From ee4d8982f270bfc4a54d340d21a50518991a277a Mon Sep 17 00:00:00 2001
From: Victor Skvortsov
Date: Mon, 13 May 2024 13:29:57 +0500
Subject: [PATCH] Do not create AWS policy, role, and instance profile when launching instances

---
 docs/docs/installation/index.md | 29 ------
 .../_internal/core/backends/aws/compute.py | 6 +-
 .../_internal/core/backends/aws/resources.py | 88 -------------------
 3 files changed, 1 insertion(+), 122 deletions(-)

diff --git a/docs/docs/installation/index.md b/docs/docs/installation/index.md
index b2b18aab8..7e94c7716 100644
--- a/docs/docs/installation/index.md
+++ b/docs/docs/installation/index.md
@@ -138,35 +138,6 @@ There are two ways to configure AWS: using an access key or using the default cr
 "servicequotas:*"
 ],
 "Resource": "*"
- },
- {
- "Effect": "Allow",
- "Action": [
- "iam:GetRole",
- "iam:CreateRole",
- "iam:AttachRolePolicy",
- "iam:TagRole"
- ],
- "Resource": "*"
- },
- {
- "Effect": "Allow",
- "Action": [
- "iam:CreatePolicy",
- "iam:TagPolicy"
- ],
- "Resource": "*"
- },
- {
- "Effect": "Allow",
- "Action": [
- "iam:GetInstanceProfile",
- "iam:CreateInstanceProfile",
- "iam:AddRoleToInstanceProfile",
- "iam:TagInstanceProfile",
- "iam:PassRole"
- ],
- "Resource": "*"
 }
 ]
 }
diff --git a/src/dstack/_internal/core/backends/aws/compute.py b/src/dstack/_internal/core/backends/aws/compute.py
index 265c32b2e..f2d0da344 100644
--- a/src/dstack/_internal/core/backends/aws/compute.py
+++ b/src/dstack/_internal/core/backends/aws/compute.py
@@ -104,7 +104,6 @@ def create_instance(
 project_name = instance_config.project_name
 ec2 = self.session.resource("ec2", region_name=instance_offer.region)
 ec2_client = self.session.client("ec2", region_name=instance_offer.region)
- iam_client = self.session.client("iam", region_name=instance_offer.region)
 allocate_public_ip = self.config.allocate_public_ips
 tags = [
@@ -129,10 +128,7 @@ def create_instance(
 cuda=len(instance_offer.instance.resources.gpus) > 0,
 ),
 instance_type=instance_offer.instance.name,
- iam_instance_profile_arn=aws_resources.create_iam_instance_profile(
- iam_client=iam_client,
- project_id=project_name,
- ),
+ iam_instance_profile_arn=None,
 user_data=get_user_data(authorized_keys=instance_config.get_public_keys()),
 tags=tags,
 security_group_id=aws_resources.create_security_group(
diff --git a/src/dstack/_internal/core/backends/aws/resources.py b/src/dstack/_internal/core/backends/aws/resources.py
index fdc205627..bc8b1de4e 100644
--- a/src/dstack/_internal/core/backends/aws/resources.py
+++ b/src/dstack/_internal/core/backends/aws/resources.py
@@ -1,4 +1,3 @@
-import json
 from typing import Any, Dict, List, Optional

 import botocore.client
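Review bot: `iam_instance_profile_arn=None` is only safe if the function receiving these keyword arguments omits `IamInstanceProfile` from the EC2 request when the value is None; that function and the start of the call lie outside the hunk, so confirm it does not forward `IamInstanceProfile=None` to boto3, whose parameter validation rejects a None where a dict is expected. Dropping the profile is a least-privilege improvement — the removed role granted `ec2:*` on project-tagged resources, and an instance with no profile exposes no AWS credentials through the instance metadata service — so a short comment would keep that intent from being reverted later, e.g. `iam_instance_profile_arn=None,  # deliberately no instance role: workloads get no AWS credentials`. Roles, policies and instance profiles created by earlier releases (`dstack_role_<project>`, `dstack_policy_<project>` and the matching instance profile) are not removed by this change and remain in the account as unused standing privilege; the docs hunk drops the IAM permissions but says nothing about cleaning them up, so a changelog or docs note for operators seems warranted. The enclosing `create_instance` function begins before this hunk and continues after it.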
@@ -24,93 +23,6 @@ def get_image_id(ec2_client: botocore.client.BaseClient, cuda: bool) -> str:
 return images[0]["ImageId"]


-def create_role_and_policy(iam_client: botocore.client.BaseClient, project_id: str) -> str:
- policy_name = "dstack_policy_" + project_id.replace("-", "_").lower()
- role_name = "dstack_role_" + project_id.replace("-", "_").lower()
-
- try:
- iam_client.get_role(RoleName=role_name)
- return role_name
- except botocore.exceptions.ClientError as e:
- if e.response["Error"]["Code"] != "NoSuchEntity":
- raise e
-
- response = iam_client.create_policy(
- PolicyName=policy_name,
- Description="Generated by dstack",
- PolicyDocument=json.dumps(
- {
- "Version": "2012-10-17",
- "Statement": [
- {
- "Effect": "Allow",
- "Action": "ec2:*",
- "Resource": "*",
- "Condition": {
- "StringEquals": {
- "aws:ResourceTag/dstack_project": project_id,
- }
- },
- },
- ],
- }
- ),
- Tags=[
- {"Key": "owner", "Value": "dstack"},
- {"Key": "dstack_project", "Value": project_id},
- ],
- )
- policy_arn = response["Policy"]["Arn"]
- iam_client.create_role(
- RoleName=role_name,
- AssumeRolePolicyDocument=json.dumps(
- {
- "Version": "2012-10-17",
- "Statement": [
- {
- "Action": "sts:AssumeRole",
- "Effect": "Allow",
- "Principal": {"Service": "ec2.amazonaws.com"},
- }
- ],
- }
- ),
- Description="Generated by dstack",
- MaxSessionDuration=3600,
- Tags=[
- {"Key": "owner", "Value": "dstack"},
- {"Key": "dstack_project", "Value": project_id},
- ],
- )
- iam_client.attach_role_policy(RoleName=role_name, PolicyArn=policy_arn)
- return role_name
-
-
-def create_iam_instance_profile(iam_client: botocore.client.BaseClient, project_id: str) -> str:
- role_name = create_role_and_policy(iam_client, project_id)
-
- try:
- response = iam_client.get_instance_profile(InstanceProfileName=role_name)
- return response["InstanceProfile"]["Arn"]
- except botocore.exceptions.ClientError as e:
- if e.response["Error"]["Code"] != "NoSuchEntity":
- raise e
-
- response = iam_client.create_instance_profile(
- InstanceProfileName=role_name,
- Tags=[
- {"Key": "owner", "Value": "dstack"},
- {"Key": "dstack_project", "Value": project_id},
- ],
- )
- instance_profile_arn = response["InstanceProfile"]["Arn"]
- iam_client.add_role_to_instance_profile(
- InstanceProfileName=role_name,
- RoleName=role_name,
- )
- return instance_profile_arn
-
-
 def create_security_group(
 ec2_client: botocore.client.BaseClient,
 project_id: str,