Skip to main content

Bring An AWS IAM Role to Anyscale

This page describes both how to automatically create a role in your account, and how to configure an existing role such that Anyscale uses it.

Bring an Existing IAM Role to Anyscale

This section walks through the steps to configure an existing IAM role to run on Anyscale.

1. Navigate to the IAM Roles page, & search for the role you want to use for your Anyscale clusters' identity.

IAM Role PageThe Desired IAM Role

2. Select the role. You should now see the IAM Role Summary Page.

Selecting the Desired RoleIAM Role Summary Page

3. Select the "Trust relationships" tab.

Tab to SelectTrust Relationships Tab

4. Select "Edit trust relationship". You should now see a JSON text editor

Edit Trust Relationship ButtonJSON Editor for Trust Relationship

5. Paste in the following JSON, replacing <Cloud_ID> with your actual Anyscale Cloud's ID. and <ACCOUNT_ID> based on the following:

  • For 'Bring your own AWS Compute`, use the 12-digit AWS Account ID of the account where Anyscale was configured.
"Version": "2012-10-17",
"Statement": [
"Effect": "Allow",
"Principal": {

"AWS": "arn:aws:iam::<ACCOUNT_ID>:role/<Cloud_ID>-cluster_node_role"
"Action": "sts:AssumeRole",
"Condition": {}

Existing JSONNew JSON


If you want multiple clouds to use this IAM role, the "AWS" field can take a list of ARNs (see below):

"AWS": ["arn::::one", "arn:::two"]

6. Click "Update Trust Policy" to save your modifications

Saving Trust PolicyIAM Role, showing the new Trust Relationship


If you get an error like:

An error occurred: Invalid principal in policy: "AWS":"arn:..."

This likely means the cloud ID was incorrectly copied.

7. Proceed to configure your clusters.

Configuring Anyscale Clusters

Now that you have a role, you must configure clusters to use it.

1. Copy the "Role ARN" from your role (click the icon to the right of the ARN to copy).

2. Create a new Compute Config (here). Select the cloud that you had previously established a trust relationship to from the drop down.

Select Cloud by NameSelect the Cloud that matches the ID you used for your Trust Relationship

3. Expand the "Advanced configuration" box.

New Compute Config PageAdvanced Configuration Field

4. In the Advanced Configuration field, paste the following JSON, replacing Role ARN with the value copied from Step 1.

"IamInstanceProfile": { "Arn" : "Role ARN" }

**Filled out Advanced Configuration**

5. Add a name for your Compute Config & press Save! If you want to customize other parameters like node configurations, do so at this time.

Naming your Compute ConfigCreated Compute Config

6. Ensure that you use this Compute Config when you launch clusters!


CloudFormation Rollback

If the creation of the CloudFormation stack fails, it will automatically 'rollback'.

If the cloud stack creation fails with an "Invalid principal in policy" error , this is due to an incorrect Cloud ID: