AWS Instance Profile
Last updated
Was this helpful?
Last updated
Was this helpful?
The Gradient Agent needs AWS access to retrieve instance market information during job execution. To access this information, Gradient uses which will leverage permissions granted through the cluster's instance profile. See Example AWS Profile below for required permissions.
Gradient reads and writes logs to the storage path defined in the cluster delivery configuration. If the logs are configured to be delivered to an S3 location, the cluster instance profile must have permission to read and write data to the S3 destination and it must include putObjectAcl permission.
In your AWS console, go to IAM > Roles and click on Create role
Select AWS service
as the entity type and EC2 as the service
Gradient does not need any additional permissions at this point. Implement any default permissions you may need. If none are needed, click next.
Insert a name for the role. Below we use sync-minimum-access
. Click on create Role once completed.
Click into the Role you just created, and under Permissions, click on Add permission > create inline policy
Click on the JSON editor
Copy and paste the code block below into the JSON policy editor.
Be sure to update <your-s3-bucket-path> to be the same s3 bucket path as where you store your Databricks logs (screen-shot from the Databricks cluster).
Click on Next. On the next page click on Create Policy.
In the Databricks admin page, go to Instance profiles and click on "Add instance profile"
On the next page copy and paste the "Instance profile ARN" and "IAM role ARN" values from the AWS console Role's page. Click "add" to complete.
Done! You should now be able to select this instance profile in the cluster page of your jobs