AWS Identity and Access Management roles in AWS ParallelCluster - AWS ParallelCluster

AWS Identity and Access Management roles in AWS ParallelCluster

AWS ParallelCluster uses AWS Identity and Access Management (IAM) roles for Amazon EC2 to enable instances to access AWS services for the deployment and operation of a cluster. By default, the IAM role for Amazon EC2 is created when the cluster is created. This means that the user that creates the cluster must have the appropriate level of permissions, as described in the following sections.

AWS ParallelCluster uses multiple AWS services to deploy and operate a cluster. See the complete list in the AWS Services used in AWS ParallelCluster section.

Default settings for cluster creation

When you use the default settings for cluster creation, a default IAM role for Amazon EC2 is created by the cluster. The user that creates the cluster must have the right level of permissions to create all of the resources required to launch the cluster. This includes creating an IAM role for Amazon EC2. Typically, the IAM user must have the permissions of an AdministratorAccess managed policy when using the default settings. For information about managed policies, see AWS managed policies in the IAM User Guide.

Using an existing IAM role for Amazon EC2

In place of the default settings, you can use an existing ec2_iam_role when creating a cluster, but you must define the IAM policy and role before attempting to launch the cluster. Typically, you choose an existing IAM role for Amazon EC2 to minimize the permissions that are granted to users as they launch clusters. The AWS ParallelCluster example instance and user policies include the minimum permissions required by AWS ParallelCluster and its features. You must create both policies and roles as individual policies in IAM and then attach the roles and policies to the appropriate resources. Some of the role policies might get large and cause quota errors. For more information, see Troubleshooting IAM policy size issues. In the policies, replace <REGION>, <AWS ACCOUNT ID>, and similar strings with the appropriate values.

If your intent is to add extra policies to the default settings for cluster nodes, we recommend that you pass the additional custom IAM policies with the additional_iam_policies setting instead of using the ec2_iam_role settings.

AWS ParallelCluster example instance and user policies

The following example policies include Amazon Resource Names (ARNs) for the resources. If you're working in the AWS GovCloud (US) or AWS China partitions, the ARNs must be changed. Specifically, they must be changed from "arn:aws" to "arn:aws-us-gov" for the AWS GovCloud (US) partition or "arn:aws-cn" for the AWS China partition. For more information, see Amazon Resource Names (ARNs) in AWS GovCloud (US) Regions in the AWS GovCloud (US) User Guide and ARNs for AWS services in China in Getting Started with AWS services in China.

These policies include the minimum permissions currently required by AWS ParallelCluster, its features, and resources. Some of the role policies might get large and cause quota errors. For more information, see Troubleshooting IAM policy size issues.

ParallelClusterInstancePolicy using SGE, Slurm, or Torque

Note

Starting with version 2.11.5, AWS ParallelCluster doesn't support the use of SGE or Torque schedulers. You can continue using them in versions up to and including 2.11.4, but they aren't eligible for future updates or troubleshooting support from the AWS service and AWS Support teams.

ParallelClusterInstancePolicy using Slurm

The following example sets the ParallelClusterInstancePolicy using Slurm as the scheduler.

{ "Version": "2012-10-17", "Statement": [ { "Action": [ "ec2:DescribeVolumes", "ec2:AttachVolume", "ec2:DescribeInstanceAttribute", "ec2:DescribeInstanceStatus", "ec2:DescribeInstanceTypes", "ec2:DescribeInstances", "ec2:DescribeRegions", "ec2:TerminateInstances", "ec2:DescribeLaunchTemplates", "ec2:CreateTags" ], "Resource": [ "*" ], "Effect": "Allow", "Sid": "EC2" }, { "Action": "ec2:RunInstances", "Resource": [ "arn:aws:ec2:<REGION>:<AWS ACCOUNT ID>:subnet/<COMPUTE SUBNET ID>", "arn:aws:ec2:<REGION>:<AWS ACCOUNT ID>:network-interface/*", "arn:aws:ec2:<REGION>:<AWS ACCOUNT ID>:instance/*", "arn:aws:ec2:<REGION>:<AWS ACCOUNT ID>:volume/*", "arn:aws:ec2:<REGION>::image/<IMAGE ID>", "arn:aws:ec2:<REGION>:<AWS ACCOUNT ID>:key-pair/<KEY NAME>", "arn:aws:ec2:<REGION>:<AWS ACCOUNT ID>:security-group/*", "arn:aws:ec2:<REGION>:<AWS ACCOUNT ID>:launch-template/*", "arn:aws:ec2:<REGION>:<AWS ACCOUNT ID>:placement-group/*" ], "Effect": "Allow", "Sid": "EC2RunInstances" }, { "Action": [ "dynamodb:ListTables" ], "Resource": [ "*" ], "Effect": "Allow", "Sid": "DynamoDBList" }, { "Action": [ "cloudformation:DescribeStacks", "cloudformation:DescribeStackResource", "cloudformation:SignalResource" ], "Resource": [ "arn:aws:cloudformation:<REGION>:<AWS ACCOUNT ID>:stack/parallelcluster-*/*" ], "Effect": "Allow", "Sid": "CloudFormation" }, { "Action": [ "dynamodb:PutItem", "dynamodb:Query", "dynamodb:GetItem", "dynamodb:BatchWriteItem", "dynamodb:DeleteItem", "dynamodb:DescribeTable" ], "Resource": [ "arn:aws:dynamodb:<REGION>:<AWS ACCOUNT ID>:table/parallelcluster-*" ], "Effect": "Allow", "Sid": "DynamoDBTable" }, { "Action": [ "s3:GetObject" ], "Resource": [ "arn:aws:s3:::<REGION>-aws-parallelcluster/*" ], "Effect": "Allow", "Sid": "S3GetObj" }, { "Action": [ "iam:PassRole" ], "Resource": [ "*" ], "Effect": "Allow", "Sid": "IAMPassRole", "Condition": { "StringEquals": { "iam:PassedToService": [ "ec2.amazonaws.com" ] } } }, { "Action": [ "s3:GetObject" ], "Resource": [ "arn:aws:s3:::dcv-license.<REGION>/*" ], "Effect": "Allow", "Sid": "DcvLicense" }, { "Action": [ "s3:GetObject", "s3:GetObjectVersion" ], "Resource": [ "arn:aws:s3:::parallelcluster-*/*" ], "Effect": "Allow", "Sid": "GetClusterConfig" }, { "Action": [ "fsx:DescribeFileSystems" ], "Resource": [ "*" ], "Effect": "Allow", "Sid": "FSx" }, { "Action": [ "logs:CreateLogStream", "logs:PutLogEvents" ], "Resource": [ "*" ], "Effect": "Allow", "Sid": "CWLogs" }, { "Action": [ "route53:ChangeResourceRecordSets" ], "Resource": [ "arn:aws:route53:::hostedzone/*" ], "Effect": "Allow", "Sid": "Route53" } ] }

