feat: support API key for model accessing (#118)

* feat: add api key for model invoking

* fix: go mod update

* fix: update permissions

* feat: add output for api-key

* fix: update output and cleanup

* fix: update descriptions

* fix: update status output

* chore: cleanup

Author: yanbasic

docs/en/installation.md

@@ -49,7 +49,7 @@ Extra parameters passed to the model deployment. extra-params should be a Json o
   }
 }
 ```
-To learn some practice examples, please refer to the [Best Deployment Practices](docs/en/best_deployment_practices.md).
+To learn some practice examples, please refer to the [Best Deployment Practices](https://aws-samples.github.io/easy-model-deployer/en/best_deployment_practices/).
 
 
 

src/emd/cfn/codepipeline/template.yaml

@@ -64,6 +64,10 @@ Resources:
                   - logs:*
                   - elasticloadbalancing:*
                   - application-autoscaling:*
+                  - secretsmanager:GetSecretValue
+                  - secretsmanager:PutSecretValue
+                  - secretsmanager:CreateSecret
+                  - secretsmanager:UpdateSecret
                 Resource:
                   - "*"
       ManagedPolicyArns:
@@ -246,6 +250,12 @@ Resources:
               - parameters.json
               - template.yaml
 
+  EMDAPIKeySecret:
+    Type: AWS::SecretsManager::Secret
+    Properties:
+      Name: EMD-APIKey-Secrets
+      Description: Easy Model Deployer model API keys secrets
+
   Pipeline:
     Type: AWS::CodePipeline::Pipeline
     Properties:

src/emd/cfn/ecs/template.yaml

@@ -86,6 +86,18 @@ Parameters:
   Region:
     Type: String
     Description: Not used currently
+  APIKey:
+    Type: String
+    Default: ""
+    NoEcho: true
+    Description: API key to be used for invoking the model
+
+Conditions:
+  HasAPIKey: !Not [!Equals [!Ref APIKey, ""]]
+  IsChinaRegion: !Or
+    - !Equals [!Ref "AWS::Region", "cn-north-1"]
+    - !Equals [!Ref "AWS::Region", "cn-northwest-1"]
+
 Resources:
   ECSAutoScalingGroup:
     Type: AWS::AutoScaling::AutoScalingGroup
@@ -174,6 +186,13 @@ Resources:
     Properties:
       ServiceToken: !Ref LambdaDeploymentHelperArn
       ModelName: !Join ['', [!Ref ModelId, '/', !Ref ModelTag]]
+  SetApiKey:
+    Type: Custom::SetApiKey
+    Condition: HasAPIKey
+    Properties:
+      ServiceToken: !Ref LambdaDeploymentHelperArn
+      ModelName: !Join ['', [!Ref ModelId, '/', !Ref ModelTag]]
+      APIKey: !Ref APIKey
 
   ContainerHostSecurityGroup:
     Type: AWS::EC2::SecurityGroup
@@ -369,25 +388,6 @@ Resources:
         GroupId: !Ref ServiceSecurityGroup
         IpProtocol: -1
         SourceSecurityGroupId: !Ref PublicLoadBalancerSecurityGroup
-  ListenerRulePath:
-    Type: AWS::ElasticLoadBalancingV2::ListenerRule
-    Properties:
-      ListenerArn: !Ref PublicLoadBalancerListenerArn
-      Priority: !GetAtt GetPriorityNumber.Priority
-      Conditions:
-        - Field: path-pattern
-          PathPatternConfig:
-            Values:
-              - !Join
-                - ''
-                - - '/'
-                  - !Ref ModelId
-                  - '/'
-                  - !Ref ModelTag
-                  - '/*'
-      Actions:
-        - Type: forward
-          TargetGroupArn: !Ref ServiceTargetGroup
 
   ForceApiRouterDeployment:
     Type: Custom::ForceApiRouterDeployment
@@ -397,11 +397,18 @@ Resources:
 
 Outputs:
   Model:
-    Description: Model ID used to generate the response.
+    Description: The unique model ID that determines which model will process your request in the OpenAI-compatible API.
     Value: !Join ['', [!Ref ModelId, '/', !Ref ModelTag]]
   BaseURL:
     Description: Please use this URL for the OpenAI-compatible model API, like /v1/chat/completions. To use HTTPS, create an SSL certificate in AWS Certificate Manager and attach it to the load balancer.
     Value: !Join ['', ['http://', !Ref DNSName]]
   ECSServiceConnect:
     Description: Service Connect allows for service-to-service communications with automatic discovery using short names and standard ports.
     Value: !Join ['', ['http://', !GetAtt ConvertDnsName.DnsName, ':', !Ref ContainerPort]]
+  ModelAPIKey:
+    Condition: HasAPIKey
+    Description: "API key for accessing model is securely stored in AWS Secrets Manager and can be managed through the provided link."
+    Value: !If
+      - IsChinaRegion
