Configure Machine Learning on Amazon OpenSearch Serverless
Machine Learning
Machine Learning (ML) provides ML capabilities in the form of ML algorithms and remote models. With access to these models, you can run several AI workflows such as RAG or semantic search. ML supports experimentation and production deployment of generative AI use cases using the latest externally hosted models that you can configure with connectors. After you configure a connector, you must configure it to a model and then deploy it to perform prediction.
Connectors
Connectors facilitate access to models hosted on third-party ML platforms. They serve as the gateway between your OpenSearch cluster and a remote model. For more information, see the following documentation:
-
Creating connectors for third-party ML platforms
on the OpenSearch Documentation website -
Important
-
When you create a trust policy, add
ml.opensearchservice.amazonaws.com
as the OpenSearch Service principle. -
Skip the steps on the Connectors page that display how to configure a domain in the policy.
-
Add the
iam:PassRole
statement in the Configure permissions step. -
Skip the Map the ML role step in OpenSearch Dashboards. Backend role configuration is not required. This applies to Connectors for AWS services, and to Connectors for external platforms.
-
In your SigV4 request to the collection endpoint, set the service name to
aoss
instead ofes
.
-
Models
A model is the core functionality that's used across various AI workflows. Generally,
you associate the connector with a model to perform prediction using the connector.
After a model is in the deployed state, you can run prediction. For more information,
see Register a model hosted on a third-party platform
Note
Not all model features are supported on OpenSearch Serverless, such as local models. For more information, see Unsupported Machine Learning APIs and features.
Configure permissions for Machine Learning
The following section describes the collection data access policies required for
Machine Learning (ML). Replace the placeholder values
with
your specific information. For more information, see Supported policy
permissions.
{ "Rules": [ { "Resource": [ "model/
collection_name
/*" ], "Permission": [ "aoss:DescribeMLResource", "aoss:CreateMLResource", "aoss:UpdateMLResource", "aoss:DeleteMLResource", "aoss:ExecuteMLResource" ], "ResourceType": "model" } ], "Principal": [ "arn:aws:iam::account_id
:role/role_name
" ], "Description": "ML full access policy forcollection_name
" }
-
aoss:DescribeMLResource – Grants permission to search and query connectors, models, and model groups.
-
aoss:CreateMLResource – Grants permission to create connectors, models, and model groups.
-
aoss:UpdateMLResource – Grants permission to update connectors, models, and model groups.
-
aoss:DeleteMLResource – Grants permission to delete connectors, models, and model groups.
-
aoss:ExecuteMLResource – Grants permission to perform predictions on models.