ParallelClusterInstancePolicy using SGE or Torque

The following example sets the ParallelClusterInstancePolicy using SGE or Torque as the scheduler.

Note

This policy only applies to AWS ParallelCluster versions up to and including version 2.11.4. Starting with version 2.11.5, AWS ParallelCluster doesn't support the use of SGE or Torque schedulers.

{ "Version": "2012-10-17", "Statement": [ { "Action": [ "ec2:DescribeVolumes", "ec2:AttachVolume", "ec2:DescribeInstanceAttribute", "ec2:DescribeInstanceStatus", "ec2:DescribeInstanceTypes", "ec2:DescribeInstances", "ec2:DescribeRegions", "ec2:TerminateInstances", "ec2:DescribeLaunchTemplates", "ec2:CreateTags" ], "Resource": [ "*" ], "Effect": "Allow", "Sid": "EC2" }, { "Action": "ec2:RunInstances", "Resource": [ "arn:aws:ec2:<REGION>:<AWS ACCOUNT ID>:subnet/<COMPUTE SUBNET ID>", "arn:aws:ec2:<REGION>:<AWS ACCOUNT ID>:network-interface/*", "arn:aws:ec2:<REGION>:<AWS ACCOUNT ID>:instance/*", "arn:aws:ec2:<REGION>:<AWS ACCOUNT ID>:volume/*", "arn:aws:ec2:<REGION>::image/<IMAGE ID>", "arn:aws:ec2:<REGION>:<AWS ACCOUNT ID>:key-pair/<KEY NAME>", "arn:aws:ec2:<REGION>:<AWS ACCOUNT ID>:security-group/*", "arn:aws:ec2:<REGION>:<AWS ACCOUNT ID>:launch-template/*", "arn:aws:ec2:<REGION>:<AWS ACCOUNT ID>:placement-group/*" ], "Effect": "Allow", "Sid": "EC2RunInstances" }, { "Action": [ "dynamodb:ListTables" ], "Resource": [ "*" ], "Effect": "Allow", "Sid": "DynamoDBList" }, { "Action": [ "sqs:SendMessage", "sqs:ReceiveMessage", "sqs:ChangeMessageVisibility", "sqs:DeleteMessage", "sqs:GetQueueUrl" ], "Resource": [ "arn:aws:sqs:<REGION>:<AWS ACCOUNT ID>:parallelcluster-*" ], "Effect": "Allow", "Sid": "SQSQueue" }, { "Action": [ "autoscaling:DescribeAutoScalingGroups", "autoscaling:TerminateInstanceInAutoScalingGroup", "autoscaling:SetDesiredCapacity", "autoscaling:UpdateAutoScalingGroup", "autoscaling:DescribeTags", "autoscaling:SetInstanceHealth" ], "Resource": [ "*" ], "Effect": "Allow", "Sid": "Autoscaling" }, { "Action": [ "cloudformation:DescribeStacks", "cloudformation:DescribeStackResource", "cloudformation:SignalResource" ], "Resource": [ "arn:aws:cloudformation:<REGION>:<AWS ACCOUNT ID>:stack/parallelcluster-*/*" ], "Effect": "Allow", "Sid": "CloudFormation" }, { "Action": [ "dynamodb:PutItem", "dynamodb:Query", "dynamodb:GetItem", "dynamodb:BatchWriteItem", "dynamodb:DeleteItem", "dynamodb:DescribeTable" ], "Resource": [ "arn:aws:dynamodb:<REGION>:<AWS ACCOUNT ID>:table/parallelcluster-*" ], "Effect": "Allow", "Sid": "DynamoDBTable" }, { "Action": [ "s3:GetObject" ], "Resource": [ "arn:aws:s3:::<REGION>-aws-parallelcluster/*" ], "Effect": "Allow", "Sid": "S3GetObj" }, { "Action": [ "sqs:ListQueues" ], "Resource": [ "*" ], "Effect": "Allow", "Sid": "SQSList" }, { "Action": [ "iam:PassRole" ], "Resource": [ "*" ], "Effect": "Allow", "Sid": "IAMPassRole", "Condition": { "StringEquals": { "iam:PassedToService": [ "ec2.amazonaws.com" ] } } }, { "Action": [ "s3:GetObject" ], "Resource": [ "arn:aws:s3:::dcv-license.<REGION>/*" ], "Effect": "Allow", "Sid": "DcvLicense" }, { "Action": [ "s3:GetObject", "s3:GetObjectVersion" ], "Resource": [ "arn:aws:s3:::parallelcluster-*/*" ], "Effect": "Allow", "Sid": "GetClusterConfig" }, { "Action": [ "fsx:DescribeFileSystems" ], "Resource": [ "*" ], "Effect": "Allow", "Sid": "FSx" }, { "Action": [ "logs:CreateLogStream", "logs:PutLogEvents" ], "Resource": [ "*" ], "Effect": "Allow", "Sid": "CWLogs" }, { "Action": [ "route53:ChangeResourceRecordSets" ], "Resource": [ "arn:aws:route53:::hostedzone/*" ], "Effect": "Allow", "Sid": "Route53" } ] }

