AWS Identity and Access Management roles in AWS ParallelCluster
AWS ParallelCluster uses AWS Identity and Access Management (IAM) roles for Amazon EC2 to enable instances to access AWS services for the deployment and operation of a cluster. By default, the IAM role for Amazon EC2 is created when the cluster is created. This means that the user that creates the cluster must have the appropriate level of permissions, as described in the following sections.
AWS ParallelCluster uses multiple AWS services to deploy and operate a cluster. See the complete list in the AWS Services used in AWS ParallelCluster section.
Default settings for cluster creation
When you use the default settings for cluster creation, an IAM role for Amazon EC2 is created by the cluster. The user that creates the cluster must have the right level of permissions to create all of the resources required to launch the cluster. This includes an IAM role for Amazon EC2. Typically, the IAM user must have the permissions of an AdministratorAccess managed policy. For information about managed policies, see AWS managed policies in the IAM User Guide.
Using an existing IAM role for Amazon EC2
You can use an existing IAM role for Amazon EC2 when creating a cluster, but you must
first define the IAM policy
and role before attempting to launch the cluster. Typically, you choose an existing
IAM role for Amazon EC2 to reduce
the permissions that are granted to users as they launch clusters. The following example
shows an IAM policy and
role for both Amazon EC2 and the AWS ParallelCluster. You must create both policies
and roles as individual policies in
IAM and then attach the roles and policies to the appropriate resources. In the policies,
replace
<REGION>, <AWS ACCOUNT ID>, and similar strings with the
appropriate values.
AWS ParallelCluster example instance and user policies
The following example policies include Amazon Resource Names (ARNs) for the resources.
If
you're working in the AWS GovCloud (US) or AWS China partitions, the ARNs must be
changed. Specifically, they must be
changed from "arn:aws" to "arn:aws-us-gov" for the AWS GovCloud (US) partition or
"arn:aws-cn" for the AWS China
partition. For more information, see Amazon Resource Names (ARNs) in AWS GovCloud (US)
Regions in the AWS GovCloud (US) User Guide and ARNs for AWS services in China
Topics
- ParallelClusterInstancePolicy using SGE, Slurm, or Torque
- ParallelClusterInstancePolicy using awsbatch
- ParallelClusterUserPolicy using Slurm
- ParallelClusterUserPolicy using SGE or Torque
- ParallelClusterUserPolicy using awsbatch
- ParallelClusterLambdaPolicy using SGE, Slurm, or Torque
- ParallelClusterLambdaPolicy using awsbatch
- ParallelClusterUserPolicy for users
ParallelClusterInstancePolicy using SGE, Slurm, or
Torque
The following example sets the ParallelClusterInstancePolicy using SGE, Slurm, or Torque as
the scheduler.
{ "Version": "2012-10-17", "Statement": [ { "Action": [ "ec2:DescribeVolumes", "ec2:AttachVolume", "ec2:DescribeInstanceAttribute", "ec2:DescribeInstanceStatus", "ec2:DescribeInstanceTypes", "ec2:DescribeInstances", "ec2:DescribeRegions", "ec2:TerminateInstances", "ec2:DescribeLaunchTemplates", "ec2:CreateTags" ], "Resource": [ "*" ], "Effect": "Allow", "Sid": "EC2" }, { "Action": "ec2:RunInstances", "Resource": [ "arn:aws:ec2:<REGION>:<AWS ACCOUNT ID>:subnet/<COMPUTE SUBNET ID>", "arn:aws:ec2:<REGION>:<AWS ACCOUNT ID>:network-interface/*", "arn:aws:ec2:<REGION>:<AWS ACCOUNT ID>:instance/*", "arn:aws:ec2:<REGION>:<AWS ACCOUNT ID>:volume/*", "arn:aws:ec2:<REGION>::image/<IMAGE ID>", "arn:aws:ec2:<REGION>:<AWS ACCOUNT ID>:key-pair/<KEY NAME>", "arn:aws:ec2:<REGION>:<AWS ACCOUNT ID>:security-group/*", "arn:aws:ec2:<REGION>:<AWS ACCOUNT ID>:launch-template/*", "arn:aws:ec2:<REGION>:<AWS ACCOUNT ID>:placement-group/*" ], "Effect": "Allow", "Sid": "EC2RunInstances" }, { "Action": [ "dynamodb:ListTables" ], "Resource": [ "*" ], "Effect": "Allow", "Sid": "DynamoDBList" }, { "Action": [ "sqs:SendMessage", "sqs:ReceiveMessage", "sqs:ChangeMessageVisibility", "sqs:DeleteMessage", "sqs:GetQueueUrl" ], "Resource": [ "arn:aws:sqs:<REGION>:<AWS ACCOUNT ID>:parallelcluster-*" ], "Effect": "Allow", "Sid": "SQSQueue" }, { "Action": [ "autoscaling:DescribeAutoScalingGroups", "autoscaling:TerminateInstanceInAutoScalingGroup", "autoscaling:SetDesiredCapacity", "autoscaling:UpdateAutoScalingGroup", "autoscaling:DescribeTags", "autoscaling:SetInstanceHealth" ], "Resource": [ "*" ], "Effect": "Allow", "Sid": "Autoscaling" }, { "Action": [ "cloudformation:DescribeStacks", "cloudformation:DescribeStackResource", "cloudformation:SignalResource" ], "Resource": [ "arn:aws:cloudformation:<REGION>:<AWS ACCOUNT ID>:stack/parallelcluster-*/*" ], "Effect": "Allow", "Sid": "CloudFormation" }, { "Action": [ "dynamodb:PutItem", "dynamodb:Query", "dynamodb:GetItem", "dynamodb:BatchWriteItem", "dynamodb:DeleteItem", "dynamodb:DescribeTable" ], "Resource": [ "arn:aws:dynamodb:<REGION>:<AWS ACCOUNT ID>:table/parallelcluster-*" ], "Effect": "Allow", "Sid": "DynamoDBTable" }, { "Action": [ "s3:GetObject" ], "Resource": [ "arn:aws:s3:::<REGION>-aws-parallelcluster/*" ], "Effect": "Allow", "Sid": "S3GetObj" }, { "Action": [ "sqs:ListQueues" ], "Resource": [ "*" ], "Effect": "Allow", "Sid": "SQSList" }, { "Action": [ "iam:PassRole" ], "Resource": [ "*" ], "Effect": "Allow", "Sid": "IAMPassRole" }, { "Action": [ "s3:GetObject" ], "Resource": [ "arn:aws:s3:::dcv-license.<REGION>/*" ], "Effect": "Allow", "Sid": "DcvLicense" }, { "Action": [ "s3:GetObject", "s3:GetObjectVersion" ], "Resource": [ "arn:aws:s3:::parallelcluster-*/*" ], "Effect": "Allow", "Sid": "GetClusterConfig" }, { "Action": [ "fsx:DescribeFileSystems" ], "Resource": [ "*" ], "Effect": "Allow", "Sid": "FSx" }, { "Action": [ "logs:CreateLogStream", "logs:PutLogEvents" ], "Resource": [ "*" ], "Effect": "Allow", "Sid": "CWLogs" }, { "Action": [ "route53:ChangeResourceRecordSets" ], "Resource": [ "arn:aws:route53:::hostedzone/*" ], "Effect": "Allow", "Sid": "Route53" } ] }
ParallelClusterInstancePolicy using
awsbatch
The following example sets the ParallelClusterInstancePolicy using awsbatch as the
scheduler. You must include the same policies that are assigned to the BatchUserRole that is defined in
the AWS Batch AWS CloudFormation nested stack. The BatchUserRole ARN is provided as a stack output. In this example,
“<RESOURCES S3 BUCKET>” is the value of the cluster_resource_bucket setting; if cluster_resource_bucket is not specified then
“<RESOURCES S3 BUCKET>” is “parallelcluster-*”. The following example is an overview
of the required permissions:
{ "Version": "2012-10-17", "Statement": [ { "Action": [ "batch:RegisterJobDefinition", "logs:GetLogEvents" ], "Resource": [ "*" ], "Effect": "Allow" }, { "Action": [ "batch:SubmitJob", "cloudformation:DescribeStacks", "ecs:ListContainerInstances", "ecs:DescribeContainerInstances", "logs:FilterLogEvents", "s3:PutObject", "s3:Get*", "s3:DeleteObject", "iam:PassRole" ], "Resource": [ "arn:aws:batch:<REGION>:<AWS ACCOUNT ID>:job-definition/<AWS_BATCH_STACK - JOB_DEFINITION_SERIAL_NAME>:1", "arn:aws:batch:<REGION>:<AWS ACCOUNT ID>:job-definition/<AWS_BATCH_STACK - JOB_DEFINITION_MNP_NAME>*", "arn:aws:batch:<REGION>:<AWS ACCOUNT ID>:job-queue/<AWS_BATCH_STACK - JOB_QUEUE_NAME>", "arn:aws:cloudformation:<REGION>:<AWS ACCOUNT ID>:stack/<STACK NAME>/*", "arn:aws:s3:::<RESOURCES S3 BUCKET>/batch/*", "arn:aws:iam::<AWS ACCOUNT ID>:role/<AWS_BATCH_STACK - JOB_ROLE>", "arn:aws:ecs:<REGION>:<AWS ACCOUNT ID>:cluster/<ECS COMPUTE ENVIRONMENT>", "arn:aws:ecs:<REGION>:<AWS ACCOUNT ID>:container-instance/*", "arn:aws:logs:<REGION>:<AWS ACCOUNT ID>:log-group:/aws/batch/job:log-stream:*" ], "Effect": "Allow" }, { "Action": [ "s3:List*" ], "Resource": [ "arn:aws:s3:::<RESOURCES S3 BUCKET>" ], "Effect": "Allow" }, { "Action": [ "batch:DescribeJobQueues", "batch:TerminateJob", "batch:DescribeJobs", "batch:CancelJob", "batch:DescribeJobDefinitions", "batch:ListJobs", "batch:DescribeComputeEnvironments" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "ec2:DescribeInstances", "ec2:AttachVolume", "ec2:DescribeVolumes", "ec2:DescribeInstanceAttribute" ], "Resource": "*", "Effect": "Allow", "Sid": "EC2" }, { "Action": [ "cloudformation:DescribeStackResource", "cloudformation:SignalResource" ], "Resource": "*", "Effect": "Allow", "Sid": "CloudFormation" }, { "Action": [ "fsx:DescribeFileSystems" ], "Resource": [ "*" ], "Effect": "Allow", "Sid": "FSx" }, { "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream" ], "Resource": [ "*" ], "Effect": "Allow", "Sid": "CWLogs" } ] }
ParallelClusterUserPolicy using Slurm
The following example sets the ParallelClusterUserPolicy, using Slurm as the scheduler. In this
example, “<RESOURCES S3 BUCKET>” is the value of the cluster_resource_bucket setting; if cluster_resource_bucket is not specified then
“<RESOURCES S3 BUCKET>” is “parallelcluster-*”.
