Merged
46 changes: 46 additions & 0 deletions content/docs/ref/runner.md
Expand Up @@ -75,6 +75,52 @@ Any [generic option](/doc/ref) in addition to:

## Examples

### Using `--cloud-permission-set`

> Currently this feature is only implemented when using GCP or AWS.

You can predefine a set of permissions via an [AWS role]() or a
[GCP service account]() that is assosiated with the created `cml runner`
instance.

This can enable credentialless access to your `s3` or `gs` dvc remote.
Additionally, you can use this access other resources from that cloud provider
like AWS' Elastic Container Registry or GCP's Artifact Registry, so that you can
push and pull custom docker images.

Other examples, using AWS, could include accessing data in:

- Secrets Manager
- DynamoDB
- Redshfit

#### Example "Permission Sets"

<toggle>
<tab title="AWS">
stuff

```json
{
"stuff": "here"
}
```

</tab>
<tab title="GCP">

stuff

- list of roles

</tab>
</toggle>

> Caveat for `--cloud-permission-set` on GCP: using this feature will likely
> require and additional role be added to your `cml runner` credentials
> `roles/ServiceAccountUser` or ensure the invoker has the permission
> `iam.serviceAccount.actAs` on the targeted Service Account.

### Using `--cloud-ssh-private`

1. Generate a new RSA PEM private key for debugging purposes:
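
Review bot: The GCP caveat at the end of the `--cloud-permission-set` section names `roles/ServiceAccountUser` and `iam.serviceAccount.actAs`, but the IAM identifiers are `roles/iam.serviceAccountUser` and `iam.serviceAccounts.actAs`, so a reader copying the text into a role binding will have it rejected. The tabs under `Example "Permission Sets"` still hold placeholder content (`stuff`, `"stuff": "here"`, `- list of roles`) and the `[AWS role]()` and `[GCP service account]()` links have empty targets; please fill these in before merge, ideally with a policy scoped to the one bucket used as the DVC remote rather than a broad storage role. Typos to fix in the same pass: `assosiated`, `Redshfit`, `use this access other resources` (missing "to"), `require and additional role`.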
41 changes: 41 additions & 0 deletions content/docs/self-hosted-runners.md
Expand Up @@ -127,6 +127,47 @@ below for details on the `secrets` required.
`cml send-comment` from a job, the only requirement is to
[have CML installed](/doc/install).

## Accessing DVC remotes on your CML cloud runner

If you're using an Object Storage remotes like `s3` or `gs` from AWS/GCP it's
easy to allow DVC programatic access without the use of dedicated credentials.

Besides reducing overhead in managing additional keys, you can save in network
costs, and have options to increase transfer speeds. For example, looking at
AWS, we can get [free network transfers](https://aws.amazon.com/s3/pricing/)
from `s3` to `ec2` within the same region.

These `cml runner` commands fit right in with the above examples. For a more
detailed breakdown checkout [the advanced guide](/cool/link).

<toggle>
<tab title="AWS">

```bash
cml runner \
--cloud=aws \
--cloud-region=us-west \
--cloud-type=p2.xlarge \
--cloud-permission-set=arn:aws:iam::1234567890:instance-profile/dvc-s3-access \
--labels=cml-gpu
```

</tab>

<tab title="GCP">

```bash
cml runner \
--cloud=gcp \
--cloud-region=us-west \
--cloud-type=someinstance+gpu? \
[email protected],scopes=storage-rw \
--labels=cml-gpu
```

</tab>
</toggle>

## Docker Images

The CML Docker images (`docker://iterativeai/cml` or
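
Review bot: Neither tab in "Accessing DVC remotes on your CML cloud runner" says what the attached identity should be allowed to do. The `dvc-s3-access` instance profile in the AWS tab and `scopes=storage-rw` in the GCP tab should come with a sentence telling readers to restrict the role or service account to the bucket that holds the DVC remote, since every job scheduled on that runner inherits the access. The AWS tab passes an `instance-profile` ARN while the reference text in `runner.md` speaks of an "AWS role"; state which ARN form the flag expects. The GCP tab's `--cloud-type=someinstance+gpu?` and the `[the advanced guide](/cool/link)` target are placeholders, and the sample account ID `1234567890` has 10 digits where AWS account IDs have 12. Wording: `an Object Storage remotes`, `programatic`, `checkout` (should be "check out").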