ParallelClusterInstancePolicy using awsbatch

The following example sets the ParallelClusterInstancePolicy using awsbatch as the scheduler. You must include the same policies that are assigned to the BatchUserRole that is defined in the AWS Batch AWS CloudFormation nested stack. The BatchUserRole ARN is provided as a stack output. In this example, “<RESOURCES S3 BUCKET>” is the value of the cluster_resource_bucket setting; if cluster_resource_bucket is not specified then “<RESOURCES S3 BUCKET>” is “parallelcluster-*”. The following example is an overview of the required permissions:

{ "Version": "2012-10-17", "Statement": [ { "Action": [ "batch:RegisterJobDefinition", "logs:GetLogEvents" ], "Resource": [ "*" ], "Effect": "Allow" }, { "Action": [ "batch:SubmitJob", "cloudformation:DescribeStacks", "ecs:ListContainerInstances", "ecs:DescribeContainerInstances", "logs:FilterLogEvents", "s3:PutObject", "s3:Get*", "s3:DeleteObject", "iam:PassRole" ], "Resource": [ "arn:aws:batch:<REGION>:<AWS ACCOUNT ID>:job-definition/<AWS_BATCH_STACK - JOB_DEFINITION_SERIAL_NAME>:1", "arn:aws:batch:<REGION>:<AWS ACCOUNT ID>:job-definition/<AWS_BATCH_STACK - JOB_DEFINITION_MNP_NAME>*", "arn:aws:batch:<REGION>:<AWS ACCOUNT ID>:job-queue/<AWS_BATCH_STACK - JOB_QUEUE_NAME>", "arn:aws:cloudformation:<REGION>:<AWS ACCOUNT ID>:stack/<STACK NAME>/*", "arn:aws:s3:::<RESOURCES S3 BUCKET>/batch/*", "arn:aws:iam::<AWS ACCOUNT ID>:role/<AWS_BATCH_STACK - JOB_ROLE>", "arn:aws:ecs:<REGION>:<AWS ACCOUNT ID>:cluster/<ECS COMPUTE ENVIRONMENT>", "arn:aws:ecs:<REGION>:<AWS ACCOUNT ID>:container-instance/*", "arn:aws:logs:<REGION>:<AWS ACCOUNT ID>:log-group:/aws/batch/job:log-stream:*" ], "Effect": "Allow" }, { "Action": [ "s3:List*" ], "Resource": [ "arn:aws:s3:::<RESOURCES S3 BUCKET>" ], "Effect": "Allow" }, { "Action": [ "batch:DescribeJobQueues", "batch:TerminateJob", "batch:DescribeJobs", "batch:CancelJob", "batch:DescribeJobDefinitions", "batch:ListJobs", "batch:DescribeComputeEnvironments" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "ec2:DescribeInstances", "ec2:AttachVolume", "ec2:DescribeVolumes", "ec2:DescribeInstanceAttribute" ], "Resource": "*", "Effect": "Allow", "Sid": "EC2" }, { "Action": [ "cloudformation:DescribeStackResource", "cloudformation:SignalResource" ], "Resource": "*", "Effect": "Allow", "Sid": "CloudFormation" }, { "Action": [ "fsx:DescribeFileSystems" ], "Resource": [ "*" ], "Effect": "Allow", "Sid": "FSx" }, { "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream" ], "Resource": [ "*" ], "Effect": "Allow", "Sid": "CWLogs" } ] }

ParallelClusterUserPolicy using Slurm

The following example sets the ParallelClusterUserPolicy, using Slurm as the scheduler. In this example, “<RESOURCES S3 BUCKET>” is the value of the cluster_resource_bucket setting; if cluster_resource_bucket is not specified then “<RESOURCES S3 BUCKET>” is “parallelcluster-*”.

Note

If you use a custom role, ec2_iam_role = <role_name>, you must change the IAM resource to include the name of that role from:

"Resource": "arn:aws:iam::<AWS ACCOUNT ID>:role/parallelcluster-*"

To:

"Resource": "arn:aws:iam::<AWS ACCOUNT ID>:role/<role_name>"

