AWS Setup Guide for OnglX Deploy

Complete guide to setting up AWS for successful OnglX deployments with all required permissions and prerequisites.

Prerequisites

Before deploying with OnglX to AWS, ensure you have:

  1. AWS Account with billing enabled
  2. AWS CLI installed and configured
  3. Programmatic access (Access Key + Secret Key or AWS SSO)
  4. Sufficient permissions for the services you plan to use

Required AWS Services & APIs

OnglX Deploy requires access to these AWS services:

For Inference Domain (AI/ML APIs)

  • AWS Lambda - For serverless function hosting
  • Amazon API Gateway - For REST API endpoints
  • Amazon S3 - For deployment artifacts and storage
  • Amazon Bedrock - For AI model access
  • AWS IAM - For role and policy management
  • Amazon CloudWatch - For logging and monitoring

Service Quotas to Check

Before deploying, verify you have sufficient quotas:

BASH
# Check Lambda concurrent executions limit
aws service-quotas get-service-quota \
  --service-code lambda \
  --quota-code L-B99A9384

# Check API Gateway limits
aws service-quotas get-service-quota \
  --service-code apigateway \
  --quota-code L-01FE57C8

AWS Bedrock Model Access

Critical: OnglX Deploy inference requires specific Bedrock model access.

⚠️ Important: There's a difference between foundation model availability and account access. Models may show as "ACTIVE" in the foundation models list but still require explicit access approval for your account.

Enable Required Models

  1. Navigate to AWS Bedrock Console → Model access

  2. Request access to these models (required):

    • Anthropic Claude 3.5 Sonnet (anthropic.claude-3-5-sonnet-20241022-v2:0)
    • Anthropic Claude 3 Haiku (anthropic.claude-3-haiku-20240307-v1:0) - Usually pre-approved
    • Amazon Titan Text Express (amazon.titan-text-express-v1)
    • Amazon Titan Text Lite (amazon.titan-text-lite-v1)
  3. Wait for approval (usually 5-10 minutes for Titan models, up to 24 hours for Anthropic)

Check Foundation Model Availability vs Account Access

BASH
# List all foundation models (shows what's available in the region)
aws bedrock list-foundation-models \
  --region us-east-1 \
  --query 'modelSummaries[?modelLifecycle.status==`ACTIVE`].[modelId,modelName,providerName]' \
  --output table

# Check which models you actually have access to (requires model access page approval)
# This is different from the above - just because a model shows as ACTIVE doesn't mean you have access

Test Model Access with OnglX Deploy

The best way to verify model access is through your deployed API:

BASH
# Test with Claude 3 Haiku (usually works immediately)
curl -X POST "https://your-api-endpoint.execute-api.us-east-1.amazonaws.com/dev/v1/chat/completions" \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer your-bearer-token" \
  -H "X-API-Key: your-api-key" \
  -d '{
    "model": "anthropic.claude-3-haiku-20240307-v1:0",
    "messages": [{"role": "user", "content": "Test message"}],
    "max_tokens": 50
  }'

# Test with Claude 3.5 Sonnet (may require approval)
curl -X POST "https://your-api-endpoint.execute-api.us-east-1.amazonaws.com/dev/v1/chat/completions" \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer your-bearer-token" \
  -H "X-API-Key: your-api-key" \
  -d '{
    "model": "anthropic.claude-3-5-sonnet-20241022-v2:0",
    "messages": [{"role": "user", "content": "Test message"}],
    "max_tokens": 50
  }'

Understanding Model Access Errors

If you get an error like:

"Model access required" or "Invocation of model ID ... with on-demand throughput isn't supported"

This means the model exists but you don't have account-level access. Go to AWS Bedrock Console → Model Access and request approval.

Direct Bedrock API Test (Alternative Method)

BASH
# Test specific model access directly via the Bedrock runtime API
# (invoke-model belongs to the bedrock-runtime service, not bedrock)
aws bedrock-runtime invoke-model \
  --region us-east-1 \
  --model-id anthropic.claude-3-haiku-20240307-v1:0 \
  --cli-binary-format raw-in-base64-out \
  --body '{"anthropic_version":"bedrock-2023-05-31","max_tokens":10,"messages":[{"role":"user","content":"Hi"}]}' \
  response.json

IAM Permissions

Option 1: Administrator Access (Development Only)

For development/testing, you can use broad permissions:

JSON
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*"
    }
  ]
}

⚠️ Warning: Never use administrator access in production.

Option 2: Least Privilege (Production)

Create a custom policy with minimum required permissions:

JSON
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "LambdaManagement",
      "Effect": "Allow",
      "Action": [
        "lambda:CreateFunction",
        "lambda:UpdateFunctionCode",
        "lambda:UpdateFunctionConfiguration",
        "lambda:DeleteFunction",
        "lambda:GetFunction",
        "lambda:ListFunctions",
        "lambda:InvokeFunction",
        "lambda:AddPermission",
        "lambda:RemovePermission",
        "lambda:CreateEventSourceMapping",
        "lambda:DeleteEventSourceMapping"
      ],
      "Resource": "*"
    },
    {
      "Sid": "APIGatewayManagement",
      "Effect": "Allow",
      "Action": [
        "apigateway:*"
      ],
      "Resource": "*"
    },
    {
      "Sid": "S3Management",
      "Effect": "Allow",
      "Action": [
        "s3:CreateBucket",
        "s3:DeleteBucket",
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject",
        "s3:ListBucket",
        "s3:GetBucketLocation"
      ],
      "Resource": "*"
    },
    {
      "Sid": "IAMManagement",
      "Effect": "Allow",
      "Action": [
        "iam:CreateRole",
        "iam:DeleteRole",
        "iam:AttachRolePolicy",
        "iam:DetachRolePolicy",
        "iam:CreatePolicy",
        "iam:DeletePolicy",
        "iam:GetRole",
        "iam:GetRolePolicy",
        "iam:PassRole",
        "iam:ListRolePolicies",
        "iam:ListAttachedRolePolicies"
      ],
      "Resource": "*"
    },
    {
      "Sid": "BedrockAccess",
      "Effect": "Allow",
      "Action": [
        "bedrock:InvokeModel",
        "bedrock:InvokeModelWithResponseStream",
        "bedrock:ListFoundationModels"
      ],
      "Resource": "*"
    },
    {
      "Sid": "CloudWatchLogs",
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents",
        "logs:DescribeLogGroups",
        "logs:DescribeLogStreams"
      ],
      "Resource": "*"
    }
  ]
}
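
When tightening the policy above for production, it helps to see which statements are still unscoped. The following audit is an added example, not part of OnglX Deploy: it flags Allow statements with wildcard actions or `"Resource": "*"` without a Condition, and calls out IAM actions that permit privilege escalation. The sample input is constructed from three of the statements above plus one scoped statement; the `onglx-*` role prefix and the account ID are hypothetical placeholders.

```python
import json

# IAM actions that allow privilege escalation when not scoped to specific roles/policies.
ESCALATION = {"iam:passrole", "iam:attachrolepolicy", "iam:createpolicy", "iam:createrole"}

def as_list(value):
    return value if isinstance(value, list) else [value]

def audit_policy(policy):
    """Return (Sid, finding) pairs for Allow statements broader than least privilege."""
    findings = []
    for stmt in as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        # IAM action names are case-insensitive, so compare in lower case.
        actions = [a.lower() for a in as_list(stmt.get("Action", []))]
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append((sid, f"wildcard action {action}"))
        unscoped = "*" in as_list(stmt.get("Resource", [])) and not stmt.get("Condition")
        if unscoped:
            risky = sorted(ESCALATION & set(actions))
            detail = f" with {', '.join(risky)}" if risky else ""
            findings.append((sid, f"Resource '*' without Condition{detail}"))
    return findings

# Constructed input: three statements abridged from the Option 2 policy, plus one
# scoped statement (hypothetical account ID and role prefix) showing what passes.
SAMPLE = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Sid": "APIGatewayManagement", "Effect": "Allow",
   "Action": ["apigateway:*"], "Resource": "*"},
  {"Sid": "IAMManagement", "Effect": "Allow",
   "Action": ["iam:CreateRole", "iam:AttachRolePolicy", "iam:PassRole"], "Resource": "*"},
  {"Sid": "BedrockAccess", "Effect": "Allow",
   "Action": ["bedrock:InvokeModel"], "Resource": "*"},
  {"Sid": "ScopedPassRole", "Effect": "Allow", "Action": "iam:PassRole",
   "Resource": "arn:aws:iam::123456789012:role/onglx-*",
   "Condition": {"StringEquals": {"iam:PassedToService": "lambda.amazonaws.com"}}}
]}
""")

if __name__ == "__main__":
    for sid, finding in audit_policy(SAMPLE):
        print(f"{sid}: {finding}")
```

The `ScopedPassRole` statement produces no finding because it names a role ARN pattern and restricts the receiving service with the `iam:PassedToService` condition key.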

Authentication Setup

Method 1: AWS CLI Profiles (Recommended)

  1. Install AWS CLI v2:

    BASH
    # macOS
    brew install awscli

    # Linux
    curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
    unzip awscliv2.zip
    sudo ./aws/install

    # Windows
    msiexec.exe /i https://awscli.amazonaws.com/AWSCLIV2.msi
  2. Configure your profile:

    BASH
    aws configure --profile your-profile-name
    # Enter: Access Key ID, Secret Access Key, Default region, Output format
  3. Use with OnglX Deploy:

    BASH
    onglx-deploy --profile your-profile-name deploy

Method 2: Environment Variables

BASH
export AWS_ACCESS_KEY_ID="AKIA..."
export AWS_SECRET_ACCESS_KEY="..."
export AWS_DEFAULT_REGION="us-east-1"
export AWS_PROFILE=""  # Clear if set

Method 3: AWS SSO (Enterprise)

  1. Configure SSO:

    BASH
    aws configure sso
    # Follow prompts for SSO URL, region, etc.
  2. Login before deployment:

    BASH
    aws sso login --profile your-sso-profile
    onglx-deploy --profile your-sso-profile deploy

Regional Considerations

Bedrock Model Availability

Not all Bedrock models are available in all regions. Recommended regions:

  • us-east-1 (N. Virginia) - All models available
  • us-west-2 (Oregon) - Most models available
  • eu-west-1 (Ireland) - Limited model selection

Check Model Availability by Region

BASH
aws bedrock list-foundation-models \
  --region us-east-1 \
  --query "modelSummaries[?modelLifecycle.status=='ACTIVE'].[modelId,modelName]" \
  --output table

Cost Optimization

Resource Tagging

OnglX Deploy automatically tags resources for cost tracking:

JSON
{
  "Environment": "dev",
  "Project": "your-project-name",
  "ManagedBy": "onglx"
}

Troubleshooting Common Issues

1. "AccessDenied" for Bedrock Models

Error: Access denied to model anthropic.claude-3-5-sonnet-20241022-v2:0

Solution: Request model access in Bedrock console and wait for approval.

2. Lambda Timeout Errors

Error: Task timed out after 15.00 seconds

Solution: Increase timeout in your OnglX configuration:

YAML
inference:
  timeout: 60  # seconds
  memory: 1024  # MB

3. API Gateway 429 Errors

Error: Too Many Requests

Solution: Check API Gateway throttling limits or enable usage plans.

4. S3 Permission Issues

Error: Access Denied when uploading deployment artifacts

Solution: Ensure your IAM policy includes S3 permissions for OnglX-created buckets.

Security Best Practices

1. Use Least Privilege Principle

  • Create dedicated deployment users
  • Rotate access keys regularly
  • Use temporary credentials when possible

2. Enable CloudTrail

BASH
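aws cloudtrail create-trail \
  --name onglx-audit-trail \
  --s3-bucket-name your-audit-bucket

# A trail created from the CLI does not record events until logging is started
aws cloudtrail start-logging --name onglx-audit-trail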

3. Monitor Costs

Set up billing alerts:

BASH
aws budgets create-budget \
  --account-id 123456789012 \
  --budget file://budget.json

Validation Checklist

Before running your first OnglX deployment:

  • [ ] AWS CLI installed and configured
  • [ ] Required Bedrock models approved and accessible
  • [ ] IAM permissions configured (test with aws sts get-caller-identity)
  • [ ] S3 bucket creation permissions verified
  • [ ] Lambda function creation permissions verified
  • [ ] API Gateway permissions verified
  • [ ] CloudWatch Logs permissions verified

Getting Help

If you encounter issues:

  1. Check AWS service health: status.aws.amazon.com
  2. Review CloudTrail logs for permission issues
  3. Use verbose mode: onglx-deploy deploy --verbose
  4. Check OnglX Deploy logs in CloudWatch

Next Steps

Once AWS is configured:

  1. Deploy your first inference API
  2. Explore CLI commands
  3. Set up monitoring and alerts