Working with AWS
Constellaxion supports deploying and fine-tuning open-source models on AWS using services like SageMaker, ECR, and S3.
This page explains what IAM resources the CLI sets up under the hood to enable this functionality, and what permissions are required to run it from your local machine.
What Constellaxion Does on AWS
When you run a command like constellaxion init or constellaxion model deploy, Constellaxion performs a series of actions behind the scenes so that the right AWS resources can handle the job. Some examples of what Constellaxion might do:
- Launch training jobs via SageMaker
- Push/pull custom containers using ECR
- Read/write datasets and model artifacts in S3
- Create and configure IAM roles automatically
These actions require specific IAM permissions in your AWS account.
IAM Role: constellaxion-admin
After you run constellaxion init, Constellaxion creates (or reuses) an IAM role named:
constellaxion-admin
This role is assumed by AWS services to carry out SageMaker training and ECS-based serving jobs.
Role Trust Policy
The role allows the following AWS services to assume it:
- sagemaker.amazonaws.com for training and inference
- ecs-tasks.amazonaws.com for serving (future support)
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "sagemaker.amazonaws.com",
          "ecs-tasks.amazonaws.com"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
Attached Policies
The following AWS-managed policies are automatically attached to the constellaxion-admin role:
| Policy | Purpose |
|---|---|
| AmazonSageMakerFullAccess | To create, manage, and monitor training and endpoint jobs |
| AmazonEC2ContainerRegistryFullAccess | To push/pull Docker images for custom training and inference containers |
| AmazonS3FullAccess | To read/write training data and model artifacts |
This IAM approach is not ideal for production deployments. We're working on a more secure solution. If you have any urgent needs, please reach out to us at support@constellaxion.ai.
Inline Policy for ECR Runtime Access
In addition to the managed policies, Constellaxion attaches a custom inline policy to the constellaxion-admin role that explicitly grants ECR runtime access:
{
  "Effect": "Allow",
  "Action": [
    "ecr:GetAuthorizationToken",
    "ecr:BatchCheckLayerAvailability",
    "ecr:GetDownloadUrlForLayer",
    "ecr:BatchGetImage"
  ],
  "Resource": "*"
}
This ensures SageMaker and ECS tasks can pull your custom containers during job execution.
Your User Permissions
To initialize the AWS environment locally using Constellaxion, the identity running the CLI must be able to:
- Create IAM roles and attach policies
- Resolve the current identity using STS
You'll need to ensure that the identity has the following permissions:
{
  "Effect": "Allow",
  "Action": [
    "iam:CreateRole",
    "iam:PutRolePolicy",
    "iam:AttachRolePolicy",
    "iam:GetRole",
    "sts:GetCallerIdentity"
  ],
  "Resource": "*"
}
You can either grant these permissions directly or run the CLI as a user with AdministratorAccess.
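An added audit sketch, not Constellaxion's own code: it lints the trust policy, managed policy list, inline ECR statement and user statement shown on this page for the broad grants that the production note above refers to. The variable and function names are assumptions of this example, and STAR_ONLY lists the two actions here that IAM cannot scope to a resource ARN.

```python
"""Lint the IAM documents from this page for broad grants (added example)."""
# Actions with no resource-level scoping in IAM, so "*" is the only valid Resource.
STAR_ONLY = {"ecr:GetAuthorizationToken", "sts:GetCallerIdentity"}

# Constructed input: the policy documents shown on this page, copied inline.
TRUST = {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"Service": ["sagemaker.amazonaws.com", "ecs-tasks.amazonaws.com"]}}]}
MANAGED = ["AmazonSageMakerFullAccess", "AmazonEC2ContainerRegistryFullAccess",
           "AmazonS3FullAccess"]
INLINE_ECR = {"Effect": "Allow", "Resource": "*", "Action": [
    "ecr:GetAuthorizationToken", "ecr:BatchCheckLayerAvailability",
    "ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage"]}
USER = {"Effect": "Allow", "Resource": "*", "Action": [
    "iam:CreateRole", "iam:PutRolePolicy", "iam:AttachRolePolicy",
    "iam:GetRole", "sts:GetCallerIdentity"]}

def as_list(value):
    """IAM accepts either a string or a list for Action, Resource and Service."""
    return value if isinstance(value, list) else [value]

def wildcard_actions(statement):
    """Allowed actions granted on Resource "*" that could be scoped to an ARN."""
    if statement.get("Effect") != "Allow" or "*" not in as_list(statement.get("Resource", [])):
        return []
    return [a for a in as_list(statement["Action"]) if a not in STAR_ONLY]

def unconditioned_services(trust):
    """Service principals allowed to assume the role with no Condition block."""
    found = []
    for st in trust["Statement"]:
        if st.get("Effect") == "Allow" and "Condition" not in st:
            found += as_list(st.get("Principal", {}).get("Service", []))
    return found

def audit(trust, managed, statements):
    """Return one finding string per broad grant across all three document kinds."""
    findings = [f"trust: {s} may assume the role without a Condition"
                for s in unconditioned_services(trust)]
    findings += [f"managed: {p} is a broad FullAccess policy"
                 for p in managed if p.endswith("FullAccess")]
    for name, st in statements.items():
        findings += [f"{name}: {a} on Resource '*'" for a in wildcard_actions(st)]
    return findings

if __name__ == "__main__":
    for line in audit(TRUST, MANAGED, {"inline-ecr": INLINE_ECR, "user": USER}):
        print(line)
```

The iam:* findings for the user statement disappear once its Resource is narrowed to the constellaxion-admin role ARN; the ecr:GetAuthorizationToken wildcard is expected and is not flagged.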
Region Support
Constellaxion supports any AWS region where SageMaker is available. Specify the region in your model.yaml file under the deploy.aws.region field.
deploy:
  aws:
    region: us-east-1
Summary: What Happens When You Run init
- The CLI calls sts:GetCallerIdentity to determine who you are
- It creates the constellaxion-admin role (or skips if it already exists)
- It attaches the required managed policies
- It adds the inline ECR access policy
- You're ready to train or deploy!
Next Steps
Once AWS is set up:
- Create a model directory with model.yaml
- Run constellaxion init
- You're ready to deploy, fine-tune, and serve