If you use a custom role, ec2_iam_role =
, you must change the IAM resource to include the name of that
role from:
<role_name>
"Resource": "arn:aws:iam::<AWS ACCOUNT
ID>:role/parallelcluster-*"
To:
"Resource": "arn:aws:iam::<AWS ACCOUNT
ID>:role/<role_name>"
{ "Version": "2012-10-17", "Statement": [ { "Action": [ "ec2:DescribeKeyPairs", "ec2:DescribeRegions", "ec2:DescribeVpcs", "ec2:DescribeSubnets", "ec2:DescribeSecurityGroups", "ec2:DescribePlacementGroups", "ec2:DescribeImages", "ec2:DescribeInstances", "ec2:DescribeInstanceStatus", "ec2:DescribeInstanceTypes", "ec2:DescribeInstanceTypeOfferings", "ec2:DescribeSnapshots", "ec2:DescribeVolumes", "ec2:DescribeVpcAttribute", "ec2:DescribeAddresses", "ec2:CreateTags", "ec2:DescribeNetworkInterfaces", "ec2:DescribeAvailabilityZones" ], "Resource": "*", "Effect": "Allow", "Sid": "EC2Describe" }, { "Action": [ "ec2:CreateVpc", "ec2:ModifyVpcAttribute", "ec2:DescribeNatGateways", "ec2:CreateNatGateway", "ec2:DescribeInternetGateways", "ec2:CreateInternetGateway", "ec2:AttachInternetGateway", "ec2:DescribeRouteTables", "ec2:CreateRoute", "ec2:CreateRouteTable", "ec2:AssociateRouteTable", "ec2:CreateSubnet", "ec2:ModifySubnetAttribute" ], "Resource": "*", "Effect": "Allow", "Sid": "NetworkingEasyConfig" }, { "Action": [ "ec2:CreateVolume", "ec2:RunInstances", "ec2:AllocateAddress", "ec2:AssociateAddress", "ec2:AttachNetworkInterface", "ec2:AuthorizeSecurityGroupEgress", "ec2:AuthorizeSecurityGroupIngress", "ec2:CreateNetworkInterface", "ec2:CreateSecurityGroup", "ec2:ModifyVolumeAttribute", "ec2:ModifyNetworkInterfaceAttribute", "ec2:DeleteNetworkInterface", "ec2:DeleteVolume", "ec2:TerminateInstances", "ec2:DeleteSecurityGroup", "ec2:DisassociateAddress", "ec2:RevokeSecurityGroupIngress", "ec2:RevokeSecurityGroupEgress", "ec2:ReleaseAddress", "ec2:CreatePlacementGroup", "ec2:DeletePlacementGroup" ], "Resource": "*", "Effect": "Allow", "Sid": "EC2Modify" }, { "Action": [ "autoscaling:CreateAutoScalingGroup", "ec2:CreateLaunchTemplate", "ec2:CreateLaunchTemplateVersion", "ec2:ModifyLaunchTemplate", "ec2:DeleteLaunchTemplate", "ec2:DescribeLaunchTemplates", "ec2:DescribeLaunchTemplateVersions" ], "Resource": "*", "Effect": "Allow", "Sid": "ScalingModify" }, { "Action": [ "dynamodb:DescribeTable", "dynamodb:ListTagsOfResource" ], "Resource": "*", "Effect": "Allow", "Sid": "DynamoDBDescribe" }, { "Action": [ "dynamodb:CreateTable", "dynamodb:DeleteTable", "dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:Query", "dynamodb:TagResource" ], "Resource": "*", "Effect": "Allow", "Sid": "DynamoDBModify" }, { "Action": [ "route53:ChangeResourceRecordSets", "route53:ChangeTagsForResource", "route53:CreateHostedZone", "route53:DeleteHostedZone", "route53:GetChange", "route53:GetHostedZone", "route53:ListResourceRecordSets", "route53:ListQueryLoggingConfigs" ], "Resource": "*", "Effect": "Allow", "Sid": "Route53HostedZones" }, { "Action": [ "cloudformation:DescribeStackEvents", "cloudformation:DescribeStackResource", "cloudformation:DescribeStackResources", "cloudformation:DescribeStacks", "cloudformation:ListStacks", "cloudformation:GetTemplate" ], "Resource": "*", "Effect": "Allow", "Sid": "CloudFormationDescribe" }, { "Action": [ "cloudformation:CreateStack", "cloudformation:DeleteStack", "cloudformation:UpdateStack" ], "Effect": "Allow", "Resource": "*", "Sid": "CloudFormationModify" }, { "Action": [ "s3:*" ], "Resource": [ "arn:aws:s3:::<RESOURCES S3 BUCKET>" ], "Effect": "Allow", "Sid": "S3ResourcesBucket" }, { "Action": [ "s3:Get*", "s3:List*" ], "Resource": [ "arn:aws:s3:::<REGION>-aws-parallelcluster*" ], "Effect": "Allow", "Sid": "S3ParallelClusterReadOnly" }, { "Action": [ "s3:DeleteBucket", "s3:DeleteObject", "s3:DeleteObjectVersion" ], "Resource": [ "arn:aws:s3:::<RESOURCES S3 BUCKET>" ], "Effect": "Allow", "Sid": "S3Delete" }, { "Action": [ "iam:PassRole", "iam:CreateRole", "iam:CreateServiceLinkedRole", "iam:DeleteRole", "iam:GetRole", "iam:TagRole", "iam:SimulatePrincipalPolicy" ], "Resource": [ "arn:aws:iam::<AWS ACCOUNT ID>:role/<PARALLELCLUSTER EC2 ROLE NAME>", "arn:aws:iam::<AWS ACCOUNT ID>:role/parallelcluster-*", "arn:aws:iam::<AWS ACCOUNT ID>:role/aws-service-role/*" ], "Effect": "Allow", "Sid": "IAMModify" }, { "Action": [ "iam:CreateInstanceProfile", "iam:DeleteInstanceProfile" ], "Resource": "arn:aws:iam::<AWS ACCOUNT ID>:instance-profile/*", "Effect": "Allow", "Sid": "IAMCreateInstanceProfile" }, { "Action": [ "iam:AddRoleToInstanceProfile", "iam:RemoveRoleFromInstanceProfile", "iam:GetRolePolicy", "iam:GetPolicy", "iam:AttachRolePolicy", "iam:DetachRolePolicy", "iam:PutRolePolicy", "iam:DeleteRolePolicy" ], "Resource": "*", "Effect": "Allow", "Sid": "IAMInstanceProfile" }, { "Action": [ "elasticfilesystem:DescribeMountTargets", "elasticfilesystem:DescribeMountTargetSecurityGroups", "ec2:DescribeNetworkInterfaceAttribute" ], "Resource": "*", "Effect": "Allow", "Sid": "EFSDescribe" }, { "Action": [ "ssm:GetParametersByPath" ], "Resource": "*", "Effect": "Allow", "Sid": "SSMDescribe" }, { "Action": [ "fsx:*" ], "Resource": "*", "Effect": "Allow", "Sid": "FSx" }, { "Action": [ "elasticfilesystem:*" ], "Resource": "*", "Effect": "Allow", "Sid": "EFS" }, { "Action": [ "logs:DeleteLogGroup", "logs:PutRetentionPolicy", "logs:DescribeLogGroups", "logs:CreateLogGroup" ], "Resource": "*", "Effect": "Allow", "Sid": "CloudWatchLogs" }, { "Action": [ "lambda:CreateFunction", "lambda:DeleteFunction", "lambda:GetFunctionConfiguration", "lambda:GetFunction", "lambda:InvokeFunction", "lambda:AddPermission", "lambda:RemovePermission" ], "Resource": [ "arn:aws:lambda:<REGION>:<AWS ACCOUNT ID>:function:parallelcluster-*", "arn:aws:lambda:<REGION>:<AWS ACCOUNT ID>:function:pcluster-*" ], "Effect": "Allow", "Sid": "Lambda" }, { "Sid": "CloudWatch", "Effect": "Allow", "Action": [ "cloudwatch:PutDashboard", "cloudwatch:ListDashboards", "cloudwatch:DeleteDashboards", "cloudwatch:GetDashboard" ], "Resource": "*" } ] }
ParallelClusterUserPolicy using SGE or
Torque
The following example sets the ParallelClusterUserPolicy, using SGE or Torque as the
scheduler. In this example, “<RESOURCES S3 BUCKET>” is the value of the cluster_resource_bucket setting; if cluster_resource_bucket is not specified then
“<RESOURCES S3 BUCKET>” is “parallelcluster-*”.
