<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: Anand Joshi</title>
    <description>The latest articles on DEV Community by Anand Joshi (@anandxmj).</description>
    <link>https://dev.to/anandxmj</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F1236190%2Fbc84bf24-e853-4f35-ad5b-120945a08335.jpg</url>
      <title>DEV Community: Anand Joshi</title>
      <link>https://dev.to/anandxmj</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/anandxmj"/>
    <language>en</language>
    <item>
      <title>AWS re:Invent 2023 - My Reflection</title>
      <dc:creator>Anand Joshi</dc:creator>
      <pubDate>Fri, 22 Dec 2023 14:40:35 +0000</pubDate>
      <link>https://dev.to/anandxmj/aws-reinvent-2023-my-reflection-28he</link>
      <guid>https://dev.to/anandxmj/aws-reinvent-2023-my-reflection-28he</guid>
      <description>&lt;h2&gt;
  
  
  What is AWS re:Invent
&lt;/h2&gt;

&lt;p&gt;AWS re:Invent is an annual conference hosted by Amazon Web Services (AWS). The event typically takes place in Las Vegas, Nevada, and has also been held in virtual formats.&lt;/p&gt;

&lt;p&gt;Thank you &lt;a href="https://www.linkedin.com/company/raft-tech/"&gt;Raft&lt;/a&gt; for sponsoring me to attend AWS re:Invent 2023. I absolutely love to be part of Raft's Mission&lt;/p&gt;

&lt;p&gt;This year's AWS re:Invent was a transformative event with a big focus on Generative AI. It featured the following keynotes.&lt;/p&gt;

&lt;h2&gt;
  
  
  Keynotes
&lt;/h2&gt;

&lt;p&gt;&lt;strong&gt;Adam Selipsky&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--USGOu1qg--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/vj4hg65h6pis6j4mgdfi.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--USGOu1qg--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/vj4hg65h6pis6j4mgdfi.png" alt="Image description" width="800" height="520"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Several new AWS services were announced: S3 Express One Zone, Graviton4, various features and foundational model releases in Bedrock, EC2 Capacity Block for Machine Learning, Trainium 2, and other services.&lt;/li&gt;
&lt;li&gt;Generative AI Powered Assistant, enter Amazon Q !!! it Rocks !!! &lt;/li&gt;
&lt;li&gt;The AWS-Nvidia partnership was highlighted and how it facilitated the launch of EC2 Capacity Blocks for ML, leveraging the Grace Hopper Superchip Cluster. &lt;/li&gt;
&lt;li&gt;AWS Anthropic partnership was discussed. This collaboration led to the release of Claude 2.0, a foundational model within Bedrock&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;Dr. Swami Sivasubramanian&lt;/strong&gt; &lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Several new announcements were covered, with the Bedrock overview as a guideline and a focus on the relationship between data and Generative AI. New announcements were: availability of foundational models (Claude 2.1 from Anthropic, Llama 2 70B, Titan Multimodal Embeddings), general availability of Titan Text Lite and Express, Titan Image Generator with invisible watermarks, SageMaker HyperPod and many SageMaker innovations, vector capabilities in DynamoDB, Neptune Analytics, and Clean Rooms for ML.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;Dr. Werner Vogels&lt;/strong&gt; &lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--nYqfWRlu--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/7ayce1rsihzeq3lpfujo.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--nYqfWRlu--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/7ayce1rsihzeq3lpfujo.png" alt="Image description" width="800" height="506"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;The laws of The Frugal Architect. &lt;a href="https://thefrugalarchitect.com/"&gt;https://thefrugalarchitect.com/&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;Special Shoutout to Dr. Rebecca Portnoff and Thorn team on their incredible contribution to combat child sexual abuse. &lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Sessions
&lt;/h2&gt;

&lt;p&gt;In the plethora of available sessions in the catalog, trying not to get overwhelmed and to stay focused, I ended up attending the following sessions over the course of 4 days.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Workshop - Build a generative AI chatbot using your own data with Amazon Titan&lt;/strong&gt;&lt;br&gt;
Learnt how to build an AI chatbot using custom data with AWS’s very own foundational model - Titan. It touched upon many AWS AI services such as SageMaker, Bedrock, OpenSearch Service etc. Learnt the concepts of Vector Search and Vector Embeddings and the use of LangChain to integrate LLMs into applications.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Breakout Session - Data Mesh&lt;/strong&gt; &lt;br&gt;
OLTP/OLAP patterns and how Data Mesh can solve some of the issues with these patterns by decentralizing data and building governance capabilities.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Builder Session - Building protein language models for life science generative AI&lt;/strong&gt;&lt;br&gt;
Learnt about pLMs (Protein Language Models), a variant of LLMs, used to classify if a given protein is attached to the membrane or an organelle inside the cell. Very cool to see this use case of LLMs.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Chalk Talk - Supercharge agent productivity with Amazon Transcribe &amp;amp; generative AI&lt;/strong&gt;&lt;br&gt;
Learnt how the AWS Transcribe service and Generative AI can work together. Take for example a phone call: it can be converted to text with the help of the Transcribe service. This text has loads of insights, for example sentiments, and it can be summarized with the help of Generative AI!&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Chalk Talk - An immersive experience with Amazon Bedrock&lt;/strong&gt; &lt;br&gt;
Focused on the basics of Bedrock and its application in various use cases, including Chat Assistants, Image Generation, and Question-Answering systems. This session featured live coding to demonstrate the implementation process. It covered concepts such as vector embeddings, fine-tuning and model parameters (Temperature, Top P, and Top K). Foundational models like the Titan family and Claude 2.0 were discussed.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Chalk talk - Drive ML strategies with data extracted from chat messages&lt;/strong&gt;&lt;br&gt;
Covered how ML strategies can be developed based on data that is extracted from chat messages. A trading platform use case was discussed, running sentiment analysis on the platform's chat data and showing how NLP can be used in conjunction with ML to develop end-of-day strategies for a trading platform.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Innovation talk - From hype to impact: Building a generative AI architecture&lt;/strong&gt;&lt;br&gt;
This talk demystified the Generative AI topic from the hype and buzz words to the real architectures. Generative AI Concepts with AWS Services and the reference architecture were discussed. &lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Chalk Talk Session - Train and deploy FMs on Amazon EC2 and Amazon SageMaker&lt;/strong&gt;&lt;br&gt;
A live demo of training a model using an EC2 instance and Deep Learning AMIs, building model artifacts and deploying them to SageMaker. It featured the implementation of a Stable Diffusion use case to generate new images.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Chalk talk - Code faster with Amazon CodeWhisperer&lt;/strong&gt;&lt;br&gt;
The talk featured the basics of CodeWhisperer in the IDE as well as new features such as command line support. CodeWhisperer can now be used to generate AWS CLI commands in the form of a shell script. The session also covered security scanning features and support for various programming languages and IaC frameworks.&lt;/p&gt;

&lt;h2&gt;
  
  
  Special highlights
&lt;/h2&gt;

&lt;p&gt;My honor to meet in person, the Leaders of cutting edge tech&lt;br&gt;
&lt;a href="https://www.linkedin.com/in/swaminathansivasubramanian/"&gt;Dr. Swami Sivasubramanian&lt;/a&gt;, &lt;a href="https://www.linkedin.com/in/jeffbarr/"&gt;Jeff Barr&lt;/a&gt;, &lt;a href="https://www.linkedin.com/in/alliekmiller/"&gt;Allie K Miller&lt;/a&gt;, &lt;a href="https://www.linkedin.com/in/semaan/"&gt;Viktoria Semaan&lt;/a&gt;, &lt;a href="https://www.linkedin.com/in/lindahaviv/"&gt;Linda Haviv&lt;/a&gt;, &lt;a href="https://www.linkedin.com/in/fayeellis/"&gt;Faye Ellis&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--oqEgCzzI--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/g57pbpw33kvlkl28cij3.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--oqEgCzzI--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/g57pbpw33kvlkl28cij3.png" alt="Image description" width="641" height="441"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--EO8e3krr--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/v9m34uu6o2ldztxlo6su.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--EO8e3krr--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/v9m34uu6o2ldztxlo6su.png" alt="Image description" width="534" height="589"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--iUm_GnqI--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/qpasf8jog0g1apwax74y.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--iUm_GnqI--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/qpasf8jog0g1apwax74y.png" alt="Image description" width="563" height="668"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--2dYV2vZE--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/nu9soetjz4embt5g3v1r.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--2dYV2vZE--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/nu9soetjz4embt5g3v1r.png" alt="Image description" width="604" height="530"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--_Mm03_ha--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/qzq5bnqcuj7r7rd35egl.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--_Mm03_ha--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/qzq5bnqcuj7r7rd35egl.png" alt="Image description" width="661" height="440"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  How can one plan better
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;The Session Catalog is published a few months before. Take some time to really plan which sessions you want to attend and mark them as favorites.&lt;/li&gt;
&lt;li&gt;Review the conference schedule in advance and try to cluster your sessions together at a single venue or nearby venues to minimize the need for long-distance travel between sessions.&lt;/li&gt;
&lt;li&gt;Breakout Sessions are typically recorded and you can watch them later online, so prioritize Chalk Talks, Builder Sessions and Workshops when you register for events.&lt;/li&gt;
&lt;li&gt;Have fun, take some time to explore the Expo and Builders Fair, and do lots of networking.&lt;/li&gt;
&lt;li&gt;Sign up for and attend after-hours events by AWS and Partners.&lt;/li&gt;
&lt;/ul&gt;

</description>
      <category>aws</category>
      <category>awsreinvent2023</category>
      <category>raft</category>
    </item>
    <item>
      <title>Demystifying AWS Identity Federation</title>
      <dc:creator>Anand Joshi</dc:creator>
      <pubDate>Mon, 18 Dec 2023 18:54:13 +0000</pubDate>
      <link>https://dev.to/anandxmj/demystifying-aws-identity-federation-4a36</link>
      <guid>https://dev.to/anandxmj/demystifying-aws-identity-federation-4a36</guid>
      <description>&lt;p&gt;Sitting in the cafe and thinking what should I read today, I just decided to contribute to the Developer community with an article that can quickly summarize what AWS Identity Federation is.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Objective:&lt;/strong&gt;&lt;br&gt;
What we will cover is how to use Google as an Identity Provider for authentication, and how to use a Google Identity Token to request temporary, limited-privilege credentials from AWS that can be used with the AWS CLI.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;How it works:&lt;/strong&gt;&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;Here we decide to trust Google as our authentication provider. The user proves their identity by successfully logging in to Google.&lt;/li&gt;
&lt;li&gt;We then capture the Identity Token issued by Google to the user after the user successfully logs in.&lt;/li&gt;
&lt;li&gt;Use the Identity Token issued in Step 2 with AWS Security Token Service (STS) to obtain temporary, limited-privilege credentials.&lt;/li&gt;
&lt;li&gt;Use the credentials obtained in Step 3 with the AWS command line interface to interact with the AWS Cloud Platform.&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;Here are the CLI Tools we need, please follow the installation instructions as per your development environment.&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;a href="https://cloud.google.com/sdk/gcloud"&gt;https://cloud.google.com/sdk/gcloud&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://aws.amazon.com/cli/"&gt;https://aws.amazon.com/cli/&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://jqlang.github.io/jq/"&gt;https://jqlang.github.io/jq/&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;Let’s roll up our sleeves and follow these steps:&lt;/strong&gt;&lt;br&gt;
&lt;em&gt;&lt;strong&gt;For the steps below, I suggest not using the AWS root user; create an AWS IAM User with administrative access and use it instead. Also, please protect the root user and IAM Users by enabling MFA.&lt;/strong&gt;&lt;/em&gt;&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;&lt;p&gt;Initiate the login and log in to Google. Open a terminal and use the command below. This command will open the browser and ask you to log in to Google. If you have already logged in, it will ask which account to proceed with. Select the account; it will then prompt you for permission for the gcloud SDK to access your Google Account. Please select “Allow”.&lt;br&gt;
&lt;code&gt;gcloud auth login&lt;/code&gt;&lt;br&gt;
Return to the terminal and it should show you the prompt like below. Verify you logged in with the Gmail address of your choice.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;It's time to get the Identity Token issued by Google. Use the command below on the terminal. The output of the command is the Identity Token issued by Google. Please copy it and never share it.&lt;br&gt;
&lt;/p&gt;&lt;/li&gt;
&lt;/ol&gt;
&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;gcloud auth print-identity-token
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;


&lt;p&gt;3. Please use the command below to decode the Google Identity Token. From the output JSON, please save the values of&lt;br&gt;
aud(&lt;a href="https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.3"&gt;https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.3&lt;/a&gt;)&lt;br&gt;
sub(&lt;a href="https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.2"&gt;https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.2&lt;/a&gt;)&lt;/p&gt;

&lt;p&gt;We will use these values to scope the AWS Role to the Google User we intend to give AWS CLI access to.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
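&lt;pre class="highlight plaintext"&gt;&lt;code&gt;# JWT segments are base64url-encoded, so map them to standard base64 before decoding
jq -R 'split(".") | .[1] | gsub("-"; "+") | gsub("_"; "/") | @base64d | fromjson' &amp;lt;&amp;lt;&amp;lt; "&amp;lt;Google Identity Token&amp;gt;"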
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;4. Create a role in AWS. In the AWS Console, navigate to IAM -&amp;gt; Role and create a role with a Trusted Entity Type of “Web Identity” and the Identity Provider set to “Google”.&lt;/p&gt;

&lt;p&gt;Use the value of aud for the Audience and the value of sub for accounts.google.com:sub.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--Oa9k-_i9--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/xk76mv100nu5xdxbcmbz.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--Oa9k-_i9--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/xk76mv100nu5xdxbcmbz.png" alt="Image description" width="800" height="665"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;This will ensure that the AWS role can only be assumed by the intended Google User and no one else.&lt;/p&gt;

&lt;p&gt;Click Next&lt;/p&gt;

&lt;p&gt;Select the required permission policy. For example, if you want this Google user to only access (read, write) S3, select AmazonS3FullAccess.&lt;/p&gt;

&lt;p&gt;Give the role a name and description and create the role.&lt;/p&gt;

&lt;p&gt;Please note down the Amazon Resource Name (ARN) of the role once it's created. We will use this in the final step when we get AWS credentials by assuming this role.&lt;/p&gt;

&lt;p&gt;5. Assume the role created in Step 4 using the Google Identity Token and obtain temporary, limited-privilege AWS credentials. Please use the command below:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;aws sts assume-role-with-web-identity \
  --role-arn arn:aws:iam::&amp;lt;Your AWS Account Number&amp;gt;:role/&amp;lt;role-name&amp;gt; \
  --role-session-name &amp;lt;Session Name&amp;gt; \
  --web-identity-token &amp;lt;Google Identity Token&amp;gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;The temporary credentials will be in the output JSON and will have 3 major fields: Access Key Id, Secret Access Key and Session Token. Please note the values and use them in the commands below:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;export AWS_ACCESS_KEY_ID=&amp;lt;Access Key Id&amp;gt;
export AWS_SECRET_ACCESS_KEY=&amp;lt;Secret Access Key&amp;gt;
export AWS_SESSION_TOKEN=&amp;lt;Session Token&amp;gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;By default the returned credentials expire one hour after they are generated; the lifetime can be set using the --duration-seconds flag of the aws sts command.&lt;/p&gt;

&lt;p&gt;6. Use the AWS temporary credentials. You can now use aws cli commands with the above temporary credentials set. The example above has the AmazonS3FullAccess policy configured for the role. Please try creating a bucket, copying objects to it and reading objects from the bucket with the aws s3 command.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Summary:&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;You have created an AWS Web Identity Role that has a specific permission, and this role can only be assumed by a trusted Google User.&lt;/li&gt;
&lt;li&gt;We don’t create any user within AWS IAM; rather, we trust an Identity Provider and establish a trust relationship with the user(s) on the trusted Identity Provider beforehand, in the form of an AWS IAM Role and its trusted entities.&lt;/li&gt;
&lt;li&gt;Once the user assumes this role, AWS will issue temporary credentials (Access Key ID, Secret Access Key and Session Token) that can be used with the AWS CLI.&lt;/li&gt;
&lt;li&gt;The privileges of the credentials are governed by the access policies attached to the role, which can be changed at any time to expand or reduce the scope of what this user can and can’t do. We can scope the policy down so that the user has access only to what is minimally needed. This is called the “Principle of Least Privilege”.&lt;/li&gt;
&lt;li&gt;We can revoke or add the trust relationship of users at any time from the Web Identity Role.&lt;/li&gt;
&lt;/ul&gt;

</description>
      <category>aws</category>
      <category>sts</category>
      <category>iam</category>
      <category>identityfederation</category>
    </item>
  </channel>
</rss>
