IAM on Anyscale
When you deploy an Anyscale cloud to a cloud provider, whether on virtual machines or a managed Kubernetes service, you configure a collection of identity and access management (IAM) roles and settings that create trust relationships between the Anyscale control plane and your cloud provider account.
Each cloud provider uses a different model and terminology for IAM. The following table provides a brief overview of the terminology and concepts used by AWS and Google Cloud:
Cloud | Identity object used by Anyscale | IAM relationship with Anyscale control plane | IAM entity attached to Anyscale clusters |
---|---|---|---|
AWS | IAM role or instance profile | Cross-account IAM role | Default instance profile |
Google Cloud | Service account | Cross-cloud assumed service account | Default service account |
How does Anyscale use IAM?
When you deploy a job, service, or workspace, Anyscale uses the following IAM roles:
- Anyscale uses a control plane IAM role to configure and deploy infrastructure for your Ray cluster in your cloud provider account.
- The IAM role attached to your Ray cluster grants your Ray applications access to infrastructure and resources in your cloud provider account.
Anyscale provides the following options for altering the permissions available to developers and applications running on Ray clusters:
- Update the permissions in the default IAM role used by your Ray clusters. See Default role for Ray clusters.
- Use cloud IAM mapping to set permissions based on project, user, or cluster type. See Cloud IAM mapping.
- Specify an IAM role for your cluster in the advanced settings of your compute config. See Override default role with compute config.
Control plane IAM role
When you deploy an Anyscale cloud to AWS or Google Cloud, you configure a trust relationship between your cloud provider account and the Anyscale AWS account that allows the Anyscale control plane to deploy and configure infrastructure using an IAM role in your cloud provider account. The specific details of this role vary by cloud and by the features your admin enables.
Other names for the control plane role include the control plane service account and the cross-account IAM role.
Anyscale uses this role to perform actions such as deploying Ray clusters and storing artifacts in your cloud object storage. When you deploy a workspace, service, or job, Anyscale attaches a default cluster IAM role with more restricted permissions to the cluster nodes. See Default role for Ray clusters.
Your control plane IAM role must have permission to attach IAM roles to your virtual machines: on AWS, iam:PassRole for the cluster role, and on Google Cloud, the iam.serviceAccounts.actAs permission on the cluster service account. Because the control plane role can pass or act as the cluster role, restricting the control plane role matters as much as restricting the cluster role itself.
Whether you use `anyscale cloud setup` or `anyscale cloud register`, you can customize some permissions in this role after deploying your cloud. Disabling default configurations might remove some Anyscale features. For assistance restricting the default IAM permissions used by the control plane, contact Anyscale support.
Default role for Ray clusters
Anyscale attaches an IAM role to each node in your Ray cluster to allow the node to interact with other infrastructure in your cloud provider account.
The permissions configured for your default role might vary depending on how you deployed your Anyscale cloud. At minimum, your default role must have access to the default object storage location configured during your cloud deployment. Because every node in every cluster in the cloud receives this role, any permission you add here is available to all workloads and all users of that cloud.
You can optionally add permissions to the default IAM role to make more resources available to all Ray clusters deployed in your Anyscale cloud. See Manage AWS IAM roles for Anyscale clusters or Manage Google Cloud service accounts for Anyscale clusters.
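The two roles described in the Control plane IAM role and Default role for Ray clusters sections are the places where an overly broad policy does the most damage: a cross-account trust policy without an external ID condition exposes the role to the confused-deputy problem, and a cluster role with wildcard permissions hands those permissions to every workload in the cloud. The following Python is an added example, not Anyscale's own tooling or policy text, that audits constructed AWS IAM documents of both kinds. The account ID, external ID, and bucket name are placeholders chosen for the example.

```python
import json
import re
from typing import Any

# Constructed placeholders for the example; none of these are real Anyscale values.
ANYSCALE_ACCOUNT_ID = "111111111111"          # account the control plane assumes the role from
EXAMPLE_EXTERNAL_ID = "example-external-id"   # per-cloud secret the assuming party must present
DEFAULT_BUCKET = "anyscale-example-default-bucket"


def _as_list(value: Any) -> list:
    """IAM allows most fields to be a string or a list; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _account_of(principal: str) -> str:
    """Return the 12-digit account ID of an AWS principal (ARN or bare ID), or ''."""
    if re.fullmatch(r"\d{12}", principal):
        return principal
    m = re.match(r"^arn:aws:iam::(\d{12}):", principal)
    return m.group(1) if m else ""


def audit_trust_policy(doc: dict, expected_account: str) -> list:
    """Findings for a cross-account role trust policy (the control plane role)."""
    findings = []
    for st in _as_list(doc.get("Statement")):
        actions = _as_list(st.get("Action"))
        if st.get("Effect") != "Allow" or not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = st.get("Principal")
        aws_principals = _as_list(principal.get("AWS")) if isinstance(principal, dict) else []
        if principal == "*" or "*" in aws_principals:
            findings.append("trust policy allows any AWS principal to assume the role")
        else:
            for p in aws_principals:
                if _account_of(p) != expected_account:
                    findings.append(f"principal {p} is outside account {expected_account}")
        # Without an ExternalId condition, any third party the trusted account acts for could
        # ask it to assume this role on their behalf (the confused-deputy problem).
        if "sts:ExternalId" not in st.get("Condition", {}).get("StringEquals", {}):
            findings.append("AssumeRole statement lacks an sts:ExternalId condition")
    return findings


def audit_permissions_policy(doc: dict, default_bucket: str) -> list:
    """Findings for a cluster role permissions policy: wildcards and S3 access outside the default bucket."""
    bucket_arns = {f"arn:aws:s3:::{default_bucket}", f"arn:aws:s3:::{default_bucket}/*"}
    findings = []
    for st in _as_list(doc.get("Statement")):
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action"))
        resources = _as_list(st.get("Resource"))
        if "*" in resources and any(a == "*" or a.endswith(":*") for a in actions):
            findings.append(f"wildcard actions {actions} granted on all resources")
        s3_actions = [a for a in actions if a.lower().startswith("s3:")]
        stray = [r for r in resources if r not in bucket_arns]
        if s3_actions and stray:
            findings.append(f"S3 actions {s3_actions} reach beyond the default bucket: {stray}")
    return findings


# Constructed sample documents.
GOOD_TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": f"arn:aws:iam::{ANYSCALE_ACCOUNT_ID}:root"},
    "Condition": {"StringEquals": {"sts:ExternalId": EXAMPLE_EXTERNAL_ID}}}]}
BAD_TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole", "Principal": {"AWS": "*"}}]}
GOOD_CLUSTER_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": f"arn:aws:s3:::{DEFAULT_BUCKET}"},
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
     "Resource": f"arn:aws:s3:::{DEFAULT_BUCKET}/*"},
    {"Effect": "Allow", "Action": ["ec2:DescribeInstances"], "Resource": "*"}]}
BAD_CLUSTER_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}

if __name__ == "__main__":
    for name, doc, fn, arg in [
        ("good trust", GOOD_TRUST_POLICY, audit_trust_policy, ANYSCALE_ACCOUNT_ID),
        ("bad trust", BAD_TRUST_POLICY, audit_trust_policy, ANYSCALE_ACCOUNT_ID),
        ("good cluster", GOOD_CLUSTER_POLICY, audit_permissions_policy, DEFAULT_BUCKET),
        ("bad cluster", BAD_CLUSTER_POLICY, audit_permissions_policy, DEFAULT_BUCKET),
    ]:
        print(name, json.dumps(fn(doc, arg), indent=2))
```

Run against your real documents by loading them with `json.load` (for example, the output of `aws iam get-role` and `aws iam get-role-policy`) in place of the constructed dictionaries; an empty findings list for the trust policy means only the expected account can assume the role and only when it presents the external ID, and an empty list for the cluster policy means no wildcard grants and no S3 access outside the default bucket.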
Cloud IAM mapping
Anyscale cloud owners can configure cloud IAM mapping rules.
Cloud IAM mapping allows you to set the default IAM role attached to Ray clusters based on any combination of the following:
- Workload type (job, service, or workspace)
- Project name
- User identity (includes Anyscale service accounts)
For example, you can use cloud IAM mapping to configure read-only permissions to production data for workspaces in a project used for interactive development, and then grant read and write permissions on that production data for a service account that launches production Anyscale jobs.
See Anyscale cloud IAM mapping.
Override default role with compute config
You can directly specify an IAM role in the advanced configurations section of your compute config to override the default IAM role.
- For AWS, see Subnets, security groups, and instance IAM role.
- For Google Cloud, see Subnets and service accounts.
In some advanced use cases, such as deploying multiple applications to an Anyscale service, you might assign different IAM roles to worker node groups.
For most applications, Anyscale recommends using a single IAM role for all nodes in your cluster.