{ "Version": "2012-10-17", "Statement": [ { "Action": [ "ec2:DescribeKeyPairs", "ec2:DescribeRegions", "ec2:DescribeVpcs", "ec2:DescribeSubnets", "ec2:DescribeSecurityGroups", "ec2:DescribePlacementGroups", "ec2:DescribeImages", "ec2:DescribeInstances", "ec2:DescribeInstanceStatus", "ec2:DescribeInstanceTypes", "ec2:DescribeInstanceTypeOfferings", "ec2:DescribeSnapshots", "ec2:DescribeVolumes", "ec2:DescribeVpcAttribute", "ec2:DescribeAddresses", "ec2:CreateTags", "ec2:DescribeNetworkInterfaces", "ec2:DescribeAvailabilityZones" ], "Resource": "*", "Effect": "Allow", "Sid": "EC2Describe" }, { "Action": [ "ec2:CreateVpc", "ec2:ModifyVpcAttribute", "ec2:DescribeNatGateways", "ec2:CreateNatGateway", "ec2:DescribeInternetGateways", "ec2:CreateInternetGateway", "ec2:AttachInternetGateway", "ec2:DescribeRouteTables", "ec2:CreateRoute", "ec2:CreateRouteTable", "ec2:AssociateRouteTable", "ec2:CreateSubnet", "ec2:ModifySubnetAttribute" ], "Resource": "*", "Effect": "Allow", "Sid": "NetworkingEasyConfig" }, { "Action": [ "ec2:CreateVolume", "ec2:RunInstances", "ec2:AllocateAddress", "ec2:AssociateAddress", "ec2:AttachNetworkInterface", "ec2:AuthorizeSecurityGroupEgress", "ec2:AuthorizeSecurityGroupIngress", "ec2:CreateNetworkInterface", "ec2:CreateSecurityGroup", "ec2:ModifyVolumeAttribute", "ec2:ModifyNetworkInterfaceAttribute", "ec2:DeleteNetworkInterface", "ec2:DeleteVolume", "ec2:TerminateInstances", "ec2:DeleteSecurityGroup", "ec2:DisassociateAddress", "ec2:RevokeSecurityGroupIngress", "ec2:RevokeSecurityGroupEgress", "ec2:ReleaseAddress", "ec2:CreatePlacementGroup", "ec2:DeletePlacementGroup" ], "Resource": "*", "Effect": "Allow", "Sid": "EC2Modify" }, { "Action": [ "autoscaling:CreateAutoScalingGroup", "ec2:CreateLaunchTemplate", "ec2:CreateLaunchTemplateVersion", "ec2:ModifyLaunchTemplate", "ec2:DeleteLaunchTemplate", "ec2:DescribeLaunchTemplates", "ec2:DescribeLaunchTemplateVersions" ], "Resource": "*", "Effect": "Allow", "Sid": "ScalingModify" }, { "Action": [ "dynamodb:DescribeTable", "dynamodb:ListTagsOfResource" ], "Resource": "*", "Effect": "Allow", "Sid": "DynamoDBDescribe" }, { "Action": [ "dynamodb:CreateTable", "dynamodb:DeleteTable", "dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:Query", "dynamodb:TagResource" ], "Resource": "*", "Effect": "Allow", "Sid": "DynamoDBModify" }, { "Action": [ "route53:ChangeResourceRecordSets", "route53:ChangeTagsForResource", "route53:CreateHostedZone", "route53:DeleteHostedZone", "route53:GetChange", "route53:GetHostedZone", "route53:ListResourceRecordSets", "route53:ListQueryLoggingConfigs" ], "Resource": "*", "Effect": "Allow", "Sid": "Route53HostedZones" }, { "Action": [ "cloudformation:DescribeStackEvents", "cloudformation:DescribeStackResource", "cloudformation:DescribeStackResources", "cloudformation:DescribeStacks", "cloudformation:ListStacks", "cloudformation:GetTemplate" ], "Resource": "*", "Effect": "Allow", "Sid": "CloudFormationDescribe" }, { "Action": [ "cloudformation:CreateStack", "cloudformation:DeleteStack", "cloudformation:UpdateStack" ], "Effect": "Allow", "Resource": "*", "Sid": "CloudFormationModify" }, { "Action": [ "s3:*" ], "Resource": [ "arn:aws:s3:::<RESOURCES S3 BUCKET>" ], "Effect": "Allow", "Sid": "S3ResourcesBucket" }, { "Action": [ "s3:Get*", "s3:List*" ], "Resource": [ "arn:aws:s3:::<REGION>-aws-parallelcluster*" ], "Effect": "Allow", "Sid": "S3ParallelClusterReadOnly" }, { "Action": [ "s3:DeleteBucket", "s3:DeleteObject", "s3:DeleteObjectVersion" ], "Resource": [ "arn:aws:s3:::<RESOURCES S3 BUCKET>" ], "Effect": "Allow", "Sid": "S3Delete" }, { "Action": [ "iam:PassRole", "iam:CreateRole", "iam:DeleteRole", "iam:GetRole", "iam:TagRole", "iam:SimulatePrincipalPolicy" ], "Resource": [ "arn:aws:iam::<AWS ACCOUNT ID>:role/<PARALLELCLUSTER EC2 ROLE NAME>", "arn:aws:iam::<AWS ACCOUNT ID>:role/parallelcluster-*" ], "Effect": "Allow", "Sid": "IAMModify" }, { "Condition": { "StringEquals": { "iam:AWSServiceName": [ "fsx.amazonaws.com", "s3.data-source.lustre.fsx.amazonaws.com" ] } }, "Action": [ "iam:CreateServiceLinkedRole" ], "Resource": "arn:aws:iam::<AWS ACCOUNT ID>:role/aws-service-role/*", "Effect": "Allow", "Sid": "IAMServiceLinkedRole" }, { "Action": [ "iam:CreateInstanceProfile", "iam:DeleteInstanceProfile" ], "Resource": "arn:aws:iam::<AWS ACCOUNT ID>:instance-profile/*", "Effect": "Allow", "Sid": "IAMCreateInstanceProfile" }, { "Action": [ "iam:AddRoleToInstanceProfile", "iam:RemoveRoleFromInstanceProfile", "iam:GetRolePolicy", "iam:GetPolicy", "iam:AttachRolePolicy", "iam:DetachRolePolicy", "iam:PutRolePolicy", "iam:DeleteRolePolicy" ], "Resource": "*", "Effect": "Allow", "Sid": "IAMInstanceProfile" }, { "Action": [ "elasticfilesystem:DescribeMountTargets", "elasticfilesystem:DescribeMountTargetSecurityGroups", "ec2:DescribeNetworkInterfaceAttribute" ], "Resource": "*", "Effect": "Allow", "Sid": "EFSDescribe" }, { "Action": [ "ssm:GetParametersByPath" ], "Resource": "*", "Effect": "Allow", "Sid": "SSMDescribe" }, { "Action": [ "fsx:*" ], "Resource": "*", "Effect": "Allow", "Sid": "FSx" }, { "Action": [ "elasticfilesystem:*" ], "Resource": "*", "Effect": "Allow", "Sid": "EFS" }, { "Action": [ "logs:DeleteLogGroup", "logs:PutRetentionPolicy", "logs:DescribeLogGroups", "logs:CreateLogGroup" ], "Resource": "*", "Effect": "Allow", "Sid": "CloudWatchLogs" }, { "Action": [ "lambda:CreateFunction", "lambda:DeleteFunction", "lambda:GetFunctionConfiguration", "lambda:GetFunction", "lambda:InvokeFunction", "lambda:AddPermission", "lambda:RemovePermission", "lambda:TagResource", "lambda:ListTags", "lambda:UntagResource" ], "Resource": [ "arn:aws:lambda:<REGION>:<AWS ACCOUNT ID>:function:parallelcluster-*", "arn:aws:lambda:<REGION>:<AWS ACCOUNT ID>:function:pcluster-*" ], "Effect": "Allow", "Sid": "Lambda" }, { "Sid": "CloudWatch", "Effect": "Allow", "Action": [ "cloudwatch:PutDashboard", "cloudwatch:ListDashboards", "cloudwatch:DeleteDashboards", "cloudwatch:GetDashboard" ], "Resource": "*" } ] }

ParallelClusterUserPolicy using SGE or Torque

Note

This section only applies to AWS ParallelCluster versions up to and including version 2.11.4. Starting with version 2.11.5, AWS ParallelCluster doesn't support the use of SGE or Torque schedulers.

