Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

IAM roles not being set for workers

See original GitHub issue

It seems like the head node in an EC2 cluster gets assigned to a IAM role that lets it access all EC2 and S3 functionality, but the worker nodes do not. This prevents tasks that require direct S3 access from running on the worker nodes unless a .aws/credentials, .boto config, or other authentication method is synced up to the cluster.

It’s a small thing, but it would be nice to just rely on the IAM roles to take care of S3 access. One less configuration to worry about.

System information

OS Platform and Distribution: Ubuntu 16.04 (EC2 Deep Learning AMI)
Ray installed from: binary
Ray version: 0.5.3
Python version: 3.6

Steps to reproduce

ray up <my config.yaml> --num-workers 2 Observe that worker nodes are not assigned a IAM role in the EC2 dashboard.

Issue Analytics

State:
Created 5 years ago
Comments:7 (4 by maintainers)

Top GitHub Comments

1reaction

ericlcommented, Oct 23, 2018

@npyoung it would be great if you could try out this patch: https://github.com/ray-project/ray/pull/3118

0reactions

kshugginscommented, Nov 15, 2021

as an aside, for future users.

using the default IAM role creation that ray uses doesn’t permit IAM role pass through. So you can’t just specify the correct Arn in the yaml config ( unless I seriously borked something ).

You also have to specify a permissions policy to permit it:

    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": "arn:aws:iam::<role-to-constrain-it-to>*"
        }
    ]
}