Permissions in AWS Identity and Access Management for AWS ParallelCluster
AWS ParallelCluster uses IAM permissions to control access to resources when it creates and manages clusters.
To create and manage clusters in an AWS account, AWS ParallelCluster requires permissions at two levels:
- Permissions that the pcluster user needs to invoke the pcluster CLI commands for creating and managing clusters.
- Permissions that the cluster resources need to perform cluster actions.
AWS ParallelCluster uses an EC2 instance profile and role to provide cluster resource permissions. To manage cluster resource permissions, AWS ParallelCluster also requires permissions on IAM resources. For more information, see AWS ParallelCluster user example policies for managing IAM resources.
The pcluster user requires IAM permissions to use the pcluster CLI to create and manage clusters and their resources. These permissions are included in IAM policies that can be added to a user or role. For more information about IAM roles, see Creating users and roles in the AWS Identity and Access Management User Guide.
You can also use the AWS ParallelCluster configuration parameters to manage IAM permissions.
The following sections contain the required permissions and examples.
To use the example policies, replace <REGION>, <AWS ACCOUNT ID>, and similar strings with the appropriate values.
The following example policies include Amazon Resource Names (ARNs) for the resources. If you are working in the AWS GovCloud (US) or AWS China partitions, the ARNs must be changed. Specifically, they must be changed from "arn:aws" to "arn:aws-us-gov" for the AWS GovCloud (US) partition, or to "arn:aws-cn" for the AWS China partition. For more information, see Amazon Resource Names (ARNs) in AWS GovCloud (US) Regions in the AWS GovCloud (US) User Guide and ARNs for AWS services in China.
You can track changes to the example policies in the AWS ParallelCluster documentation on GitHub.
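As an added example (not code from the AWS ParallelCluster documentation), the following Python renders one of these placeholder policies for a chosen partition, Region and account, and reports any placeholder left unfilled or any ARN still carrying the wrong partition prefix, which is the check a practitioner wants before attaching a policy in GovCloud or China. SAMPLE_POLICY is a constructed subset of the base pcluster user policy shown below; the function names are this example's own.

```python
"""Added example (not from the AWS ParallelCluster docs): fill in the
<REGION> / <AWS ACCOUNT ID> / <SECRET NAME> placeholders of an example
policy and rewrite every ARN prefix for the target partition."""
import copy
import re

# Partition prefixes named on this page: arn:aws, arn:aws-us-gov, arn:aws-cn.
PARTITIONS = ("aws", "aws-us-gov", "aws-cn")
ARN_PREFIX = re.compile(r"^arn:(aws|aws-us-gov|aws-cn):")
PLACEHOLDER = re.compile(r"<[A-Za-z0-9 _-]+>")

# Constructed subset of the base pcluster user policy shown below.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": ["dynamodb:DescribeTable", "dynamodb:Query"],
            "Resource": "arn:aws:dynamodb:*:<AWS ACCOUNT ID>:table/parallelcluster-*",
            "Effect": "Allow",
            "Sid": "DynamoDB",
        },
        {
            "Action": ["iam:GetRole", "iam:GetPolicy"],
            "Resource": ["arn:aws:iam::<AWS ACCOUNT ID>:role/*", "arn:aws:iam::aws:policy/*"],
            "Effect": "Allow",
            "Sid": "IamRead",
        },
        {
            "Action": "secretsmanager:DescribeSecret",
            "Resource": "arn:aws:secretsmanager:<REGION>:<AWS ACCOUNT ID>:secret:<SECRET NAME>",
            "Effect": "Allow",
        },
    ],
}


def _map_strings(node, fn):
    """Return a copy of a JSON-like structure with fn applied to every string."""
    if isinstance(node, dict):
        return {k: _map_strings(v, fn) for k, v in node.items()}
    if isinstance(node, list):
        return [_map_strings(v, fn) for v in node]
    return fn(node) if isinstance(node, str) else node


def render_policy(policy, partition, values):
    """Substitute <NAME> placeholders from values and move every ARN to partition.
    Only the leading 'arn:<partition>:' is rewritten; service principal strings
    in Condition blocks (e.g. 'ec2.amazonaws.com') are left untouched."""
    if partition not in PARTITIONS:
        raise ValueError(f"unknown partition {partition!r}")

    def fix(s):
        for name, value in values.items():
            s = s.replace(f"<{name}>", value)
        return ARN_PREFIX.sub(f"arn:{partition}:", s)

    return _map_strings(copy.deepcopy(policy), fix)


def unresolved_placeholders(policy):
    """Sorted list of every <...> placeholder still present in the policy."""
    found = set()

    def collect(s):
        found.update(PLACEHOLDER.findall(s))
        return s

    _map_strings(policy, collect)
    return sorted(found)


def partition_mismatches(policy, partition):
    """ARNs in the policy whose prefix does not belong to partition."""
    bad = []

    def check(s):
        m = ARN_PREFIX.match(s)
        if m and m.group(1) != partition:
            bad.append(s)
        return s

    _map_strings(policy, check)
    return bad
```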
AWS ParallelCluster EC2 instance roles
When you create a cluster with the default configuration settings, AWS ParallelCluster automatically creates a default cluster EC2 instance role, with an EC2 instance profile, that provides the permissions required to create and manage the cluster and its resources.
Alternatives to the default AWS ParallelCluster instance role
Instead of the default AWS ParallelCluster instance role, you can use the InstanceRole cluster configuration setting to specify your own existing IAM role for EC2. For more information, see AWS ParallelCluster configuration parameters for managing IAM permissions. Typically, you specify an existing IAM role to have full control over the permissions granted to EC2.
If you intend to add extra policies to the default instance role, we recommend that you pass the additional IAM policies with the AdditionalIamPolicies configuration setting rather than with the InstanceProfile or InstanceRole settings. You can update AdditionalIamPolicies when you update the cluster, but you cannot update InstanceRole when you update the cluster.
AWS ParallelCluster example pcluster user policies
The following examples show the user policies required to create and manage AWS ParallelCluster and its resources by using the pcluster CLI. You can attach the policies to a user or role.
Base AWS ParallelCluster pcluster user policy
The following policy shows the permissions required to run AWS ParallelCluster pcluster commands.
The last action listed in the policy is used to validate any secrets specified in the cluster configuration. For example, an AWS Secrets Manager secret is used to configure the DirectoryService integration. In this case, the cluster is created only if a valid secret exists for the cluster PasswordSecretArn. If this action is omitted, secret validation is skipped. To improve your security posture, we recommend that you narrow the scope of this policy statement by adding only the secrets specified in the cluster configuration.
Note
If an existing Amazon EFS file system is the only file system used in your cluster, you can narrow the scope of the example Amazon EFS policy statement to the specific file system mentioned in the SharedStorage section of the cluster configuration file.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ec2:Describe*"
      ],
      "Resource": "*",
      "Effect": "Allow",
      "Sid": "EC2Read"
    },
    {
      "Action": [
        "ec2:AllocateAddress",
        "ec2:AssociateAddress",
        "ec2:AttachNetworkInterface",
        "ec2:AuthorizeSecurityGroupEgress",
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:CreateFleet",
        "ec2:CreateLaunchTemplate",
        "ec2:CreateLaunchTemplateVersion",
        "ec2:CreateNetworkInterface",
        "ec2:CreatePlacementGroup",
        "ec2:CreateSecurityGroup",
        "ec2:CreateSnapshot",
        "ec2:CreateTags",
        "ec2:CreateVolume",
        "ec2:DeleteLaunchTemplate",
        "ec2:DeleteNetworkInterface",
        "ec2:DeletePlacementGroup",
        "ec2:DeleteSecurityGroup",
        "ec2:DeleteVolume",
        "ec2:DisassociateAddress",
        "ec2:ModifyLaunchTemplate",
        "ec2:ModifyNetworkInterfaceAttribute",
        "ec2:ModifyVolume",
        "ec2:ModifyVolumeAttribute",
        "ec2:ReleaseAddress",
        "ec2:RevokeSecurityGroupEgress",
        "ec2:RevokeSecurityGroupIngress",
        "ec2:RunInstances",
        "ec2:TerminateInstances"
      ],
      "Resource": "*",
      "Effect": "Allow",
      "Sid": "EC2Write"
    },
    {
      "Action": [
        "dynamodb:DescribeTable",
        "dynamodb:ListTagsOfResource",
        "dynamodb:CreateTable",
        "dynamodb:DeleteTable",
        "dynamodb:GetItem",
        "dynamodb:PutItem",
        "dynamodb:UpdateItem",
        "dynamodb:Query",
        "dynamodb:TagResource"
      ],
      "Resource": "arn:aws:dynamodb:*:<AWS ACCOUNT ID>:table/parallelcluster-*",
      "Effect": "Allow",
      "Sid": "DynamoDB"
    },
    {
      "Action": [
        "route53:ChangeResourceRecordSets",
        "route53:ChangeTagsForResource",
        "route53:CreateHostedZone",
        "route53:DeleteHostedZone",
        "route53:GetChange",
        "route53:GetHostedZone",
        "route53:ListResourceRecordSets",
        "route53:ListQueryLoggingConfigs"
      ],
      "Resource": "*",
      "Effect": "Allow",
      "Sid": "Route53HostedZones"
    },
    {
      "Action": [
        "cloudformation:*"
      ],
      "Resource": "*",
      "Effect": "Allow",
      "Sid": "CloudFormation"
    },
    {
      "Action": [
        "cloudwatch:PutDashboard",
        "cloudwatch:ListDashboards",
        "cloudwatch:DeleteDashboards",
        "cloudwatch:GetDashboard",
        "cloudwatch:PutMetricAlarm",
        "cloudwatch:DeleteAlarms",
        "cloudwatch:DescribeAlarms"
      ],
      "Resource": "*",
      "Effect": "Allow",
      "Sid": "CloudWatch"
    },
    {
      "Action": [
        "iam:GetRole",
        "iam:GetRolePolicy",
        "iam:GetPolicy",
        "iam:SimulatePrincipalPolicy",
        "iam:GetInstanceProfile"
      ],
      "Resource": [
        "arn:aws:iam::<AWS ACCOUNT ID>:role/*",
        "arn:aws:iam::<AWS ACCOUNT ID>:policy/*",
        "arn:aws:iam::aws:policy/*",
        "arn:aws:iam::<AWS ACCOUNT ID>:instance-profile/*"
      ],
      "Effect": "Allow",
      "Sid": "IamRead"
    },
    {
      "Action": [
        "iam:CreateInstanceProfile",
        "iam:DeleteInstanceProfile",
        "iam:AddRoleToInstanceProfile",
        "iam:RemoveRoleFromInstanceProfile"
      ],
      "Resource": [
        "arn:aws:iam::<AWS ACCOUNT ID>:instance-profile/parallelcluster/*"
      ],
      "Effect": "Allow",
      "Sid": "IamInstanceProfile"
    },
    {
      "Condition": {
        "StringEqualsIfExists": {
          "iam:PassedToService": [
            "lambda.amazonaws.com",
            "ec2.amazonaws.com",
            "spotfleet.amazonaws.com"
          ]
        }
      },
      "Action": [
        "iam:PassRole"
      ],
      "Resource": [
        "arn:aws:iam::<AWS ACCOUNT ID>:role/parallelcluster/*"
      ],
      "Effect": "Allow",
      "Sid": "IamPassRole"
    },
    {
      "Action": [
        "lambda:CreateFunction",
        "lambda:DeleteFunction",
        "lambda:GetFunctionConfiguration",
        "lambda:GetFunction",
        "lambda:InvokeFunction",
        "lambda:AddPermission",
        "lambda:RemovePermission",
        "lambda:UpdateFunctionConfiguration",
        "lambda:TagResource",
        "lambda:ListTags",
        "lambda:UntagResource"
      ],
      "Resource": [
        "arn:aws:lambda:*:<AWS ACCOUNT ID>:function:parallelcluster-*",
        "arn:aws:lambda:*:<AWS ACCOUNT ID>:function:pcluster-*"
      ],
      "Effect": "Allow",
      "Sid": "Lambda"
    },
    {
      "Action": [
        "s3:*"
      ],
      "Resource": [
        "arn:aws:s3:::parallelcluster-*",
        "arn:aws:s3:::aws-parallelcluster-*"
      ],
      "Effect": "Allow",
      "Sid": "S3ResourcesBucket"
    },
    {
      "Action": [
        "s3:Get*",
        "s3:List*"
      ],
      "Resource": "arn:aws:s3:::*-aws-parallelcluster*",
      "Effect": "Allow",
      "Sid": "S3ParallelClusterReadOnly"
    },
    {
      "Action": [
        "elasticfilesystem:*"
      ],
      "Resource": [
        "arn:aws:elasticfilesystem:*:<AWS ACCOUNT ID>:*"
      ],
      "Effect": "Allow",
      "Sid": "EFS"
    },
    {
      "Action": [
        "logs:DeleteLogGroup",
        "logs:PutRetentionPolicy",
        "logs:DescribeLogGroups",
        "logs:CreateLogGroup",
        "logs:TagResource",
        "logs:UntagResource",
        "logs:FilterLogEvents",
        "logs:GetLogEvents",
        "logs:CreateExportTask",
        "logs:DescribeLogStreams",
        "logs:DescribeExportTasks",
        "logs:DescribeMetricFilters",
        "logs:PutMetricFilter",
        "logs:DeleteMetricFilter"
      ],
      "Resource": "*",
      "Effect": "Allow",
      "Sid": "CloudWatchLogs"
    },
    {
      "Action": [
        "resource-groups:ListGroupResources"
      ],
      "Resource": "*",
      "Effect": "Allow",
      "Sid": "ResourceGroupRead"
    },
    {
      "Sid": "AllowDescribingFileCache",
      "Effect": "Allow",
      "Action": [
        "fsx:DescribeFileCaches"
      ],
      "Resource": "*"
    },
    {
      "Action": "secretsmanager:DescribeSecret",
      "Resource": "arn:aws:secretsmanager:<REGION>:<AWS ACCOUNT ID>:secret:<SECRET NAME>",
      "Effect": "Allow"
    }
  ]
}
Additional AWS ParallelCluster pcluster user policy when using the AWS Batch scheduler
If you need to create and manage clusters with the AWS Batch scheduler, the following additional policy is required.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Condition": {
        "StringEqualsIfExists": {
          "iam:PassedToService": [
            "ecs-tasks.amazonaws.com",
            "batch.amazonaws.com",
            "codebuild.amazonaws.com"
          ]
        }
      },
      "Action": [
        "iam:PassRole"
      ],
      "Resource": [
        "arn:aws:iam::<AWS ACCOUNT ID>:role/parallelcluster/*"
      ],
      "Effect": "Allow",
      "Sid": "IamPassRole"
    },
    {
      "Condition": {
        "StringEquals": {
          "iam:AWSServiceName": [
            "batch.amazonaws.com"
          ]
        }
      },
      "Action": [
        "iam:CreateServiceLinkedRole",
        "iam:DeleteServiceLinkedRole"
      ],
      "Resource": [
        "arn:aws:iam::<AWS ACCOUNT ID>:role/aws-service-role/batch.amazonaws.com/*"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "codebuild:*"
      ],
      "Resource": "arn:aws:codebuild:*:<AWS ACCOUNT ID>:project/pcluster-*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "ecr:*"
      ],
      "Resource": "*",
      "Effect": "Allow",
      "Sid": "ECR"
    },
    {
      "Action": [
        "batch:*"
      ],
      "Resource": "*",
      "Effect": "Allow",
      "Sid": "Batch"
    },
    {
      "Action": [
        "events:*"
      ],
      "Resource": "*",
      "Effect": "Allow",
      "Sid": "AmazonCloudWatchEvents"
    },
    {
      "Action": [
        "ecs:DescribeContainerInstances",
        "ecs:ListContainerInstances"
      ],
      "Resource": "*",
      "Effect": "Allow",
      "Sid": "ECS"
    }
  ]
}
Additional AWS ParallelCluster pcluster user policy when using Amazon FSx for Lustre
If you need to create and manage clusters with Amazon FSx for Lustre, the following additional policy is required.
Note
If an existing Amazon FSx file system is the only file system used in your cluster, you can narrow the scope of the example Amazon FSx policy statement to the specific file system mentioned in the SharedStorage section of the cluster configuration file.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Condition": {
        "StringEquals": {
          "iam:AWSServiceName": [
            "fsx.amazonaws.com",
            "s3.data-source.lustre.fsx.amazonaws.com"
          ]
        }
      },
      "Action": [
        "iam:CreateServiceLinkedRole",
        "iam:DeleteServiceLinkedRole"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "fsx:*"
      ],
      "Resource": [
        "arn:aws:fsx:*:<AWS ACCOUNT ID>:*"
      ],
      "Effect": "Allow",
      "Sid": "FSx"
    },
    {
      "Action": [
        "iam:CreateServiceLinkedRole",
        "iam:AttachRolePolicy",
        "iam:PutRolePolicy"
      ],
      "Resource": "arn:aws:iam::<AWS ACCOUNT ID>:role/aws-service-role/s3.data-source.lustre.fsx.amazonaws.com/*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "s3:Get*",
        "s3:List*",
        "s3:PutObject"
      ],
      "Resource": "arn:aws:s3:::<S3 NAME>",
      "Effect": "Allow"
    }
  ]
}
AWS ParallelCluster image build pcluster user policy
Users who intend to create custom EC2 images with AWS ParallelCluster must have the following set of permissions.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ec2:DescribeImages",
        "ec2:DescribeInstanceTypeOfferings",
        "ec2:DescribeInstanceTypes",
        "ec2:DeregisterImage",
        "ec2:DeleteSnapshot"
      ],
      "Resource": "*",
      "Effect": "Allow",
      "Sid": "EC2"
    },
    {
      "Action": [
        "iam:CreateInstanceProfile",
        "iam:AddRoleToInstanceProfile",
        "iam:GetRole",
        "iam:GetRolePolicy",
        "iam:GetInstanceProfile",
        "iam:RemoveRoleFromInstanceProfile"
      ],
      "Resource": [
        "arn:aws:iam::<AWS ACCOUNT ID>:instance-profile/parallelcluster/*",
        "arn:aws:iam::<AWS ACCOUNT ID>:instance-profile/ParallelClusterImage*",
        "arn:aws:iam::<AWS ACCOUNT ID>:role/parallelcluster/*"
      ],
      "Effect": "Allow",
      "Sid": "IAM"
    },
    {
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": [
            "lambda.amazonaws.com",
            "ec2.amazonaws.com"
          ]
        }
      },
      "Action": [
        "iam:PassRole"
      ],
      "Resource": [
        "arn:aws:iam::<AWS ACCOUNT ID>:instance-profile/parallelcluster/*",
        "arn:aws:iam::<AWS ACCOUNT ID>:role/parallelcluster/*"
      ],
      "Effect": "Allow",
      "Sid": "IAMPassRole"
    },
    {
      "Action": [
        "logs:CreateLogGroup",
        "logs:TagResource",
        "logs:UntagResource",
        "logs:DeleteLogGroup"
      ],
      "Resource": [
        "arn:aws:logs:*:<AWS ACCOUNT ID>:log-group:/aws/imagebuilder/ParallelClusterImage-*",
        "arn:aws:logs:*:<AWS ACCOUNT ID>:log-group:/aws/lambda/ParallelClusterImage-*"
      ],
      "Effect": "Allow",
      "Sid": "CloudWatch"
    },
    {
      "Action": [
        "cloudformation:DescribeStacks",
        "cloudformation:CreateStack",
        "cloudformation:DeleteStack"
      ],
      "Resource": [
        "arn:aws:cloudformation:*:<AWS ACCOUNT ID>:stack/*"
      ],
      "Effect": "Allow",
      "Sid": "CloudFormation"
    },
    {
      "Action": [
        "lambda:CreateFunction",
        "lambda:GetFunction",
        "lambda:AddPermission",
        "lambda:RemovePermission",
        "lambda:DeleteFunction",
        "lambda:TagResource",
        "lambda:ListTags",
        "lambda:UntagResource"
      ],
      "Resource": [
        "arn:aws:lambda:*:<AWS ACCOUNT ID>:function:ParallelClusterImage-*"
      ],
      "Effect": "Allow",
      "Sid": "Lambda"
    },
    {
      "Action": [
        "imagebuilder:Get*"
      ],
      "Resource": "*",
      "Effect": "Allow",
      "Sid": "ImageBuilderGet"
    },
    {
      "Action": [
        "imagebuilder:CreateImage",
        "imagebuilder:TagResource",
        "imagebuilder:CreateImageRecipe",
        "imagebuilder:CreateComponent",
        "imagebuilder:CreateDistributionConfiguration",
        "imagebuilder:CreateInfrastructureConfiguration",
        "imagebuilder:DeleteImage",
        "imagebuilder:DeleteComponent",
        "imagebuilder:DeleteImageRecipe",
        "imagebuilder:DeleteInfrastructureConfiguration",
        "imagebuilder:DeleteDistributionConfiguration"
      ],
      "Resource": [
        "arn:aws:imagebuilder:*:<AWS ACCOUNT ID>:image/parallelclusterimage-*",
        "arn:aws:imagebuilder:*:<AWS ACCOUNT ID>:image-recipe/parallelclusterimage-*",
        "arn:aws:imagebuilder:*:<AWS ACCOUNT ID>:component/parallelclusterimage-*",
        "arn:aws:imagebuilder:*:<AWS ACCOUNT ID>:distribution-configuration/parallelclusterimage-*",
        "arn:aws:imagebuilder:*:<AWS ACCOUNT ID>:infrastructure-configuration/parallelclusterimage-*"
      ],
      "Effect": "Allow",
      "Sid": "ImageBuilder"
    },
    {
      "Action": [
        "s3:CreateBucket",
        "s3:ListBucket",
        "s3:ListBucketVersions"
      ],
      "Resource": [
        "arn:aws:s3:::parallelcluster-*"
      ],
      "Effect": "Allow",
      "Sid": "S3Bucket"
    },
    {
      "Action": [
        "sns:GetTopicAttributes",
        "sns:TagResource",
        "sns:CreateTopic",
        "sns:Subscribe",
        "sns:Publish",
        "SNS:DeleteTopic",
        "SNS:Unsubscribe"
      ],
      "Resource": [
        "arn:aws:sns:*:<AWS ACCOUNT ID>:ParallelClusterImage-*"
      ],
      "Effect": "Allow",
      "Sid": "SNS"
    },
    {
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:GetObjectVersion",
        "s3:DeleteObject",
        "s3:DeleteObjectVersion"
      ],
      "Resource": [
        "arn:aws:s3:::parallelcluster-*/*"
      ],
      "Effect": "Allow",
      "Sid": "S3Objects"
    },
    {
      "Action": "iam:CreateServiceLinkedRole",
      "Effect": "Allow",
      "Resource": "arn:aws:iam::*:role/aws-service-role/imagebuilder.amazonaws.com/AWSServiceRoleForImageBuilder",
      "Condition": {
        "StringLike": {
          "iam:AWSServiceName": "imagebuilder.amazonaws.com"
        }
      }
    }
  ]
}
AWS ParallelCluster user example policies for managing IAM resources
When you use AWS ParallelCluster to create clusters or custom AMIs, you must provide IAM policies that grant the required set of permissions to the AWS ParallelCluster components. These IAM resources can be created automatically by AWS ParallelCluster, or provided as input when the cluster or custom image is created.
You can use the following modes to give the AWS ParallelCluster user the permissions required to access IAM resources, by using additional IAM policies in the configuration.
Privileged IAM access mode
With this mode, AWS ParallelCluster automatically creates all of the necessary IAM resources. These IAM policies are scoped down to allow access to cluster resources only.
To enable privileged IAM access mode, add the following policy to the user role.
Note
If you configure the HeadNode/Iam/AdditionalPolicies or Scheduling/SlurmQueues/Iam/AdditionalPolicies parameters, you must grant the AWS ParallelCluster user permission to attach and detach role policies for each additional policy, as shown in the following policy. Add the additional policy ARNs to the condition of the attach and detach role policy statements.
Warning
This mode gives the user IAM administrator permissions in the AWS account.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "iam:CreateServiceLinkedRole",
        "iam:DeleteRole",
        "iam:TagRole"
      ],
      "Resource": [
        "arn:aws:iam::<AWS ACCOUNT ID>:role/parallelcluster/*"
      ],
      "Effect": "Allow",
      "Sid": "IamRole"
    },
    {
      "Action": [
        "iam:CreateRole"
      ],
      "Resource": [
        "arn:aws:iam::<AWS ACCOUNT ID>:role/parallelcluster/*"
      ],
      "Effect": "Allow",
      "Sid": "IamCreateRole"
    },
    {
      "Action": [
        "iam:PutRolePolicy",
        "iam:DeleteRolePolicy"
      ],
      "Resource": "arn:aws:iam::<AWS ACCOUNT ID>:role/parallelcluster/*",
      "Effect": "Allow",
      "Sid": "IamInlinePolicy"
    },
    {
      "Condition": {
        "ArnLike": {
          "iam:PolicyARN": [
            "arn:aws:iam::<AWS ACCOUNT ID>:policy/parallelcluster*",
            "arn:aws:iam::<AWS ACCOUNT ID>:policy/parallelcluster/*",
            "arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy",
            "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore",
            "arn:aws:iam::aws:policy/AWSBatchFullAccess",
            "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess",
            "arn:aws:iam::aws:policy/service-role/AWSBatchServiceRole",
            "arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role",
            "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy",
            "arn:aws:iam::aws:policy/service-role/AmazonEC2SpotFleetTaggingRole",
            "arn:aws:iam::aws:policy/EC2InstanceProfileForImageBuilder",
            "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
          ]
        }
      },
      "Action": [
        "iam:AttachRolePolicy",
        "iam:DetachRolePolicy"
      ],
      "Resource": "arn:aws:iam::<AWS ACCOUNT ID>:role/parallelcluster/*",
      "Effect": "Allow",
      "Sid": "IamPolicy"
    }
  ]
}
Restricted IAM access mode
If no additional IAM policies are granted to the user, the IAM roles required for clusters or custom image builds must be created manually by an administrator and passed as part of the cluster configuration.
When creating a cluster, the following parameters are required:
- HeadNode / Iam / InstanceRole | InstanceProfile
- Scheduling / SlurmQueues / Iam / InstanceRole | InstanceProfile
- Iam / Roles / LambdaFunctionsRole
When building a custom image, the following parameters are required:
- Build / Iam / InstanceRole | InstanceProfile
The IAM roles passed through the parameters listed above must be created under the /parallelcluster/ path prefix. If this is not possible, the user policy must be updated to grant iam:PassRole permission on the specific custom roles, as in the following example.
{
  "Condition": {
    "StringEqualsIfExists": {
      "iam:PassedToService": [
        "ecs-tasks.amazonaws.com",
        "lambda.amazonaws.com",
        "ec2.amazonaws.com",
        "spotfleet.amazonaws.com",
        "batch.amazonaws.com",
        "codebuild.amazonaws.com"
      ]
    }
  },
  "Action": [
    "iam:PassRole"
  ],
  "Resource": [
    <list all custom IAM roles>
  ],
  "Effect": "Allow",
  "Sid": "IamPassRole"
}
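As an added example (not code from the AWS ParallelCluster documentation), the following Python checks which of the roles an administrator intends to pass sit outside the /parallelcluster/ path, and so are not covered by the base policy's IamPassRole resource, and fills the statement above with only those roles. SAMPLE_ROLES and the account 123456789012 are constructed values; the function names are this example's own.

```python
"""Added example (not from the AWS ParallelCluster docs): find which custom
IAM roles for restricted IAM access mode live outside the /parallelcluster/
path, and build the extra iam:PassRole statement shown above for them."""
import re

# arn:<partition>:iam::<account>:role/<path/>name  (path group absent when "/")
ROLE_ARN = re.compile(r"^arn:(aws|aws-us-gov|aws-cn):iam::(\d{12}):role/(.*/)?([^/]+)$")
# Services listed in the iam:PassedToService condition of the statement above.
PASSED_TO_SERVICES = [
    "ecs-tasks.amazonaws.com", "lambda.amazonaws.com", "ec2.amazonaws.com",
    "spotfleet.amazonaws.com", "batch.amazonaws.com", "codebuild.amazonaws.com",
]
DEFAULT_PATH = "/parallelcluster/"

# Constructed sample: one role on the default path, two created elsewhere.
SAMPLE_ROLES = [
    "arn:aws:iam::123456789012:role/parallelcluster/HeadNodeRole",
    "arn:aws:iam::123456789012:role/hpc/CustomComputeRole",
    "arn:aws:iam::123456789012:role/CustomLambdaRole",
]


def role_path(role_arn):
    """Return the IAM path of a role ARN, e.g. '/parallelcluster/' or '/'."""
    m = ROLE_ARN.match(role_arn)
    if not m:
        raise ValueError(f"not an IAM role ARN: {role_arn!r}")
    return "/" + (m.group(3) or "")


def roles_needing_pass_role(role_arns):
    """Roles not under /parallelcluster/, hence not matched by the base policy's
    'arn:aws:iam::<AWS ACCOUNT ID>:role/parallelcluster/*' PassRole resource."""
    return [arn for arn in role_arns if not role_path(arn).startswith(DEFAULT_PATH)]


def pass_role_statement(role_arns):
    """The IamPassRole statement above with <list all custom IAM roles> filled in
    with only the roles that need it; None when every role is on the default path."""
    custom = roles_needing_pass_role(role_arns)
    if not custom:
        return None
    return {
        "Condition": {"StringEqualsIfExists": {"iam:PassedToService": list(PASSED_TO_SERVICES)}},
        "Action": ["iam:PassRole"],
        "Resource": custom,
        "Effect": "Allow",
        "Sid": "IamPassRole",
    }
```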
Warning
Currently, this mode doesn't allow you to manage AWS Batch clusters, because not all IAM roles can be passed in the cluster configuration.
PermissionsBoundary mode
This mode delegates to AWS ParallelCluster the creation of IAM roles that are bound to the configured IAM permissions boundary. For more information about IAM permissions boundaries, see Permissions boundaries for IAM entities in the IAM User Guide.
The following policy must be added to the user role.
In the policy, replace <permissions-boundary-arn> with the ARN of the IAM policy to enforce as the permissions boundary.
Warning
If you configure the HeadNode/Iam/AdditionalPolicies or Scheduling/SlurmQueues/Iam/AdditionalPolicies parameters, you must grant the user permission to attach and detach role policies for each additional policy, as shown in the following policy. Add the additional policy ARNs to the condition of the attach and detach role policy statements.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "iam:CreateServiceLinkedRole",
        "iam:DeleteRole",
        "iam:TagRole"
      ],
      "Resource": [
        "arn:aws:iam::<AWS ACCOUNT ID>:role/parallelcluster/*"
      ],
      "Effect": "Allow",
      "Sid": "IamRole"
    },
    {
      "Condition": {
        "StringEquals": {
          "iam:PermissionsBoundary": [
            "<permissions-boundary-arn>"
          ]
        }
      },
      "Action": [
        "iam:CreateRole"
      ],
      "Resource": [
        "arn:aws:iam::<AWS ACCOUNT ID>:role/parallelcluster/*"
      ],
      "Effect": "Allow",
      "Sid": "IamCreateRole"
    },
    {
      "Condition": {
        "StringEquals": {
          "iam:PermissionsBoundary": [
            "<permissions-boundary-arn>"
          ]
        }
      },
      "Action": [
        "iam:PutRolePolicy",
        "iam:DeleteRolePolicy"
      ],
      "Resource": "arn:aws:iam::<AWS ACCOUNT ID>:role/parallelcluster/*",
      "Effect": "Allow",
      "Sid": "IamInlinePolicy"
    },
    {
      "Condition": {
        "StringEquals": {
          "iam:PermissionsBoundary": [
            "<permissions-boundary-arn>"
          ]
        },
        "ArnLike": {
          "iam:PolicyARN": [
            "arn:aws:iam::<AWS ACCOUNT ID>:policy/parallelcluster*",
            "arn:aws:iam::<AWS ACCOUNT ID>:policy/parallelcluster/*",
            "arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy",
            "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore",
            "arn:aws:iam::aws:policy/AWSBatchFullAccess",
            "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess",
            "arn:aws:iam::aws:policy/service-role/AWSBatchServiceRole",
            "arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role",
            "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy",
            "arn:aws:iam::aws:policy/service-role/AmazonEC2SpotFleetTaggingRole",
            "arn:aws:iam::aws:policy/EC2InstanceProfileForImageBuilder",
            "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
          ]
        }
      },
      "Action": [
        "iam:AttachRolePolicy",
        "iam:DetachRolePolicy"
      ],
      "Resource": "arn:aws:iam::<AWS ACCOUNT ID>:role/parallelcluster/*",
      "Effect": "Allow",
      "Sid": "IamPolicy"
    }
  ]
}
When this mode is enabled, you must specify the permissions boundary ARN in the Iam/PermissionsBoundary configuration parameter when creating or updating a cluster, and in the Build/Iam/PermissionBoundary parameter when building a custom image.
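Both the privileged IAM access mode note and the PermissionsBoundary mode warning above say to add the ARNs configured under HeadNode/Iam/AdditionalPolicies or Scheduling/SlurmQueues/Iam/AdditionalPolicies to the condition of the attach and detach role policy statement. As an added example (not code from the AWS ParallelCluster documentation), the following Python does that on the IamPolicy statement and checks the result with the component-wise matching that ArnLike uses. USER_POLICY is a constructed subset of the privileged-mode policy with 123456789012 standing in for <AWS ACCOUNT ID>; the function names are this example's own.

```python
"""Added example (not from the AWS ParallelCluster docs): add the managed policy
ARNs listed under HeadNode/Iam/AdditionalPolicies or
Scheduling/SlurmQueues/Iam/AdditionalPolicies to the ArnLike condition of the
IamPolicy statement, and check the result the way ArnLike is evaluated."""
import copy
import re

# Constructed subset of the privileged IAM access mode user policy above;
# 123456789012 stands in for <AWS ACCOUNT ID>.
USER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": ["iam:CreateRole"],
            "Resource": ["arn:aws:iam::123456789012:role/parallelcluster/*"],
            "Effect": "Allow",
            "Sid": "IamCreateRole",
        },
        {
            "Condition": {"ArnLike": {"iam:PolicyARN": [
                "arn:aws:iam::123456789012:policy/parallelcluster*",
                "arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy",
            ]}},
            "Action": ["iam:AttachRolePolicy", "iam:DetachRolePolicy"],
            "Resource": "arn:aws:iam::123456789012:role/parallelcluster/*",
            "Effect": "Allow",
            "Sid": "IamPolicy",
        },
    ],
}


def _arn_like(pattern, arn):
    """ArnLike semantics: the six colon-delimited ARN components are compared one by
    one; '*' matches any run of characters and '?' one character within a component."""
    p_parts, a_parts = pattern.split(":", 5), arn.split(":", 5)
    if len(p_parts) != 6 or len(a_parts) != 6:
        return False
    for p, a in zip(p_parts, a_parts):
        regex = "^" + "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in p) + "$"
        if not re.match(regex, a):
            return False
    return True


def _iam_policy_statement(user_policy):
    stmts = [s for s in user_policy["Statement"] if s.get("Sid") == "IamPolicy"]
    if len(stmts) != 1:
        raise ValueError("expected exactly one statement with Sid IamPolicy")
    return stmts[0]


def allowed_policy_patterns(user_policy):
    """Patterns the user may pass as iam:PolicyARN when attaching or detaching."""
    cond = _iam_policy_statement(user_policy).get("Condition", {}).get("ArnLike", {})
    pats = cond.get("iam:PolicyARN", [])
    return [pats] if isinstance(pats, str) else list(pats)


def can_attach(user_policy, policy_arn):
    """Would iam:AttachRolePolicy / iam:DetachRolePolicy for policy_arn pass the condition?"""
    return any(_arn_like(p, policy_arn) for p in allowed_policy_patterns(user_policy))


def with_additional_policies(user_policy, additional_policy_arns):
    """Copy of user_policy whose IamPolicy condition also lists additional_policy_arns."""
    new = copy.deepcopy(user_policy)
    patterns = allowed_policy_patterns(new)
    for arn in additional_policy_arns:
        if not _arn_like("arn:*:iam::*:policy/*", arn):
            raise ValueError(f"not a managed policy ARN: {arn!r}")
        if arn not in patterns:
            patterns.append(arn)
    stmt = _iam_policy_statement(new)
    stmt.setdefault("Condition", {}).setdefault("ArnLike", {})["iam:PolicyARN"] = patterns
    return new
```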
AWS ParallelCluster configuration parameters for managing IAM permissions
AWS ParallelCluster exposes a set of configuration options to customize and manage the IAM permissions and roles used in the cluster or during the custom AMI creation process.
Cluster configuration
Head node IAM role
HeadNode / Iam / InstanceRole | InstanceProfile
With this option, you can override the default IAM role assigned to the head node of the cluster. For more details, see the InstanceProfile reference.
The following is the minimal set of policies used as part of this role when the scheduler is Slurm:
- arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy managed IAM policy. For more information, see Create IAM roles and users for use with the CloudWatch agent in the Amazon CloudWatch User Guide.
- arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore managed IAM policy. For more information, see AWS managed policies for AWS Systems Manager in the AWS Systems Manager User Guide.
- Additional IAM policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:GetObject",
        "s3:GetObjectVersion"
      ],
      "Resource": [
        "arn:aws:s3:::<REGION>-aws-parallelcluster/*",
        "arn:aws:s3:::dcv-license.<REGION>/*",
        "arn:aws:s3:::parallelcluster-*-v1-do-not-delete/*"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "dynamodb:GetItem",
        "dynamodb:PutItem",
        "dynamodb:UpdateItem",
        "dynamodb:BatchWriteItem"
      ],
      "Resource": "arn:aws:dynamodb:<REGION>:<AWS ACCOUNT ID>:table/parallelcluster-*",
      "Effect": "Allow"
    },
    {
      "Condition": {
        "StringEquals": {
          "ec2:ResourceTag/parallelcluster:node-type": "Compute"
        }
      },
      "Action": "ec2:TerminateInstances",
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "ec2:RunInstances",
        "ec2:CreateFleet"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": [
            "ec2.amazonaws.com"
          ]
        }
      },
      "Action": [
        "iam:PassRole"
      ],
      "Resource": [
        "arn:aws:iam::<AWS ACCOUNT ID>:role/parallelcluster/*",
        "arn:aws:iam::<AWS ACCOUNT ID>:instance-profile/parallelcluster/*"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "ec2:DescribeInstances",
        "ec2:DescribeInstanceStatus",
        "ec2:DescribeVolumes",
        "ec2:DescribeInstanceAttribute",
        "ec2:DescribeCapacityReservations"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "ec2:CreateTags",
        "ec2:AttachVolume"
      ],
      "Resource": [
        "arn:aws:ec2:<REGION>:<AWS ACCOUNT ID>:instance/*",
        "arn:aws:ec2:<REGION>:<AWS ACCOUNT ID>:volume/*"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "cloudformation:DescribeStacks",
        "cloudformation:DescribeStackResource",
        "cloudformation:SignalResource"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "route53:ChangeResourceRecordSets"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "secretsmanager:GetSecretValue",
      "Resource": "arn:aws:secretsmanager:<REGION>:<AWS ACCOUNT ID>:secret:<SECRET_ID>",
      "Effect": "Allow"
    }
  ]
}
Note that if Scheduling/SlurmQueues/Iam/InstanceRole is used to override the compute IAM role, the head node policy reported above must include that role in the Resource section of the iam:PassRole permission.
The following is the minimal set of policies used as part of this role when the scheduler is AWS Batch:
- arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy managed IAM policy. For more information, see Create IAM roles and users for use with the CloudWatch agent in the Amazon CloudWatch User Guide.
- arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore managed IAM policy. For more information, see AWS managed policies for AWS Systems Manager in the AWS Systems Manager User Guide.
- Additional IAM policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:GetObjectVersion"
      ],
      "Resource": [
        "arn:aws:s3:::parallelcluster-*-v1-do-not-delete/*"
      ],
      "Effect": "Allow"
    },
    {
      "Action": "s3:GetObject",
      "Resource": [
        "arn:aws:s3:::dcv-license.<REGION>/*",
        "arn:aws:s3:::<REGION>-aws-parallelcluster/*"
      ],
      "Effect": "Allow"
    },
    {
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": [
            "batch.amazonaws.com"
          ]
        }
      },
      "Action": [
        "iam:PassRole"
      ],
      "Resource": [
        "arn:aws:iam::<AWS ACCOUNT ID>:role/parallelcluster/*",
        "arn:aws:iam::<AWS ACCOUNT ID>:instance-profile/parallelcluster/*"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "batch:DescribeJobQueues",
        "batch:DescribeJobs",
        "batch:ListJobs",
        "batch:DescribeComputeEnvironments"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "batch:SubmitJob",
        "batch:TerminateJob",
        "logs:GetLogEvents",
        "ecs:ListContainerInstances",
        "ecs:DescribeContainerInstances"
      ],
      "Resource": [
        "arn:aws:logs:<REGION>:<AWS ACCOUNT ID>:log-group:/aws/batch/job:log-stream:PclusterJobDefinition*",
        "arn:aws:ecs:<REGION>:<AWS ACCOUNT ID>:container-instance/AWSBatch-PclusterComputeEnviron*",
        "arn:aws:ecs:<REGION>:<AWS ACCOUNT ID>:cluster/AWSBatch-Pcluster*",
        "arn:aws:batch:<REGION>:<AWS ACCOUNT ID>:job-queue/PclusterJobQueue*",
        "arn:aws:batch:<REGION>:<AWS ACCOUNT ID>:job-definition/PclusterJobDefinition*:*",
        "arn:aws:batch:<REGION>:<AWS ACCOUNT ID>:job/*"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "ec2:DescribeInstances",
        "ec2:DescribeInstanceStatus",
        "ec2:DescribeVolumes",
        "ec2:DescribeInstanceAttribute"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "ec2:CreateTags",
        "ec2:AttachVolume"
      ],
      "Resource": [
        "arn:aws:ec2:<REGION>:<AWS ACCOUNT ID>:instance/*",
        "arn:aws:ec2:<REGION>:<AWS ACCOUNT ID>:volume/*"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "cloudformation:DescribeStackResource",
        "cloudformation:DescribeStacks",
        "cloudformation:SignalResource"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "secretsmanager:GetSecretValue",
      "Resource": "arn:aws:secretsmanager:<REGION>:<AWS ACCOUNT ID>:secret:<SECRET_ID>",
      "Effect": "Allow"
    }
  ]
}
Amazon S3 access
HeadNode/Iam/S3Access or Scheduling/SlurmQueues/S3Access
In these configuration sections, you can customize Amazon S3 access by granting additional Amazon S3 policies to the IAM roles associated with the head node or compute nodes of the cluster, if those roles are created by AWS ParallelCluster. For more information, see the reference documentation for each configuration parameter.
This parameter can be used only when the user is configured with the privileged IAM access mode or the PermissionsBoundary mode.
Additional IAM policies
HeadNode/Iam/AdditionalIamPolicies or SlurmQueues/Iam/AdditionalIamPolicies
Use this option to attach additional managed IAM policies to the IAM roles associated with the head node or compute nodes of the cluster, if those roles are created by AWS ParallelCluster.
Warning
To use this option, make sure that the AWS ParallelCluster user is granted iam:AttachRolePolicy and iam:DetachRolePolicy permissions for the IAM policies that need to be attached.
AWS Lambda functions role
Iam / Roles / LambdaFunctionsRole
This option overrides the role attached to all AWS Lambda functions used during cluster creation. AWS Lambda must be configured as a principal allowed to assume the role.
Note
If DeploymentSettings/LambdaFunctionsVpcConfig is set, the LambdaFunctionsRole must include the AWS Lambda role permissions to set up the VPC configuration.
The following is the minimal set of policies used as part of this role:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "route53:ListResourceRecordSets",
        "route53:ChangeResourceRecordSets"
      ],
      "Resource": "arn:aws:route53:::hostedzone/*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:logs:<REGION>:<AWS ACCOUNT ID>:log-group:/aws/lambda/pcluster-*"
    },
    {
      "Action": "ec2:DescribeInstances",
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Action": "ec2:TerminateInstances",
      "Condition": {
        "StringEquals": {
          "ec2:ResourceTag/parallelcluster:node-type": "Compute"
        }
      },
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Action": [
        "s3:DeleteObject",
        "s3:DeleteObjectVersion",
        "s3:ListBucket",
        "s3:ListBucketVersions"
      ],
      "Effect": "Allow",
      "Res      "Resource": [
        "arn:aws:s3:::parallelcluster-*-v1-do-not-delete",
        "arn:aws:s3:::parallelcluster-*-v1-do-not-delete/*"
      ]
    }
  ]
}
Compute node IAM role
Scheduling / SlurmQueues / Iam / InstanceRole | InstanceProfile
This option allows you to override the IAM role assigned to the compute nodes of the cluster. For more information, see InstanceProfile.
The following is the minimal set of policies used as part of this role:
- arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy managed IAM policy. For more information, see Create IAM roles and users for use with the CloudWatch agent in the Amazon CloudWatch User Guide.
- arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore managed IAM policy. For more information, see AWS managed policies for AWS Systems Manager in the AWS Systems Manager User Guide.
- Additional IAM policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "dynamodb:Query"
      ],
      "Resource": "arn:aws:dynamodb:<REGION>:<AWS ACCOUNT ID>:table/parallelcluster-*",
      "Effect": "Allow"
    },
    {
      "Action": "s3:GetObject",
      "Resource": [
        "arn:aws:s3:::<REGION>-aws-parallelcluster/*"
      ],
      "Effect": "Allow"
    },
    {
      "Action": "ec2:DescribeInstanceAttribute",
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
Permissions boundary
This parameter forces AWS ParallelCluster to apply the given IAM policy as a PermissionsBoundary to all IAM roles created in the cluster deployment.
See PermissionsBoundary mode for the list of policies required by the user when this setting is defined.
Custom image configuration
Instance role for EC2 Image Builder
Build / Iam / InstanceRole | InstanceProfile
With this option, you can override the IAM role assigned to the EC2 instance that EC2 Image Builder launches to create the custom AMI.
The following is the minimal set of policies used as part of this role:
- arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore managed IAM policy. For more information, see AWS managed policies for AWS Systems Manager in the AWS Systems Manager User Guide.
- arn:aws:iam::aws:policy/EC2InstanceProfileForImageBuilder managed IAM policy. For more information, see EC2InstanceProfileForImageBuilder policy in the Image Builder User Guide.
- Additional IAM policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ec2:CreateTags",
        "ec2:ModifyImageAttribute"
      ],
      "Resource": "arn:aws:ec2:<REGION>::image/*",
      "Effect": "Allow"
    }
  ]
}
AWS Lambda cleanup role
Build / Iam / CleanupLambdaRole
This option overrides the role attached to all AWS Lambda functions used during the custom image build process. AWS Lambda must be configured as a principal allowed to assume the role.
Note
If DeploymentSettings/LambdaFunctionsVpcConfig is set, the CleanupLambdaRole must include the AWS Lambda role permissions to set up the VPC configuration.
The following is the minimal set of policies used as part of this role:
- arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole managed IAM policy. For more information, see AWS managed policies for Lambda features in the AWS Lambda Developer Guide.
- Additional IAM policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "iam:DetachRolePolicy",
        "iam:DeleteRole",
        "iam:DeleteRolePolicy"
      ],
      "Resource": "arn:aws:iam::<AWS ACCOUNT ID>:role/parallelcluster/*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "iam:DeleteInstanceProfile",
        "iam:RemoveRoleFromInstanceProfile"
      ],
      "Resource": "arn:aws:iam::<AWS ACCOUNT ID>:instance-profile/parallelcluster/*",
      "Effect": "Allow"
    },
    {
      "Action": "imagebuilder:DeleteInfrastructureConfiguration",
      "Resource": "arn:aws:imagebuilder:<REGION>:<AWS ACCOUNT ID>:infrastructure-configuration/parallelclusterimage-*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "imagebuilder:DeleteComponent"
      ],
      "Resource": [
        "arn:aws:imagebuilder:<REGION>:<AWS ACCOUNT ID>:component/parallelclusterimage-*/*"
      ],
      "Effect": "Allow"
    },
    {
      "Action": "imagebuilder:DeleteImageRecipe",
      "Resource": "arn:aws:imagebuilder:<REGION>:<AWS ACCOUNT ID>:image-recipe/parallelclusterimage-*/*",
      "Effect": "Allow"
    },
    {
      "Action": "imagebuilder:DeleteDistributionConfiguration",
      "Resource": "arn:aws:imagebuilder:<REGION>:<AWS ACCOUNT ID>:distribution-configuration/parallelclusterimage-*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "imagebuilder:DeleteImage",
        "imagebuilder:GetImage",
        "imagebuilder:CancelImageCreation"
      ],
      "Resource": "arn:aws:imagebuilder:<REGION>:<AWS ACCOUNT ID>:image/parallelclusterimage-*/*",
      "Effect": "Allow"
    },
    {
      "Action": "cloudformation:DeleteStack",
      "Resource": "arn:aws:cloudformation:<REGION>:<AWS ACCOUNT ID>:stack/*/*",
      "Effect": "Allow"
    },
    {
      "Action": "ec2:CreateTags",
      "Resource": "arn:aws:ec2:<REGION>::image/*",
      "Effect": "Allow"
    },
    {
      "Action": "tag:TagResources",
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "lambda:DeleteFunction",
        "lambda:RemovePermission"
      ],
      "Resource": "arn:aws:lambda:<REGION>:<AWS ACCOUNT ID>:function:ParallelClusterImage-*",
      "Effect": "Allow"
    },
    {
      "Action": "logs:DeleteLogGroup",
      "Resource": "arn:aws:logs:<REGION>:<AWS ACCOUNT ID>:log-group:/aws/lambda/ParallelClusterImage-*:*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "SNS:GetTopicAttributes",
        "SNS:DeleteTopic",
        "SNS:GetSubscriptionAttributes",
        "SNS:Unsubscribe"
      ],
      "Resource": "arn:aws:sns:<REGION>:<AWS ACCOUNT ID>:ParallelClusterImage-*",
      "Effect": "Allow"
    }
  ]
}
Additional IAM policies
Build / Iam / AdditionalIamPolicies
You can use this option to attach additional managed IAM policies to the role associated with the EC2 instance that EC2 Image Builder uses to produce the custom AMI.
Warning
To use this option, make sure that the AWS ParallelCluster user is granted iam:AttachRolePolicy and iam:DetachRolePolicy permissions for the IAM policies that need to be attached.
Permissions boundary
Build / Iam / PermissionsBoundary
This parameter forces AWS ParallelCluster to apply the given IAM policy as a PermissionsBoundary to all IAM roles created as part of the custom AMI build.
See PermissionsBoundary mode for the list of policies required to use this feature.