Anyscale natively runs clusters with a specific identity, meaning that clusters managed by Anyscale can be configured to access specific resources. However, how to go about granting permissions to Anyscale clusters differs from cloud to cloud.
Bring your own AWS Compute [EC2]
On EC2 in your AWS Account, Anyscale clusters run with the following role:
This IAM Role is only in the account that Anyscale launches clusters in!
Bring your own GCP
On GCP, clusters run with a Cloud specific Service Account that looks like:
<cloud_id>@<bridge_project_id>.iam.gserviceaccount.com. This can be found in the
Provider Identity column in the clouds table on the configurations page.
To verify the Service Account on a running ray cluster, run the following command:
python -c "import google.auth.transport.requests; c,_=google.auth.default(); \