If you use a custom role, ec2_iam_role =
, you must change the IAM resource to include the name of that
role from:
<role_name>
"Resource": "arn:aws:iam::<AWS ACCOUNT
ID>:role/parallelcluster-*"
To:
"Resource": "arn:aws:iam::<AWS ACCOUNT
ID>:role/<role_name>"
{ "Version": "2012-10-17", "Statement": [ { "Action": [ "ec2:DescribeKeyPairs", "ec2:DescribeRegions", "ec2:DescribeVpcs", "ec2:DescribeSubnets", "ec2:DescribeSecurityGroups", "ec2:DescribePlacementGroups", "ec2:DescribeImages", "ec2:DescribeInstances", "ec2:DescribeInstanceStatus", "ec2:DescribeInstanceTypes", "ec2:DescribeInstanceTypeOfferings", "ec2:DescribeSnapshots", "ec2:DescribeVolumes", "ec2:DescribeVpcAttribute", "ec2:DescribeAddresses", "ec2:CreateTags", "ec2:DescribeNetworkInterfaces", "ec2:DescribeAvailabilityZones" ], "Resource": "*", "Effect": "Allow", "Sid": "EC2Describe" }, { "Action": [ "ec2:CreateVpc", "ec2:ModifyVpcAttribute", "ec2:DescribeNatGateways", "ec2:CreateNatGateway", "ec2:DescribeInternetGateways", "ec2:CreateInternetGateway", "ec2:AttachInternetGateway", "ec2:DescribeRouteTables", "ec2:CreateRoute", "ec2:CreateRouteTable", "ec2:AssociateRouteTable", "ec2:CreateSubnet", "ec2:ModifySubnetAttribute" ], "Resource": "*", "Effect": "Allow", "Sid": "NetworkingEasyConfig" }, { "Action": [ "ec2:CreateVolume", "ec2:RunInstances", "ec2:AllocateAddress", "ec2:AssociateAddress", "ec2:AttachNetworkInterface", "ec2:AuthorizeSecurityGroupEgress", "ec2:AuthorizeSecurityGroupIngress", "ec2:CreateNetworkInterface", "ec2:CreateSecurityGroup", "ec2:ModifyVolumeAttribute", "ec2:ModifyNetworkInterfaceAttribute", "ec2:DeleteNetworkInterface", "ec2:DeleteVolume", "ec2:TerminateInstances", "ec2:DeleteSecurityGroup", "ec2:DisassociateAddress", "ec2:RevokeSecurityGroupIngress", "ec2:RevokeSecurityGroupEgress", "ec2:ReleaseAddress", "ec2:CreatePlacementGroup", "ec2:DeletePlacementGroup" ], "Resource": "*", "Effect": "Allow", "Sid": "EC2Modify" }, { "Action": [ "autoscaling:DescribeAutoScalingGroups", "autoscaling:DescribeAutoScalingInstances" ], "Resource": "*", "Effect": "Allow", "Sid": "AutoScalingDescribe" }, { "Action": [ "autoscaling:CreateAutoScalingGroup", "ec2:CreateLaunchTemplate", "ec2:CreateLaunchTemplateVersion", "ec2:ModifyLaunchTemplate", "ec2:DeleteLaunchTemplate", "ec2:DescribeLaunchTemplates", "ec2:DescribeLaunchTemplateVersions", "autoscaling:PutNotificationConfiguration", "autoscaling:UpdateAutoScalingGroup", "autoscaling:PutScalingPolicy", "autoscaling:DescribeScalingActivities", "autoscaling:DeleteAutoScalingGroup", "autoscaling:DeletePolicy", "autoscaling:DisableMetricsCollection", "autoscaling:EnableMetricsCollection" ], "Resource": "*", "Effect": "Allow", "Sid": "AutoScalingModify" }, { "Action": [ "dynamodb:DescribeTable", "dynamodb:ListTagsOfResource" ], "Resource": "*", "Effect": "Allow", "Sid": "DynamoDBDescribe" }, { "Action": [ "dynamodb:CreateTable", "dynamodb:DeleteTable", "dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:Query", "dynamodb:TagResource" ], "Resource": "*", "Effect": "Allow", "Sid": "DynamoDBModify" }, { "Action": [ "sqs:GetQueueAttributes" ], "Resource": "*", "Effect": "Allow", "Sid": "SQSDescribe" }, { "Action": [ "sqs:CreateQueue", "sqs:SetQueueAttributes", "sqs:DeleteQueue", "sqs:TagQueue" ], "Resource": "*", "Effect": "Allow", "Sid": "SQSModify" }, { "Action": [ "sns:ListTopics", "sns:GetTopicAttributes" ], "Resource": "*", "Effect": "Allow", "Sid": "SNSDescribe" }, { "Action": [ "sns:CreateTopic", "sns:Subscribe", "sns:Unsubscribe", "sns:DeleteTopic" ], "Resource": "*", "Effect": "Allow", "Sid": "SNSModify" }, { "Action": [ "cloudformation:DescribeStackEvents", "cloudformation:DescribeStackResource", "cloudformation:DescribeStackResources", "cloudformation:DescribeStacks", "cloudformation:ListStacks", "cloudformation:GetTemplate" ], "Resource": "*", "Effect": "Allow", "Sid": "CloudFormationDescribe" }, { "Action": [ "cloudformation:CreateStack", "cloudformation:DeleteStack", "cloudformation:UpdateStack" ], "Effect": "Allow", "Resource": "*", "Sid": "CloudFormationModify" }, { "Action": [ "s3:*" ], "Resource": [ "arn:aws:s3:::<RESOURCES S3 BUCKET>" ], "Effect": "Allow", "Sid": "S3ResourcesBucket" }, { "Action": [ "s3:Get*", "s3:List*" ], "Resource": [ "arn:aws:s3:::<REGION>-aws-parallelcluster*" ], "Effect": "Allow", "Sid": "S3ParallelClusterReadOnly" }, { "Action": [ "s3:DeleteBucket", "s3:DeleteObject", "s3:DeleteObjectVersion" ], "Resource": [ "arn:aws:s3:::<RESOURCES S3 BUCKET>" ], "Effect": "Allow", "Sid": "S3Delete" }, { "Action": [ "iam:PassRole", "iam:CreateRole", "iam:CreateServiceLinkedRole", "iam:DeleteRole", "iam:GetRole", "iam:TagRole", "iam:SimulatePrincipalPolicy" ], "Resource": [ "arn:aws:iam::<AWS ACCOUNT ID>:role/<PARALLELCLUSTER EC2 ROLE NAME>", "arn:aws:iam::<AWS ACCOUNT ID>:role/parallelcluster-*", "arn:aws:iam::<AWS ACCOUNT ID>:role/aws-service-role/*" ], "Effect": "Allow", "Sid": "IAMModify" }, { "Action": [ "iam:CreateInstanceProfile", "iam:DeleteInstanceProfile" ], "Resource": "arn:aws:iam::<AWS ACCOUNT ID>:instance-profile/*", "Effect": "Allow", "Sid": "IAMCreateInstanceProfile" }, { "Action": [ "iam:AddRoleToInstanceProfile", "iam:RemoveRoleFromInstanceProfile", "iam:GetRolePolicy", "iam:GetPolicy", "iam:AttachRolePolicy", "iam:DetachRolePolicy", "iam:PutRolePolicy", "iam:DeleteRolePolicy" ], "Resource": "*", "Effect": "Allow", "Sid": "IAMInstanceProfile" }, { "Action": [ "elasticfilesystem:DescribeMountTargets", "elasticfilesystem:DescribeMountTargetSecurityGroups", "ec2:DescribeNetworkInterfaceAttribute" ], "Resource": "*", "Effect": "Allow", "Sid": "EFSDescribe" }, { "Action": [ "ssm:GetParametersByPath" ], "Resource": "*", "Effect": "Allow", "Sid": "SSMDescribe" }, { "Action": [ "fsx:*" ], "Resource": "*", "Effect": "Allow", "Sid": "FSx" }, { "Action": [ "elasticfilesystem:*" ], "Resource": "*", "Effect": "Allow", "Sid": "EFS" }, { "Action": [ "logs:DeleteLogGroup", "logs:PutRetentionPolicy", "logs:DescribeLogGroups", "logs:CreateLogGroup" ], "Resource": "*", "Effect": "Allow", "Sid": "CloudWatchLogs" }, { "Action": [ "lambda:CreateFunction", "lambda:DeleteFunction", "lambda:GetFunctionConfiguration", "lambda:GetFunction", "lambda:InvokeFunction", "lambda:AddPermission", "lambda:RemovePermission" ], "Resource": [ "arn:aws:lambda:<REGION>:<AWS ACCOUNT ID>:function:parallelcluster-*", "arn:aws:lambda:<REGION>:<AWS ACCOUNT ID>:function:pcluster-*" ], "Effect": "Allow", "Sid": "Lambda" }, { "Sid": "CloudWatch", "Effect": "Allow", "Action": [ "cloudwatch:PutDashboard", "cloudwatch:ListDashboards", "cloudwatch:DeleteDashboards", "cloudwatch:GetDashboard" ], "Resource": "*" } ] }
ParallelClusterUserPolicy using
awsbatch
The following example sets the ParallelClusterUserPolicy using awsbatch as the
scheduler. In this example, “<RESOURCES S3 BUCKET>” is the value of the cluster_resource_bucket setting; if cluster_resource_bucket is not specified then
“<RESOURCES S3 BUCKET>” is “parallelcluster-*”.
{ "Version": "2012-10-17", "Statement": [ { "Action": [ "ec2:DescribeKeyPairs", "ec2:DescribeRegions", "ec2:DescribeVpcs", "ec2:DescribeSubnets", "ec2:DescribeSecurityGroups", "ec2:DescribePlacementGroups", "ec2:DescribeImages", "ec2:DescribeInstances", "ec2:DescribeInstanceStatus", "ec2:DescribeInstanceTypes", "ec2:DescribeInstanceTypeOfferings", "ec2:DescribeSnapshots", "ec2:DescribeVolumes", "ec2:DescribeVpcAttribute", "ec2:DescribeAddresses", "ec2:CreateTags", "ec2:DescribeNetworkInterfaces", "ec2:DescribeAvailabilityZones" ], "Resource": "*", "Effect": "Allow", "Sid": "EC2Describe" }, { "Action": [ "ec2:CreateLaunchTemplate", "ec2:CreateLaunchTemplateVersion", "ec2:ModifyLaunchTemplate", "ec2:DeleteLaunchTemplate", "ec2:DescribeLaunchTemplates", "ec2:DescribeLaunchTemplateVersions" ], "Resource": "*", "Effect": "Allow", "Sid": "EC2LaunchTemplate" }, { "Action": [ "ec2:CreateVpc", "ec2:ModifyVpcAttribute", "ec2:DescribeNatGateways", "ec2:CreateNatGateway", "ec2:DescribeInternetGateways", "ec2:CreateInternetGateway", "ec2:AttachInternetGateway", "ec2:DescribeRouteTables", "ec2:CreateRoute", "ec2:CreateRouteTable", "ec2:AssociateRouteTable", "ec2:CreateSubnet", "ec2:ModifySubnetAttribute" ], "Resource": "*", "Effect": "Allow", "Sid": "NetworkingEasyConfig" }, { "Action": [ "ec2:CreateVolume", "ec2:RunInstances", "ec2:AllocateAddress", "ec2:AssociateAddress", "ec2:AttachNetworkInterface", "ec2:AuthorizeSecurityGroupEgress", "ec2:AuthorizeSecurityGroupIngress", "ec2:CreateNetworkInterface", "ec2:CreateSecurityGroup", "ec2:ModifyVolumeAttribute", "ec2:ModifyNetworkInterfaceAttribute", "ec2:DeleteNetworkInterface", "ec2:DeleteVolume", "ec2:TerminateInstances", "ec2:DeleteSecurityGroup", "ec2:DisassociateAddress", "ec2:RevokeSecurityGroupIngress", "ec2:RevokeSecurityGroupEgress", "ec2:ReleaseAddress", "ec2:CreatePlacementGroup", "ec2:DeletePlacementGroup" ], "Resource": "*", "Effect": "Allow", "Sid": "EC2Modify" }, { "Action": [ "dynamodb:DescribeTable", "dynamodb:CreateTable", "dynamodb:DeleteTable", "dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:Query", "dynamodb:TagResource" ], "Resource": "arn:aws:dynamodb:<REGION>:<AWS ACCOUNT ID>:table/parallelcluster-*", "Effect": "Allow", "Sid": "DynamoDB" }, { "Action": [ "cloudformation:DescribeStackEvents", "cloudformation:DescribeStackResource", "cloudformation:DescribeStackResources", "cloudformation:DescribeStacks", "cloudformation:ListStacks", "cloudformation:GetTemplate", "cloudformation:CreateStack", "cloudformation:DeleteStack", "cloudformation:UpdateStack" ], "Resource": "arn:aws:cloudformation:<REGION>:<AWS ACCOUNT ID>:stack/parallelcluster-*", "Effect": "Allow", "Sid": "CloudFormation" }, { "Action": [ "route53:ChangeResourceRecordSets", "route53:ChangeTagsForResource", "route53:CreateHostedZone", "route53:DeleteHostedZone", "route53:GetChange", "route53:GetHostedZone", "route53:ListResourceRecordSets" ], "Resource": "arn:aws:route53:::hostedzone/*", "Effect": "Allow", "Sid": "Route53HostedZones" }, { "Action": [ "sqs:GetQueueAttributes", "sqs:CreateQueue", "sqs:SetQueueAttributes", "sqs:DeleteQueue", "sqs:TagQueue" ], "Resource": "*", "Effect": "Allow", "Sid": "SQS" }, { "Action": [ "sqs:SendMessage", "sqs:ReceiveMessage", "sqs:ChangeMessageVisibility", "sqs:DeleteMessage", "sqs:GetQueueUrl" ], "Resource": "arn:aws:sqs:<REGION>:<AWS ACCOUNT ID>:parallelcluster-*", "Effect": "Allow", "Sid": "SQSQueue" }, { "Action": [ "sns:ListTopics", "sns:GetTopicAttributes", "sns:CreateTopic", "sns:Subscribe", "sns:Unsubscribe", "sns:DeleteTopic" ], "Resource": "*", "Effect": "Allow", "Sid": "SNS" }, { "Action": [ "iam:PassRole", "iam:CreateRole", "iam:DeleteRole", "iam:GetRole", "iam:TagRole", "iam:SimulatePrincipalPolicy" ], "Resource": [ "arn:aws:iam::<AWS ACCOUNT ID>:role/parallelcluster-*", "arn:aws:iam::<AWS ACCOUNT ID>:role/<PARALLELCLUSTER EC2 ROLE NAME>" ], "Effect": "Allow", "Sid": "IAMRole" }, { "Action": [ "iam:CreateInstanceProfile", "iam:DeleteInstanceProfile", "iam:GetInstanceProfile", "iam:PassRole" ], "Resource": "arn:aws:iam::<AWS ACCOUNT ID>:instance-profile/*", "Effect": "Allow", "Sid": "IAMInstanceProfile" }, { "Action": [ "iam:AddRoleToInstanceProfile", "iam:RemoveRoleFromInstanceProfile", "iam:GetRolePolicy", "iam:PutRolePolicy", "iam:DeleteRolePolicy", "iam:GetPolicy", "iam:AttachRolePolicy", "iam:DetachRolePolicy" ], "Resource": "*", "Effect": "Allow", "Sid": "IAM" }, { "Action": [ "s3:*" ], "Resource": [ "arn:aws:s3:::<RESOURCES S3 BUCKET>" ], "Effect": "Allow", "Sid": "S3ResourcesBucket" }, { "Action": [ "s3:Get*", "s3:List*" ], "Resource": [ "arn:aws:s3:::<REGION>-aws-parallelcluster/*" ], "Effect": "Allow", "Sid": "S3ParallelClusterReadOnly" }, { "Action": [ "s3:DeleteBucket", "s3:DeleteObject", "s3:DeleteObjectVersion" ], "Resource": [ "arn:aws:s3:::<RESOURCES S3 BUCKET>" ], "Effect": "Allow", "Sid": "S3Delete" }, { "Action": [ "lambda:CreateFunction", "lambda:DeleteFunction", "lambda:GetFunction", "lambda:GetFunctionConfiguration", "lambda:InvokeFunction", "lambda:AddPermission", "lambda:RemovePermission" ], "Resource": [ "arn:aws:lambda:<REGION>:<AWS ACCOUNT ID>:function:parallelcluster-*", "arn:aws:lambda:<REGION>:<AWS ACCOUNT ID>:function:pcluster-*" ], "Effect": "Allow", "Sid": "Lambda" }, { "Action": [ "logs:*" ], "Resource": "arn:aws:logs:<REGION>:<AWS