+      - !Sub "https://console.amazonaws.cn/secretsmanager/secret?name=EMD-APIKey-Secrets&region=${AWS::Region}"
+      - !Sub "https://console.aws.amazon.com/secretsmanager/secret?name=EMD-APIKey-Secrets&region=${AWS::Region}"

src/emd/cfn/sagemaker_async/template.yaml

@@ -29,6 +29,21 @@ Parameters:
   Region:
     Type: String
     Description: The region to be used for the SageMaker Endpoint
+  LambdaDeploymentHelperArn:
+    Type: String
+    Description: The ARN of the Lambda function for capacity provider association
+  APIKey:
+    Type: String
+    Default: ""
+    NoEcho: true
+    Description: API key to be used for invoking the model
+
+Conditions:
+  HasAPIKey: !Not [!Equals [!Ref APIKey, ""]]
+  IsChinaRegion: !Or
+    - !Equals [!Ref "AWS::Region", "cn-north-1"]
+    - !Equals [!Ref "AWS::Region", "cn-northwest-1"]
+
 Resources:
   ExecutionRole:
     Type: AWS::IAM::Role
@@ -92,10 +107,25 @@ Resources:
       EndpointName: !Sub '${AWS::StackName}-endpoint'
       EndpointConfigName: !GetAtt SageMakerEndpointConfig.EndpointConfigName
 
+  SetApiKey:
+    Type: Custom::SetApiKey
+    Condition: HasAPIKey
+    Properties:
+      ServiceToken: !Ref LambdaDeploymentHelperArn
+      ModelName: !Join ['', [!Ref ModelId, '/', !Ref ModelTag]]
+      APIKey: !Ref APIKey
+
 Outputs:
   Model:
-    Description: Model ID used to generate the response
+    Description: The unique model ID that determines which model will process your request in the OpenAI-compatible API.
     Value: !Join ['', [!Ref ModelId, '/', !Ref ModelTag]]
   SageMakerEndpointName:
     Description: The name of the SageMaker Endpoint
     Value: !GetAtt SageMakerEndpoint.EndpointName
+  ModelAPIKey:
+    Condition: HasAPIKey
+    Description: "API key for accessing model is securely stored in AWS Secrets Manager and can be managed through the provided link."
+    Value: !If
+      - IsChinaRegion
+      - !Sub "https://console.amazonaws.cn/secretsmanager/secret?name=EMD-APIKey-Secrets&region=${AWS::Region}"
+      - !Sub "https://console.aws.amazon.com/secretsmanager/secret?name=EMD-APIKey-Secrets&region=${AWS::Region}"

src/emd/cfn/sagemaker_realtime/template.yaml

@@ -45,9 +45,21 @@ Parameters:
   DNSName:
     Type: String
     Description: The DNS name of the public load balancer. To use HTTPS, create an SSL certificate in AWS Certificate Manager and attach it to the load balancer.
+  LambdaDeploymentHelperArn:
+    Type: String
+    Description: The ARN of the Lambda function for capacity provider association
+  APIKey:
+    Type: String
+    Default: ""
+    NoEcho: true
+    Description: API key to be used for invoking the model
 
 Conditions:
   UseDefaultEndpointName: !Equals [!Ref SageMakerEndpointName, "Auto-generate"]
+  HasAPIKey: !Not [!Equals [!Ref APIKey, ""]]
+  IsChinaRegion: !Or
+    - !Equals [!Ref "AWS::Region", "cn-north-1"]
+    - !Equals [!Ref "AWS::Region", "cn-northwest-1"]
 
 Resources:
   ExecutionRole:
@@ -154,13 +166,28 @@ Resources:
         ScaleInCooldown: 600
         ScaleOutCooldown: 600
 
+  SetApiKey:
+    Type: Custom::SetApiKey
+    Condition: HasAPIKey
+    Properties:
+      ServiceToken: !Ref LambdaDeploymentHelperArn
+      ModelName: !Join ['', [!Ref ModelId, '/', !Ref ModelTag]]
+      APIKey: !Ref APIKey
+
 Outputs:
   Model:
-    Description: Model ID used to generate the response.
+    Description: The unique model ID that determines which model will process your request in the OpenAI-compatible API.
     Value: !Join ['', [!Ref ModelId, '/', !Ref ModelTag]]
   BaseURL:
     Description: Please use this URL for the OpenAI-compatible model API, like /v1/chat/completions. To use HTTPS, create an SSL certificate in AWS Certificate Manager and attach it to the load balancer.
     Value: !Join ['', ['http://', !Ref DNSName]]
   SageMakerEndpointName:
     Description: You can use invoke the endpoint by using the SageMaker runtime API.
     Value: !GetAtt SageMakerEndpoint.EndpointName
+  ModelAPIKey:
+    Condition: HasAPIKey
+    Description: "API key for accessing model is securely stored in AWS Secrets Manager and can be managed through the provided link."
+    Value: !If
+      - IsChinaRegion
+      - !Sub "https://console.amazonaws.cn/secretsmanager/secret?name=EMD-APIKey-Secrets&region=${AWS::Region}"
+      - !Sub "https://console.aws.amazon.com/secretsmanager/secret?name=EMD-APIKey-Secrets&region=${AWS::Region}"