AWS Identity and Access Management roles in AWS ParallelCluster
AWS ParallelCluster uses AWS Identity and Access Management (IAM) roles for Amazon EC2 to enable instances to access AWS services for the deployment and operation of a cluster. By default, the IAM role for Amazon EC2 is created when the cluster is created. This means that the user that creates the cluster must have the appropriate level of permissions, as described in the following sections.
AWS ParallelCluster uses multiple AWS services to deploy and operate a cluster. See the complete list in the AWS Services used in AWS ParallelCluster section.
Topics
Default settings for cluster creation
When you use the default settings for cluster creation, a default IAM role for Amazon EC2 is created by the cluster. The user that creates the cluster must have the right level of permissions to create all of the resources required to launch the cluster. This includes creating an IAM role for Amazon EC2. Typically, the IAM user must have the permissions of an AdministratorAccess managed policy when using the default settings. For information about managed policies, see AWS managed policies in the IAM User Guide.
Using an existing IAM role for Amazon EC2
In place of the default settings, you can use an existing ec2_iam_role when
creating a cluster, but you must define the IAM policy and role before attempting to launch the cluster. Typically, you choose an existing IAM
role for Amazon EC2 to minimize the permissions that are granted to users as they launch clusters. The AWS ParallelCluster example instance and user policies
include the minimum permissions required by AWS ParallelCluster and its features. You must create both policies and roles as
individual policies in IAM and then attach the roles and policies to the appropriate resources. Some of the role policies might get large and cause quota errors.
For more information, see Troubleshooting IAM policy size issues. In the policies, replace
<REGION>, <AWS ACCOUNT ID>, and similar strings with the appropriate values.
If your intent is to add extra policies to the default settings for cluster nodes, we recommend that you pass the additional custom IAM policies with the additional_iam_policies setting instead of using the ec2_iam_role settings.
AWS ParallelCluster example instance and user policies
The following example policies include Amazon Resource Names (ARNs) for the resources. If
you're working in the AWS GovCloud (US) or AWS China partitions, the ARNs must be changed. Specifically, they must be
changed from "arn:aws" to "arn:aws-us-gov" for the AWS GovCloud (US) partition or "arn:aws-cn" for the AWS China
partition. For more information, see Amazon Resource Names (ARNs) in AWS GovCloud (US)
Regions in the AWS GovCloud (US) User Guide and ARNs for AWS services in China
These policies include the minimum permissions currently required by AWS ParallelCluster, its features, and resources. Some of the role policies might get large and cause quota errors. For more information, see Troubleshooting IAM policy size issues.
Topics
- ParallelClusterInstancePolicy using SGE, Slurm, or Torque
- ParallelClusterInstancePolicy using awsbatch
- ParallelClusterUserPolicy using Slurm
- ParallelClusterUserPolicy using SGE or Torque
- ParallelClusterUserPolicy using awsbatch
- ParallelClusterLambdaPolicy using SGE, Slurm, or Torque
- ParallelClusterLambdaPolicy using awsbatch
- ParallelClusterUserPolicy for users
ParallelClusterInstancePolicy using SGE, Slurm, or
Torque
Starting with version 2.11.5, AWS ParallelCluster doesn't support the use of SGE or Torque schedulers. You can continue using them in versions up to and including 2.11.4, but they aren't eligible for future updates or troubleshooting support from the AWS service and AWS Support teams.
ParallelClusterInstancePolicy using Slurm
The following example sets the ParallelClusterInstancePolicy using Slurm as the scheduler.
{ "Version": "2012-10-17", "Statement": [ { "Action": [ "ec2:DescribeVolumes", "ec2:AttachVolume", "ec2:DescribeInstanceAttribute", "ec2:DescribeInstanceStatus", "ec2:DescribeInstanceTypes", "ec2:DescribeInstances", "ec2:DescribeRegions", "ec2:TerminateInstances", "ec2:DescribeLaunchTemplates", "ec2:CreateTags" ], "Resource": [ "*" ], "Effect": "Allow", "Sid": "EC2" }, { "Action": "ec2:RunInstances", "Resource": [ "arn:aws:ec2:<REGION>:<AWS ACCOUNT ID>:subnet/<COMPUTE SUBNET ID>", "arn:aws:ec2:<REGION>:<AWS ACCOUNT ID>:network-interface/*", "arn:aws:ec2:<REGION>:<AWS ACCOUNT ID>:instance/*", "arn:aws:ec2:<REGION>:<AWS ACCOUNT ID>:volume/*", "arn:aws:ec2:<REGION>::image/<IMAGE ID>", "arn:aws:ec2:<REGION>:<AWS ACCOUNT ID>:key-pair/<KEY NAME>", "arn:aws:ec2:<REGION>:<AWS ACCOUNT ID>:security-group/*", "arn:aws:ec2:<REGION>:<AWS ACCOUNT ID>:launch-template/*", "arn:aws:ec2:<REGION>:<AWS ACCOUNT ID>:placement-group/*" ], "Effect": "Allow", "Sid": "EC2RunInstances" }, { "Action": [ "dynamodb:ListTables" ], "Resource": [ "*" ], "Effect": "Allow", "Sid": "DynamoDBList" }, { "Action": [ "cloudformation:DescribeStacks", "cloudformation:DescribeStackResource", "cloudformation:SignalResource" ], "Resource": [ "arn:aws:cloudformation:<REGION>:<AWS ACCOUNT ID>:stack/parallelcluster-*/*" ], "Effect": "Allow", "Sid": "CloudFormation" }, { "Action": [ "dynamodb:PutItem", "dynamodb:Query", "dynamodb:GetItem", "dynamodb:BatchWriteItem", "dynamodb:DeleteItem", "dynamodb:DescribeTable" ], "Resource": [ "arn:aws:dynamodb:<REGION>:<AWS ACCOUNT ID>:table/parallelcluster-*" ], "Effect": "Allow", "Sid": "DynamoDBTable" }, { "Action": [ "s3:GetObject" ], "Resource": [ "arn:aws:s3:::<REGION>-aws-parallelcluster/*" ], "Effect": "Allow", "Sid": "S3GetObj" }, { "Action": [ "iam:PassRole" ], "Resource": [ "*" ], "Effect": "Allow", "Sid": "IAMPassRole", "Condition": { "StringEquals": { "iam:PassedToService": [ "ec2.amazonaws.com" ] } } }, { "Action": [ "s3:GetObject" ], "Resource": [ "arn:aws:s3:::dcv-license.<REGION>/*" ], "Effect": "Allow", "Sid": "DcvLicense" }, { "Action": [ "s3:GetObject", "s3:GetObjectVersion" ], "Resource": [ "arn:aws:s3:::parallelcluster-*/*" ], "Effect": "Allow", "Sid": "GetClusterConfig" }, { "Action": [ "fsx:DescribeFileSystems" ], "Resource": [ "*" ], "Effect": "Allow", "Sid": "FSx" }, { "Action": [ "logs:CreateLogStream", "logs:PutLogEvents" ], "Resource": [ "*" ], "Effect": "Allow", "Sid": "CWLogs" }, { "Action": [ "route53:ChangeResourceRecordSets" ], "Resource": [ "arn:aws:route53:::hostedzone/*" ], "Effect": "Allow", "Sid": "Route53" } ] }
ParallelClusterInstancePolicy using SGE or
Torque
The following example sets the ParallelClusterInstancePolicy using SGE or Torque as
the scheduler.
