:aws:secretsmanager:*:*:secret:bedrock-agentcore*"
},
{
"Sid": "BedrockAgentCoreKMSReadAccess",
"Effect": "Allow",
"Action": ["kms:ListKeys", "kms:DescribeKey"],
"Resource": ["arn:aws:kms:*:*:key/*"],
"Condition": {
"StringEquals": {
"aws:ResourceAccount": "${aws:PrincipalAccount}"
}
}
},
{
"Sid": "BedrockAgentCoreKMSAccess",
"Effect": "Allow",
"Action": ["kms:Decrypt", "kms:GenerateDataKey"],
"Resource": ["arn:aws:kms:*:*:key/*"],
"Condition": {
"StringEquals": {
"aws:ResourceAccount": "${aws:PrincipalAccount}"
},
"ForAnyValue:StringEquals": {
"aws:CalledVia": ["bedrock-agentcore.amazonaws.com"]
}
}
},
{
"Sid": "BedrockAgentCoreS3Access",
"Effect": "Allow",
"Action": ["s3:GetObject"],
"Resource": ["arn:aws:s3:::bedrock-agentcore-gateway-*"],
"Condition": {
"StringEquals": {
"aws:CalledViaLast": "bedrock-agentcore.amazonaws.com",
"s3:ResourceAccount": "${aws:PrincipalAccount}"
}
}
},
{
"Sid": "BedrockAgentCoreGatewayLambdaAccess",
"Effect": "Allow",
"Action": ["lambda:ListFunctions"],
"Resource": ["arn:aws:lambda:*:*:*"]
},
{
"Sid": "LoggingAccess",
"Effect": "Allow",
"Action": [
"logs:Get*",
"logs:List*",
"logs:StartQuery",
"logs:StopQuery",
"logs:Describe*",
"logs:TestMetricFilter",
"logs:FilterLogEvents"
],
"Resource": [
"arn:aws:logs:*:*:log-group:/aws/bedrock-agentcore/*",
"arn:aws:logs:*:*:log-group:/aws/application-signals/data:*",
"arn:aws:logs:*:*:log-group:aws/spans:*"
]
},
{
"Sid": "ObservabilityReadOnlyPermissions",
"Effect": "Allow",
"Action": [
"application-autoscaling:DescribeScalingPolicies",
"application-signals:BatchGet*",
"application-signals:Get*",
"application-signals:List*",
"autoscaling:Describe*",
"cloudwatch:BatchGet*",
"cloudwatch:Describe*",
"cloudwatch:GenerateQuery",
"cloudwatch:Get*",
"cloudwatch:List*",
"oam:ListSinks",
"rum:BatchGet*",
"rum:Get*",
"rum:List*",
"synthetics:Describe*",
"synthetics:Get*",
"synthetics:List*",
"xray:BatchGet*",
"xray:Get*",
"xray:List*",
"xray:StartTraceRetrieval",
"xray:CancelTraceRetrieval",
"logs:DescribeLogGroups",
"logs:StartLiveTail",
"logs:StopLiveTail"
],
"Resource": "*"
},
{
"Sid": "TransactionSearchXRayPermissions",
"Effect": "Allow",
"Action": [
"xray:GetTraceSegmentDestination",
"xray:UpdateTraceSegmentDestination",
"xray:GetIndexingRules",
"xray:UpdateIndexingRule"
],
"Resource": "*"
},
{
"Sid": "TransactionSearchLogGroupPermissions",
"Effect": "Allow",
"Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutRetentionPolicy"],
"Resource": [
"arn:aws:logs:*:*:log-group:/aws/application-signals/data:*",
"arn:aws:logs:*:*:log-group:aws/spans:*"
]
},
{
"Sid": "TransactionSearchLogsPermissions",
"Effect": "Allow",
"Action": ["logs:DescribeResourcePolicies"],
"Resource": ["*"],
"Condition": {
"StringEquals": {
"aws:ResourceAccount": "${aws:PrincipalAccount}"
}
}
},
{
"Sid": "TransactionSearchApplicationSignalsPermissions",
"Effect": "Allow",
"Action": ["application-signals:StartDiscovery"],
"Resource": "*"
},
{
"Sid": "CloudWatchApplicationSignalsCreateServiceLinkedRolePermissions",
"Effect": "Allow",
"Action": "iam:CreateServiceLinkedRole",
"Resource": "arn:aws:iam::*:role/aws-service-role/application-signals.cloudwatch.amazonaws.com/AWSServiceRoleForCloudWatchApplicationSignals",
"Condition": {
"StringLike": {
"iam:AWSServiceName": "application-signals.cloudwatch.amazonaws.com"
}
}
},
{
