本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。
AWS Identity and Access Management 中的权限 AWS ParallelCluster
AWS ParallelCluster 在创建和管理集群时,使用 IAM 权限来控制对资源的访问权限。
要在 AWS 账户中创建和管理集群, AWS ParallelCluster 需要两个级别的权限:
-
pcluster用户调用pclusterCLI 命令创建和管理集群所需的权限。 -
集群资源执行集群操作所需的权限。
AWS ParallelCluster 使用 A mazon EC2 实例配置文件和角色来提供集群资源权限。要管理集群资源权限, AWS ParallelCluster 还需要对 IAM 资源的权限。有关更多信息,请参阅 AWS ParallelCluster 用于管理 IAM 资源的用户示例策略。
pcluster 用户需要 IAM 权限才能使用 pcluster CLI 创建和管理集群及其资源。这些权限包含在可以添加到用户或角色的 IAM 策略中。有关 IAM 角色的更多信息,请参阅 AWS Identity and Access Management 用户指南 中的 创建用户角色。
您还可以使用 AWS ParallelCluster 用于管理 IAM 权限的配置参数。
以下各节包含所需的权限及示例。
要使用示例策略,请将 <REGION><AWS
ACCOUNT ID>
以下示例策略包括资源的亚马逊资源名称 (ARNs)。如果您在 AWS GovCloud (US) 或 AWS 中国分区中工作,则必须 ARNs 对其进行更改。具体而言,对于分区,必须将其从 “arn: a aws-us-gov ws” 更改为 “arn:”,对于中国 AWS GovCloud (US) 分区,必须将其从 “arn: aws-cn” 更改为 “arn: aws-cn”。 AWS 有关更多信息,请参阅AWS GovCloud (US) 用户指南中 AWS GovCloud (US)
区域中的 Amazon 资源名称 (ARNs),以及ARNs 中国 AWS 服务
您可以在上的AWS ParallelCluster
文档
主题
AWS ParallelCluster Amazon EC2 实例角色
使用默认配置设置创建集群时,会 AWS ParallelCluster 使用 Amazon EC2 实例配置文件自动创建默认集群 Amazon EC2 实例角色,该角色提供创建和管理集群及其资源所需的权限。
使用默认 AWS ParallelCluster 实例角色的替代方法
您可以使用InstanceRole集群配置设置来代替默认 AWS ParallelCluster 实例角色,为其指定自己的现有 IAM 角色 EC2。有关更多信息,请参阅 AWS ParallelCluster 用于管理 IAM 权限的配置参数。通常,您可以指定现有 IAM 角色来完全控制授予的权限 EC2。
如果您打算向默认实例角色添加额外的策略,我们建议您使用 AdditionalIamPolicies 配置设置而不是 InstanceProfile 或 InstanceRole 设置来传递其他 IAM 策略。您可以在更新集群时进行更新 AdditionalIamPolicies,但不能在更新集群时更新 InstanceRole。
AWS ParallelCluster pcluster用户策略示例
以下示例显示了使用 pcluster CLI 创建 AWS ParallelCluster 和管理其资源所需的用户策略。您可以将策略附加到用户或角色。
主题
基本 AWS ParallelCluster pcluster 用户策略
以下策略显示了运行 AWS ParallelCluster pcluster命令所需的权限。
策略中列出的最后一个操作用于验证集群配置中指定的任何密钥。例如, AWS Secrets Manager 密钥用于配置集DirectoryService成。在这种情况下,只有当 PasswordSecretArn 中存在有效密钥时,才会创建集群。如果省略此操作,则会跳过密钥验证。为了改善您的安全状况,我们建议您通过仅添加集群配置中指定的密钥来缩小此策略声明的范围。
注意
如果现有 Amazon EFS 文件系统是集群中使用的唯一文件系统,则可以将示例 Amazon EFS 策略声明的范围缩小到集群配置文件中 SharedStorage 部分 引用的特定文件系统。
{ "Version": "2012-10-17", "Statement": [ { "Action": [ "ec2:Describe*" ], "Resource": "*", "Effect": "Allow", "Sid": "EC2Read" }, { "Action": [ "ec2:AllocateAddress", "ec2:AssociateAddress", "ec2:AttachNetworkInterface", "ec2:AuthorizeSecurityGroupEgress", "ec2:AuthorizeSecurityGroupIngress", "ec2:CreateFleet", "ec2:CreateLaunchTemplate", "ec2:CreateLaunchTemplateVersion", "ec2:CreateNetworkInterface", "ec2:CreatePlacementGroup", "ec2:CreateSecurityGroup", "ec2:CreateSnapshot", "ec2:CreateTags", "ec2:DeleteTags", "ec2:CreateVolume", "ec2:DeleteLaunchTemplate", "ec2:DeleteNetworkInterface", "ec2:DeletePlacementGroup", "ec2:DeleteSecurityGroup", "ec2:DeleteVolume", "ec2:DisassociateAddress", "ec2:ModifyLaunchTemplate", "ec2:ModifyNetworkInterfaceAttribute", "ec2:ModifyVolume", "ec2:ModifyVolumeAttribute", "ec2:ReleaseAddress", "ec2:RevokeSecurityGroupEgress", "ec2:RevokeSecurityGroupIngress", "ec2:RunInstances", "ec2:TerminateInstances" ], "Resource": "*", "Effect": "Allow", "Sid": "EC2Write" }, { "Action": [ "dynamodb:DescribeTable", "dynamodb:ListTagsOfResource", "dynamodb:CreateTable", "dynamodb:DeleteTable", "dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:UpdateItem", "dynamodb:Query", "dynamodb:TagResource" ], "Resource": "arn:aws:dynamodb:*:<AWS ACCOUNT ID>:table/parallelcluster-*", "Effect": "Allow", "Sid": "DynamoDB" }, { "Action": [ "route53:ChangeResourceRecordSets", "route53:ChangeTagsForResource", "route53:CreateHostedZone", "route53:DeleteHostedZone", "route53:GetChange", "route53:GetHostedZone", "route53:ListResourceRecordSets", "route53:ListQueryLoggingConfigs" ], "Resource": "*", "Effect": "Allow", "Sid": "Route53HostedZones" }, { "Action": [ "cloudformation:*" ], "Resource": "*", "Effect": "Allow", "Sid": "CloudFormation" }, { "Action": [ "cloudwatch:PutDashboard", "cloudwatch:ListDashboards", "cloudwatch:DeleteDashboards", "cloudwatch:GetDashboard", "cloudwatch:PutMetricAlarm", "cloudwatch:DeleteAlarms", "cloudwatch:DescribeAlarms", "cloudwatch:PutCompositeAlarm" ], "Resource": "*", "Effect": "Allow", "Sid": "CloudWatch" }, { "Action": [ "iam:GetRole", "iam:GetRolePolicy", "iam:GetPolicy", "iam:SimulatePrincipalPolicy", "iam:GetInstanceProfile" ], "Resource": [ "arn:aws:iam::<AWS ACCOUNT ID>:role/*", "arn:aws:iam::<AWS ACCOUNT ID>:policy/*", "arn:aws:iam::aws:policy/*", "arn:aws:iam::<AWS ACCOUNT ID>:instance-profile/*" ], "Effect": "Allow", "Sid": "IamRead" }, { "Action": [ "iam:CreateInstanceProfile", "iam:DeleteInstanceProfile", "iam:AddRoleToInstanceProfile", "iam:RemoveRoleFromInstanceProfile" ], "Resource": [ "arn:aws:iam::<AWS ACCOUNT ID>:instance-profile/parallelcluster/*" ], "Effect": "Allow", "Sid": "IamInstanceProfile" }, { "Condition": { "StringEqualsIfExists": { "iam:PassedToService": [ "lambda.amazonaws.com", "ec2.amazonaws.com", "spotfleet.amazonaws.com" ] } }, "Action": [ "iam:PassRole" ], "Resource": [ "arn:aws:iam::<AWS ACCOUNT ID>:role/parallelcluster/*" ], "Effect": "Allow", "Sid": "IamPassRole" }, { "Action": [ "lambda:CreateFunction", "lambda:DeleteFunction", "lambda:GetFunctionConfiguration", "lambda:GetFunction", "lambda:InvokeFunction", "lambda:AddPermission", "lambda:RemovePermission", "lambda:UpdateFunctionConfiguration", "lambda:TagResource", "lambda:ListTags", "lambda:UntagResource" ], "Resource": [ "arn:aws:lambda:*:<AWS ACCOUNT ID>:function:parallelcluster-*", "arn:aws:lambda:*:<AWS ACCOUNT ID>:function:pcluster-*" ], "Effect": "Allow", "Sid": "Lambda" }, { "Action": [ "s3:*" ], "Resource": [ "arn:aws:s3:::parallelcluster-*", "arn:aws:s3:::aws-parallelcluster-*" ], "Effect": "Allow", "Sid": "S3ResourcesBucket" }, { "Action": [ "s3:Get*", "s3:List*" ], "Resource": "arn:aws:s3:::*-aws-parallelcluster*", "Effect": "Allow", "Sid": "S3ParallelClusterReadOnly" }, { "Action": [ "elasticfilesystem:*" ], "Resource": [ "arn:aws:elasticfilesystem:*:<AWS ACCOUNT ID>:*" ], "Effect": "Allow", "Sid": "EFS" }, { "Action": [ "logs:DeleteLogGroup", "logs:PutRetentionPolicy", "logs:DescribeLogGroups", "logs:CreateLogGroup", "logs:TagResource", "logs:UntagResource", "logs:FilterLogEvents", "logs:GetLogEvents", "logs:CreateExportTask", "logs:DescribeLogStreams", "logs:DescribeExportTasks", "logs:DescribeMetricFilters", "logs:PutMetricFilter", "logs:DeleteMetricFilter" ], "Resource": "*", "Effect": "Allow", "Sid": "CloudWatchLogs" }, { "Action": [ "resource-groups:ListGroupResources" ], "Resource": "*", "Effect": "Allow", "Sid": "ResourceGroupRead" }, { "Sid": "AllowDescribingFileCache", "Effect": "Allow", "Action": [ "fsx:DescribeFileCaches" ], "Resource": "*" }, { "Action": "secretsmanager:DescribeSecret", "Resource": "arn:aws:secretsmanager:<REGION>:<AWS ACCOUNT ID>:secret:<SECRET NAME>", "Effect": "Allow" } ] }
使用 AWS Batch
调度器时的其他 AWS ParallelCluster pcluster 用户策略
如果您需要使用 AWS Batch 调度程序创建和管理集群,则需要以下附加策略。
{ "Version": "2012-10-17", "Statement": [ { "Condition": { "StringEqualsIfExists": { "iam:PassedToService": [ "ecs-tasks.amazonaws.com", "batch.amazonaws.com", "codebuild.amazonaws.com" ] } }, "Action": [ "iam:PassRole" ], "Resource": [ "arn:aws:iam::<AWS ACCOUNT ID>:role/parallelcluster/*" ], "Effect": "Allow", "Sid": "IamPassRole" }, { "Condition": { "StringEquals": { "iam:AWSServiceName": [ "batch.amazonaws.com" ] } }, "Action": [ "iam:CreateServiceLinkedRole", "iam:DeleteServiceLinkedRole" ], "Resource": [ "arn:aws:iam::<AWS ACCOUNT ID>:role/aws-service-role/batch.amazonaws.com/*" ], "Effect": "Allow" }, { "Action": [ "codebuild:*" ], "Resource": "arn:aws:codebuild:*:<AWS ACCOUNT ID>:project/pcluster-*", "Effect": "Allow" }, { "Action": [ "ecr:*" ], "Resource": "*", "Effect": "Allow", "Sid": "ECR" }, { "Action": [ "batch:*" ], "Resource": "*", "Effect": "Allow", "Sid": "Batch" }, { "Action": [ "events:*" ], "Resource": "*", "Effect": "Allow", "Sid": "AmazonCloudWatchEvents" }, { "Action": [ "ecs:DescribeContainerInstances", "ecs:ListContainerInstances" ], "Resource": "*", "Effect": "Allow", "Sid": "ECS" } ] }
使用 Amazon FSx for Lustre 时的其他 AWS ParallelCluster pcluster用户政策
如果您需要使用 Amazon FSx for Lustre 创建和管理集群,则需要遵循以下附加策略。
注意
如果现有的 Amazon FSx 文件系统是您的集群中唯一使用的文件系统,则可以将示例 Amazon FSx 策略声明的范围缩小到集群配置文件中引用的特定文件系统。SharedStorage 部分
{ "Version": "2012-10-17", "Statement": [ { "Condition": { "StringEquals": { "iam:AWSServiceName": [ "fsx.amazonaws.com", "s3.data-source.lustre.fsx.amazonaws.com" ] } }, "Action": [ "iam:CreateServiceLinkedRole", "iam:DeleteServiceLinkedRole" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "fsx:*" ], "Resource": [ "arn:aws:fsx:*:<AWS ACCOUNT ID>:*" ], "Effect": "Allow", "Sid": "FSx" }, { "Action": [ "iam:CreateServiceLinkedRole", "iam:AttachRolePolicy", "iam:PutRolePolicy" ], "Resource": "arn:aws:iam::<AWS ACCOUNT ID>:role/aws-service-role/s3.data-source.lustre.fsx.amazonaws.com/*", "Effect": "Allow" }, { "Action": [ "s3:Get*", "s3:List*", "s3:PutObject" ], "Resource": "arn:aws:s3:::<S3 NAME>", "Effect": "Allow" } ] }
AWS ParallelCluster 镜像构建pcluster用户政策
打算使用其创建自定义 Amazon EC2 图片的用户 AWS ParallelCluster 必须具有以下一组权限。
{ "Version": "2012-10-17", "Statement": [ { "Action": [ "ec2:DescribeSecurityGroups", "ec2:DescribeImages", "ec2:DescribeInstanceTypeOfferings", "ec2:DescribeInstanceTypes", "ec2:DeregisterImage", "ec2:DeleteSnapshot" ], "Resource": "*", "Effect": "Allow", "Sid": "EC2" }, { "Action": [ "iam:CreateInstanceProfile", "iam:AddRoleToInstanceProfile", "iam:GetRole", "iam:GetRolePolicy", "iam:GetInstanceProfile", "iam:RemoveRoleFromInstanceProfile" ], "Resource": [ "arn:aws:iam::<AWS ACCOUNT ID>:instance-profile/parallelcluster/*", "arn:aws:iam::<AWS ACCOUNT ID>:instance-profile/ParallelClusterImage*", "arn:aws:iam::<AWS ACCOUNT ID>:role/parallelcluster/*" ], "Effect": "Allow", "Sid": "IAM" }, { "Condition": { "StringEquals": { "iam:PassedToService": [ "lambda.amazonaws.com", "ec2.amazonaws.com" ] } }, "Action": [ "iam:PassRole" ], "Resource": [ "arn:aws:iam::<AWS ACCOUNT ID>:instance-profile/parallelcluster/*", "arn:aws:iam::<AWS ACCOUNT ID>:role/parallelcluster/*" ], "Effect": "Allow", "Sid": "IAMPassRole" }, { "Action": [ "logs:GetLogEvents", "logs:CreateLogGroup", "logs:TagResource", "logs:UntagResource", "logs:DeleteLogGroup" ], "Resource": [ "arn:aws:logs:*:<AWS ACCOUNT ID>:log-group:/aws/imagebuilder/ParallelClusterImage-*", "arn:aws:logs:*:<AWS ACCOUNT ID>:log-group:/aws/lambda/ParallelClusterImage-*" ], "Effect": "Allow", "Sid": "CloudWatch" }, { "Action": [ "cloudformation:DescribeStacks", "cloudformation:CreateStack", "cloudformation:DeleteStack" ], "Resource": [ "arn:aws:cloudformation:*:<AWS ACCOUNT ID>:stack/*" ], "Effect": "Allow", "Sid": "CloudFormation" }, { "Action": [ "lambda:CreateFunction", "lambda:GetFunction", "lambda:AddPermission", "lambda:RemovePermission", "lambda:DeleteFunction", "lambda:TagResource", "lambda:ListTags", "lambda:UntagResource" ], "Resource": [ "arn:aws:lambda:*:<AWS ACCOUNT ID>:function:ParallelClusterImage-*" ], "Effect": "Allow", "Sid": "Lambda" }, { "Action": [ "imagebuilder:Get*" ], "Resource": "*", "Effect": "Allow", "Sid": "ImageBuilderGet" }, { "Action": [ "imagebuilder:CreateImage", "imagebuilder:TagResource", "imagebuilder:CreateImageRecipe", "imagebuilder:CreateComponent", "imagebuilder:CreateDistributionConfiguration", "imagebuilder:CreateInfrastructureConfiguration", "imagebuilder:DeleteImage", "imagebuilder:DeleteComponent", "imagebuilder:DeleteImageRecipe", "imagebuilder:DeleteInfrastructureConfiguration", "imagebuilder:DeleteDistributionConfiguration" ], "Resource": [ "arn:aws:imagebuilder:*:<AWS ACCOUNT ID>:image/parallelclusterimage-*", "arn:aws:imagebuilder:*:<AWS ACCOUNT ID>:image-recipe/parallelclusterimage-*", "arn:aws:imagebuilder:*:<AWS ACCOUNT ID>:component/parallelclusterimage-*", "arn:aws:imagebuilder:*:<AWS ACCOUNT ID>:distribution-configuration/parallelclusterimage-*", "arn:aws:imagebuilder:*:<AWS ACCOUNT ID>:infrastructure-configuration/parallelclusterimage-*" ], "Effect": "Allow", "Sid": "ImageBuilder" }, { "Action": [ "s3:CreateBucket", "s3:ListBucket", "s3:ListBucketVersions" ], "Resource": [ "arn:aws:s3:::parallelcluster-*" ], "Effect": "Allow", "Sid": "S3Bucket" }, { "Action": [ "sns:GetTopicAttributes", "sns:TagResource", "sns:CreateTopic", "sns:Subscribe", "sns:Publish", "SNS:DeleteTopic", "SNS:Unsubscribe" ], "Resource": [ "arn:aws:sns:*:<AWS ACCOUNT ID>:ParallelClusterImage-*" ], "Effect": "Allow", "Sid": "SNS" }, { "Action": [ "s3:PutObject", "s3:GetObject", "s3:GetObjectVersion", "s3:DeleteObject", "s3:DeleteObjectVersion" ], "Resource": [ "arn:aws:s3:::parallelcluster-*/*" ], "Effect": "Allow", "Sid": "S3Objects" }, { "Action": "iam:CreateServiceLinkedRole", "Effect": "Allow", "Resource": "arn:aws:iam::*:role/aws-service-role/imagebuilder.amazonaws.com/AWSServiceRoleForImageBuilder", "Condition": { "StringLike": { "iam:AWSServiceName": "imagebuilder.amazonaws.com" } } } ] }
AWS ParallelCluster 用于管理 IAM 资源的用户示例策略
使用 AWS ParallelCluster 创建集群或自定义集群时 AMIs,必须提供包含向 AWS ParallelCluster 组件授予所需权限集的权限的 IAM 策略。在创建集群 AWS ParallelCluster 或自定义映像时,这些 IAM 资源可以由自动创建,也可以作为输入提供。
您可以使用以下模式通过在配置中使用其他 IAM 策略为 AWS ParallelCluster 用户提供访问 IAM 资源所需的权限。
特权 IAM 访问模式
在此模式下, AWS ParallelCluster 会自动创建所有必要的 IAM 资源。这些 IAM 策略的范围已缩小,仅允许访问集群资源。
要启用特权 IAM 访问模式,请向用户角色添加以下策略。
注意
如果您配置 HeadNode/Iam/AdditionalPolicies或 Scheduling//SlurmQueuesIam/AdditionalPolicies参数,则必须向 AWS ParallelCluster 用户提供为每个其他策略附加和分离角色策略的权限,如以下策略所示。将附加策略 ARNs 添加到附加和分离角色策略的条件中。
警告
此模式使用户能够在中拥有 IAM 管理员权限 AWS 账户
{ "Version": "2012-10-17", "Statement": [ { "Action": [ "iam:CreateServiceLinkedRole", "iam:DeleteRole", "iam:TagRole" ], "Resource": [ "arn:aws:iam::<AWS ACCOUNT ID>:role/parallelcluster/*" ], "Effect": "Allow", "Sid": "IamRole" }, { "Action": [ "iam:CreateRole" ], "Resource": [ "arn:aws:iam::<AWS ACCOUNT ID>:role/parallelcluster/*" ], "Effect": "Allow", "Sid": "IamCreateRole" }, { "Action": [ "iam:PutRolePolicy", "iam:DeleteRolePolicy" ], "Resource": "arn:aws:iam::<AWS ACCOUNT ID>:role/parallelcluster/*", "Effect": "Allow", "Sid": "IamInlinePolicy" }, { "Condition": { "ArnLike": { "iam:PolicyARN": [ "arn:aws:iam::<AWS ACCOUNT ID>:policy/parallelcluster*", "arn:aws:iam::<AWS ACCOUNT ID>:policy/parallelcluster/*", "arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy", "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore", "arn:aws:iam::aws:policy/AWSBatchFullAccess", "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess", "arn:aws:iam::aws:policy/service-role/AWSBatchServiceRole", "arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role", "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy", "arn:aws:iam::aws:policy/service-role/AmazonEC2SpotFleetTaggingRole", "arn:aws:iam::aws:policy/EC2InstanceProfileForImageBuilder", "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" ] } }, "Action": [ "iam:AttachRolePolicy", "iam:DetachRolePolicy" ], "Resource": "arn:aws:iam::<AWS ACCOUNT ID>:role/parallelcluster/*", "Effect": "Allow", "Sid": "IamPolicy" } ] }
