Exemplo n.º 1
def _configure_iam_role(config):
    """Make sure the head node is launched with an IAM instance profile.

    When the head node type's ``node_config`` already names an
    ``IamInstanceProfile`` the config is returned untouched. Otherwise the
    default instance profile is looked up (and created if missing), a role is
    added to it if it has none (creating the default role if missing), and
    the profile ARN is written to ``config["head_node"]["IamInstanceProfile"]``.

    Args:
        config: Cluster config dict. Reads ``head_node_type``,
            ``available_node_types`` and ``provider``; writes ``head_node``.

    Returns:
        The same ``config`` object, mutated in place when the default
        profile was applied.

    Raises:
        AssertionError: If the profile or role is still missing after the
            create call (``cli_logger.doassert`` runs first and may report
            the failure itself -- its behaviour is not visible here).

    NOTE(review): a newly created default role is granted the AWS-managed
    AmazonEC2FullAccess and AmazonS3FullAccess policies, and its trust policy
    lets EC2 assume it. Everything running on the head node therefore gets
    account-wide EC2 and S3 rights. Deployments that need least privilege
    should supply their own ``IamInstanceProfile`` in the head node config,
    which makes this function return early.
    """
    head_type = config["head_node_type"]
    head_cfg = config["available_node_types"][head_type]["node_config"]
    if "IamInstanceProfile" in head_cfg:
        # Operator supplied a profile; nothing is created or attached.
        _set_config_info(head_instance_profile_src="config")
        return config

    _set_config_info(head_instance_profile_src="default")

    profile_name = cwh.resolve_instance_profile_name(
        config["provider"],
        DEFAULT_RAY_INSTANCE_PROFILE,
    )
    instance_profile = _get_instance_profile(profile_name, config)

    if instance_profile is None:
        cli_logger.verbose(
            "Creating new IAM instance profile {} for use as the default.",
            cf.bold(profile_name),
        )
        iam_client = _client("iam", config)
        iam_client.create_instance_profile(InstanceProfileName=profile_name)
        instance_profile = _get_instance_profile(profile_name, config)
        time.sleep(15)  # wait for propagation

    cli_logger.doassert(
        instance_profile is not None, "Failed to create instance profile."
    )  # todo: err msg
    assert instance_profile is not None, "Failed to create instance profile"

    if not instance_profile.roles:
        role_name = cwh.resolve_iam_role_name(config["provider"], DEFAULT_RAY_IAM_ROLE)
        role = _get_role(role_name, config)
        # NOTE(review): a role that already exists under this name is added
        # to the profile as-is; its trust policy and attached policies are
        # not inspected here.
        if role is None:
            cli_logger.verbose(
                "Creating new IAM role {} for use as the default instance role.",
                cf.bold(role_name),
            )
            iam_resource = _resource("iam", config)

            # Trust policy: only the EC2 service may assume this role.
            ec2_assume_statement = {
                "Effect": "Allow",
                "Principal": {"Service": "ec2.amazonaws.com"},
                "Action": "sts:AssumeRole",
            }
            trust_policy = {"Statement": [ec2_assume_statement]}

            # Broad AWS-managed policies used as the defaults; the resolver
            # returns the final list of ARNs to attach.
            default_policy_arns = [
                "arn:aws:iam::aws:policy/AmazonEC2FullAccess",
                "arn:aws:iam::aws:policy/AmazonS3FullAccess",
            ]
            attach_policy_arns = cwh.resolve_policy_arns(
                config["provider"],
                iam_resource,
                default_policy_arns,
            )

            iam_resource.create_role(
                RoleName=role_name,
                AssumeRolePolicyDocument=json.dumps(trust_policy),
            )
            role = _get_role(role_name, config)
            cli_logger.doassert(
                role is not None, "Failed to create role."
            )  # todo: err msg

            assert role is not None, "Failed to create role"

            for arn in attach_policy_arns:
                role.attach_policy(PolicyArn=arn)

        instance_profile.add_role(RoleName=role.name)
        time.sleep(15)  # wait for propagation

    # Add IAM role to "head_node" field so that it is applied only to
    # the head node -- not to workers with the same node type as the head.
    config["head_node"]["IamInstanceProfile"] = {"Arn": instance_profile.arn}

    return config
Exemplo n.º 2
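def _configure_iam_role(config):
    """Make sure the head node is launched with an IAM instance profile.

    When ``config["head_node"]`` already names an ``IamInstanceProfile`` the
    config is returned untouched. Otherwise the default instance profile is
    looked up (and created if missing), a role is added to it if it has none
    (creating the default role if missing), and the profile ARN is written
    to ``config["head_node"]["IamInstanceProfile"]``.

    Args:
        config: Cluster config dict; ``head_node`` is read and written.

    Returns:
        The same ``config`` object, mutated in place when the default
        profile was applied.

    Raises:
        AssertionError: If the profile or role is still missing after the
            create call (``cli_logger.doassert`` runs first and may report
            the failure itself -- its behaviour is not visible here).

    NOTE(review): a newly created default role is granted the AWS-managed
    AmazonEC2FullAccess and AmazonS3FullAccess policies, and its trust policy
    lets EC2 assume it. Everything running on the head node therefore gets
    account-wide EC2 and S3 rights. Deployments that need least privilege
    should supply their own ``IamInstanceProfile`` under ``head_node``,
    which makes this function return early.
    """
    if "IamInstanceProfile" in config["head_node"]:
        # Operator supplied a profile; nothing is created or attached.
        _set_config_info(head_instance_profile_src="config")
        return config
    _set_config_info(head_instance_profile_src="default")

    instance_profile_name = cwh.resolve_instance_profile_name(
        config,
        DEFAULT_RAY_INSTANCE_PROFILE,
    )
    profile = _get_instance_profile(instance_profile_name, config)

    if profile is None:
        # Create, re-fetch and log under the *resolved* name. Using the
        # default constant here would look up one profile and create another
        # whenever the resolver returns a non-default name.
        cli_logger.verbose(
            "Creating new IAM instance profile {} for use as the default.",
            cf.bold(instance_profile_name))
        client = _client("iam", config)
        client.create_instance_profile(
            InstanceProfileName=instance_profile_name)
        profile = _get_instance_profile(instance_profile_name, config)
        time.sleep(15)  # wait for propagation

    cli_logger.doassert(profile is not None,
                        "Failed to create instance profile.")  # todo: err msg
    assert profile is not None, "Failed to create instance profile"

    if not profile.roles:
        role_name = cwh.resolve_iam_role_name(config, DEFAULT_RAY_IAM_ROLE)
        role = _get_role(role_name, config)
        # NOTE(review): a role that already exists under this name is added
        # to the profile as-is; its trust policy and attached policies are
        # not inspected here.
        if role is None:
            # Log the name that is actually created, not the default.
            cli_logger.verbose(
                "Creating new IAM role {} for "
                "use as the default instance role.",
                cf.bold(role_name))
            iam = _resource("iam", config)
            # Trust policy: only the EC2 service may assume this role.
            policy_doc = {
                "Statement": [
                    {
                        "Effect": "Allow",
                        "Principal": {
                            "Service": "ec2.amazonaws.com"
                        },
                        "Action": "sts:AssumeRole",
                    },
                ]
            }
            # Broad AWS-managed policies used as the defaults; the resolver
            # returns the final list of ARNs to attach.
            attach_policy_arns = cwh.resolve_policy_arns(
                config, [
                    "arn:aws:iam::aws:policy/AmazonEC2FullAccess",
                    "arn:aws:iam::aws:policy/AmazonS3FullAccess"
                ])

            # json.dumps returns the document as a string; json.dump needs a
            # file object and raises TypeError when called with one argument.
            iam.create_role(RoleName=role_name,
                            AssumeRolePolicyDocument=json.dumps(policy_doc))
            role = _get_role(role_name, config)
            cli_logger.doassert(role is not None,
                                "Failed to create role.")  # todo: err msg

            assert role is not None, "Failed to create role"

            for policy_arn in attach_policy_arns:
                role.attach_policy(PolicyArn=policy_arn)

        profile.add_role(RoleName=role.name)
        time.sleep(15)  # wait for propagation

    config["head_node"]["IamInstanceProfile"] = {"Arn": profile.arn}

    return config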