The following example sets the ParallelClusterUserPolicy, using SGE or Torque as the scheduler. In this example, “<RESOURCES S3 BUCKET>” is the value of the cluster_resource_bucket setting; if cluster_resource_bucket is not specified then “<RESOURCES S3 BUCKET>” is “parallelcluster-*”.

Note

If you use a custom role, ec2_iam_role = <role_name>, you must change the IAM resource to include the name of that role from:

"Resource": "arn:aws:iam::<AWS ACCOUNT ID>:role/parallelcluster-*"

To:

"Resource": "arn:aws:iam::<AWS ACCOUNT ID>:role/<role_name>"

{ "Version": "2012-10-17", "Statement": [ { "Action": [ "ec2:DescribeKeyPairs", "ec2:DescribeRegions", "ec2:DescribeVpcs", "ec2:DescribeSubnets", "ec2:DescribeSecurityGroups", "ec2:DescribePlacementGroups", "ec2:DescribeImages", "ec2:DescribeInstances", "ec2:DescribeInstanceStatus", "ec2:DescribeInstanceTypes", "ec2:DescribeInstanceTypeOfferings", "ec2:DescribeSnapshots", "ec2:DescribeVolumes", "ec2:DescribeVpcAttribute", "ec2:DescribeAddresses", "ec2:CreateTags", "ec2:DescribeNetworkInterfaces", "ec2:DescribeAvailabilityZones" ], "Resource": "*", "Effect": "Allow", "Sid": "EC2Describe" }, { "Action": [ "ec2:CreateVpc", "ec2:ModifyVpcAttribute", "ec2:DescribeNatGateways", "ec2:CreateNatGateway", "ec2:DescribeInternetGateways", "ec2:CreateInternetGateway", "ec2:AttachInternetGateway", "ec2:DescribeRouteTables", "ec2:CreateRoute", "ec2:CreateRouteTable", "ec2:AssociateRouteTable", "ec2:CreateSubnet", "ec2:ModifySubnetAttribute" ], "Resource": "*", "Effect": "Allow", "Sid": "NetworkingEasyConfig" }, { "Action": [ "ec2:CreateVolume", "ec2:RunInstances", "ec2:AllocateAddress", "ec2:AssociateAddress", "ec2:AttachNetworkInterface", "ec2:AuthorizeSecurityGroupEgress", "ec2:AuthorizeSecurityGroupIngress", "ec2:CreateNetworkInterface", "ec2:CreateSecurityGroup", "ec2:ModifyVolumeAttribute", "ec2:ModifyNetworkInterfaceAttribute", "ec2:DeleteNetworkInterface", "ec2:DeleteVolume", "ec2:TerminateInstances", "ec2:DeleteSecurityGroup", "ec2:DisassociateAddress", "ec2:RevokeSecurityGroupIngress", "ec2:RevokeSecurityGroupEgress", "ec2:ReleaseAddress", "ec2:CreatePlacementGroup", "ec2:DeletePlacementGroup" ], "Resource": "*", "Effect": "Allow", "Sid": "EC2Modify" }, { "Action": [ "autoscaling:DescribeAutoScalingGroups", "autoscaling:DescribeAutoScalingInstances" ], "Resource": "*", "Effect": "Allow", "Sid": "AutoScalingDescribe" }, { "Action": [ "autoscaling:CreateAutoScalingGroup", "ec2:CreateLaunchTemplate", "ec2:CreateLaunchTemplateVersion", "ec2:ModifyLaunchTemplate", "ec2:DeleteLaunchTemplate", "ec2:DescribeLaunchTemplates", "ec2:DescribeLaunchTemplateVersions", "autoscaling:PutNotificationConfiguration", "autoscaling:UpdateAutoScalingGroup", "autoscaling:PutScalingPolicy", "autoscaling:DescribeScalingActivities", "autoscaling:DeleteAutoScalingGroup", "autoscaling:DeletePolicy", "autoscaling:DisableMetricsCollection", "autoscaling:EnableMetricsCollection" ], "Resource": "*", "Effect": "Allow", "Sid": "AutoScalingModify" }, { "Action": [ "dynamodb:DescribeTable", "dynamodb:ListTagsOfResource" ], "Resource": "*", "Effect": "Allow", "Sid": "DynamoDBDescribe" }, { "Action": [ "dynamodb:CreateTable", "dynamodb:DeleteTable", "dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:Query", "dynamodb:TagResource" ], "Resource": "*", "Effect": "Allow", "Sid": "DynamoDBModify" }, { "Action": [ "sqs:GetQueueAttributes" ], "Resource": "*", "Effect": "Allow", "Sid": "SQSDescribe" }, { "Action": [ "sqs:CreateQueue", "sqs:SetQueueAttributes", "sqs:DeleteQueue", "sqs:TagQueue" ], "Resource": "*", "Effect": "Allow", "Sid": "SQSModify" }, { "Action": [ "sns:ListTopics", "sns:GetTopicAttributes" ], "Resource": "*", "Effect": "Allow", "Sid": "SNSDescribe" }, { "Action": [ "sns:CreateTopic", "sns:Subscribe", "sns:Unsubscribe", "sns:DeleteTopic" ], "Resource": "*", "Effect": "Allow", "Sid": "SNSModify" }, { "Action": [ "cloudformation:DescribeStackEvents", "cloudformation:DescribeStackResource", "cloudformation:DescribeStackResources", "cloudformation:DescribeStacks", "cloudformation:ListStacks", "cloudformation:GetTemplate" ], "Resource": "*", "Effect": "Allow", "Sid": "CloudFormationDescribe" }, { "Action": [ "cloudformation:CreateStack", "cloudformation:DeleteStack", "cloudformation:UpdateStack" ], "Effect": "Allow", "Resource": "*", "Sid": "CloudFormationModify" }, { "Action": [ "s3:*" ], "Resource": [ "arn:aws:s3:::<RESOURCES S3 BUCKET>" ], "Effect": "Allow", "Sid": "S3ResourcesBucket" }, { "Action": [ "s3:Get*", "s3:List*" ], "Resource": [ "arn:aws:s3:::<REGION>-aws-parallelcluster*" ], "Effect": "Allow", "Sid": "S3ParallelClusterReadOnly" }, { "Action": [ "s3:DeleteBucket", "s3:DeleteObject", "s3:DeleteObjectVersion" ], "Resource": [ "arn:aws:s3:::<RESOURCES S3 BUCKET>" ], "Effect": "Allow", "Sid": "S3Delete" }, { "Action": [ "iam:PassRole", "iam:CreateRole", "iam:DeleteRole", "iam:GetRole", "iam:TagRole", "iam:SimulatePrincipalPolicy" ], "Resource": [ "arn:aws:iam::<AWS ACCOUNT ID>:role/<PARALLELCLUSTER EC2 ROLE NAME>", "arn:aws:iam::<AWS ACCOUNT ID>:role/parallelcluster-*" ], "Effect": "Allow", "Sid": "IAMModify" }, { "Condition": { "StringEquals": { "iam:AWSServiceName": [ "fsx.amazonaws.com", "s3.data-source.lustre.fsx.amazonaws.com" ] } }, "Action": [ "iam:CreateServiceLinkedRole" ], "Resource": "arn:aws:iam::<AWS ACCOUNT ID>:role/aws-service-role/*", "Effect": "Allow", "Sid": "IAMServiceLinkedRole" }, { "Action": [ "iam:CreateInstanceProfile", "iam:DeleteInstanceProfile" ], "Resource": "arn:aws:iam::<AWS ACCOUNT ID>:instance-profile/*", "Effect": "Allow", "Sid": "IAMCreateInstanceProfile" }, { "Action": [ "iam:AddRoleToInstanceProfile", "iam:RemoveRoleFromInstanceProfile", "iam:GetRolePolicy", "iam:GetPolicy", "iam:AttachRolePolicy", "iam:DetachRolePolicy", "iam:PutRolePolicy", "iam:DeleteRolePolicy" ], "Resource": "*", "Effect": "Allow", "Sid": "IAMInstanceProfile" }, { "Action": [ "elasticfilesystem:DescribeMountTargets", "elasticfilesystem:DescribeMountTargetSecurityGroups", "ec2:DescribeNetworkInterfaceAttribute" ], "Resource": "*", "Effect": "Allow", "Sid": "EFSDescribe" }, { "Action": [ "ssm:GetParametersByPath" ], "Resource": "*", "Effect": "Allow", "Sid": "SSMDescribe" }, { "Action": [ "fsx:*" ], "Resource": "*", "Effect": "Allow", "Sid": "FSx" }, { "Action": [ "elasticfilesystem:*" ], "Resource": "*", "Effect": "Allow", "Sid": "EFS" }, { "Action": [ "logs:DeleteLogGroup", "logs:PutRetentionPolicy", "logs:DescribeLogGroups", "logs:CreateLogGroup" ], "Resource": "*", "Effect": "Allow", "Sid": "CloudWatchLogs" }, { "Action": [ "lambda:CreateFunction", "lambda:DeleteFunction", "lambda:GetFunctionConfiguration", "lambda:GetFunction", "lambda:InvokeFunction", "lambda:AddPermission", "lambda:RemovePermission", "lambda:TagResource", "lambda:ListTags", "lambda:UntagResource" ], "Resource": [ "arn:aws:lambda:<REGION>:<AWS ACCOUNT ID>:function:parallelcluster-*", "arn:aws:lambda:<REGION>:<AWS ACCOUNT ID>:function:pcluster-*" ], "Effect": "Allow", "Sid": "Lambda" }, { "Sid": "CloudWatch", "Effect": "Allow", "Action": [ "cloudwatch:PutDashboard", "cloudwatch:ListDashboards", "cloudwatch:DeleteDashboards", "cloudwatch:GetDashboard" ], "Resource": "*" } ] }