受限的 IAM 访问模式
如果没有向用户授予其他 IAM 策略,则集群或自定义映像构建所需的 IAM 角色需要由管理员手动创建,并作为集群配置的一部分进行传递。
创建集群时,需要使用以下参数:
构建自定义映像时,需要使用以下参数:
-
Build / Iam / InstanceRole | InstanceProfile
作为上面所列参数的一部分传递的 IAM 角色必须以 /parallelcluster/ 路径前缀进行创建。如果无法做到这一点,则需要更新用户策略以便对特定自定义角色授予 iam:PassRole 权限,如以下示例所示。
{ "Condition": { "StringEqualsIfExists": { "iam:PassedToService": [ "ecs-tasks.amazonaws.com", "lambda.amazonaws.com", "ec2.amazonaws.com", "spotfleet.amazonaws.com", "batch.amazonaws.com", "codebuild.amazonaws.com" ] } }, "Action": [ "iam:PassRole" ], "Resource": [<list all custom IAM roles>], "Effect": "Allow", "Sid": "IamPassRole" }
警告
目前,此模式不允许管理 AWS Batch 集群,因为并非所有 IAM 角色都可以在集群配置中传递。
PermissionsBoundary 模式
此模式委托创建绑 AWS ParallelCluster 定到已配置的 IAM 权限边界的 IAM 角色。有关 IAM 权限边界的更多信息,请参阅 IAM 用户指南 中的 IAM 实体的权限边界。
需要将以下策略添加到用户角色。
在策略中,<permissions-boundary-arn>替换为要作为权限边界强制执行的 IAM 策略 ARN。
警告
如果您配置 HeadNode/Iam/AdditionalPolicies 或 Scheduling/SlurmQueues/Iam/ 参数,则必须向用户授予为每个其他策略附加和分离角色策略的权限,如以下策略所示。将附加策略 ARNs 添加到附加和分离角色策略的条件中。
{ "Version": "2012-10-17", "Statement": [ { "Action": [ "iam:CreateServiceLinkedRole", "iam:DeleteRole", "iam:TagRole" ], "Resource": [ "arn:aws:iam::<AWS ACCOUNT ID>:role/parallelcluster/*" ], "Effect": "Allow", "Sid": "IamRole" }, { "Condition": { "StringEquals": { "iam:PermissionsBoundary": [<permissions-boundary-arn>] } }, "Action": [ "iam:CreateRole" ], "Resource": [ "arn:aws:iam::<AWS ACCOUNT ID>:role/parallelcluster/*" ], "Effect": "Allow", "Sid": "IamCreateRole" }, { "Condition": { "StringEquals": { "iam:PermissionsBoundary": [<permissions-boundary-arn>] } }, "Action": [ "iam:PutRolePolicy", "iam:DeleteRolePolicy" ], "Resource": "arn:aws:iam::<AWS ACCOUNT ID>:role/parallelcluster/*", "Effect": "Allow", "Sid": "IamInlinePolicy" }, { "Condition": { "StringEquals": { "iam:PermissionsBoundary": [<permissions-boundary-arn>] }, "ArnLike": { "iam:PolicyARN": [ "arn:aws:iam::<AWS ACCOUNT ID>:policy/parallelcluster*", "arn:aws:iam::<AWS ACCOUNT ID>:policy/parallelcluster/*", "arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy", "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore", "arn:aws:iam::aws:policy/AWSBatchFullAccess", "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess", "arn:aws:iam::aws:policy/service-role/AWSBatchServiceRole", "arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role", "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy", "arn:aws:iam::aws:policy/service-role/AmazonEC2SpotFleetTaggingRole", "arn:aws:iam::aws:policy/EC2InstanceProfileForImageBuilder", "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" ] } }, "Action": [ "iam:AttachRolePolicy", "iam:DetachRolePolicy" ], "Resource": "arn:aws:iam::<AWS ACCOUNT ID>:role/parallelcluster/*", "Effect": "Allow", "Sid": "IamPolicy" } ] }
启用此模式后,创建或更新集群时必须在 Iam/PermissionsBoundary 配置参数中指定权限边界 ARN,在构建自定义映像时必须在 Build/Iam/PermissionBoundary 参数中指定权限边界 ARN。
AWS ParallelCluster 用于管理 IAM 权限的配置参数
AWS ParallelCluster 公开了一系列配置选项,用于自定义和管理集群中或自定义 AMI 创建过程中使用的 IAM 权限和角色。
集群配置
头节点 IAM 角色
HeadNode / Iam / InstanceRole | InstanceProfile
使用此选项,您可以覆盖分配给集群头节点的默认 IAM 角色。有关更多详细信息,请参阅 InstanceProfile 参考。
以下是当调度器为 Slurm 时作为该角色一部分使用的一组最少策略:
-
arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy托管的 IAM 策略 有关更多信息,请参阅 A mazon 用户指南中的创建用于 CloudWatch 代理的 IAM 角色和 CloudWatch 用户。 -
arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore托管的 IAM 策略。有关更多信息,请参阅 AWS Systems Manager 用户指南 中的用于 AWS Systems Manager的AWS 托管策略。 -
其他 IAM 策略:
{ "Version": "2012-10-17", "Statement": [ { "Action": [ "s3:GetObject", "s3:GetObjectVersion" ], "Resource": [ "arn:aws:s3:::<REGION>-aws-parallelcluster/*", "arn:aws:s3:::dcv-license.<REGION>/*", "arn:aws:s3:::parallelcluster-*-v1-do-not-delete/*" ], "Effect": "Allow" }, { "Action": [ "dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:UpdateItem", "dynamodb:BatchWriteItem", "dynamodb:BatchGetItem" ], "Resource": "arn:aws:dynamodb:<REGION>:<AWS ACCOUNT ID>:table/parallelcluster-*", "Effect": "Allow" }, { "Condition": { "StringEquals": { "ec2:ResourceTag/parallelcluster:node-type": "Compute" } }, "Action": "ec2:TerminateInstances", "Resource": "*", "Effect": "Allow" }, { "Action": [ "ec2:RunInstances", "ec2:CreateFleet" ], "Resource": "*", "Effect": "Allow" }, { "Condition": { "StringEquals": { "iam:PassedToService": [ "ec2.amazonaws.com" ] } }, "Action": [ "iam:PassRole" ], "Resource": [ "arn:aws:iam::<AWS ACCOUNT ID>:role/parallelcluster/*", "arn:aws:iam::<AWS ACCOUNT ID>:instance-profile/parallelcluster/*" ], "Effect": "Allow" }, { "Action": [ "ec2:DescribeInstances", "ec2:DescribeInstanceStatus", "ec2:DescribeVolumes", "ec2:DescribeInstanceAttribute", "ec2:DescribeCapacityReservations" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "ec2:CreateTags", "ec2:AttachVolume" ], "Resource": [ "arn:aws:ec2:<REGION>:<AWS ACCOUNT ID>:instance/*", "arn:aws:ec2:<REGION>:<AWS ACCOUNT ID>:volume/*" ], "Effect": "Allow" }, { "Action": [ "cloudformation:DescribeStacks", "cloudformation:DescribeStackResource", "cloudformation:SignalResource" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "route53:ChangeResourceRecordSets" ], "Resource": "*", "Effect": "Allow" }, { "Action": "secretsmanager:GetSecretValue", "Resource": "arn:aws:secretsmanager:<REGION>:<AWS ACCOUNT ID>:secret:<SECRET_ID>", "Effect": "Allow" } ] }
请注意,如果使用 Scheduling/SlurmQueues/Iam/InstanceRole 来覆盖计算 IAM 角色,则上面报告的头节点策略需要在 iam:PassRole 权限的 Resource 部分中包含此类角色。
以下是当调度器为 AWS Batch时作为该角色一部分使用的一组最少策略:
-
arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy托管的 IAM 策略。有关更多信息,请参阅 A mazon 用户指南中的创建用于 CloudWatch 代理的 IAM 角色和 CloudWatch 用户。 -
arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore托管的 IAM 策略。有关更多信息,请参阅 AWS Systems Manager 用户指南 中的用于 AWS Systems Manager的AWS 托管策略。 -
其他 IAM 策略:
{ "Version": "2012-10-17", "Statement": [ { "Action": [ "s3:GetObject", "s3:PutObject", "s3:GetObjectVersion" ], "Resource": [ "arn:aws:s3:::parallelcluster-*-v1-do-not-delete/*" ], "Effect": "Allow" }, { "Action": "s3:GetObject", "Resource": [ "arn:aws:s3:::dcv-license.<REGION>/*", "arn:aws:s3:::<REGION>-aws-parallelcluster/*" ], "Effect": "Allow" }, { "Condition": { "StringEquals": { "iam:PassedToService": [ "batch.amazonaws.com" ] } }, "Action": [ "iam:PassRole" ], "Resource": [ "arn:aws:iam::<AWS ACCOUNT ID>:role/parallelcluster/*", "arn:aws:iam::<AWS ACCOUNT ID>:instance-profile/parallelcluster/*" ], "Effect": "Allow" }, { "Action": [ "batch:DescribeJobQueues", "batch:DescribeJobs", "batch:ListJobs", "batch:DescribeComputeEnvironments" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "batch:SubmitJob", "batch:TerminateJob", "logs:GetLogEvents", "ecs:ListContainerInstances", "ecs:DescribeContainerInstances" ], "Resource": [ "arn:aws:logs:<REGION>:<AWS ACCOUNT ID>:log-group:/aws/batch/job:log-stream:PclusterJobDefinition*", "arn:aws:ecs:<REGION>:<AWS ACCOUNT ID>:container-instance/AWSBatch-PclusterComputeEnviron*", "arn:aws:ecs:<REGION>:<AWS ACCOUNT ID>:cluster/AWSBatch-Pcluster*", "arn:aws:batch:<REGION>:<AWS