Gradient Permissions
Sync NEVER saves client secrets to Sync's systems permanently.
When you use Sync's UI, Databricks tokens are collected at the time of execution and held only for the duration of the HTTP transaction.
When you use Sync's CLI, the CLI uses the Databricks tokens and boto3 credentials already present on the client machine.
Gradient uses a Databricks token to interact with your Databricks workspace. The account associated with the token requires permissions on every Databricks Job, and the compute associated with it, that will be monitored. See the Databricks documentation for more details. Gradient uses this access to retrieve the Spark event logs for every job run it evaluates.
Databricks recommends that you set up a service principal for automation tasks. As noted in their docs, service principals give automated tools and scripts API-only access to Databricks resources, providing greater security than using users or groups.
The Gradient Agent needs AWS access to retrieve instance market information during job execution. To access this information, Gradient uses Boto3, which uses the permissions granted through the cluster's instance profile. See Example AWS Profile below for the required permissions.
Gradient reads and writes logs to the storage path defined in the cluster's log delivery configuration. If the logs are configured to be delivered to an S3 location, the cluster instance profile must have permission to read and write data at the S3 destination, and it must include the s3:PutObjectAcl permission. See the user guide for how to set up the cluster instance profile.

For logs stored on DBFS, the account associated with the Databricks token must have permission to read and write the DBFS location where those logs are delivered.
Example AWS Profile
{
  "RoleName": "sync-minimum-access",
  "PolicyName": "sync-minimum-access",
  "PolicyDocument": {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "VisualEditor0",
        "Effect": "Allow",
        "Action": [
          "ec2:DescribeInstances",
          "ec2:DescribeVolumes"
        ],
        "Resource": "*"
      },
      {
        "Sid": "VisualEditor1",
        "Effect": "Allow",
        "Action": [
          "s3:PutObject",
          "s3:GetObject",
          "s3:ListBucket",
          "s3:PutObjectAcl"
        ],
        "Resource": [
          "arn:aws:s3:::sync-us-east-1-temp-90-days/sync/*",
          "arn:aws:s3:::sync-us-east-1-temp-90-days"
        ]
      }
    ]
  }
}
For EMR, the example AWS profile also applies.
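As an added example (not part of this page or of Sync's own tooling), the following Python script checks an instance-profile policy document against the minimum permissions described above before the profile is attached to a cluster: it confirms that every required action is granted, that the S3 actions actually cover the configured log bucket (both the bucket ARN for ListBucket and the object ARNs for Put/Get/PutObjectAcl), and it flags S3 grants on Resource "*" as wider than the least-privilege policy shown. The embedded policy is the page's example profile; the bucket name and the sample object key used for matching are constructed for the check. Explicit Deny statements and Condition blocks are not evaluated here.

```python
import fnmatch
import json

# The page's example profile, embedded so the check runs offline.
PAGE_PROFILE = json.loads("""
{
  "RoleName": "sync-minimum-access",
  "PolicyName": "sync-minimum-access",
  "PolicyDocument": {
    "Version": "2012-10-17",
    "Statement": [
      {"Sid": "VisualEditor0", "Effect": "Allow",
       "Action": ["ec2:DescribeInstances", "ec2:DescribeVolumes"],
       "Resource": "*"},
      {"Sid": "VisualEditor1", "Effect": "Allow",
       "Action": ["s3:PutObject", "s3:GetObject", "s3:ListBucket", "s3:PutObjectAcl"],
       "Resource": ["arn:aws:s3:::sync-us-east-1-temp-90-days/sync/*",
                    "arn:aws:s3:::sync-us-east-1-temp-90-days"]}
    ]
  }
}
""")
PAGE_POLICY = PAGE_PROFILE["PolicyDocument"]

# Minimum actions the agent needs, taken from the page.
REQUIRED_ACTIONS = {
    "ec2:DescribeInstances", "ec2:DescribeVolumes",
    "s3:PutObject", "s3:GetObject", "s3:ListBucket", "s3:PutObjectAcl",
}
# Which ARN each S3 action is authorised against: ListBucket is a bucket-level
# call, the others operate on objects.
S3_TARGET_KIND = {
    "s3:ListBucket": "bucket",
    "s3:PutObject": "object",
    "s3:GetObject": "object",
    "s3:PutObjectAcl": "object",
}


def _as_list(value):
    """IAM allows a string or a list for Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _allow_statements(policy_doc):
    return [s for s in policy_doc["Statement"] if s.get("Effect") == "Allow"]


def _action_matches(required, granted):
    # IAM action names are case-insensitive and support * and ? wildcards.
    return fnmatch.fnmatchcase(required.lower(), granted.lower())


def missing_actions(policy_doc, required=REQUIRED_ACTIONS):
    """Required actions that no Allow statement grants (wildcards such as s3:* honoured)."""
    granted = [a for s in _allow_statements(policy_doc) for a in _as_list(s.get("Action", []))]
    return sorted(r for r in required if not any(_action_matches(r, g) for g in granted))


def uncovered_s3_actions(policy_doc, log_bucket, sample_key="sync/cluster-logs/example.log"):
    """S3 actions that are not allowed on the log bucket / a constructed object key under it."""
    bucket_arn = f"arn:aws:s3:::{log_bucket}"
    targets = {"bucket": bucket_arn, "object": f"{bucket_arn}/{sample_key}"}
    uncovered = []
    for action, kind in S3_TARGET_KIND.items():
        target = targets[kind]
        covered = any(
            any(_action_matches(action, g) for g in _as_list(s.get("Action", [])))
            and any(fnmatch.fnmatchcase(target, r) for r in _as_list(s.get("Resource", [])))
            for s in _allow_statements(policy_doc)
        )
        if not covered:
            uncovered.append(action)
    return sorted(uncovered)


def overly_broad_statements(policy_doc):
    """Sids of Allow statements that grant S3 (or all) actions on Resource "*"."""
    broad = []
    for s in _allow_statements(policy_doc):
        actions = _as_list(s.get("Action", []))
        if "*" in _as_list(s.get("Resource", [])) and any(
            a == "*" or a.lower().startswith("s3:") for a in actions
        ):
            broad.append(s.get("Sid", "<no Sid>"))
    return broad


def report(policy_doc, log_bucket):
    """Combine the three checks; ok is True only when the policy is complete and not over-broad."""
    findings = {
        "missing_actions": missing_actions(policy_doc),
        "uncovered_s3_actions": uncovered_s3_actions(policy_doc, log_bucket),
        "overly_broad_statements": overly_broad_statements(policy_doc),
    }
    findings["ok"] = not any(findings[k] for k in ("missing_actions", "uncovered_s3_actions", "overly_broad_statements"))
    return findings


if __name__ == "__main__":
    print(json.dumps(report(PAGE_POLICY, "sync-us-east-1-temp-90-days"), indent=2))
```

Run it with the bucket from the cluster's log delivery configuration; a non-empty uncovered_s3_actions list usually means the Resource ARNs point at a different bucket or prefix than the one the cluster actually writes to. Because this is a static read of the document, it is a pre-flight check only; for an authoritative answer that includes Deny statements, permission boundaries and conditions, use IAM's SimulatePrincipalPolicy against the role.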