From fac6045c87aebadd85869c06827da33e07dcab8a Mon Sep 17 00:00:00 2001 From: Ian Rodney Date: Tue, 13 Jul 2021 10:44:34 -0700 Subject: [PATCH] [GCP] Allow Head Node to Launch Workers with IAM Role (#17027) --- python/ray/autoscaler/_private/gcp/config.py | 6 ++++-- python/ray/autoscaler/gcp/example-full.yaml | 5 +++++ 2 files changed, 9 insertions(+), 2 deletions(-) diff --git a/python/ray/autoscaler/_private/gcp/config.py b/python/ray/autoscaler/_private/gcp/config.py index 265838588..9a05a1747 100644 --- a/python/ray/autoscaler/_private/gcp/config.py +++ b/python/ray/autoscaler/_private/gcp/config.py @@ -26,7 +26,10 @@ DEFAULT_SERVICE_ACCOUNT_CONFIG = { "displayName": "Ray Autoscaler Service Account ({})".format(VERSION), } DEFAULT_SERVICE_ACCOUNT_ROLES = ("roles/storage.objectAdmin", - "roles/compute.admin") + "roles/compute.admin", + "roles/iam.serviceAccountUser") +# NOTE: iam.serviceAccountUser allows the Head Node to create worker nodes +# with ServiceAccounts. MAX_POLLS = 12 POLL_INTERVAL = 5 @@ -478,7 +481,6 @@ def _add_iam_policy_binding(service_account, roles, crm): resource=project_id, body={}).execute() already_configured = True - for role in roles: role_exists = False for binding in policy["bindings"]: diff --git a/python/ray/autoscaler/gcp/example-full.yaml b/python/ray/autoscaler/gcp/example-full.yaml index 9dea7e354..3b71f9baa 100644 --- a/python/ray/autoscaler/gcp/example-full.yaml +++ b/python/ray/autoscaler/gcp/example-full.yaml @@ -115,6 +115,11 @@ available_node_types: # Comment this out to use on-demand. scheduling: - preemptible: true + # Un-Comment this to launch workers with the Service Account of the Head Node + # serviceAccounts: + # - email: ray-autoscaler-sa-v1@.iam.gserviceaccount.com + # scopes: + # - https://www.googleapis.com/auth/cloud-platform # Additional options can be found in in the compute docs at # https://cloud.google.com/compute/docs/reference/rest/v1/instances/insert
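Review bot: Adding `"roles/iam.serviceAccountUser"` to `DEFAULT_SERVICE_ACCOUNT_ROLES` appears to grant it project-wide, since the `_add_iam_policy_binding` context in the next hunk fetches the policy with `resource=project_id`. At project scope the role lets the head node's account attach any service account in the project to an instance it creates, and combined with `roles/compute.admin` that is considerably broader than launching workers under the autoscaler's own account. Consider binding the role on the autoscaler service account resource only (a service-account-level IAM policy) and keeping it out of the project-level tuple. If it stays, the comment should state the scope, e.g. `# NOTE: bound at project level; lets the head node act as any service account in the project.` The code that consumes this tuple is outside the hunk, so the binding scope should be confirmed there.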
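Review bot: The commented `serviceAccounts` example in `example-full.yaml` runs every worker as the head node's account with the `cloud-platform` scope, so any code on a worker holds the head node's IAM roles, which by the defaults in `config.py` in this commit include `roles/compute.admin` and `roles/iam.serviceAccountUser`. The example should say so and suggest a separate account for workers, e.g. `# Workers then hold the head node's IAM roles; prefer a dedicated service account with only the roles the workload needs.` As shown on this page the `email` value has nothing between `@` and `.iam.gserviceaccount.com`; if the file really reads that way, it needs a project-id placeholder there.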