Reference

IAM custom role

Coiled requires a limited set of IAM permissions to provision infrastructure and compute resources in your GCP account (see the guide on creating a service account).

Here’s an example YAML file you can customize with the specific permissions you’ll need.

Example IAM role for cluster service account
title: coiled
description: coiled-externally-hosted
stage: GA
includedPermissions:
- bigquery.datasets.create
- bigquery.jobs.create
- bigquery.datasets.get
- bigquery.datasets.update
- bigquery.tables.getData
- compute.acceleratorTypes.list
- compute.addresses.list
- compute.disks.create
- compute.disks.delete
- compute.disks.list
- compute.disks.useReadOnly
- compute.firewalls.create
- compute.firewalls.delete
- compute.firewalls.get
- compute.firewalls.list
- compute.globalOperations.get
- compute.globalOperations.getIamPolicy
- compute.globalOperations.list
- compute.images.create
- compute.images.delete
- compute.images.get
- compute.images.list
- compute.images.setLabels
- compute.images.useReadOnly
- compute.instances.create
- compute.instances.delete
- compute.instances.get
- compute.instances.getSerialPortOutput
- compute.instances.list
- compute.instances.setLabels
- compute.instances.setMetadata
- compute.instances.setServiceAccount
- compute.instances.setTags
- compute.instanceTemplates.create
- compute.instanceTemplates.delete
- compute.instanceTemplates.get
- compute.instanceTemplates.useReadOnly
- compute.machineTypes.get
- compute.machineTypes.list
- compute.networks.create
- compute.networks.delete
- compute.networks.get
- compute.networks.list
- compute.networks.updatePolicy
- compute.projects.get
- compute.projects.setCommonInstanceMetadata
- compute.regionOperations.get
- compute.regionOperations.list
- compute.regions.get
- compute.regions.list
- compute.routers.create
- compute.routers.delete
- compute.routers.get
- compute.routers.list
- compute.routers.update
- compute.routes.delete
- compute.routes.list
- compute.subnetworks.create
- compute.subnetworks.delete
- compute.subnetworks.get
- compute.subnetworks.getIamPolicy
- compute.subnetworks.list
- compute.subnetworks.use
- compute.subnetworks.useExternalIp
- compute.zoneOperations.get
- compute.zoneOperations.list
- compute.zones.list
- iam.serviceAccounts.actAs
- logging.buckets.create
- logging.buckets.get
- logging.buckets.list
- logging.logEntries.create
- logging.logEntries.list
- logging.sinks.create
- logging.sinks.get
- logging.sinks.list
- storage.buckets.create
- storage.buckets.get
- storage.objects.create
- storage.objects.get
- storage.objects.list
- storage.objects.update

For data access, a more limited set of IAM permissions is enough for the service account that a running computation uses to read and write your data (see the guide on creating a service account for data access). The following example YAML file defines an IAM role scoped to submitting logs and accessing Google Cloud Storage; add or remove permissions as needed.

Example IAM role for data access service account
title: coiled-data
description: coiled-externally-hosted
stage: GA
includedPermissions:
- logging.logEntries.create
- storage.buckets.get
- storage.buckets.create
- storage.objects.create
- storage.objects.get
- storage.objects.list
- storage.objects.update
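As an added example (not Coiled's own code), a small Python check that reads role files in the flat format above without a YAML library and verifies that the data-access role is a subset of the cluster role, stays within the logging and storage services, and has no duplicate entries. The embedded role texts are constructed, abridged excerpts of the two files shown above.

```python
from collections import Counter

# Constructed, abridged excerpts of the two role files shown above.
CLUSTER_ROLE_YAML = """\
title: coiled
includedPermissions:
- compute.instances.create
- iam.serviceAccounts.actAs
- logging.logEntries.create
- storage.buckets.get
- storage.objects.get
- storage.objects.list
"""

DATA_ROLE_YAML = """\
title: coiled-data
includedPermissions:
- logging.logEntries.create
- storage.buckets.get
- storage.objects.get
- storage.objects.list
"""

def parse_role(text):
    """Minimal reader for this flat role format (scalar keys plus the
    includedPermissions list); no YAML library needed."""
    role = {"includedPermissions": []}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("- "):
            role["includedPermissions"].append(line[2:].strip())
        elif ":" in line:
            key, _, value = line.partition(":")
            if value.strip():
                role[key.strip()] = value.strip()
    return role

def check_data_role(cluster_yaml, data_yaml, allowed=("logging", "storage")):
    """Return (ok, problems): the data-access role must be a subset of the
    cluster role, stay within the allowed services, and have no duplicates."""
    cluster = set(parse_role(cluster_yaml)["includedPermissions"])
    data = parse_role(data_yaml)["includedPermissions"]
    problems = [f"not in cluster role: {p}" for p in data if p not in cluster]
    problems += [f"outside {allowed}: {p}" for p in data
                 if p.split(".", 1)[0] not in allowed]
    problems += [f"duplicate: {p}" for p, n in Counter(data).items() if n > 1]
    return (not problems, problems)

if __name__ == "__main__":
    ok, problems = check_data_role(CLUSTER_ROLE_YAML, DATA_ROLE_YAML)
    print("data role OK" if ok else problems)
```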

Quotas

Each Google Cloud resource type has pre-defined quotas, which are the maximum number of resources you can create for a given resource type. If you have received error messages such as Quota <resource-type> exceeded, you may want to request an increase.

You can run coiled setup gcp --quotas from the command-line to view or adjust your quotas. Or, you can view existing quotas and request increases from your Google Cloud console. In particular, the following resource types often have insufficient quotas:

  • Persistent disk SSD (GB) (see the Google Cloud documentation on Disk quotas). You may need to request an increase if you see the Quota 'SSD_TOTAL_GB' exceeded error message.

  • In-use external IP addresses (see the Google Cloud documentation on External IP addresses). You may need to request an increase if you see the Quota 'IN_USE_ADDRESSES' exceeded error message.

  • CPU (see the Google Cloud documentation on CPU quota). You may need to request an increase if you see the Quota 'CPUS' exceeded error message.

Backend options

There are several GCP-specific options that you can specify (listed below) to customize Coiled’s behavior.

| Name | Description | Default |
|---|---|---|
| region_name | GCP region to create resources in | us-east1 |
| zone_name | GCP zone to create resources in | us-east1-c |
| firewall | Ports and CIDR block for the security groups that Coiled creates | {"ports": [22, 443], "cidr": "0.0.0.0/0"} |

You can specify backend options when creating a cluster:

import coiled

cluster = coiled.Cluster(backend_options={"region_name": "us-central1"})

Or at the account level for yourself or your team members using coiled.set_backend_options():

import coiled

coiled.set_backend_options(gcp_region="us-central1")

Or save them to your Coiled configuration file ~/.config/dask/coiled.yaml (see Configuration):

coiled:
  backend-options:
    region_name: us-central1

GPU support

Coiled supports running computations with GPU-enabled machines if your account has access to GPUs. See the GPU best practices documentation for more information on using GPUs with GCP.

Logs

If you are running Coiled on your GCP account, cluster logs will be saved within your GCP account. Coiled will send logs to GCP Logging and GCP BigQuery (if BigQuery is enabled in the project).

We send logs to GCP Logging so that you can easily view logs with GCP Logs Explorer, and we use GCP Cloud Storage/GCP BigQuery to back the logs views we display on the Cluster Dashboard.

Note

Coiled will only use BigQuery if you have BigQuery enabled in your project and if you have the following permissions in your service account: bigquery.datasets.create, bigquery.datasets.get, bigquery.datasets.update and bigquery.jobs.create

| Log storage | Storage time |
|---|---|
| GCP Logging | 30 days |
| GCP BigQuery dataset | 10 days |

When you configure your backend to use GCP, Coiled creates a log bucket named coiled-logs in GCP Logging.

Networking

When Coiled is configured to run in your own GCP account, you can customize the firewall ingress rules for resources that Coiled creates in your GCP account.

By default, Dask schedulers created by Coiled will be reachable via port 443 from any source network and port 22 from the IP address of the client machine starting the cluster. This is consistent with the default ingress rules that Coiled configures for its AWS security groups:

| Protocol | Port | Source |
|---|---|---|
| tcp | 443 | 0.0.0.0/0 |
| tcp | 22 | client IP address |

Note

Port 443 is used by the Dask dashboard and Dask client protocol. Port 22 optionally supports incoming SSH connections to the virtual machine.

Configuring firewall rules

While allowing incoming connections on the default Dask ports from any source network is convenient, you can tighten security by restricting which source networks may connect. Do this with coiled.set_backend_options() or by passing the firewall backend option (see Backend options) when creating a cluster.
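As an added example (not Coiled's own code), a Python helper that checks a firewall backend option in the shape shown in the options table before it is passed to coiled.Cluster(backend_options=...), flagging the world-open default and a broadly exposed SSH port, and that builds a replacement option restricted to one client address. The names check_firewall and restricted_firewall are hypothetical; the client address used is an RFC 5737 documentation address.

```python
import ipaddress

# The default from the Backend options table above.
DEFAULT_FIREWALL = {"ports": [22, 443], "cidr": "0.0.0.0/0"}

def check_firewall(option):
    """Return warnings for a firewall backend option (hypothetical helper).
    An empty list means the option is well-formed and not open to the world."""
    warnings = []
    try:
        net = ipaddress.ip_network(option["cidr"], strict=False)
    except (KeyError, ValueError) as e:
        return [f"invalid cidr: {e}"]
    if net.prefixlen == 0:
        warnings.append(f"cidr {option['cidr']} admits any source network")
    ports = option.get("ports", [])
    if not ports:
        warnings.append("no ports listed")
    for p in ports:
        if not isinstance(p, int) or not 1 <= p <= 65535:
            warnings.append(f"invalid port: {p!r}")
    # SSH should come from the client machine, not a broad range (see the
    # default ingress rules above, where port 22 is scoped to the client IP).
    if 22 in ports and net.prefixlen < 24:
        warnings.append("port 22 (SSH) open to a broad range; prefer the client IP")
    return warnings

def restricted_firewall(client_ip, ports=(443, 22)):
    """Build a firewall option admitting only a single client address
    (hypothetical helper); the network is the /32 or /128 host route."""
    net = ipaddress.ip_network(client_ip)
    return {"ports": list(ports), "cidr": str(net)}

if __name__ == "__main__":
    print(check_firewall(DEFAULT_FIREWALL))
    option = restricted_firewall("203.0.113.10")   # constructed documentation address
    print(option, check_firewall(option))
    # import coiled
    # cluster = coiled.Cluster(backend_options={"firewall": option})
```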