ParallelClusterUserPolicy using awsbatch

The following example sets the ParallelClusterUserPolicy using awsbatch as the scheduler. In this example, “<RESOURCES S3 BUCKET>” is the value of the cluster_resource_bucket setting; if cluster_resource_bucket is not specified then “<RESOURCES S3 BUCKET>” is “parallelcluster-*”.

{ "Version": "2012-10-17", "Statement": [ { "Action": [ "ec2:DescribeKeyPairs", "ec2:DescribeRegions", "ec2:DescribeVpcs", "ec2:DescribeSubnets", "ec2:DescribeSecurityGroups", "ec2:DescribePlacementGroups", "ec2:DescribeImages", "ec2:DescribeInstances", "ec2:DescribeInstanceStatus", "ec2:DescribeInstanceTypes", "ec2:DescribeInstanceTypeOfferings", "ec2:DescribeSnapshots", "ec2:DescribeVolumes", "ec2:DescribeVpcAttribute", "ec2:DescribeAddresses", "ec2:CreateTags", "ec2:DescribeNetworkInterfaces", "ec2:DescribeAvailabilityZones" ], "Resource": "*", "Effect": "Allow", "Sid": "EC2Describe" }, { "Action": [ "ec2:CreateLaunchTemplate", "ec2:CreateLaunchTemplateVersion", "ec2:ModifyLaunchTemplate", "ec2:DeleteLaunchTemplate", "ec2:DescribeLaunchTemplates", "ec2:DescribeLaunchTemplateVersions" ], "Resource": "*", "Effect": "Allow", "Sid": "EC2LaunchTemplate" }, { "Action": [ "ec2:CreateVpc", "ec2:ModifyVpcAttribute", "ec2:DescribeNatGateways", "ec2:CreateNatGateway", "ec2:DescribeInternetGateways", "ec2:CreateInternetGateway", "ec2:AttachInternetGateway", "ec2:DescribeRouteTables", "ec2:CreateRoute", "ec2:CreateRouteTable", "ec2:AssociateRouteTable", "ec2:CreateSubnet", "ec2:ModifySubnetAttribute" ], "Resource": "*", "Effect": "Allow", "Sid": "NetworkingEasyConfig" }, { "Action": [ "ec2:CreateVolume", "ec2:RunInstances", "ec2:AllocateAddress", "ec2:AssociateAddress", "ec2:AttachNetworkInterface", "ec2:AuthorizeSecurityGroupEgress", "ec2:AuthorizeSecurityGroupIngress", "ec2:CreateNetworkInterface", "ec2:CreateSecurityGroup", "ec2:ModifyVolumeAttribute", "ec2:ModifyNetworkInterfaceAttribute", "ec2:DeleteNetworkInterface", "ec2:DeleteVolume", "ec2:TerminateInstances", "ec2:DeleteSecurityGroup", "ec2:DisassociateAddress", "ec2:RevokeSecurityGroupIngress", "ec2:RevokeSecurityGroupEgress", "ec2:ReleaseAddress", "ec2:CreatePlacementGroup", "ec2:DeletePlacementGroup" ], "Resource": "*", "Effect": "Allow", "Sid": "EC2Modify" }, { "Action": [ "dynamodb:DescribeTable", "dynamodb:CreateTable", "dynamodb:DeleteTable", "dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:Query", "dynamodb:TagResource" ], "Resource": "arn:aws:dynamodb:<REGION>:<AWS ACCOUNT ID>:table/parallelcluster-*", "Effect": "Allow", "Sid": "DynamoDB" }, { "Action": [ "cloudformation:DescribeStackEvents", "cloudformation:DescribeStackResource", "cloudformation:DescribeStackResources", "cloudformation:DescribeStacks", "cloudformation:ListStacks", "cloudformation:GetTemplate", "cloudformation:CreateStack", "cloudformation:DeleteStack", "cloudformation:UpdateStack" ], "Resource": "arn:aws:cloudformation:<REGION>:<AWS ACCOUNT ID>:stack/parallelcluster-*", "Effect": "Allow", "Sid": "CloudFormation" }, { "Action": [ "route53:ChangeResourceRecordSets", "route53:ChangeTagsForResource", "route53:CreateHostedZone", "route53:DeleteHostedZone", "route53:GetChange", "route53:GetHostedZone", "route53:ListResourceRecordSets" ], "Resource": "arn:aws:route53:::hostedzone/*", "Effect": "Allow", "Sid": "Route53HostedZones" }, { "Action": [ "sqs:GetQueueAttributes", "sqs:CreateQueue", "sqs:SetQueueAttributes", "sqs:DeleteQueue", "sqs:TagQueue" ], "Resource": "*", "Effect": "Allow", "Sid": "SQS" }, { "Action": [ "sqs:SendMessage", "sqs:ReceiveMessage", "sqs:ChangeMessageVisibility", "sqs:DeleteMessage", "sqs:GetQueueUrl" ], "Resource": "arn:aws:sqs:<REGION>:<AWS ACCOUNT ID>:parallelcluster-*", "Effect": "Allow", "Sid": "SQSQueue" }, { "Action": [ "sns:ListTopics", "sns:GetTopicAttributes", "sns:CreateTopic", "sns:Subscribe", "sns:Unsubscribe", "sns:DeleteTopic" ], "Resource": "*", "Effect": "Allow", "Sid": "SNS" }, { "Action": [ "iam:PassRole", "iam:CreateRole", "iam:DeleteRole", "iam:GetRole", "iam:TagRole", "iam:SimulatePrincipalPolicy" ], "Resource": [ "arn:aws:iam::<AWS ACCOUNT ID>:role/parallelcluster-*", "arn:aws:iam::<AWS ACCOUNT ID>:role/<PARALLELCLUSTER EC2 ROLE NAME>" ], "Effect": "Allow", "Sid": "IAMRole" }, { "Action": [ "iam:CreateInstanceProfile", "iam:DeleteInstanceProfile", "iam:GetInstanceProfile", "iam:PassRole" ], "Resource": "arn:aws:iam::<AWS ACCOUNT ID>:instance-profile/*", "Effect": "Allow", "Sid": "IAMInstanceProfile" }, { "Action": [ "iam:AddRoleToInstanceProfile", "iam:RemoveRoleFromInstanceProfile", "iam:GetRolePolicy", "iam:PutRolePolicy", "iam:DeleteRolePolicy", "iam:GetPolicy", "iam:AttachRolePolicy", "iam:DetachRolePolicy" ], "Resource": "*", "Effect": "Allow", "Sid": "IAM" }, { "Action": [ "s3:*" ], "Resource": [ "arn:aws:s3:::<RESOURCES S3 BUCKET>" ], "Effect": "Allow", "Sid": "S3ResourcesBucket" }, { "Action": [ "s3:Get*", "s3:List*" ], "Resource": [ "arn:aws:s3:::<REGION>-aws-parallelcluster/*" ], "Effect": "Allow", "Sid": "S3ParallelClusterReadOnly" }, { "Action": [ "s3:DeleteBucket", "s3:DeleteObject", "s3:DeleteObjectVersion" ], "Resource": [ "arn:aws:s3:::<RESOURCES S3 BUCKET>" ], "Effect": "Allow", "Sid": "S3Delete" }, { "Action": [ "lambda:CreateFunction", "lambda:DeleteFunction", "lambda:GetFunction", "lambda:GetFunctionConfiguration", "lambda:InvokeFunction", "lambda:AddPermission", "lambda:RemovePermission", "lambda:TagResource", "lambda:ListTags", "lambda:UntagResource" ], "Resource": [ "arn:aws:lambda:<REGION>:<AWS ACCOUNT ID>:function:parallelcluster-*", "arn:aws:lambda:<REGION>:<AWS ACCOUNT ID>:function:pcluster-*" ], "Effect": "Allow", "Sid": "Lambda" }, { "Action": [ "logs:*" ], "Resource": "arn:aws:logs:<REGION>:<AWS ACCOUNT ID>:*", "Effect": "Allow", "Sid": "Logs" }, { "Action": [ "codebuild:*" ], "Resource": "arn:aws:codebuild:<REGION>:<AWS ACCOUNT ID>:project/parallelcluster-*", "Effect": "Allow", "Sid": "CodeBuild" }, { "Action": [ "ecr:*" ], "Resource": "*", "Effect": "Allow", "Sid": "ECR" }, { "Action": [ "batch:*" ], "Resource": "*", "Effect": "Allow", "Sid": "Batch" }, { "Action": [ "events:*" ], "Effect": "Allow", "Resource": "*", "Sid": "AmazonCloudWatchEvents" }, { "Action": [ "ecs:DescribeContainerInstances", "ecs:ListContainerInstances" ], "Resource": "*", "Effect": "Allow", "Sid": "ECS" }, { "Action": [ "elasticfilesystem:CreateFileSystem", "elasticfilesystem:CreateMountTarget", "elasticfilesystem:DeleteFileSystem", "elasticfilesystem:DeleteMountTarget", "elasticfilesystem:DescribeFileSystems", "elasticfilesystem:DescribeMountTargets" ], "Resource": "*", "Effect": "Allow", "Sid": "EFS" }, { "Action": [ "fsx:*" ], "Resource": "*", "Effect": "Allow", "Sid": "FSx" }, { "Sid": "CloudWatch", "Effect": "Allow", "Action": [ "cloudwatch:PutDashboard", "cloudwatch:ListDashboards", "cloudwatch:DeleteDashboards", "cloudwatch:GetDashboard" ], "Resource": "*" } ] }

