GuidesChangelog
Log In
Guides

Arthur Chat On-premises Deployment Guide (AWS ECS)

Suggest Edits

Pre-requisites

Arthur Shield deployment

Arthur Chat uses Arthur Shield to provide built-in LLM firewall protection. The Shield deployment must have
a license that's compatible with Arthur Chat. Please check with the Arthur team to verify that you have the appropriate license.

Azure OpenAI

To augment the LLM with your domain knowledge, Arthur Chat requires Azure OpenAI service endpoints with
text-embedding-ada-002 model.

S3 Bucket and IAM role

Arthur Chat works with a secured S3 bucket. The S3 bucket needs to be accessible with an assumed IAM role and its STS.

  1. Create an S3 bucket in the same region where Shield is deployed with “Block all public access” enabled
  2. On the workstation where AWS CLI is available, create a file, arthur-s3-policy.json, with the below template.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowS3Access",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:ListBucket",
                "s3:PutObject"
            ],
            "Resource": [
                "arn:aws:s3:::YOUR_S3_BUCKET",
                "arn:aws:s3:::YOUR_S3_BUCKET/*"
            ]
        }
    ]
}
  1. Create an IAM policy, arthur-s3-policy by running the below command
aws iam create-policy \
    --policy-name arthur-s3-policy \
    --policy-document file://arthur-s3-policy.json
  1. Create a file, arthur-trust-relationship-policy.json with the below template. The name of your Arthur Shield ECS task role that will be created by the CloudFormation template is ${ArthurResourceNamespace}-shield-task-role. When Arthur Chat is enabled, the Shield ECS service tasks will not start until its task role gets this permission. 
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                  "ARTHUR_SHIELD_ECS_TASK_ROLE_ARN" 
                ]
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
  1. Create an IAM role, arthur-assumed-role for Arthur to assume
aws iam create-role --role-name arthur-assumed-role --assume-role-policy-document file://arthur-trust-relationship-policy.json
  1. Attach arthur-s3-policy to arthur-assumed-role
aws iam attach-role-policy --policy-arn arn:aws:iam::**YOUR_AWS_ACCOUNT_ID**:policy/arthur-s3-policy --role-name arthur-assumed-role
  1. Configure the bucket policy
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Statement1",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::**YOUR_S3_BUCKET**/*",
                "arn:aws:s3:::**YOUR_S3_BUCKET**"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:PrincipalOrgID": "**YOUR_ORG_ID**"
                }
            }
        }
    ]
}

How to install Chat using AWS CloudFormation template

Follow the Arthur Shield On-premises Deployment Guide. In the AWS CloudFormation template form, fill in the parameter values for the pre-requisites you prepared in the Arthur Chat section.

Updated 6 months ago