"Sid": "CloudWatchApplicationSignalsGetRolePermissions",
"Effect": "Allow",
"Action": "iam:GetRole",
"Resource": "arn:aws:iam::*:role/aws-service-role/application-signals.cloudwatch.amazonaws.com/AWSServiceRoleForCloudWatchApplicationSignals"
}
]
}
EC2 Role
The EC2 role needs to have the following policy assigned:
Substitute <<INSERT TERRAFORM BUCKET NAME PREFIX>> with your own prefix
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "EKSWorkerNodePermissions",
"Effect": "Allow",
"Action": [
"ec2:DescribeInstances",
"ec2:DescribeRouteTables",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSubnets",
"ec2:DescribeVolumes",
"ec2:DescribeVolumesModifications",
"ec2:DescribeVpcs",
"ec2:DescribeDhcpOptions",
"ec2:DescribeNetworkInterfaces",
"ec2:DescribeAvailabilityZones",
"ec2:CreateSecurityGroup",
"ec2:CreateSubnet",
"ec2:CreateRouteTable",
"ec2:CreateInternetGateway",
"ec2:DescribeSecurityGroupRules",
"ec2:DescribeAddressesAttribute",
"ec2:DescribeNatGateways",
"ec2:CreateLaunchTemplate",
"ec2:DescribeLaunchTemplates",
"ec2:DescribeLaunchTemplateVersions"
],
"Resource": "*"
},
{
"Sid": "IAMManagement",
"Effect": "Allow",
"Action": [
"iam:CreateRole",
"iam:DeleteRole",
"iam:GetRole",
"iam:ListRoles",
"iam:CreatePolicy",
"iam:DeletePolicy",
"iam:GetPolicy",
"iam:ListPolicies",
"iam:AttachRolePolicy",
"iam:DetachRolePolicy",
"iam:PutRolePolicy",
"iam:DeleteRolePolicy",
"iam:GetRolePolicy",
"iam:ListRolePolicies",
"iam:CreateServiceLinkedRole",
"iam:GetOpenIDConnectProvider",
"iam:CreateOpenIDConnectProvider",
"iam:DeleteOpenIDConnectProvider",
"iam:ListOpenIDConnectProviders",
"iam:TagRole",
"iam:TagPolicy",
"iam:CreateInstanceProfile",
"iam:AddRoleToInstanceProfile",
"iam:PassRole",
"iam:ListInstanceProfiles",
"iam:GetPolicyVersion",
"iam:ListAttachedRolePolicies",
"iam:ListPolicyVersions",
"iam:ListInstanceProfilesForRole",
"iam:TagOpenIDConnectProvider",
"iam:UpdateAssumeRolePolicy"
],
"Resource": "*"
},
{
"Sid": "SecretsManagerPermissions",
"Effect": "Allow",
"Action": [
"secretsmanager:GetSecretValue",
"secretsmanager:DescribeSecret",
"secretsmanager:CreateSecret",
"secretsmanager:GetResourcePolicy",
"secretsmanager:DeleteSecret",
"secretsmanager:PutSecretValue"
],
"Resource": "*"
},
{
"Sid": "EFSCreatePermissions",
"Effect": "Allow",
"Action": [
"elasticfilesystem:CreateFileSystem",
"elasticfilesystem:DeleteFileSystem",
"elasticfilesystem:DescribeFileSystems",
"elasticfilesystem:TagResource",
"elasticfilesystem:DescribeLifecycleConfiguration",
"elasticfilesystem:CreateAccessPoint",
"elasticfilesystem:CreateMountTarget",
"elasticfilesystem:DescribeAccessPoints",
"elasticfilesystem:DeleteAccessPoint",
"elasticfilesystem:DescribeMountTargets",
"elasticfilesystem:DescribeMountTargetSecurityGroups",
"elasticfilesystem:DeleteMountTarget"
],
"Resource": "*"
},
{
"Sid": "KMSCreatePermissions",
"Effect": "Allow",
"Action": [
"kms:CreateKey",
"kms:TagResource",
"kms:DescribeKey",
"kms:CreateAlias",
"kms:ListAliases",
"kms:DeleteAlias"
],
"Resource": "*"
},
{
"Sid": "CloudWatchLogsPermissions",
"Effect": "Allow",
"Action": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents",
"logs:DescribeLogGroups",
"logs:DescribeLogStreams",
"logs:TagResource",
"logs:PutRetentionPolicy",
"logs:ListTagsForResource",
"logs:DeleteLogGroup"
],
"Resource": "*"
},
{
"Sid": "VPCPermissions",
"Effect": "Allow",
"Action": [