This policy only applies to AWS ParallelCluster versions up to and including version 2.11.4. Starting with version 2.11.5, AWS ParallelCluster doesn't support the use of SGE or Torque schedulers.
{ "Version": "2012-10-17", "Statement": [ { "Action": [ "ec2:DescribeVolumes", "ec2:AttachVolume", "ec2:DescribeInstanceAttribute", "ec2:DescribeInstanceStatus", "ec2:DescribeInstanceTypes", "ec2:DescribeInstances", "ec2:DescribeRegions", "ec2:TerminateInstances", "ec2:DescribeLaunchTemplates", "ec2:CreateTags" ], "Resource": [ "*" ], "Effect": "Allow", "Sid": "EC2" }, { "Action": "ec2:RunInstances", "Resource": [ "arn:aws:ec2:<REGION>:<AWS ACCOUNT ID>:subnet/<COMPUTE SUBNET ID>", "arn:aws:ec2:<REGION>:<AWS ACCOUNT ID>:network-interface/*", "arn:aws:ec2:<REGION>:<AWS ACCOUNT ID>:instance/*", "arn:aws:ec2:<REGION>:<AWS ACCOUNT ID>:volume/*", "arn:aws:ec2:<REGION>::image/<IMAGE ID>", "arn:aws:ec2:<REGION>:<AWS ACCOUNT ID>:key-pair/<KEY NAME>", "arn:aws:ec2:<REGION>:<AWS ACCOUNT ID>:security-group/*", "arn:aws:ec2:<REGION>:<AWS ACCOUNT ID>:launch-template/*", "arn:aws:ec2:<REGION>:<AWS ACCOUNT ID>:placement-group/*" ], "Effect": "Allow", "Sid": "EC2RunInstances" }, { "Action": [ "dynamodb:ListTables" ], "Resource": [ "*" ], "Effect": "Allow", "Sid": "DynamoDBList" }, { "Action": [ "sqs:SendMessage", "sqs:ReceiveMessage", "sqs:ChangeMessageVisibility", "sqs:DeleteMessage", "sqs:GetQueueUrl" ], "Resource": [ "arn:aws:sqs:<REGION>:<AWS ACCOUNT ID>:parallelcluster-*" ], "Effect": "Allow", "Sid": "SQSQueue" }, { "Action": [ "autoscaling:DescribeAutoScalingGroups", "autoscaling:TerminateInstanceInAutoScalingGroup", "autoscaling:SetDesiredCapacity", "autoscaling:UpdateAutoScalingGroup", "autoscaling:DescribeTags", "autoscaling:SetInstanceHealth" ], "Resource": [ "*" ], "Effect": "Allow", "Sid": "Autoscaling" }, { "Action": [ "cloudformation:DescribeStacks", "cloudformation:DescribeStackResource", "cloudformation:SignalResource" ], "Resource": [ "arn:aws:cloudformation:<REGION>:<AWS ACCOUNT ID>:stack/parallelcluster-*/*" ], "Effect": "Allow", "Sid": "CloudFormation" }, { "Action": [ "dynamodb:PutItem", "dynamodb:Query", "dynamodb:GetItem", "dynamodb:BatchWriteItem", "dynamodb:DeleteItem", "dynamodb:DescribeTable" ], "Resource": [ "arn:aws:dynamodb:<REGION>:<AWS ACCOUNT ID>:table/parallelcluster-*" ], "Effect": "Allow", "Sid": "DynamoDBTable" }, { "Action": [ "s3:GetObject" ], "Resource": [ "arn:aws:s3:::<REGION>-aws-parallelcluster/*" ], "Effect": "Allow", "Sid": "S3GetObj" }, { "Action": [ "sqs:ListQueues" ], "Resource": [ "*" ], "Effect": "Allow", "Sid": "SQSList" }, { "Action": [ "iam:PassRole" ], "Resource": [ "*" ], "Effect": "Allow", "Sid": "IAMPassRole", "Condition": { "StringEquals": { "iam:PassedToService": [ "ec2.amazonaws.com" ] } } }, { "Action": [ "s3:GetObject" ], "Resource": [ "arn:aws:s3:::dcv-license.<REGION>/*" ], "Effect": "Allow", "Sid": "DcvLicense" }, { "Action": [ "s3:GetObject", "s3:GetObjectVersion" ], "Resource": [ "arn:aws:s3:::parallelcluster-*/*" ], "Effect": "Allow", "Sid": "GetClusterConfig" }, { "Action": [ "fsx:DescribeFileSystems" ], "Resource": [ "*" ], "Effect": "Allow", "Sid": "FSx" }, { "Action": [ "logs:CreateLogStream", "logs:PutLogEvents" ], "Resource": [ "*" ], "Effect": "Allow", "Sid": "CWLogs" }, { "Action": [ "route53:ChangeResourceRecordSets" ], "Resource": [ "arn:aws:route53:::hostedzone/*" ], "Effect": "Allow", "Sid": "Route53" } ] }
ParallelClusterInstancePolicy using
awsbatch
The following example sets the ParallelClusterInstancePolicy using awsbatch as the
scheduler. You must include the same policies that are assigned to the BatchUserRole that is defined in
the AWS Batch AWS CloudFormation nested stack. The BatchUserRole ARN is provided as a stack output. In this example,
“<RESOURCES S3 BUCKET>” is the value of the cluster_resource_bucket setting; if cluster_resource_bucket is not specified then
“<RESOURCES S3 BUCKET>” is “parallelcluster-*”. The following example is an overview
of the required permissions:
