Manage Service Accounts
This page describes how Service Accounts are used for Clouds on GCP and how to manage Service Accounts.
Within a Cloud, Clusters run with a Service Account. Grant proper permissions to this Service Account for developers to access all required resources.
Default Service Account
A default Service Account is configured when you deploy a Cloud on GCP. All Anyscale Clusters within this Cloud run with this Service Account. This Service Account looks like the following:
<Anyscale Cloud ID with dashes, not underscores>@<project_id>.iam.gserviceaccount.com
e.g. cld-xyzabc@<project_id>.iam.gserviceaccount.com
- For GCE-based deployments, the project ID is the GCP project associated with your cloud.
- For legacy GKE deployments, the Service Account can be found in the Provider Identity column of the clouds table on the configurations page.
Determine the Service Account on a running Cluster by running:
python -c "import google.auth.transport.requests; c,_=google.auth.default(); \
c.refresh(google.auth.transport.requests.Request()); print(c.service_account_email)"
Use an existing Service Account
This section walks through the steps to configure an existing Service Account for your Cloud and configure Clusters to use this Service Account. For help on how to create a Service Account, check out this guide.
Configure an existing Service Account (GCE)
To use a Service Account on Anyscale, grant Anyscale access to the Service Account and then grant the Service Account access to the GCS Bucket.
Access to the Service Account
No additional setup is required for Service Accounts in the same GCP Project as your Anyscale Cloud. If this does not work, ensure the Compute Engine Service Agent has the compute.serviceAgent role on the specified Service Account.
Service Accounts in a separate GCP project require additional configuration:
1. Disable the iam.disableCrossProjectServiceAccountUsage Boolean constraint in the Service Account's project.
2. Grant the Compute Engine Service Agent in the Anyscale Cloud's project the compute.serviceAgent role on the desired Service Account. The Service Agent has the format:
service-<Anyscale Cloud Project Number>@compute-system.iam.gserviceaccount.com
3. Grant the Anyscale access Service Account the roles/iam.serviceAccountUser role on the desired Service Account. This is necessary for the access Service Account to attach your Service Account to an instance.
4. Ensure the Service Account that you are configuring has read, write and list access to the Google Storage bucket associated with your Anyscale cloud.
The GCP Project returned by Application Default Credentials is the Anyscale Cloud's Project, not the Service Account's Project.
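As an added illustration of the rules in this section (example code, not part of the Anyscale documentation), the following Python helper takes a Service Account email, the Anyscale Cloud's project ID and project number, the Anyscale access Service Account email and the Cloud's GCS bucket, decides from the email's project whether the cross-project steps apply, and lists the resulting org-policy step and IAM bindings as gcloud commands for review. The project, bucket and access Service Account values in the demo are constructed placeholders; the gcloud commands are standard ones but are only printed, never run.

```python
import re
from dataclasses import dataclass

# Service Account emails have the form <name>@<project-id>.iam.gserviceaccount.com
SA_EMAIL_RE = re.compile(
    r"^(?P<name>[^@\s]+)@(?P<project>[a-z][a-z0-9-]*)\.iam\.gserviceaccount\.com$"
)


def sa_project(email: str) -> str:
    """Return the GCP project ID embedded in a Service Account email."""
    m = SA_EMAIL_RE.match(email)
    if not m:
        raise ValueError(f"not a Service Account email: {email!r}")
    return m.group("project")


@dataclass(frozen=True)
class Binding:
    resource: str  # "sa:<email>" (binding on the Service Account) or "bucket:<name>"
    member: str    # IAM principal, e.g. "serviceAccount:<email>"
    role: str      # IAM role, e.g. "roles/compute.serviceAgent"


def required_bindings(sa_email, cloud_project_id, cloud_project_number, access_sa_email, bucket):
    """Derive the org-policy steps and IAM bindings the page lists for using sa_email.

    cloud_project_id / cloud_project_number identify the Anyscale Cloud's project;
    access_sa_email is the Anyscale access Service Account (a placeholder in the demo
    below); bucket is the Cloud's GCS bucket. Returns (org_policy_steps, bindings).
    """
    steps = []
    bindings = []
    sa_proj = sa_project(sa_email)
    if sa_proj != cloud_project_id:
        # Cross-project: the constraint must be disabled in the Service Account's project ...
        steps.append((sa_proj, "iam.disableCrossProjectServiceAccountUsage"))
        # ... the Cloud project's Compute Engine Service Agent needs compute.serviceAgent ...
        agent = f"service-{cloud_project_number}@compute-system.iam.gserviceaccount.com"
        bindings.append(Binding(f"sa:{sa_email}", f"serviceAccount:{agent}", "roles/compute.serviceAgent"))
        # ... and the access Service Account needs serviceAccountUser to attach it to instances.
        bindings.append(Binding(f"sa:{sa_email}", f"serviceAccount:{access_sa_email}", "roles/iam.serviceAccountUser"))
    # In both cases the Service Account needs read/write/list on the Cloud's bucket;
    # roles/storage.admin is the role the page recommends.
    bindings.append(Binding(f"bucket:{bucket}", f"serviceAccount:{sa_email}", "roles/storage.admin"))
    return steps, bindings


def to_gcloud(steps, bindings):
    """Render the steps as gcloud commands for review; nothing is executed here."""
    cmds = []
    for project, constraint in steps:
        cmds.append(f"gcloud resource-manager org-policies disable-enforce {constraint} --project={project}")
    for b in bindings:
        kind, name = b.resource.split(":", 1)
        if kind == "sa":
            cmds.append(
                f"gcloud iam service-accounts add-iam-policy-binding {name} "
                f"--project={sa_project(name)} --member={b.member} --role={b.role}"
            )
        else:
            cmds.append(
                f"gcloud storage buckets add-iam-policy-binding gs://{name} "
                f"--member={b.member} --role={b.role}"
            )
    return cmds


if __name__ == "__main__":
    # Constructed placeholder values; replace with your own.
    steps, bindings = required_bindings(
        sa_email="data-pipeline@team-project.iam.gserviceaccount.com",
        cloud_project_id="anyscale-cloud-project",
        cloud_project_number="123456789012",
        access_sa_email="anyscale-access@anyscale-cloud-project.iam.gserviceaccount.com",
        bucket="anyscale-cloud-bucket",
    )
    print("\n".join(to_gcloud(steps, bindings)))
```

Run it with your own values and compare the printed bindings against the IAM page of the Service Account and the bucket. roles/storage.admin, as recommended above, also grants control over the bucket's own configuration and IAM policy; if you only need the read, write and list access that step 4 asks for, roles/storage.objectAdmin covers objects without bucket-level administration.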
Access to Cloud Storage
Anyscale Clusters require permission to read and write from their Anyscale Cloud's GCS Bucket. The easiest way to do this is to grant this Service Account the Storage Admin role on the GCS Bucket associated with this Cloud.
Configure an existing Service Account (Legacy GKE)
This section walks through the steps to configure an existing Service Account for your Cloud.
1. Navigate to the GCP Service Account page and click Select a Project.
2. Select the project that contains the Service Account. The Project ID is found in the Service Account email. The format for Service Account emails is:
service-account-name@project-id.iam.gserviceaccount.com
3. Select the Service Account you want to use.
4. Go to the Permissions tab at the top of the page.
5. Click the "Grant Access" button.
6. In the "New Principals" box, type your cloud-specific Service Account. This cloud-specific Service Account should look like <cloud_id>@<bridge_project_id>, and directions for finding it can be found here.
7. In the "Role" box, search for "Service Account Token Creator" and select it.
8. Click Save.
Configure Clusters to use this Service Account
With Service Account setup completed, configure Clusters to use it. In this step you will use the Service Account email from above.
- Create a new cluster compute (here). Select the cloud tied to the cloud-specific Service Account from Step 6 above.
- Expand the "Advanced configuration" box.
- In the "Advanced Configuration" field, paste the following JSON, replacing SERVICE_ACCOUNT_EMAIL with the actual email.
{
"serviceAccount": {"email": "SERVICE_ACCOUNT_EMAIL"}
}
- Add a name for your cluster compute and press Save. If you want to customize other parameters such as node configurations, do so at this time.
- Ensure that you use this compute config when you launch Clusters.
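To check the Advanced Configuration JSON before pasting it, here is an added Python example (not Anyscale's code) that builds the snippet above from a Service Account email, parses a pasted snippet back, and rejects the usual slips: the SERVICE_ACCOUNT_EMAIL placeholder left in place, a wrong top-level key, an email that is not a Service Account email, or truncated JSON. It also reports whether the Service Account's project differs from the Anyscale Cloud's project, which is the case where the cross-project steps in the GCE section apply. The project and account names in the demo are constructed placeholders.

```python
import json
import re

PLACEHOLDER = "SERVICE_ACCOUNT_EMAIL"
# <name>@<project-id>.iam.gserviceaccount.com
SA_EMAIL_RE = re.compile(r"^[^@\s]+@(?P<project>[a-z][a-z0-9-]*)\.iam\.gserviceaccount\.com$")


def validate_sa_email(email: str) -> str:
    """Reject the unreplaced placeholder and anything that is not a Service Account email."""
    if email == PLACEHOLDER:
        raise ValueError("SERVICE_ACCOUNT_EMAIL placeholder was not replaced")
    if not SA_EMAIL_RE.match(email):
        raise ValueError(f"not a Service Account email: {email!r}")
    return email


def make_advanced_config(email: str) -> str:
    """Build the Advanced Configuration JSON that pins a cluster to a Service Account."""
    return json.dumps({"serviceAccount": {"email": validate_sa_email(email)}}, indent=2)


def service_account_from_config(text: str) -> str:
    """Parse an Advanced Configuration JSON and return the Service Account email it pins."""
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        raise ValueError(f"invalid JSON: {exc}") from exc
    if not isinstance(cfg, dict) or "serviceAccount" not in cfg:
        raise ValueError('missing top-level "serviceAccount" object')
    sa = cfg["serviceAccount"]
    if not isinstance(sa, dict) or not isinstance(sa.get("email"), str):
        raise ValueError('"serviceAccount" must be an object with a string "email"')
    return validate_sa_email(sa["email"])


def check_config(text: str, cloud_project_id: str):
    """Return (email, cross_project). cross_project is True when the Service Account
    lives in a different project than the Anyscale Cloud, so the extra cross-project
    steps from the GCE section apply."""
    email = service_account_from_config(text)
    project = SA_EMAIL_RE.match(email).group("project")
    return email, project != cloud_project_id


if __name__ == "__main__":
    # Constructed sample inputs (placeholder project and account names).
    good = make_advanced_config("data-pipeline@team-project.iam.gserviceaccount.com")
    print(good)
    print(check_config(good, "anyscale-cloud-project"))  # Service Account is in another project
    for bad in (
        '{"serviceAccount": {"email": "SERVICE_ACCOUNT_EMAIL"}}',          # placeholder left in
        '{"service_account": {"email": "x@p.iam.gserviceaccount.com"}}',   # wrong key
        '{"serviceAccount": {"email": "x@p.iam.gserviceaccount.com"',      # truncated JSON
    ):
        try:
            service_account_from_config(bad)
        except ValueError as err:
            print("rejected:", err)
```

Paste the output of make_advanced_config into the "Advanced Configuration" field; a True second value from check_config means the Service Account is in a separate project and the cross-project bindings must already be in place, otherwise the cluster cannot attach it.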
Note: Each Cluster runs with a single Service Account. The newly configured Service Account is used instead of the default Service Account.