Skip to main content

Overview and Basic Configuration

Anyscale natively runs clusters with a specific identity, meaning that clusters managed by Anyscale can be configured to access specific resources. However, how to go about granting permissions to Anyscale clusters differs from cloud to cloud.

Bring your own AWS Compute [EC2]

On EC2 in your AWS Account, Anyscale clusters run with the following role:

arn:aws:iam::<your_aws_account_id>:instance-profile/ray-autoscaler-v1
info

This IAM Role is only in the account that Anyscale launches clusters in!

To make sure that all nodes are run with this role, add the following configuration to the Advanced Configuration of a Compute Configuration. Without this configuration only the head node will run with this role, resulting in blocked access to your resources.

{
"IamInstanceProfile": {
"Arn": "arn:aws:iam::<aws_account_id>:instance-profile/ray-autoscaler-v1"
}
}

Bring your own GCP

On GCP, clusters run with a Cloud specific Service Account that looks like: <cloud_id>@<bridge_project_id>.iam.gserviceaccount.com. This can be found in the Provider Identity column in the clouds table on the configurations page.

info

To verify the Service Account on a running ray cluster, run the following command:

python -c "import google.auth.transport.requests; c,_=google.auth.default(); \
c.refresh(google.auth.transport.requests.Request()); print(c.service_account_email)"