{ "Version": "2012-10-17", "Statement": [ { "Action": [ "batch:RegisterJobDefinition", "logs:GetLogEvents" ], "Resource": [ "*" ], "Effect": "Allow" }, { "Action": [ "batch:SubmitJob", "cloudformation:DescribeStacks", "ecs:ListContainerInstances", "ecs:DescribeContainerInstances", "logs:FilterLogEvents", "s3:PutObject", "s3:Get*", "s3:DeleteObject", "iam:PassRole" ], "Resource": [ "arn:aws:batch:<REGION>:<AWS ACCOUNT ID>:job-definition/<AWS_BATCH_STACK - JOB_DEFINITION_SERIAL_NAME>:1", "arn:aws:batch:<REGION>:<AWS ACCOUNT ID>:job-definition/<AWS_BATCH_STACK - JOB_DEFINITION_MNP_NAME>*", "arn:aws:batch:<REGION>:<AWS ACCOUNT ID>:job-queue/<AWS_BATCH_STACK - JOB_QUEUE_NAME>", "arn:aws:cloudformation:<REGION>:<AWS ACCOUNT ID>:stack/<STACK NAME>/*", "arn:aws:s3:::<RESOURCES S3 BUCKET>/batch/*", "arn:aws:iam::<AWS ACCOUNT ID>:role/<AWS_BATCH_STACK - JOB_ROLE>", "arn:aws:ecs:<REGION>:<AWS ACCOUNT ID>:cluster/<ECS COMPUTE ENVIRONMENT>", "arn:aws:ecs:<REGION>:<AWS ACCOUNT ID>:container-instance/*", "arn:aws:logs:<REGION>:<AWS ACCOUNT ID>:log-group:/aws/batch/job:log-stream:*" ], "Effect": "Allow" }, { "Action": [ "s3:List*" ], "Resource": [ "arn:aws:s3:::<RESOURCES S3 BUCKET>" ], "Effect": "Allow" }, { "Action": [ "batch:DescribeJobQueues", "batch:TerminateJob", "batch:DescribeJobs", "batch:CancelJob", "batch:DescribeJobDefinitions", "batch:ListJobs", "batch:DescribeComputeEnvironments" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "ec2:DescribeInstances", "ec2:AttachVolume", "ec2:DescribeVolumes", "ec2:DescribeInstanceAttribute" ], "Resource": "*", "Effect": "Allow", "Sid": "EC2" }, { "Action": [ "cloudformation:DescribeStackResource", "cloudformation:SignalResource" ], "Resource": "*", "Effect": "Allow", "Sid": "CloudFormation" }, { "Action": [ "fsx:DescribeFileSystems" ], "Resource": [ "*" ], "Effect": "Allow", "Sid": "FSx" }, { "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream" ], "Resource": [ "*" ], "Effect": "Allow", "Sid": "CWLogs" } ] }
ParallelClusterUserPolicy using Slurm
The following example sets the ParallelClusterUserPolicy, using Slurm as the scheduler. In this
example, “<RESOURCES S3 BUCKET>” is the value of the cluster_resource_bucket setting; if cluster_resource_bucket is not specified then
“<RESOURCES S3 BUCKET>” is “parallelcluster-*”.
If you use a custom role, ec2_iam_role =
, you must change the IAM resource to include the name of that
role from:<role_name>
"Resource": "arn:aws:iam::<AWS ACCOUNT
ID>:role/parallelcluster-*"
To:
"Resource": "arn:aws:iam::<AWS ACCOUNT
ID>:role/<role_name>"
{ "Version": "2012-10-17", "Statement": [ { "Action": [ "ec2:DescribeKeyPairs", "ec2:DescribeRegions", "ec2:DescribeVpcs", "ec2:DescribeSubnets", "ec2:DescribeSecurityGroups", "ec2:DescribePlacementGroups", "ec2:DescribeImages", "ec2:DescribeInstances", "ec2:DescribeInstanceStatus", "ec2:DescribeInstanceTypes", "ec2:DescribeInstanceTypeOfferings", "ec2:DescribeSnapshots", "ec2:DescribeVolumes", "ec2:DescribeVpcAttribute", "ec2:DescribeAddresses", "ec2:CreateTags", "ec2:DescribeNetworkInterfaces", "ec2:DescribeAvailabilityZones" ], "Resource": "*", "Effect": "Allow", "Sid": "EC2Describe" }, { "Action": [ "ec2:CreateVpc", "ec2:ModifyVpcAttribute", "ec2:DescribeNatGateways", "ec2:CreateNatGateway", "ec2:DescribeInternetGateways", "ec2:CreateInternetGateway", "ec2:AttachInternetGateway", "ec2:DescribeRouteTables", "ec2:CreateRoute", "ec2:CreateRouteTable", "ec2:AssociateRouteTable", "ec2:CreateSubnet", "ec2:ModifySubnetAttribute" ], "Resource": "*", "Effect": "Allow", "Sid": "NetworkingEasyConfig" }, { "Action": [ "ec2:CreateVolume", "ec2:RunInstances", "ec2:AllocateAddress", "ec2:AssociateAddress", "ec2:AttachNetworkInterface", "ec2:AuthorizeSecurityGroupEgress", "ec2:AuthorizeSecurityGroupIngress", "ec2:CreateNetworkInterface", "ec2:CreateSecurityGroup", "ec2:ModifyVolumeAttribute", "ec2:ModifyNetworkInterfaceAttribute", "ec2:DeleteNetworkInterface", "ec2:DeleteVolume", "ec2:TerminateInstances", "ec2:DeleteSecurityGroup", "ec2:DisassociateAddress", "ec2:RevokeSecurityGroupIngress", "ec2:RevokeSecurityGroupEgress", "ec2:ReleaseAddress", "ec2:CreatePlacementGroup", "ec2:DeletePlacementGroup" ], "Resource": "*", "Effect": "Allow", "Sid": "EC2Modify" }, { "Action": [ "autoscaling:CreateAutoScalingGroup", "ec2:CreateLaunchTemplate", "ec2:CreateLaunchTemplateVersion", "ec2:ModifyLaunchTemplate", "ec2:DeleteLaunchTemplate", "ec2:DescribeLaunchTemplates", "ec2:DescribeLaunchTemplateVersions" ], "Resource": "*", "Effect": "Allow", "Sid": "ScalingModify" }, { "Action": [ "dynamodb:DescribeTable", "dynamodb:ListTagsOfResource" ], "Resource": "*", "Effect": "Allow", "Sid": "DynamoDBDescribe" }, { "Action": [ "dynamodb:CreateTable", "dynamodb:DeleteTable", "dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:Query", "dynamodb:TagResource" ], "Resource": "*", "Effect": "Allow", "Sid": "DynamoDBModify" }, { "Action": [ "route53:ChangeResourceRecordSets", "route53:ChangeTagsForResource", "route53:CreateHostedZone", "route53:DeleteHostedZone", "route53:GetChange", "route53:GetHostedZone", "route53:ListResourceRecordSets", "route53:ListQueryLoggingConfigs" ], "Resource": "*", "Effect": "Allow", "Sid": "Route53HostedZones" }, { "Action": [ "cloudformation:DescribeStackEvents", "cloudformation:DescribeStackResource", "cloudformation:DescribeStackResources", "cloudformation:DescribeStacks", "cloudformation:ListStacks", "cloudformation:GetTemplate" ], "Resource": "*", "Effect": "Allow", "Sid": "CloudFormationDescribe" }, { "Action": [ "cloudformation:CreateStack", "cloudformation:DeleteStack", "cloudformation:UpdateStack" ], "Effect": "Allow", "Resource": "*", "Sid": "CloudFormationModify" }, { "Action": [ "s3:*" ], "Resource": [ "arn:aws:s3:::<RESOURCES S3 BUCKET>" ], "Effect": "Allow", "Sid": "S3ResourcesBucket" }, { "Action": [ "s3:Get*", "s3:List*" ], "Resource": [ "arn:aws:s3:::<REGION>-aws-parallelcluster*" ], "Effect": "Allow", "Sid": "S3ParallelClusterReadOnly" }, { "Action": [ "s3:DeleteBucket", "s3:DeleteObject", "s3:DeleteObjectVersion" ], "Resource": [ "arn:aws:s3:::<RESOURCES S3 BUCKET>" ], "Effect": "Allow", "Sid": "S3Delete" }, { "Action": [ "iam:PassRole", "iam:CreateRole", "iam:DeleteRole", "iam:GetRole", "iam:TagRole", "iam:SimulatePrincipalPolicy" ], "Resource": [ "arn:aws:iam::<AWS ACCOUNT ID>:role/<PARALLELCLUSTER EC2 ROLE NAME>", "arn:aws:iam::<AWS ACCOUNT ID>:role/parallelcluster-*" ], "Effect": "Allow", "Sid": "IAMModify" }, { "Condition": { "StringEquals": { "iam:AWSServiceName": [ "fsx.amazonaws.com", "s3.data-source.lustre.fsx.amazonaws.com" ] } }, "Action": [ "iam:CreateServiceLinkedRole" ], "Resource": "arn:aws:iam::<AWS ACCOUNT ID>:role/aws-service-role/*", "Effect": "Allow", "Sid": "IAMServiceLinkedRole" }, { "Action": [ "iam:CreateInstanceProfile", "iam:DeleteInstanceProfile" ], "Resource": "arn:aws:iam::<AWS ACCOUNT ID>:instance-profile/*", "Effect": "Allow", "Sid": "IAMCreateInstanceProfile" }, { "Action": [ "iam:AddRoleToInstanceProfile", "iam:RemoveRoleFromInstanceProfile", "iam:GetRolePolicy", "iam:GetPolicy", "iam:AttachRolePolicy", "iam:DetachRolePolicy", "iam:PutRolePolicy", "iam:DeleteRolePolicy" ], "Resource": "*", "Effect": "Allow", "Sid": "IAMInstanceProfile" }, { "Action": [ "elasticfilesystem:DescribeMountTargets", "elasticfilesystem:DescribeMountTargetSecurityGroups", "ec2:DescribeNetworkInterfaceAttribute" ], "Resource": "*", "Effect": "Allow", "Sid": "EFSDescribe" }, { "Action": [ "ssm:GetParametersByPath" ], "Resource": "*", "Effect": "Allow", "Sid": "SSMDescribe" }, { "Action": [ "fsx:*" ], "Resource": "*", "Effect": "Allow", "Sid": "FSx" }, { "Action": [ "elasticfilesystem:*" ], "Resource": "*", "Effect": "Allow", "Sid": "EFS" }, { "Action": [ "logs:DeleteLogGroup", "logs:PutRetentionPolicy", "logs:DescribeLogGroups", "logs:CreateLogGroup" ], "Resource": "*", "Effect": "Allow", "Sid": "CloudWatchLogs" }, { "Action": [ "lambda:CreateFunction", "lambda:DeleteFunction", "lambda:GetFunctionConfiguration", "lambda:GetFunction", "lambda:InvokeFunction", "lambda:AddPermission", "lambda:RemovePermission", "lambda:TagResource", "lambda:ListTags", "lambda:UntagResource" ], "Resource": [ "arn:aws:lambda:<REGION>:<AWS ACCOUNT ID>:function:parallelcluster-*", "arn:aws:lambda:<REGION>:<AWS ACCOUNT ID>:function:pcluster-*" ], "Effect": "Allow", "Sid": "Lambda" }, { "Sid": "CloudWatch", "Effect": "Allow", "Action": [ "cloudwatch:PutDashboard", "cloudwatch:ListDashboards", "cloudwatch:DeleteDashboards", "cloudwatch:GetDashboard" ], "Resource": "*" } ] }
ParallelClusterUserPolicy using SGE or
Torque
This section only applies to AWS ParallelCluster versions up to and including version 2.11.4. Starting with version 2.11.5, AWS ParallelCluster doesn't support the use of SGE or Torque schedulers.