"ec2:CreateSubnet",
"ec2:CreateSecurityGroup",
"ec2:CreateRouteTable",
"ec2:CreateInternetGateway",
"ec2:DescribeSecurityGroupRules",
"ec2:DescribeVpcAttribute",
"ec2:DescribeVpcs",
"ec2:ModifyVpcAttribute",
"ec2:CreateVpc",
"ec2:CreateTags",
"ec2:DeleteTags",
"ec2:DescribeAccountAttributes",
"ec2:ModifyVpcTenancy",
"ec2:CreateNatGateway",
"ec2:AllocateAddress",
"ec2:AssociateRouteTable",
"ec2:CreateRoute",
"ec2:AttachInternetGateway",
"ec2:DetachInternetGateway",
"ec2:ModifySubnetAttribute",
"ec2:DeleteVpc",
"ec2:ReleaseAddress",
"ec2:DeleteInternetGateway",
"ec2:DeleteRouteTable",
"ec2:DeleteSubnet",
"ec2:DeleteSecurityGroup",
"ec2:RevokeSecurityGroupEgress",
"ec2:RevokeSecurityGroupIngress",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:AuthorizeSecurityGroupEgress",
"ec2:DescribeInternetGateways",
"ec2:DescribeNetworkAcls",
"ec2:CreateNetworkAclEntry",
"ec2:DeleteNetworkAclEntry",
"ec2:DescribeAddresses",
"ec2:DeleteNatGateway",
"ec2:DisassociateRouteTable",
"ec2:DeleteRoute",
"ec2:DisassociateAddress",
"ec2:DeleteNetworkInterface",
"ec2:RunInstances",
"ec2:DescribeLaunchTemplateVersions",
"ec2:DeleteLaunchTemplate"
],
"Resource": "*"
},
{
"Sid": "ECRPermissions",
"Effect": "Allow",
"Action": [
"ecr:GetAuthorizationToken",
"ecr:BatchCheckLayerAvailability",
"ecr:BatchGetImage",
"ecr:GetDownloadUrlForLayer"
],
"Resource": "*"
},
{
"Sid": "STSPermissions",
"Effect": "Allow",
"Action": [
"sts:AssumeRole"
],
"Resource": "*"
},
{
"Sid": "CloudWatchAgentPermissions",
"Effect": "Allow",
"Action": [
"cloudwatch:PutMetricData",
"ec2:DescribeTags"
],
"Resource": "*"
},
{
"Sid": "KMSTaggingPermissions",
"Effect": "Allow",
"Action": [
"kms:TagResource"
],
"Resource": "*"
},
{
"Sid": "LambdaPermissions",
"Effect": "Allow",
"Action": [
"lambda:CreateFunction",
"lambda:GetFunction",
"lambda:ListVersionsByFunction",
"lambda:DeleteFunction",
"lambda:UpdateFunctionCode",
"lambda:GetFunctionConfiguration",
"lambda:UpdateFunctionConfiguration"
],
"Resource": "*"
},
{
"Sid": "EKSPermissions",
"Effect": "Allow",
"Action": [
"eks:CreateCluster",
"eks:TagResource",
"eks:DescribeCluster",
"eks:DeleteCluster",
"eks:DescribeAddonVersions",
"eks:CreateAccessEntry",
"eks:DescribeAccessEntry",
"eks:DeleteAccessEntry",
"eks:CreateNodegroup",
"eks:AssociateAccessPolicy",
"eks:ListAssociatedAccessPolicies",
"eks:DisassociateAccessPolicy",
"eks:DescribeNodegroup",
"eks:CreateAddon",
"eks:DeleteAddon",
"eks:DescribeAddon",
"eks:DeleteNodegroup",
"eks:DescribeUpdate",
"eks:UpdateAddon"
],
"Resource": "*"
},
{
"Sid": "OpenSearchPermissions",
"Effect": "Allow",
"Action": [
"es:CreateDomain",
"es:DeleteDomain",
"es:DescribeDomain",
"es:DescribeDomains",
"es:ListDomainNames",
"es:UpdateDomainConfig",
"es:AddTags",
"es:ESHttpGet",
"es:ESHttpPut",
"es:ESHttpPost",
"es:ESHttpHead",
"es:DescribeElasticsearchDomainConfig",
"es:ListTags"
],
"Resource": "*"
},
{
"Sid": "TerraformBackendPermissions",
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:PutObject",
"s3:ListBucket",
"s3:DeleteObject",
"dynamodb:GetItem",
"dynamodb:PutItem",
"dynamodb:DeleteItem"
],
"Resource": [
"arn:aws:s3:::<<INSERT TERRAFORM BUCKET NAME PREFIX>>-terraform-statefiles",
"arn:aws:s3:::<<INSERT TERRAFORM BUCKET NAME PREFIX>>-terraform-statefiles/*",
"arn:aws:dynamodb:*:*:table/<<INSERT TERRAFORM BUCKET NAME PREFIX>>-terraform-lock"
]
}
]
}