Modify IAM Configurations to Allow learn-ai Application to Use AWS Resources

[feoh]

Description/Context

1. Create an IAM role + policies + attachments
2. Create a k8s service account
3. Annotate that service account with the IAM role
4. Tell the ‘deployment’ / pods to use the service account when they run

Plan/Design

Prior Art:

https://github.com/mitodl/ol-infrastructure/blob/main/src/ol_infrastructure/applications/airbyte/__main__.py#L584-L614

The only other thing you’ll need is to make the service account because in that example we’re relying on one that comes with the helm chart. The pulumi stuff to make one is here https://www.pulumi.com/registry/packages/kubernetes/api-docs/core/v1/serviceaccount/

there are special things about the role in the IAM config that the TrustRole does for you. AssumeRole stuff

[blarghmatey]

Beyond the core mechanics of the IAM policy, this also needs to include provisions for interacting with AWS Bedrock functionality. Additionally, this should create a Vault role for generating IAM credentials with the same IAM policy bound to it that can be generated for use in developer environments.

[feoh]

Decided to branch off his branch rather than PR and merge before I understood what I was merging :)

https://github.com/mitodl/ol-infrastructure/tree/cpatti_learn_ai