ACCOUNT ID>:job-queue/PclusterJobQueue*", "arn:aws:batch:<REGION>:<AWS ACCOUNT ID>:job-definition/PclusterJobDefinition*:*", "arn:aws:batch:<REGION>:<AWS ACCOUNT ID>:job/*" ], "Effect": "Allow" }, { "Action": [ "ec2:DescribeInstances", "ec2:DescribeInstanceStatus", "ec2:DescribeVolumes", "ec2:DescribeInstanceAttribute" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "ec2:CreateTags", "ec2:AttachVolume" ], "Resource": [ "arn:aws:ec2:<REGION>:<AWS ACCOUNT ID>:instance/*", "arn:aws:ec2:<REGION>:<AWS ACCOUNT ID>:volume/*" ], "Effect": "Allow" }, { "Action": [ "cloudformation:DescribeStackResource", "cloudformation:DescribeStacks", "cloudformation:SignalResource" ], "Resource": "*", "Effect": "Allow" }, { "Action": "secretsmanager:GetSecretValue", "Resource": "arn:aws:secretsmanager:<REGION>:<AWS ACCOUNT ID>:secret:<SECRET_ID>", "Effect": "Allow" } ] }
Amazon S3 访问权限
HeadNode/Iam/S3Access 或 Scheduling/SlurmQueues/S3Access
在这些配置部分中,您可以在 AWS ParallelCluster创建与集群的头节点或计算节点关联的 IAM 角色时向这些角色授予其他 Amazon S3 策略来自定义 Amazon S3 访问权限。有关更多信息,请参阅每个配置参数的参考文档。
只有在使用 特权 IAM 访问模式 或 PermissionsBoundary 模式 来配置用户时,才能使用此参数。
其他 IAM 策略
HeadNode/Iam/AdditionalIamPolicies 或 SlurmQueues/Iam/AdditionalIamPolicies
使用此选项将其他托管 IAM 策略附加到与集群的头节点或计算节点关联的 IAM 角色(如果这些角色由创建) AWS ParallelCluster。
警告
要使用此选项,请确保针对需要附加的 IAM 策略向 AWS ParallelCluster 用户授予 iam:AttachRolePolicy 和 iam:DetachRolePolicy 权限。
AWS Lambda 函数角色
Iam / Roles / LambdaFunctionsRole
此选项将覆盖集群创建过程中使用的所有 AWS Lambda 函数所附加的角色。 AWS Lambda 需要配置为允许担任该角色的委托人。
注意
如果设置了 DeploymentSettings/LambdaFunctionsVpcConfig,则 LambdaFunctionsRole 必须包括用于设置 VPC 配置的 AWS Lambda 角色权限。
以下是作为该角色一部分使用的一组最少策略:
{ "Version": "2012-10-17", "Statement": [ { "Action": [ "route53:ListResourceRecordSets", "route53:ChangeResourceRecordSets" ], "Resource": "arn:aws:route53:::hostedzone/*", "Effect": "Allow" }, { "Action": ["logs:CreateLogStream", "logs:PutLogEvents"], "Effect": "Allow", "Resource": "arn:aws:logs:<REGION>:<AWS ACCOUNT ID>:log-group:/aws/lambda/pcluster-*" }, { "Action": "ec2:DescribeInstances", "Effect": "Allow", "Resource": "*" }, { "Action": "ec2:TerminateInstances", "Condition": { "StringEquals": { "ec2:ResourceTag/parallelcluster:node-type": "Compute" } }, "Effect": "Allow", "Resource": "*" }, { "Action": [ "s3:DeleteObject", "s3:DeleteObjectVersion", "s3:ListBucket", "s3:ListBucketVersions" ], "Effect": "Allow", "Resource": [ "arn:aws:s3:::parallelcluster-*-v1-do-not-delete", "arn:aws:s3:::parallelcluster-*-v1-do-not-delete/*" ] } ] }
计算节点 IAM 角色
Scheduling / SlurmQueues / Iam / InstanceRole | InstanceProfile
此选项允许覆盖分配给集群计算节点的 IAM 角色。有关更多信息,请参阅 InstanceProfile。
以下是作为该角色一部分使用的一组最少策略:
-
arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy托管的 IAM 策略。有关更多信息,请参阅 A mazon 用户指南中的创建用于 CloudWatch代理的 IAM 角色和 CloudWatch 用户。 -
arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore托管的 IAM 策略。有关更多信息,请参阅 AWS Systems Manager 用户指南 中的用于 AWS Systems Manager的AWS 托管策略。 -
其他 IAM 策略:
{ "Version": "2012-10-17", "Statement": [ { "Action": [ "dynamodb:Query", "dynamodb:UpdateItem", "dynamodb:PutItem", "dynamodb:GetItem" ], "Resource": "arn:aws:dynamodb:<REGION>:<AWS ACCOUNT ID>:table/parallelcluster-*", "Effect": "Allow" }, { "Action": "s3:GetObject", "Resource": [ "arn:aws:s3:::<REGION>-aws-parallelcluster/*" ], "Effect": "Allow" }, { "Action": "ec2:DescribeInstanceAttribute", "Resource": "*", "Effect": "Allow" }, { "Action": "cloudformation:DescribeStackResource", "Resource": [ "arn:aws:cloudformation:<REGION>:<AWS ACCOUNT ID>:stack/*/*" ], "Effect" "Allow" } ] }
权限边界
此参数强制 AWS ParallelCluster 将给定的 IAM 策略作为 a 附加PermissionsBoundary到作为集群部署的一部分创建的所有 IAM 角色。