The following example sets the ParallelClusterUserPolicy, using SGE or Torque as the
scheduler. In this example, “<RESOURCES S3 BUCKET>” is the value of the cluster_resource_bucket setting; if cluster_resource_bucket is not specified then
“<RESOURCES S3 BUCKET>” is “parallelcluster-*”.
If you use a custom role, ec2_iam_role =
, you must change the IAM resource to include the name of that
role from:<role_name>
"Resource": "arn:aws:iam::<AWS ACCOUNT
ID>:role/parallelcluster-*"
To:
"Resource": "arn:aws:iam::<AWS ACCOUNT
ID>:role/<role_name>"
{ "Version": "2012-10-17", "Statement": [ { "Action": [ "ec2:DescribeKeyPairs", "ec2:DescribeRegions", "ec2:DescribeVpcs", "ec2:DescribeSubnets", "ec2:DescribeSecurityGroups", "ec2:DescribePlacementGroups", "ec2:DescribeImages", "ec2:DescribeInstances", "ec2:DescribeInstanceStatus", "ec2:DescribeInstanceTypes", "ec2:DescribeInstanceTypeOfferings", "ec2:DescribeSnapshots", "ec2:DescribeVolumes", "ec2:DescribeVpcAttribute", "ec2:DescribeAddresses", "ec2:CreateTags", "ec2:DescribeNetworkInterfaces", "ec2:DescribeAvailabilityZones" ], "Resource": "*", "Effect": "Allow", "Sid": "EC2Describe" }, { "Action": [ "ec2:CreateVpc", "ec2:ModifyVpcAttribute", "ec2:DescribeNatGateways", "ec2:CreateNatGateway", "ec2:DescribeInternetGateways", "ec2:CreateInternetGateway", "ec2:AttachInternetGateway", "ec2:DescribeRouteTables", "ec2:CreateRoute", "ec2:CreateRouteTable", "ec2:AssociateRouteTable", "ec2:CreateSubnet", "ec2:ModifySubnetAttribute" ], "Resource": "*", "Effect": "Allow", "Sid": "NetworkingEasyConfig" }, { "Action": [ "ec2:CreateVolume", "ec2:RunInstances", "ec2:AllocateAddress", "ec2:AssociateAddress", "ec2:AttachNetworkInterface", "ec2:AuthorizeSecurityGroupEgress", "ec2:AuthorizeSecurityGroupIngress", "ec2:CreateNetworkInterface", "ec2:CreateSecurityGroup", "ec2:ModifyVolumeAttribute", "ec2:ModifyNetworkInterfaceAttribute", "ec2:DeleteNetworkInterface", "ec2:DeleteVolume", "ec2:TerminateInstances", "ec2:DeleteSecurityGroup", "ec2:DisassociateAddress", "ec2:RevokeSecurityGroupIngress", "ec2:RevokeSecurityGroupEgress", "ec2:ReleaseAddress", "ec2:CreatePlacementGroup", "ec2:DeletePlacementGroup" ], "Resource": "*", "Effect": "Allow", "Sid": "EC2Modify" }, { "Action": [ "autoscaling:DescribeAutoScalingGroups", "autoscaling:DescribeAutoScalingInstances" ], "Resource": "*", "Effect": "Allow", "Sid": "AutoScalingDescribe" }, { "Action": [ "autoscaling:CreateAutoScalingGroup", "ec2:CreateLaunchTemplate", "ec2:CreateLaunchTemplateVersion", "ec2:ModifyLaunchTemplate", "ec2:DeleteLaunchTemplate", "ec2:DescribeLaunchTemplates", "ec2:DescribeLaunchTemplateVersions", "autoscaling:PutNotificationConfiguration", "autoscaling:UpdateAutoScalingGroup", "autoscaling:PutScalingPolicy", "autoscaling:DescribeScalingActivities", "autoscaling:DeleteAutoScalingGroup", "autoscaling:DeletePolicy", "autoscaling:DisableMetricsCollection", "autoscaling:EnableMetricsCollection" ], "Resource": "*", "Effect": "Allow", "Sid": "AutoScalingModify" }, { "Action": [ "dynamodb:DescribeTable", "dynamodb:ListTagsOfResource" ], "Resource": "*", "Effect": "Allow", "Sid": "DynamoDBDescribe" }, { "Action": [ "dynamodb:CreateTable", "dynamodb:DeleteTable", "dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:Query", "dynamodb:TagResource" ], "Resource": "*", "Effect": "Allow", "Sid": "DynamoDBModify" }, { "Action": [ "sqs:GetQueueAttributes" ], "Resource": "*", "Effect": "Allow", "Sid": "SQSDescribe" }, { "Action": [ "sqs:CreateQueue", "sqs:SetQueueAttributes", "sqs:DeleteQueue", "sqs:TagQueue" ], "Resource": "*", "Effect": "Allow", "Sid": "SQSModify" }, { "Action": [ "sns:ListTopics", "sns:GetTopicAttributes" ], "Resource": "*", "Effect": "Allow", "Sid": "SNSDescribe" }, { "Action": [ "sns:CreateTopic", "sns:Subscribe", "sns:Unsubscribe", "sns:DeleteTopic" ], "Resource": "*", "Effect": "Allow", "Sid": "SNSModify" }, { "Action": [ "cloudformation:DescribeStackEvents", "cloudformation:DescribeStackResource", "cloudformation:DescribeStackResources", "cloudformation:DescribeStacks", "cloudformation:ListStacks", "cloudformation:GetTemplate" ], "Resource": "*", "Effect": "Allow", "Sid": "CloudFormationDescribe" }, { "Action": [ "cloudformation:CreateStack", "cloudformation:DeleteStack", "cloudformation:UpdateStack" ], "Effect": "Allow", "Resource": "*", "Sid": "CloudFormationModify" }, { "Action": [ "s3:*" ], "Resource": [ "arn:aws:s3:::<RESOURCES S3 BUCKET>" ], "Effect": "Allow", "Sid": "S3ResourcesBucket" }, { "Action": [ "s3:Get*", "s3:List*" ], "Resource": [ "arn:aws:s3:::<REGION>-aws-parallelcluster*" ], "Effect": "Allow", "Sid": "S3ParallelClusterReadOnly" }, { "Action": [ "s3:DeleteBucket", "s3:DeleteObject", "s3:DeleteObjectVersion" ], "Resource": [ "arn:aws:s3:::<RESOURCES S3 BUCKET>" ], "Effect": "Allow", "Sid": "S3Delete" }, { "Action": [ "iam:PassRole", "iam:CreateRole", "iam:DeleteRole", "iam:GetRole", "iam:TagRole", "iam:SimulatePrincipalPolicy" ], "Resource": [ "arn:aws:iam::<AWS ACCOUNT ID>:role/<PARALLELCLUSTER EC2 ROLE NAME>", "arn:aws:iam::<AWS ACCOUNT ID>:role/parallelcluster-*" ], "Effect": "Allow", "Sid": "IAMModify" }, { "Condition": { "StringEquals": { "iam:AWSServiceName": [ "fsx.amazonaws.com", "s3.data-source.lustre.fsx.amazonaws.com" ] } }, "Action": [ "iam:CreateServiceLinkedRole" ], "Resource": "arn:aws:iam::<AWS ACCOUNT ID>:role/aws-service-role/*", "Effect": "Allow", "Sid": "IAMServiceLinkedRole" }, { "Action": [ "iam:CreateInstanceProfile", "iam:DeleteInstanceProfile" ], "Resource": "arn:aws:iam::<AWS ACCOUNT ID>:instance-profile/*", "Effect": "Allow", "Sid": "IAMCreateInstanceProfile" }, { "Action": [ "iam:AddRoleToInstanceProfile", "iam:RemoveRoleFromInstanceProfile", "iam:GetRolePolicy", "iam:GetPolicy", "iam:AttachRolePolicy", "iam:DetachRolePolicy", "iam:PutRolePolicy", "iam:DeleteRolePolicy" ], "Resource": "*", "Effect": "Allow", "Sid": "IAMInstanceProfile" }, { "Action": [ "elasticfilesystem:DescribeMountTargets", "elasticfilesystem:DescribeMountTargetSecurityGroups", "ec2:DescribeNetworkInterfaceAttribute" ], "Resource": "*", "Effect": "Allow", "Sid": "EFSDescribe" }, { "Action": [ "ssm:GetParametersByPath" ], "Resource": "*", "Effect": "Allow", "Sid": "SSMDescribe" }, { "Action": [ "fsx:*" ], "Resource": "*", "Effect": "Allow", "Sid": "FSx" }, { "Action": [ "elasticfilesystem:*" ], "Resource": "*", "Effect": "Allow", "Sid": "EFS" }, { "Action": [ "logs:DeleteLogGroup", "logs:PutRetentionPolicy", "logs:DescribeLogGroups", "logs:CreateLogGroup" ], "Resource": "*", "Effect": "Allow", "Sid": "CloudWatchLogs" }, { "Action": [ "lambda:CreateFunction", "lambda:DeleteFunction", "lambda:GetFunctionConfiguration", "lambda:GetFunction", "lambda:InvokeFunction", "lambda:AddPermission", "lambda:RemovePermission", "lambda:TagResource", "lambda:ListTags", "lambda:UntagResource" ], "Resource": [ "arn:aws:lambda:<REGION>:<AWS ACCOUNT ID>:function:parallelcluster-*", "arn:aws:lambda:<REGION>:<AWS ACCOUNT ID>:function:pcluster-*" ], "Effect": "Allow", "Sid": "Lambda" }, { "Sid": "CloudWatch", "Effect": "Allow", "Action": [ "cloudwatch:PutDashboard", "cloudwatch:ListDashboards", "cloudwatch:DeleteDashboards", "cloudwatch:GetDashboard" ], "Resource": "*" } ] }
ParallelClusterUserPolicy using
awsbatch
The following example sets the ParallelClusterUserPolicy using awsbatch as the
scheduler. In this example, “<RESOURCES S3 BUCKET>” is the value of the cluster_resource_bucket setting; if cluster_resource_bucket is not specified then
“<RESOURCES S3 BUCKET>” is “parallelcluster-*”.
