To ensure a smooth deployment of Dify Enterprise Edition, please follow the infrastructure and configuration instructions below.


1. Infrastructure Requirements

Required AWS Services:

  • S3
  • ECR

Supported Authentication Methods:

Dify supports the following two methods to access AWS services:

  • Access Key Mode (AK/SK): Provide credentials via environment variables
  • IRSA Mode: IAM Roles for Service Accounts, allowing more secure and fine-grained access control

2. Access Key Mode Configuration

Step 1: Prepare Credentials

Create an IAM user with permissions for S3 and ECR only, and obtain its Access Key and Secret Key.

Step 2: Create Kubernetes Secret

kubectl create secret generic image-repo-secret --from-file=<path to .aws/credentials>

Step 3: Modify values.yaml

persistence:
  type: "s3"
  s3:
    endpoint: "https://s3.{region_code}.amazonaws.com"
    region: "{region_code}"
    bucketName: "your_bucket_name"
    useAwsS3: true
    useAwsManagedIam: false
    accessKey: "{your access key}"
    secretKey: "{your secret key}"

plugin_daemon:
  enabled: true
  replicas: 1
  apiKey: "dify123456"

plugin_connector:
  apiKey: "dify123456"
  imageRepoSecret: "image-repo-secret"
  imageRepoPrefix: "{account_id}.dkr.ecr.{region}.amazonaws.com/"
  imageRepoType: ecr
  ecrRegion: "us-west-2"

Step 4: Configure dify_plugin_daemon Database

externalPostgres:
  enabled: true
  address: "rds_address"
  port: "5432"
  credentials:
    plugin_daemon:
      database: "dify_plugin_daemon"
      username: "{user}"
      password: "{password}"
      sslmode: "disable"

Step 5: Upgrade Helm Release

helm upgrade dify dify/dify-ee -n default --version 3.0.0

3. IRSA Mode Configuration

Because AK/SK credentials are strictly controlled in enterprise environments, AWS Pod Identity (IRSA) is the recommended way to authorize access.

✅ Benefits

  • Follows AWS security best practices
  • Supports fine-grained permissions for plugin operations

🪄 Quick Setup

Prerequisites

  • An available AWS region and EKS cluster
  • A created S3 bucket for Dify file storage
  • kubectl installed and configured locally with access to the target EKS cluster
  • AWS CLI installed and credentials configured

IAM Roles to Create

| IAM Role | Description |
|---|---|
| IAM Role - S3 | Full access to S3 |
| IAM Role - S3 + ECR | Full access to both S3 and ECR |
| IAM Role - ECR Pull | Pull-only access to ECR images |

Create Kubernetes ServiceAccounts and Associate with IAM Roles

| Pod Name | ServiceAccount Name | IAM Role | Description |
|---|---|---|---|
| dify-api, dify-worker | dify-api-sa | IAM Role - S3 | For backend services to access S3 (e.g. uploads) |
| dify-plugin-crd | dify-plugin-crd-sa | IAM Role - S3 + ECR | To access S3 and operate on plugin images |
| dify-plugin-runner | dify-plugin-runner-sa | IAM Role - ECR Pull | To pull plugin images and run plugins |

Summary of Required or Optional Resources

| Type | Name (Example) | Required | Description |
|---|---|---|---|
| EKS Cluster | e.g., dify-dev-cluster | | Must exist with OIDC provider enabled |
| S3 Bucket | e.g., dify-ee-storage | | Must exist and be accessible |
| ECR Repository | e.g., dify-ee-plugin-repo | Optional | Can be auto-created if not present |
| IAM Roles | The three roles mentioned above | | Reuse if existing, or create if not |
| IAM Policies | S3, ECR, ECR Pull access policies | | Attach to respective roles |
| OIDC Provider | Obtain from EKS and associate with IAM | | Required for IRSA trust policy |
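
The association step above comes down to two artifacts per ServiceAccount: an IAM trust policy that pins the role to one namespace/ServiceAccount pair through the cluster's OIDC provider, and a ServiceAccount annotated with the role ARN. The script below is an added example, not Dify's own setup script; the account ID, OIDC issuer and role names are constructed placeholders, and the namespace `default` is assumed from the helm commands on this page.

```bash
# Added example: renders text only; nothing here calls AWS or the cluster.
# All values are constructed placeholders; substitute your own.
ACCOUNT_ID="111122223333"
NAMESPACE="default"  # namespace used by the helm commands on this page
# OIDC issuer of the EKS cluster, without the https:// prefix (constructed)
OIDC_ISSUER="oidc.eks.us-west-2.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE"

# trust_policy <sa>: only this namespace/ServiceAccount pair may assume the
# role, and only with a token whose audience is sts.amazonaws.com.
trust_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": "arn:aws:iam::${ACCOUNT_ID}:oidc-provider/${OIDC_ISSUER}"},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {"StringEquals": {
      "${OIDC_ISSUER}:aud": "sts.amazonaws.com",
      "${OIDC_ISSUER}:sub": "system:serviceaccount:${NAMESPACE}:$1"
    }}
  }]
}
EOF
}

# service_account <sa> <role-name>: manifest whose annotation binds pods to the role.
service_account() {
  cat <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: $1
  namespace: ${NAMESPACE}
  annotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::${ACCOUNT_ID}:role/$2
EOF
}

# ServiceAccount/role pairs from the table above; role names are hypothetical.
render_all() {
  while read -r sa role; do
    echo "# trust policy for role ${role}"; trust_policy "$sa"
    echo "# manifest for ${sa}"; service_account "$sa" "$role"
  done <<EOF
dify-api-sa dify-s3-role
dify-plugin-crd-sa dify-s3-ecr-role
dify-plugin-runner-sa dify-ecr-pull-role
EOF
}
render_all
```

Each trust policy can be passed to `aws iam create-role --assume-role-policy-document` and each manifest to `kubectl apply -f`. The `sub` condition is an exact match, so the ServiceAccount names used here must be identical to the ones referenced in values.yaml.
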

Users may also contact the Dify technical support team to obtain a one-click setup script:

bash ./irsa_one_click.sh

✅ After completing the above steps, proceed with the rest of the deployment.

Modify values.yaml

persistence:
  type: "s3"
  s3:
    endpoint: "https://s3.{region_code}.amazonaws.com"
    region: "{region_code}"
    bucketName: "your_bucket_name"
    useAwsS3: true
    useAwsManagedIam: true

api:
  enabled: true
  replicas: 1
  innerApi:
    enabled: true
    apiKey: "dify123456"
  serviceAccountName: "dify-api-sa"

worker:
  enabled: true
  replicas: 1
  serviceAccountName: "dify-api-sa"

plugin_daemon:
  enabled: true
  replicas: 1
  apiKey: "dify123456"

plugin_connector:
  apiKey: "dify123456"
  customServiceAccount: "dify-plugin-build-sa"
  runnerServiceAccount: "dify-plugin-build-run-sa"
  imageRepoPrefix: "{account_id}.dkr.ecr.{region}.amazonaws.com/"
  imageRepoType: ecr
  ecrRegion: "us-west-2"

Add Plugin Database Configuration

externalPostgres:
  enabled: true
  address: "rds_address"
  port: "5432"
  credentials:
    plugin_daemon:
      database: "dify_plugin_daemon"
      username: "{user}"
      password: "{password}"
      sslmode: "disable"

4. Upgrade Helm Release

helm upgrade dify dify/dify-ee -n default --version 3.0.0

Notes

  • Redis Cluster mode is not supported
  • 🌐 EKS nodes must have internet access or be configured with a NAT Gateway