有关定义此设置后用户所需的策略的列表,请参阅 PermissionsBoundary 模式。
自定义映像配置
EC2 Image Builder 的实例角色
Build / Iam / InstanceRole | InstanceProfile
使用此选项,您可以覆盖分配给 I EC2 mage Builder 启动的亚马逊 EC2 实例的 IAM 角色来创建自定义 AMI。
以下是作为该角色一部分使用的一组最少策略:
-
arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore托管的 IAM 策略。有关更多信息,请参阅 AWS Systems Manager 用户指南 中的用于 AWS Systems Manager的AWS 托管策略。 -
arn:aws:iam::aws:policy/EC2InstanceProfileForImageBuilder托管的 IAM 策略。有关更多信息,请参阅 Image Builder User Guide 中的EC2InstanceProfileForImageBuilderpolicy。 -
其他 IAM 策略:
{ "Version": "2012-10-17", "Statement": [ { "Action": [ "ec2:CreateTags", "ec2:ModifyImageAttribute" ], "Resource": "arn:aws:ec2:<REGION>::image/*", "Effect": "Allow" } ] }
AWS Lambda 清理角色
Build / Iam / CleanupLambdaRole
此选项将覆盖自定义映像构建过程中使用的所有 AWS Lambda 函数所附加的角色。 AWS Lambda 需要配置为允许担任该角色的委托人。
注意
如果设置了 DeploymentSettings/LambdaFunctionsVpcConfig,则 CleanupLambdaRole 必须包括用于设置 VPC 配置的 AWS Lambda 角色权限。
以下是作为该角色一部分使用的一组最少策略:
-
arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole托管的 IAM 策略。有关更多信息,请参阅 AWS Lambda 开发人员指南 中的 Lambda 功能的AWS 托管策略。 -
其他 IAM 策略:
{ "Version": "2012-10-17", "Statement": [ { "Action": [ "iam:DetachRolePolicy", "iam:DeleteRole", "iam:DeleteRolePolicy" ], "Resource": "arn:aws:iam::<AWS ACCOUNT ID>:role/parallelcluster/*", "Effect": "Allow" }, { "Action": [ "iam:DeleteInstanceProfile", "iam:RemoveRoleFromInstanceProfile" ], "Resource": "arn:aws:iam::<AWS ACCOUNT ID>:instance-profile/parallelcluster/*", "Effect": "Allow" }, { "Action": "imagebuilder:DeleteInfrastructureConfiguration", "Resource": "arn:aws:imagebuilder:<REGION>:<AWS ACCOUNT ID>:infrastructure-configuration/parallelclusterimage-*", "Effect": "Allow" }, { "Action": [ "imagebuilder:DeleteComponent" ], "Resource": [ "arn:aws:imagebuilder:<REGION>:<AWS ACCOUNT ID>:component/parallelclusterimage-*/*" ], "Effect": "Allow" }, { "Action": "imagebuilder:DeleteImageRecipe", "Resource": "arn:aws:imagebuilder:<REGION>:<AWS ACCOUNT ID>:image-recipe/parallelclusterimage-*/*", "Effect": "Allow" }, { "Action": "imagebuilder:DeleteDistributionConfiguration", "Resource": "arn:aws:imagebuilder:<REGION>:<AWS ACCOUNT ID>:distribution-configuration/parallelclusterimage-*", "Effect": "Allow" }, { "Action": [ "imagebuilder:DeleteImage", "imagebuilder:GetImage", "imagebuilder:CancelImageCreation" ], "Resource": "arn:aws:imagebuilder:<REGION>:<AWS ACCOUNT ID>:image/parallelclusterimage-*/*", "Effect": "Allow" }, { "Action": "cloudformation:DeleteStack", "Resource": "arn:aws:cloudformation:<REGION>:<AWS ACCOUNT ID>:stack/*/*", "Effect": "Allow" }, { "Action": "ec2:CreateTags", "Resource": "arn:aws:ec2:<REGION>::image/*", "Effect": "Allow" }, { "Action": "tag:TagResources", "Resource": "*", "Effect": "Allow" }, { "Action": [ "lambda:DeleteFunction", "lambda:RemovePermission" ], "Resource": "arn:aws:lambda:<REGION>:<AWS ACCOUNT ID>:function:ParallelClusterImage-*", "Effect": "Allow" }, { "Action": "logs:DeleteLogGroup", "Resource": "arn:aws:logs:<REGION>:<AWS ACCOUNT ID>:log-group:/aws/lambda/ParallelClusterImage-*:*", "Effect": "Allow" }, { "Action": [ "SNS:GetTopicAttributes", "SNS:DeleteTopic", "SNS:GetSubscriptionAttributes", "SNS:Unsubscribe" ], "Resource": "arn:aws:sns:<REGION>:<AWS ACCOUNT ID>:ParallelClusterImage-*", "Effect": "Allow" } ] }
其他 IAM 策略
Build / Iam / AdditionalIamPolicies
您可以使用此选项将其他托管 IAM 策略附加到与 I EC2 mage Builder 用来生成自定义 AMI 的亚马逊 EC2 实例关联的角色。
警告
要使用此选项,请确保针对需要附加的 IAM 策略向 AWS ParallelCluster用户授予 iam:AttachRolePolicy 和 iam:DetachRolePolicy 权限。
权限边界
Build / Iam / PermissionsBoundary
此参数强制 AWS ParallelCluster 将给定的 IAM 策略作为 a 附加PermissionsBoundary到在自定义 AMI 构建过程中创建的所有 IAM 角色。
有关使用此类功能所需的策略列表,请参阅 PermissionsBoundary 模式。