{ "Version": "2012-10-17", "Statement": [ { "Action": [ "ec2:DescribeKeyPairs", "ec2:DescribeRegions", "ec2:DescribeVpcs", "ec2:DescribeSubnets", "ec2:DescribeSecurityGroups", "ec2:DescribePlacementGroups", "ec2:DescribeImages", "ec2:DescribeInstances", "ec2:DescribeInstanceStatus", "ec2:DescribeInstanceTypes", "ec2:DescribeInstanceTypeOfferings", "ec2:DescribeSnapshots", "ec2:DescribeVolumes", "ec2:DescribeVpcAttribute", "ec2:DescribeAddresses", "ec2:CreateTags", "ec2:DescribeNetworkInterfaces", "ec2:DescribeAvailabilityZones" ], "Resource": "*", "Effect": "Allow", "Sid": "EC2Describe" }, { "Action": [ "ec2:CreateLaunchTemplate", "ec2:CreateLaunchTemplateVersion", "ec2:ModifyLaunchTemplate", "ec2:DeleteLaunchTemplate", "ec2:DescribeLaunchTemplates", "ec2:DescribeLaunchTemplateVersions" ], "Resource": "*", "Effect": "Allow", "Sid": "EC2LaunchTemplate" }, { "Action": [ "ec2:CreateVpc", "ec2:ModifyVpcAttribute", "ec2:DescribeNatGateways", "ec2:CreateNatGateway", "ec2:DescribeInternetGateways", "ec2:CreateInternetGateway", "ec2:AttachInternetGateway", "ec2:DescribeRouteTables", "ec2:CreateRoute", "ec2:CreateRouteTable", "ec2:AssociateRouteTable", "ec2:CreateSubnet", "ec2:ModifySubnetAttribute" ], "Resource": "*", "Effect": "Allow", "Sid": "NetworkingEasyConfig" }, { "Action": [ "ec2:CreateVolume", "ec2:RunInstances", "ec2:AllocateAddress", "ec2:AssociateAddress", "ec2:AttachNetworkInterface", "ec2:AuthorizeSecurityGroupEgress", "ec2:AuthorizeSecurityGroupIngress", "ec2:CreateNetworkInterface", "ec2:CreateSecurityGroup", "ec2:ModifyVolumeAttribute", "ec2:ModifyNetworkInterfaceAttribute", "ec2:DeleteNetworkInterface", "ec2:DeleteVolume", "ec2:TerminateInstances", "ec2:DeleteSecurityGroup", "ec2:DisassociateAddress", "ec2:RevokeSecurityGroupIngress", "ec2:RevokeSecurityGroupEgress", "ec2:ReleaseAddress", "ec2:CreatePlacementGroup", "ec2:DeletePlacementGroup" ], "Resource": "*", "Effect": "Allow", "Sid": "EC2Modify" }, { "Action": [ "dynamodb:DescribeTable", "dynamodb:CreateTable", "dynamodb:DeleteTable", "dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:Query", "dynamodb:TagResource" ], "Resource": "arn:aws:dynamodb:<REGION>:<AWS ACCOUNT ID>:table/parallelcluster-*", "Effect": "Allow", "Sid": "DynamoDB" }, { "Action": [ "cloudformation:DescribeStackEvents", "cloudformation:DescribeStackResource", "cloudformation:DescribeStackResources", "cloudformation:DescribeStacks", "cloudformation:ListStacks", "cloudformation:GetTemplate", "cloudformation:CreateStack", "cloudformation:DeleteStack", "cloudformation:UpdateStack" ], "Resource": "arn:aws:cloudformation:<REGION>:<AWS ACCOUNT ID>:stack/parallelcluster-*", "Effect": "Allow", "Sid": "CloudFormation" }, { "Action": [ "route53:ChangeResourceRecordSets", "route53:ChangeTagsForResource", "route53:CreateHostedZone", "route53:DeleteHostedZone", "route53:GetChange", "route53:GetHostedZone", "route53:ListResourceRecordSets" ], "Resource": "arn:aws:route53:::hostedzone/*", "Effect": "Allow", "Sid": "Route53HostedZones" }, { "Action": [ "sqs:GetQueueAttributes", "sqs:CreateQueue", "sqs:SetQueueAttributes", "sqs:DeleteQueue", "sqs:TagQueue" ], "Resource": "*", "Effect": "Allow", "Sid": "SQS" }, { "Action": [ "sqs:SendMessage", "sqs:ReceiveMessage", "sqs:ChangeMessageVisibility", "sqs:DeleteMessage", "sqs:GetQueueUrl" ], "Resource": "arn:aws:sqs:<REGION>:<AWS ACCOUNT ID>:parallelcluster-*", "Effect": "Allow", "Sid": "SQSQueue" }, { "Action": [ "sns:ListTopics", "sns:GetTopicAttributes", "sns:CreateTopic", "sns:Subscribe", "sns:Unsubscribe", "sns:DeleteTopic" ], "Resource": "*", "Effect": "Allow", "Sid": "SNS" }, { "Action": [ "iam:PassRole", "iam:CreateRole", "iam:DeleteRole", "iam:GetRole", "iam:TagRole", "iam:SimulatePrincipalPolicy" ], "Resource": [ "arn:aws:iam::<AWS ACCOUNT ID>:role/parallelcluster-*", "arn:aws:iam::<AWS ACCOUNT ID>:role/<PARALLELCLUSTER EC2 ROLE NAME>" ], "Effect": "Allow", "Sid": "IAMRole" }, { "Action": [ "iam:CreateInstanceProfile", "iam:DeleteInstanceProfile", "iam:GetInstanceProfile", "iam:PassRole" ], "Resource": "arn:aws:iam::<AWS ACCOUNT ID>:instance-profile/*", "Effect": "Allow", "Sid": "IAMInstanceProfile" }, { "Action": [ "iam:AddRoleToInstanceProfile", "iam:RemoveRoleFromInstanceProfile", "iam:GetRolePolicy", "iam:PutRolePolicy", "iam:DeleteRolePolicy", "iam:GetPolicy", "iam:AttachRolePolicy", "iam:DetachRolePolicy" ], "Resource": "*", "Effect": "Allow", "Sid": "IAM" }, { "Action": [ "s3:*" ], "Resource": [ "arn:aws:s3:::<RESOURCES S3 BUCKET>" ], "Effect": "Allow", "Sid": "S3ResourcesBucket" }, { "Action": [ "s3:Get*", "s3:List*" ], "Resource": [ "arn:aws:s3:::<REGION>-aws-parallelcluster/*" ], "Effect": "Allow", "Sid": "S3ParallelClusterReadOnly" }, { "Action": [ "s3:DeleteBucket", "s3:DeleteObject", "s3:DeleteObjectVersion" ], "Resource": [ "arn:aws:s3:::<RESOURCES S3 BUCKET>" ], "Effect": "Allow", "Sid": "S3Delete" }, { "Action": [ "lambda:CreateFunction", "lambda:DeleteFunction", "lambda:GetFunction", "lambda:GetFunctionConfiguration", "lambda:InvokeFunction", "lambda:AddPermission", "lambda:RemovePermission", "lambda:TagResource", "lambda:ListTags", "lambda:UntagResource" ], "Resource": [ "arn:aws:lambda:<REGION>:<AWS ACCOUNT ID>:function:parallelcluster-*", "arn:aws:lambda:<REGION>:<AWS ACCOUNT ID>:function:pcluster-*" ], "Effect": "Allow", "Sid": "Lambda" }, { "Action": [ "logs:*" ], "Resource": "arn:aws:logs:<REGION>:<AWS ACCOUNT ID>:*", "Effect": "Allow", "Sid": "Logs" }, { "Action": [ "codebuild:*" ], "Resource": "arn:aws:codebuild:<REGION>:<AWS ACCOUNT ID>:project/parallelcluster-*", "Effect": "Allow", "Sid": "CodeBuild" }, { "Action": [ "ecr:*" ], "Resource": "*", "Effect": "Allow", "Sid": "ECR" }, { "Action": [ "batch:*" ], "Resource": "*", "Effect": "Allow", "Sid": "Batch" }, { "Action": [ "events:*" ], "Effect": "Allow", "Resource": "*", "Sid": "AmazonCloudWatchEvents" }, { "Action": [ "ecs:DescribeContainerInstances", "ecs:ListContainerInstances" ], "Resource": "*", "Effect": "Allow", "Sid": "ECS" }, { "Action": [ "elasticfilesystem:CreateFileSystem", "elasticfilesystem:CreateMountTarget", "elasticfilesystem:DeleteFileSystem", "elasticfilesystem:DeleteMountTarget", "elasticfilesystem:DescribeFileSystems", "elasticfilesystem:DescribeMountTargets" ], "Resource": "*", "Effect": "Allow", "Sid": "EFS" }, { "Action": [ "fsx:*" ], "Resource": "*", "Effect": "Allow", "Sid": "FSx" }, { "Sid": "CloudWatch", "Effect": "Allow", "Action": [ "cloudwatch:PutDashboard", "cloudwatch:ListDashboards", "cloudwatch:DeleteDashboards", "cloudwatch:GetDashboard" ], "Resource": "*" } ] }
ParallelClusterLambdaPolicy using SGE, Slurm, or
Torque
The following example sets the ParallelClusterLambdaPolicy, using SGE, Slurm, or Torque as
the scheduler.
Starting with version 2.11.5, AWS ParallelCluster doesn't support the use of SGE or Torque schedulers.
{ "Version": "2012-10-17", "Statement": [ { "Action": [ "logs:CreateLogStream", "logs:PutLogEvents" ], "Resource": "arn:aws:logs:*:*:*", "Effect": "Allow", "Sid": "CloudWatchLogsPolicy" }, { "Action": [ "s3:DeleteBucket", "s3:DeleteObject", "s3:DeleteObjectVersion", "s3:ListBucket", "s3:ListBucketVersions" ], "Resource": [ "arn:aws:s3:::*" ], "Effect": "Allow", "Sid": "S3BucketPolicy" }, { "Action": [ "ec2:DescribeInstances" ], "Resource": "*", "Effect": "Allow", "Sid": "DescribeInstances" }, { "Action": [ "ec2:TerminateInstances" ], "Resource": "*", "Effect": "Allow", "Sid": "FleetTerminatePolicy" }, { "Action": [ "dynamodb:GetItem", "dynamodb:PutItem" ], "Resource": "arn:aws:dynamodb:<REGION>:<AWS ACCOUNT ID>:table/parallelcluster-*", "Effect": "Allow", "Sid": "DynamoDBTable" }, { "Action": [ "route53:ListResourceRecordSets", "route53:ChangeResourceRecordSets" ], "Resource": [ "arn:aws:route53:::hostedzone/*" ], "Effect": "Allow", "Sid": "Route53DeletePolicy" } ] }
ParallelClusterLambdaPolicy using
awsbatch
The following example sets the ParallelClusterLambdaPolicy using awsbatch as the
scheduler.
{ "Version": "2012-10-17", "Statement": [ { "Action": [ "logs:CreateLogStream", "logs:PutLogEvents" ], "Effect": "Allow", "Resource": "arn:aws:logs:*:*:*", "Sid": "CloudWatchLogsPolicy" }, { "Action": [ "ecr:BatchDeleteImage", "ecr:ListImages" ], "Effect": "Allow", "Resource": "*", "Sid": "ECRPolicy" }, { "Action": [ "codebuild:BatchGetBuilds", "codebuild:StartBuild" ], "Effect": "Allow", "Resource": "*", "Sid": "CodeBuildPolicy" }, { "Action": [ "s3:DeleteBucket", "s3:DeleteObject", "s3:DeleteObjectVersion", "s3:ListBucket", "s3:ListBucketVersions" ], "Effect": "Allow", "Resource": "*", "Sid": "S3BucketPolicy" } ] }
ParallelClusterUserPolicy for users
The following example sets the ParallelClusterUserPolicy for users that don't need to create or
update clusters. The following commands are supported.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "MinimumModify", "Action": [ "autoscaling:UpdateAutoScalingGroup", "batch:UpdateComputeEnvironment", "cloudformation:DescribeStackEvents", "cloudformation:DescribeStackResources", "cloudformation:GetTemplate", "dynamodb:GetItem", "dynamodb:PutItem" ], "Effect": "Allow", "Resource": [ "arn:aws:autoscaling:<REGION>:<AWS ACCOUNT ID>:autoScalingGroup:*:autoScalingGroupName/parallelcluster-*", "arn:aws:batch:<REGION>:<AWS ACCOUNT ID>:compute-environment/*", "arn:aws:cloudformation:<REGION>:<AWS ACCOUNT ID>:stack/<CLUSTERNAME>/*", "arn:aws:dynamodb:<REGION>:<AWS ACCOUNT ID>:table/<CLUSTERNAME>" ] }, { "Sid": "Describe", "Action": [ "cloudformation:DescribeStacks", "ec2:DescribeInstances", "ec2:DescribeInstanceStatus" ], "Effect": "Allow", "Resource": "*" } ] }
