Can a Ray cluster be started on GCP using an existing service account without having to create a GCP IAM role?

Dmitry_Balabka · June 5, 2023, 3:17pm

I’m having trouble creating a cluster on GCP due to insufficient permissions. Ray Cluster is attempting to create a GCP IAM service account, but it needs permission to create service accounts. I currently have an Editor role that allows me to create a Ray node manually. However, only GCP project owners have the ability to adjust permissions by default.

It is possible to utilize an existing service account credentials located in ~/.config/gcloud/application_default_credentials.json and created by the command gcloud auth application-default login?

Additionally, may I inquire about the primary motivation for creating a distinct IAM role, other than fundamental security considerations?

Jules_Damji · June 5, 2023, 5:57pm

@Dmitry_Balabka

cc: @Kai-Hsun_Chen @architkulkarni Anyone from the infra team can answer this question?

architkulkarni · June 5, 2023, 6:15pm

Hi @Dmitry_Balabka,

Does the configuration in Launching Ray Clusters on GCP — Ray 3.0.0.dev0 work? I would hope that it works for the head node in addition to worker nodes, but I’m not completely sure.

As for the initial motivation for the IAM role, I’m not sure if there are other reasons besides security. @ijrsvt do you happen to know?