Dify Enterprise Edition Deployment Guide (AWS)
To ensure a smooth deployment of Dify Enterprise Edition, please follow the infrastructure and configuration instructions below.Notes
‼️ Please make sure you have upgraded to version 2.8.0 and completed the migration.‼️1. Infrastructure Requirements
Required AWS Services:
- S3
- ECR
Supported Authentication Methods:
Dify supports the following two approaches for accessing AWS services:- Access Key Mode (AK/SK): Provide credentials via environment variables
- IRSA Mode: IAM Roles for Service Accounts to enable secure and fine-grained access control
2. Access Key Mode
Step 1: Prepare Credentials
Create an IAM user with only S3 and ECR permissions. Obtain its Access Key and Secret Key.Step 2: Create Kubernetes Secret
Step 3: Update values.yaml
Step 4: Configure Plugin Daemon Database
Step 5: Upgrade Helm Release
3. IRSA Mode
Since Access Keys are strictly controlled in enterprise environments, we recommend using AWS Pod Identity (IRSA) for access.✅ Benefits
- Follows AWS security best practices
- Enables fine-grained control over plugin execution environments
Setup
Step 1: Set up IAM role and Service Account
-
Prerequisites
- An available AWS Region and EKS cluster.
- An existing S3 bucket for Dify file storage.
kubectlis installed and configured locally, and can access the target EKS cluster.- AWS CLI is installed and credentials are configured locally.
🚀Option A: Run One-Click Script
‼️The one-click script is for demo and testing purposes only. Please develop your own script to meet your security requirements. You can obtain this demo script from the Dify FDE team.🔨Option B: Manually setup
- Enable the IAM OIDC provider for your EKS cluster Follow the official AWS documentation to associate your EKS cluster with an OIDC identity provider. This step is required before you can use IAM Roles for Service Accounts (IRSA).
-
Setup IAM Policy
Item Example Naming Description S3 Policy Name dify-ee-irsa-<cluster_name>-s3-policyFull access to the specified S3 bucket ECR Policy Name dify-ee-irsa-<cluster_name>-ecr-policyFull access to ECR and read-only access to CloudTrail ECR Policy Name dify-ee-irsa-<cluster_name>-ecr-pull-only-policyAllows pull-only operations from ECR -
Setup Role with policy
Item Example Naming policy IAM Role - S3 DifyEE-Role-<cluster_name>-s3dify-ee-irsa-<cluster_name>-s3-policyIAM Role - S3 + ECR DifyEE-Role-<cluster_name>-s3-ecrdify-ee-irsa-<cluster_name>-s3-policydify-ee-irsa-<cluster_name>-ecr-policyIAM Role - ECR Pull-only DifyEE-Role-<cluster_name>-ecr-image-pulldify-ee-irsa-<cluster_name>-ecr-pull-only-policy -
Setup ServiceAccount with IAM Role
Purpose Default Name Bound IAM Role Description For dify-api, dify-worker dify-api-saDifyEE-Role-<cluster_name>-s3Backend services access S3 for file uploads etc. For dify-plugin-crd build dify-plugin-crd-saDifyEE-Role-<cluster_name>-s3-ecrAccesses S3 and operates plugin image repositories For dify-plugin runtime dify-plugin-runner-saDifyEE-Role-<cluster_name>-ecr-image-pullPulls plugin images for running plugins
Step 2: Set Environment Variables
Configure environment variables as per the release notes (e.g.,S3_REGION, S3_BUCKET_NAME).
Step 3: Update values.yaml
Step 4: Add Plugin Daemon Database Configuration
Step 5: Follow the release note to Upgrade (Install)
https://langgenius.github.io/dify-helm/#/pages/3_0_0Step 6: Add S3 Permissions to the Custom ServiceAccount for the Application
ServiceAccount name:dify-plugin-connector-sa
./irsa_one_click.sh to create the S3 read/write role, this ARN will appear at the end of the script execution.
Step 7: Restart the Dify Daemon Pod
Notes
- ❌ Redis cluster mode is not supported
- 🌐 EKS nodes must have internet access or be behind a NAT gateway