[GCP] Allow Head Node to Launch Workers with IAM Role (#17027)

2025-03-06 10:31:39 -05:00 · 2021-07-13 10:44:34 -07:00 · 2021-07-13 10:44:34 -07:00 · fac6045c87
commit fac6045c87
parent 38b5b6d24c
2 changed files with 9 additions and 2 deletions
--- a/python/ray/autoscaler/_private/gcp/config.py
+++ b/python/ray/autoscaler/_private/gcp/config.py
@ -26,7 +26,10 @@ DEFAULT_SERVICE_ACCOUNT_CONFIG = {
    "displayName": "Ray Autoscaler Service Account ({})".format(VERSION),
 }
 DEFAULT_SERVICE_ACCOUNT_ROLES = ("roles/storage.objectAdmin",
-                                 "roles/compute.admin")
+                                 "roles/compute.admin",
+                                 "roles/iam.serviceAccountUser")
+# NOTE: iam.serviceAccountUser allows the Head Node to create worker nodes
+# with ServiceAccounts.

 MAX_POLLS = 12
 POLL_INTERVAL = 5
@ -478,7 +481,6 @@ def _add_iam_policy_binding(service_account, roles, crm):
        resource=project_id, body={}).execute()

    already_configured = True
-
    for role in roles:
        role_exists = False
        for binding in policy["bindings"]:
--- a/python/ray/autoscaler/gcp/example-full.yaml
+++ b/python/ray/autoscaler/gcp/example-full.yaml
@ -115,6 +115,11 @@ available_node_types:
            # Comment this out to use on-demand.
            scheduling:
              - preemptible: true
+            # Un-Comment this to launch workers with the Service Account of the Head Node
+            # serviceAccounts:
+            # - email: ray-autoscaler-sa-v1@<project_id>.iam.gserviceaccount.com
+            #   scopes:
+            #   - https://www.googleapis.com/auth/cloud-platform

    # Additional options can be found in in the compute docs at
    # https://cloud.google.com/compute/docs/reference/rest/v1/instances/insert