Manage IAM Roles

This page describes how IAM Roles are used for Clouds on AWS and how to manage IAM Roles.

Within a Cloud, Clusters run with an IAM Role. Grant this IAM Role the permissions developers need to access all required resources.

Default IAM Role

A default IAM Role is configured when you deploy a Cloud on AWS. All Anyscale Clusters within this Cloud run with this Role.

  • Clouds deployed via Anyscale Managed Resources use a role that looks like:
arn:aws:iam::<your_aws_account_id>:role/<cloud_id>-cluster_node_role
  • Clouds deployed via Customer Defined Resources use the role provided in the instance-iam-role field.
info

Determine the IAM role on a running Anyscale Cluster by running:

aws sts get-caller-identity

Use an existing IAM Role

This section walks through the steps to configure an existing IAM role for your Cloud and configure Clusters to use this Role.

Configure the IAM Role

To use an IAM Role on Anyscale, grant EC2 permission to use the Role and give the Role permission to read from the Cloud's S3 Bucket.

Granting EC2 permission

When launching a Cluster, Anyscale instructs the EC2 service to associate the selected IAM Role with each instance. These steps walk through how to give the EC2 service this permission on the Role.

note

The IAM role must be in the same AWS account as the Anyscale Cloud.

1. Navigate to the IAM Roles page and search for the role you want to use.

2. Select the role. You should now see the IAM Role Summary Page.

3. Select the Trust relationships tab.

4. Select Edit trust relationship. You should now see a JSON text editor.

5. Paste in the following JSON:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": ["ec2.amazonaws.com"]
      },
      "Action": "sts:AssumeRole",
      "Condition": {}
    }
  ]
}

6. Click Update Trust Policy to save your modifications.

7. Proceed to configure your clusters.
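
The following added example (not Anyscale's code) checks a role's trust policy offline against the two requirements above: EC2 may call sts:AssumeRole on the role, and the role is in the same AWS account as the Cloud. The function name, account IDs and role name are constructed placeholders, the wildcard-principal check is an extra least-privilege check not described on this page, and the input is assumed to be the AssumeRolePolicyDocument returned by `aws iam get-role`.

```python
import json
from fnmatch import fnmatchcase

EC2 = "ec2.amazonaws.com"

def _as_list(value):
    # IAM accepts a single string/object wherever a list is allowed.
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def audit_trust_policy(policy, role_arn, cloud_account_id):
    """Return findings for a role's trust policy; empty list means it passes."""
    findings = []
    parts = role_arn.split(":")  # arn:aws:iam::<account_id>:role/<name>
    if len(parts) != 6 or parts[2] != "iam" or not parts[5].startswith("role/"):
        findings.append("not an IAM role ARN")
    elif parts[4] != cloud_account_id:
        findings.append("role account %s differs from Cloud account %s"
                        % (parts[4], cloud_account_id))
    ec2_allowed = False
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        # IAM action names are case-insensitive and may use wildcards (sts:*).
        assume = any(fnmatchcase("sts:assumerole", a.lower())
                     for a in _as_list(stmt.get("Action")))
        principal = stmt.get("Principal", {})
        if isinstance(principal, dict):
            wildcard = "*" in _as_list(principal.get("AWS"))
            services = _as_list(principal.get("Service"))
        else:
            wildcard, services = principal == "*", []
        if assume and wildcard:
            # Extra least-privilege check, not a requirement from this page.
            findings.append("wildcard principal may assume the role")
        if assume and EC2 in services:
            ec2_allowed = True
    if not ec2_allowed:
        findings.append("%s may not call sts:AssumeRole" % EC2)
    return findings

# Constructed samples: account IDs and role name are placeholders.
PAGE_POLICY = json.loads('{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",'
    ' "Principal": {"Service": ["ec2.amazonaws.com"]},'
    ' "Action": "sts:AssumeRole", "Condition": {}}]}')
ROLE_ARN = "arn:aws:iam::111122223333:role/example-cluster-role"

if __name__ == "__main__":
    print(audit_trust_policy(PAGE_POLICY, ROLE_ARN, "111122223333") or "OK")
```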

Access to S3 Bucket

Anyscale Clusters require permission to read from and write to their Anyscale Cloud's S3 Bucket. Add this IAM Role to the S3 Bucket's Policy to allow access. Alternatively, attach an IAM Policy to this Role that grants access to the Cloud's S3 bucket.

Configure Anyscale Clusters to use this Role

With Role setup completed, configure Anyscale Clusters to use it.

1. Copy the Role ARN from your role (click the icon to the right of the ARN to copy).

2. Create a new Compute Config (here). From the drop-down, select the Cloud for which you previously established the trust relationship.

3. Expand the Advanced configuration box.

4. In the Advanced Configuration field, paste the following JSON, replacing Role ARN with the value copied from Step 1.

{
  "IamInstanceProfile": { "Arn": "Role ARN" }
}

5. Add a name for your Compute Config & press Save. If you want to customize other parameters like node configurations, do so at this time.

6. Ensure that you use this Compute Config when you launch Clusters.

note

Each Cluster runs with a single IAM Role. The newly configured IAM Role will be used instead of the default IAM Role.