From 55d161b49f4ab2803463c3b003bc392a49e7faa6 Mon Sep 17 00:00:00 2001
From: Eric Liang
Date: Wed, 24 Oct 2018 13:57:36 -0700
Subject: [PATCH] [autoscaler] Also grant roles to worker nodes
---
 python/ray/autoscaler/aws/config.py | 1 +
 python/ray/autoscaler/gcp/config.py | 12 ++++++++----
 2 files changed, 9 insertions(+), 4 deletions(-)
diff --git a/python/ray/autoscaler/aws/config.py b/python/ray/autoscaler/aws/config.py
index 8e5d3a4da..79392e31c 100644
--- a/python/ray/autoscaler/aws/config.py
+++ b/python/ray/autoscaler/aws/config.py
@@ -101,6 +101,7 @@ def _configure_iam_role(config):
 logger.info("Role not specified for head node, using {}".format(
 profile.arn))
 config["head_node"]["IamInstanceProfile"] = {"Arn": profile.arn}
+ config["worker_nodes"]["IamInstanceProfile"] = {"Arn": profile.arn}
 return config
diff --git a/python/ray/autoscaler/gcp/config.py b/python/ray/autoscaler/gcp/config.py
index d6ae2edeb..a651c3983 100644
--- a/python/ray/autoscaler/gcp/config.py
+++ b/python/ray/autoscaler/gcp/config.py
@@ -168,12 +168,16 @@ def _configure_iam_role(config):
 _add_iam_policy_binding(service_account, DEFAULT_SERVICE_ACCOUNT_ROLES)
+ # NOTE: The amount of access is determined by the scope + IAM
+ # role of the service account. Even if the cloud-platform scope
+ # gives (scope) access to the whole cloud-platform, the service
+ # account is limited by the IAM rights specified below.
 config["head_node"]["serviceAccounts"] = [{
 "email": service_account["email"],
- # NOTE: The amount of access is determined by the scope + IAM
- # role of the service account. Even if the cloud-platform scope
- # gives (scope) access to the whole cloud-platform, the service
- # account is limited by the IAM rights specified below.
+ "scopes": ["https://www.googleapis.com/auth/cloud-platform"]
+ }]
+ config["worker_nodes"]["serviceAccounts"] = [{
+ "email": service_account["email"],
 "scopes": ["https://www.googleapis.com/auth/cloud-platform"]
 }]
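Review bot: The added `config["worker_nodes"]["IamInstanceProfile"] = {"Arn": profile.arn}` in aws/config.py hands every worker the head node's instance profile and replaces any profile the user already set under `worker_nodes`. The policies attached to that profile are not visible in this hunk, but it is the identity the head node is given by default, so workers running arbitrary task code probably end up with more cloud permissions than they need; a separate, narrower worker role would fit least privilege better. At minimum keep an explicit user choice: `config["worker_nodes"].setdefault("IamInstanceProfile", {"Arn": profile.arn})`. The same applies to the `config["worker_nodes"]["serviceAccounts"]` assignment in gcp/config.py. The function starts outside the hunk, so the condition that leads to these lines is not visible here.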
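Review bot: The relocated NOTE in gcp/config.py still ends with "specified below", but the only role binding visible in this hunk, `_add_iam_policy_binding(service_account, DEFAULT_SERVICE_ACCOUNT_ROLES)`, sits above it. Since this comment is the sole statement of what bounds the `cloud-platform` scope for both node types, it should point at the right place, e.g. `# account is limited by the IAM roles bound above (DEFAULT_SERVICE_ACCOUNT_ROLES).`. The head and worker entries also repeat the same literal, so a later scope change to one can silently miss the other; building the entry once and assigning a copy to each key would avoid that. `_configure_iam_role` starts and ends outside the hunk.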