ParallelClusterLambdaPolicy using SGE, Slurm, or Torque

The following example sets the ParallelClusterLambdaPolicy, using SGE, Slurm, or Torque as the scheduler.

Note

Starting with version 2.11.5, AWS ParallelCluster doesn't support the use of SGE or Torque schedulers.

{ "Version": "2012-10-17", "Statement": [ { "Action": [ "logs:CreateLogStream", "logs:PutLogEvents" ], "Resource": "arn:aws:logs:*:*:*", "Effect": "Allow", "Sid": "CloudWatchLogsPolicy" }, { "Action": [ "s3:DeleteBucket", "s3:DeleteObject", "s3:DeleteObjectVersion", "s3:ListBucket", "s3:ListBucketVersions" ], "Resource": [ "arn:aws:s3:::*" ], "Effect": "Allow", "Sid": "S3BucketPolicy" }, { "Action": [ "ec2:DescribeInstances" ], "Resource": "*", "Effect": "Allow", "Sid": "DescribeInstances" }, { "Action": [ "ec2:TerminateInstances" ], "Resource": "*", "Effect": "Allow", "Sid": "FleetTerminatePolicy" }, { "Action": [ "dynamodb:GetItem", "dynamodb:PutItem" ], "Resource": "arn:aws:dynamodb:<REGION>:<AWS ACCOUNT ID>:table/parallelcluster-*", "Effect": "Allow", "Sid": "DynamoDBTable" }, { "Action": [ "route53:ListResourceRecordSets", "route53:ChangeResourceRecordSets" ], "Resource": [ "arn:aws:route53:::hostedzone/*" ], "Effect": "Allow", "Sid": "Route53DeletePolicy" } ] }

ParallelClusterLambdaPolicy using awsbatch

The following example sets the ParallelClusterLambdaPolicy using awsbatch as the scheduler.

{ "Version": "2012-10-17", "Statement": [ { "Action": [ "logs:CreateLogStream", "logs:PutLogEvents" ], "Effect": "Allow", "Resource": "arn:aws:logs:*:*:*", "Sid": "CloudWatchLogsPolicy" }, { "Action": [ "ecr:BatchDeleteImage", "ecr:ListImages" ], "Effect": "Allow", "Resource": "*", "Sid": "ECRPolicy" }, { "Action": [ "codebuild:BatchGetBuilds", "codebuild:StartBuild" ], "Effect": "Allow", "Resource": "*", "Sid": "CodeBuildPolicy" }, { "Action": [ "s3:DeleteBucket", "s3:DeleteObject", "s3:DeleteObjectVersion", "s3:ListBucket", "s3:ListBucketVersions" ], "Effect": "Allow", "Resource": "*", "Sid": "S3BucketPolicy" } ] }

ParallelClusterUserPolicy for users

The following example sets the ParallelClusterUserPolicy for users that don't need to create or update clusters. The following commands are supported.

{ "Version": "2012-10-17", "Statement": [ { "Sid": "MinimumModify", "Action": [ "autoscaling:UpdateAutoScalingGroup", "batch:UpdateComputeEnvironment", "cloudformation:DescribeStackEvents", "cloudformation:DescribeStackResources", "cloudformation:GetTemplate", "dynamodb:GetItem", "dynamodb:PutItem" ], "Effect": "Allow", "Resource": [ "arn:aws:autoscaling:<REGION>:<AWS ACCOUNT ID>:autoScalingGroup:*:autoScalingGroupName/parallelcluster-*", "arn:aws:batch:<REGION>:<AWS ACCOUNT ID>:compute-environment/*", "arn:aws:cloudformation:<REGION>:<AWS ACCOUNT ID>:stack/<CLUSTERNAME>/*", "arn:aws:dynamodb:<REGION>:<AWS ACCOUNT ID>:table/<CLUSTERNAME>" ] }, { "Sid": "Describe", "Action": [ "cloudformation:DescribeStacks", "ec2:DescribeInstances", "ec2:DescribeInstanceStatus" ], "Effect": "Allow", "Resource": "*" } ] }