ACCOUNT ID>:*", "Effect": "Allow", "Sid": "Logs" }, { "Action": [ "codebuild:*" ], "Resource": "arn:aws:codebuild:<REGION>:<AWS ACCOUNT ID>:project/parallelcluster-*", "Effect": "Allow", "Sid": "CodeBuild" }, { "Action": [ "ecr:*" ], "Resource": "*", "Effect": "Allow", "Sid": "ECR" }, { "Action": [ "batch:*" ], "Resource": "*", "Effect": "Allow", "Sid": "Batch" }, { "Action": [ "events:*" ], "Effect": "Allow", "Resource": "*", "Sid": "AmazonCloudWatchEvents" }, { "Action": [ "ecs:DescribeContainerInstances", "ecs:ListContainerInstances" ], "Resource": "*", "Effect": "Allow", "Sid": "ECS" }, { "Action": [ "elasticfilesystem:CreateFileSystem", "elasticfilesystem:CreateMountTarget", "elasticfilesystem:DeleteFileSystem", "elasticfilesystem:DeleteMountTarget", "elasticfilesystem:DescribeFileSystems", "elasticfilesystem:DescribeMountTargets" ], "Resource": "*", "Effect": "Allow", "Sid": "EFS" }, { "Action": [ "fsx:*" ], "Resource": "*", "Effect": "Allow", "Sid": "FSx" }, { "Sid": "CloudWatch", "Effect": "Allow", "Action": [ "cloudwatch:PutDashboard", "cloudwatch:ListDashboards", "cloudwatch:DeleteDashboards", "cloudwatch:GetDashboard" ], "Resource": "*" } ] }
ParallelClusterLambdaPolicy using SGE, Slurm, or
Torque
The following example sets the ParallelClusterLambdaPolicy, using SGE, Slurm, or Torque as
the scheduler.
{ "Version": "2012-10-17", "Statement": [ { "Action": [ "logs:CreateLogStream", "logs:PutLogEvents" ], "Resource": "arn:aws:logs:*:*:*", "Effect": "Allow", "Sid": "CloudWatchLogsPolicy" }, { "Action": [ "s3:DeleteBucket", "s3:DeleteObject", "s3:DeleteObjectVersion", "s3:ListBucket", "s3:ListBucketVersions" ], "Resource": [ "arn:aws:s3:::*" ], "Effect": "Allow", "Sid": "S3BucketPolicy" }, { "Action": [ "ec2:DescribeInstances" ], "Resource": "*", "Effect": "Allow", "Sid": "DescribeInstances" }, { "Action": [ "ec2:TerminateInstances" ], "Resource": "*", "Effect": "Allow", "Sid": "FleetTerminatePolicy" }, { "Action": [ "dynamodb:GetItem", "dynamodb:PutItem" ], "Resource": "arn:aws:dynamodb:<REGION>:<AWS ACCOUNT ID>:table/parallelcluster-*", "Effect": "Allow", "Sid": "DynamoDBTable" }, { "Action": [ "route53:ListResourceRecordSets", "route53:ChangeResourceRecordSets" ], "Resource": [ "arn:aws:route53:::hostedzone/*" ], "Effect": "Allow", "Sid": "Route53DeletePolicy" } ] }
ParallelClusterLambdaPolicy using
awsbatch
The following example sets the ParallelClusterLambdaPolicy using awsbatch as the
scheduler.
{ "Version": "2012-10-17", "Statement": [ { "Action": [ "logs:CreateLogStream", "logs:PutLogEvents" ], "Effect": "Allow", "Resource": "arn:aws:logs:*:*:*", "Sid": "CloudWatchLogsPolicy" }, { "Action": [ "ecr:BatchDeleteImage", "ecr:ListImages" ], "Effect": "Allow", "Resource": "*", "Sid": "ECRPolicy" }, { "Action": [ "codebuild:BatchGetBuilds", "codebuild:StartBuild" ], "Effect": "Allow", "Resource": "*", "Sid": "CodeBuildPolicy" }, { "Action": [ "s3:DeleteBucket", "s3:DeleteObject", "s3:DeleteObjectVersion", "s3:ListBucket", "s3:ListBucketVersions" ], "Effect": "Allow", "Resource": "*", "Sid": "S3BucketPolicy" } ] }
ParallelClusterUserPolicy for users
The following example sets the ParallelClusterUserPolicy for users that don't need to create or
update clusters. The following commands are supported.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "MinimumModify", "Action": [ "autoscaling:UpdateAutoScalingGroup", "batch:UpdateComputeEnvironment", "cloudformation:DescribeStackEvents", "cloudformation:DescribeStackResources", "cloudformation:GetTemplate", "dynamodb:GetItem", "dynamodb:PutItem" ], "Effect": "Allow", "Resource": [ "arn:aws:autoscaling:<REGION>:<AWS ACCOUNT ID>:autoScalingGroup:*:autoScalingGroupName/parallelcluster-*", "arn:aws:batch:<REGION>:<AWS ACCOUNT ID>:compute-environment/*", "arn:aws:cloudformation:<REGION>:<AWS ACCOUNT ID>:stack/<CLUSTERNAME>/*", "arn:aws:dynamodb:<REGION>:<AWS ACCOUNT ID>:table/<CLUSTERNAME>" ] }, { "Sid": "Describe", "Action": [ "cloudformation:DescribeStacks", "ec2:DescribeInstances", "ec2:DescribeInstanceStatus" ], "Effect": "Allow", "Resource": "*" } ] }
