[AWS] Fix config syntax for IAM profile

docs/source/reference/config.rst

@@ -120,18 +120,20 @@ Available fields and semantics:
     # instances. SkyPilot will auto-create and reuse a service account (IAM
     # role) for AWS instances.
     #
-    # Customized service account (IAM role): <string> or <dict>
+    # Customized service account (IAM role): <string> or <list of single-element dict>
     # - <string>: apply the service account with the specified name to all instances.
     #    Example:
     #       remote_identity: my-service-account-name
-    # - <dict>: A dict mapping from the cluster name (pattern) to the service account name to use.
-    #    NOTE: If none of the wildcard expressions in the dict match the cluster name, LOCAL_CREDENTIALS will be used.
-    #    To specify your default, use "*" as the wildcard expression.
-    #    Example:
+    # - <list of single-element dict>: A list single-element dict mapping from the cluster name (pattern)
+    #   to the service account name to use. The matching of the cluster name is done in the same order
+    #   as the list.
+    #   NOTE: If none of the wildcard expressions in the dict match the cluster name, LOCAL_CREDENTIALS will be used.
+    #   To specify your default, use "*" as the wildcard expression.
+    #   Example:
     #       remote_identity:
-    #         my-cluster-name: my-service-account-1
-    #         sky-serve-controller-*: my-service-account-2
-    #         "*": my-default-service-account
+    #         - my-cluster-name: my-service-account-1
+    #         - sky-serve-controller-*: my-service-account-2
+    #         - "*": my-default-service-account
     #
     # Two caveats of SERVICE_ACCOUNT for multicloud users:
     #

sky/backends/backend_utils.py

@@ -801,8 +801,8 @@ def write_cluster_config(
         (str(cloud).lower(), 'remote_identity'), 'LOCAL_CREDENTIALS')
     if remote_identity is not None and not isinstance(remote_identity, str):
         for profile in remote_identity:
-            if fnmatch.fnmatchcase(cluster_name, profile):
-                remote_identity = remote_identity[profile]
+            if fnmatch.fnmatchcase(cluster_name, list(profile.keys())[0]):
+                remote_identity = list(profile.values())[0]
                 break
     if remote_identity != 'LOCAL_CREDENTIALS':
         if not cloud.supports_service_account_on_remote():

sky/skypilot_config.py

@@ -152,7 +152,9 @@ def _try_load_config() -> None:
             common_utils.validate_schema(
                 _dict,
                 schemas.get_config_schema(),
-                f'Invalid config YAML ({config_path}): ',
+                f'Invalid config YAML ({config_path}). See: '
+                'https://skypilot.readthedocs.io/en/latest/reference/config.html. ' # pylint: disable=line-too-long
+                'Error: ',
                 skip_none=False)
 
         logger.debug('Config syntax check passed.')

sky/utils/schemas.py

@@ -533,11 +533,22 @@ def get_cluster_schema():
     'remote_identity': {
         'oneOf': [{
             'type': 'string'
-        }, {
-            'type': 'object',
-            'required': [],
-            'additionalProperties': {
-                'type': 'string',
+        },
+        {
+            # A list of single-element dict to pretain the order.
+            # Example:
+            #  remote_identity:
+            #    - my-cluster1-*: my-iam-role-1
+            #    - my-cluster2-*: my-iam-role-2
+            #    - *: my-iam-role-3
+            'type': 'array',
+            'items': {
+                'type': 'object',
+                'additionalProperties': {
+                    'type': 'string'
+                },
+                'maxProperties': 1,
+                'minProperties': 1,
             },
         }]
     }