LLM-based River Ice Reporting: Request for Roles and permissions #409

@HamzaKaddour

1. Requester Information:
This should include the name and contact information of the person making the request.

  • PI's Full Name: Marouane Temimi
  • PI's Affiliated Institute: Stevens Institute of Technology
  • PI's Affiliated Email Address: mtemimi@stevens.edu
  • Requester's Full Name: Hamza Kaddour
  • Requester's Affiliated Email Address: hkad

2. Project Information:
Provide CIROH project name associated with this research work along with

  • CIROH Project Number (as per smartsheet):
  • CIROH Project Name: Advancing Research in Cold Regions Hydrology to Support the Modeling and Mapping of Ice-Induced Flood Inundation

3. Project Description:

Provide a brief description of the project and its goals. This can help the infrastructure team understand the context and purpose of the requested resources. If your project involves developing software or scripts, briefly describe the software you plan to develop. Please highlight how this project will benefit from and/or provide benefit to other resources on the shared infrastructure.

We developed an LLM tool to report on river ice jams in the U.S. and save images and other types of data about them. This project will be publicly hosted and accessible for researchers and users from NOAA, CIROH, and any other intervenants to help in automatically reporting River Ice Jam events and construct a dataset of historical data of these events. That's why we are working on deploying this framework on our CIROH AWS account.

4. Resource Requirements:
Specify the compute, storage, and network resources needed for the project. Be as specific as possible about the number of resources required, and any specific configurations or capabilities needed. This information will help the infrastructure team determine the appropriate resources to allocate.

We already have a CIROH AWS account (StevensAWSAdmin 6038-6259-0424) in which we created a new EC2 instance in us-west-2 of type 4xad.4xlarge and id i-09c00068f910ba06c, where a daily cron via EventBridge scheduler with StartInstance action will start it at 1 AM ET and it will run for an estimated 30 min to 1 hour and will shut down automatically via a crontab in the instance itself. The EC2 instance will run an LLM for signal extraction from news reports citing River Ice Jam, then take screenshots from our River Ice portal and save the screenshots, reports, and JSONs in an S3 bucket, and the metadata in DynamoDB. In addition, we wanted to use the CloudWatch agent for logging and alerting via SNS to our email addresses.
Later, we will create an AWS Lambda and link it to a webpage where, when the user asks for the latest X number of days of reports, a request triggers the Lambda to run, grep, and fetch the requested data. This second phase will require access to other services like an S3 frontend bucket and API Gateway from AWS, but we can keep it for later.

The first error we encountered is when we tried to assign a role to this instance (in order to attach the S3 bucket to it), for which we do not have authorization to perform iam:PassRole. The role should include:

  • AmazonSSMManagedInstanceCore
  • S3 read/write access (for uploading pipeline outputs)
  • DynamoDB read/write access (for metadata storage)

Options:

  1. Cloud Provider Options:
  • CIROH AWS
  • CIROH Google Cloud Platform (GCP)
  • CIROH-2i2c JupyterHub
  • NWM BigQuery API Access Only

For detailed information about CIROH cloud accounts and APIs:

  2. Required Services in the Cloud:

List of AWS Services

  • [X] EC2
  • [X] S3 – public, private, requester pay, bucket name suggestion?
  • EBS (Amazon Elastic Block Store)
  • EFS
  • RDS
  • [X] VPC (Virtual Private Cloud)
  • [X] DynamoDB
  • ECS
  • EKS (Kubernetes Cluster)
  • [X] Lambda
  • Others: please list:

List of Google Cloud Services

  • Google Compute Engine
  • Google BigQuery
  • Google Kubernetes Engine (GKE)
  • Google Cloud Storage
  • Google VPC
  • Google IAM
  • Google Cloud Functions
  • Dataflow
  • Other: please list

5. Working Group
Please select the working group associated with this project:

  • Hydrologic Modeling and Prediction Working Group
  • Hydroinformatics Working Group
  • Community Resources Working Group
  • Artificial Intelligence Working Group
  • Model & Forecast Evaluation Working Group

6. Timeline

Project start date: 3/20/2026

Project end date: As long as our CIROH AWS account is available

7. Security and Compliance Requirements:
If there are any specific security or compliance requirements for the project, please state them clearly below. This will help ensure that the necessary security measures are in place for the project.

8. Cost Estimation:
Include any cost estimates or requirements for the project. This will help the infrastructure team select the most cost-effective solutions for the project.
Only required for AWS and GCP access. Ignore for others.

AWS Cost Calculator: https://calculator.aws/#/
Google Cloud Pricing Calculator: https://cloud.google.com/products/calculator

We are only using AWS; for this task we estimate the cost not to go over $500 per month, which is already in the quota allocated to our CIROH AWS account with the existing running services.

9. Approval:
Requests require management approval, which typically takes 2-3 weeks to process before access is granted.

Please contact Dr. Marouane Temimi.
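
A least-privilege shape for the instance role and the iam:PassRole grant described in section 4, as an added example that is not part of the original request. The account id, bucket, table and role names are hypothetical placeholders, the S3 and DynamoDB action lists are an assumed reading of "read/write", and AmazonSSMManagedInstanceCore is an AWS managed policy that would be attached to the role separately.

```python
import json

# Hypothetical placeholders; none of these names come from the request.
ACCOUNT = "111122223333"  # constructed account id
REGION = "us-west-2"  # region named in the request
BUCKET, TABLE = "example-river-ice-reports", "example-river-ice-metadata"
ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/example-river-ice-ec2-role"

def instance_role_policy():
    """Inline policy for the instance role: S3 and DynamoDB read/write only."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": f"arn:aws:s3:::{BUCKET}/*"},
        {"Effect": "Allow", "Action": "s3:ListBucket",
         "Resource": f"arn:aws:s3:::{BUCKET}"},
        {"Effect": "Allow", "Action": ["dynamodb:GetItem", "dynamodb:PutItem",
                                       "dynamodb:UpdateItem", "dynamodb:Query"],
         "Resource": f"arn:aws:dynamodb:{REGION}:{ACCOUNT}:table/{TABLE}"},
    ]}

def requester_passrole_policy():
    """Grant for the requester: pass only this role, and only to EC2."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "iam:PassRole", "Resource": ROLE_ARN,
         "Condition": {"StringEquals":
                       {"iam:PassedToService": "ec2.amazonaws.com"}}},
    ]}

def as_list(value):
    return value if isinstance(value, list) else [value]

def findings(policy):
    """Return least-privilege problems found in Allow statements."""
    out = []
    for i, st in enumerate(policy["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        actions, resources = as_list(st["Action"]), as_list(st["Resource"])
        if any(a == "*" or a.endswith(":*") for a in actions):
            out.append(f"statement {i}: wildcard action")
        if "*" in resources:
            out.append(f"statement {i}: wildcard resource")
        scoped = "iam:PassedToService" in json.dumps(st.get("Condition", {}))
        if "iam:PassRole" in actions and not scoped:
            out.append(f"statement {i}: PassRole without iam:PassedToService")
    return out

if __name__ == "__main__":
    for policy in (instance_role_policy(), requester_passrole_policy()):
        print(json.dumps(policy, indent=2), findings(policy))
```

The same `findings` check can be run over whatever policy is eventually granted, to confirm the PassRole statement names one role and is limited to EC2.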
