本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。
AWS Identity and Access ManagementAWS ParallelCluster3.x 中的权限
AWS ParallelCluster创建和管理集群时使用 IAM 权限来控制对资源的访问。
要在AWS账户中创建和管理集群,AWS ParallelCluster需要两个级别的权限:
-
pcluster用户调用pclusterCLI 命令来创建和管理集群所需的权限。 -
集群资源执行集群操作所需的权限。
AWS ParallelCluster使用 EC2 实例配置文件和角色提供集群资源权限。要管理集群资源权限,AWS ParallelCluster还需要对 IAM 资源的权限。有关更多信息,请参阅AWS ParallelCluster用于管理 IAM 资源的用户示例策略:
pcluster用户需要 IAM 权限才能使用pcluster CLI 创建和管理集群及其资源。这些权限包含在可以添加到用户或角色的 IAM 策略中。有关 IAM 角色的更多信息,请参阅用户指南中的创建AWS Identity and Access Management用户角色。
您还可以使用 AWS ParallelCluster用于管理 IAM 权限的配置参数。
以下部分包含所需的权限和示例。
要使用示例策略,请将<REGION><AWS
ACCOUNT ID>
以下示例策略包括资源的 Amazon 资源名称 (ARN)。如果您在AWS GovCloud (US)或AWS中国分区工作,则必须更改 ARN。具体而言,必须将分区的 “arn: aws” 更改为 “arn:aws-us-gov”,或者将AWS中国AWS GovCloud (US)分区从 “arn: aws-cn” 更改为 “arn: aws-cn”。有关更多信息,请参阅《AWS GovCloud (US)用户指南》中的 “AWS GovCloud (US)区域中的亚马逊资源名称 (ARN)” 和 “中国AWS服务入门” 中的 “中国AWS
您可以在上的AWS ParallelCluster文档
主题
AWS ParallelClusterEC2 实例角色
当您使用默认配置设置创建集群时,AWS ParallelCluster使用 EC2 实例配置文件自动创建默认集群 EC2 实例角色,该角色提供创建和管理集群及其资源所需的权限。
使用默认AWS ParallelCluster实例角色的替代方法
代替默认AWS ParallelCluster实例角色,您可以使用InstanceRole集群配置设置为 EC2 指定自己的现有 IAM 角色。有关更多信息,请参阅AWS ParallelCluster用于管理 IAM 权限的配置参数:通常,您可以指定现有 IAM 角色来完全控制授予给 EC2 的权限。
如果您的意图是向默认实例角色添加额外策略,我们建议您使用AdditionalIamPolicies配置设置而不是InstanceProfile或InstanceRole设置传递其他 IAM 策略。您可以在更新集群AdditionalIamPolicies时更新,但是,在更新集群InstanceRole时无法更新。
AWS ParallelCluster pcluster用户策略示例
以下示例显示了使用pcluster CLI 创建AWS ParallelCluster和管理其资源所需的用户策略。您可以将策略附加到用户或角色。
主题
基本AWS ParallelCluster pcluster用户政策
以下策略显示运行AWS ParallelClusterpcluster命令所需的权限。
策略中列出的最后一项操作用于验证集群配置中指定的任何机密。例如,使用AWS Secrets Manager密钥来配置集DirectoryService成。在这种情况下,只有当中存在有效的密钥时,才会创建集群PasswordSecretArn。如果省略此操作,则跳过密钥验证。为了改善您的安全状况,我们建议您通过仅添加集群配置中指定的密钥来缩小此策略声明的范围。
注意
如果现有 Amazon EFS 文件系统是集群中使用的唯一文件系统,则可以将 Amazon EFS 策略语句示例的范围缩小到集群配置文件中引用的特定文件系统。SharedStorage 部分
{ "Version": "2012-10-17", "Statement": [ { "Action": [ "ec2:Describe*" ], "Resource": "*", "Effect": "Allow", "Sid": "EC2Read" }, { "Action": [ "ec2:AllocateAddress", "ec2:AssociateAddress", "ec2:AttachNetworkInterface", "ec2:AuthorizeSecurityGroupEgress", "ec2:AuthorizeSecurityGroupIngress", "ec2:CreateFleet", "ec2:CreateLaunchTemplate", "ec2:CreateLaunchTemplateVersion", "ec2:CreateNetworkInterface", "ec2:CreatePlacementGroup", "ec2:CreateSecurityGroup", "ec2:CreateSnapshot", "ec2:CreateTags", "ec2:CreateVolume", "ec2:DeleteLaunchTemplate", "ec2:DeleteNetworkInterface", "ec2:DeletePlacementGroup", "ec2:DeleteSecurityGroup", "ec2:DeleteVolume", "ec2:DisassociateAddress", "ec2:ModifyLaunchTemplate", "ec2:ModifyNetworkInterfaceAttribute", "ec2:ModifyVolume", "ec2:ModifyVolumeAttribute", "ec2:ReleaseAddress", "ec2:RevokeSecurityGroupEgress", "ec2:RevokeSecurityGroupIngress", "ec2:RunInstances", "ec2:TerminateInstances" ], "Resource": "*", "Effect": "Allow", "Sid": "EC2Write" }, { "Action": [ "dynamodb:DescribeTable", "dynamodb:ListTagsOfResource", "dynamodb:CreateTable", "dynamodb:DeleteTable", "dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:UpdateItem", "dynamodb:Query", "dynamodb:TagResource" ], "Resource": "arn:aws:dynamodb:*:<AWS ACCOUNT ID>:table/parallelcluster-*", "Effect": "Allow", "Sid": "DynamoDB" }, { "Action": [ "route53:ChangeResourceRecordSets", "route53:ChangeTagsForResource", "route53:CreateHostedZone", "route53:DeleteHostedZone", "route53:GetChange", "route53:GetHostedZone", "route53:ListResourceRecordSets", "route53:ListQueryLoggingConfigs" ], "Resource": "*", "Effect": "Allow", "Sid": "Route53HostedZones" }, { "Action": [ "cloudformation:*" ], "Resource": "*", "Effect": "Allow", "Sid": "CloudFormation" }, { "Action": [ "cloudwatch:PutDashboard", "cloudwatch:ListDashboards", "cloudwatch:DeleteDashboards", "cloudwatch:GetDashboard" ], "Resource": "*", "Effect": "Allow", "Sid": "CloudWatch" }, { "Action": [ "iam:GetRole", "iam:GetRolePolicy", "iam:GetPolicy", "iam:SimulatePrincipalPolicy", "iam:GetInstanceProfile" ], "Resource": [ "arn:aws:iam::<AWS ACCOUNT ID>:role/*", "arn:aws:iam::<AWS ACCOUNT ID>:policy/*", "arn:aws:iam::aws:policy/*", "arn:aws:iam::<AWS ACCOUNT ID>:instance-profile/*" ], "Effect": "Allow", "Sid": "IamRead" }, { "Action": [ "iam:CreateInstanceProfile", "iam:DeleteInstanceProfile", "iam:AddRoleToInstanceProfile", "iam:RemoveRoleFromInstanceProfile" ], "Resource": [ "arn:aws:iam::<AWS ACCOUNT ID>:instance-profile/parallelcluster/*" ], "Effect": "Allow", "Sid": "IamInstanceProfile" }, { "Condition": { "StringEqualsIfExists": { "iam:PassedToService": [ "lambda.amazonaws.com", "ec2.amazonaws.com", "spotfleet.amazonaws.com" ] } }, "Action": [ "iam:PassRole" ], "Resource": [ "arn:aws:iam::<AWS ACCOUNT ID>:role/parallelcluster/*" ], "Effect": "Allow", "Sid": "IamPassRole" }, { "Action": [ "lambda:CreateFunction", "lambda:DeleteFunction", "lambda:GetFunctionConfiguration", "lambda:GetFunction", "lambda:InvokeFunction", "lambda:AddPermission", "lambda:RemovePermission", "lambda:UpdateFunctionConfiguration", "lambda:TagResource", "lambda:ListTags", "lambda:UntagResource" ], "Resource": [ "arn:aws:lambda:*:<AWS ACCOUNT ID>:function:parallelcluster-*", "arn:aws:lambda:*:<AWS ACCOUNT ID>:function:pcluster-*" ], "Effect": "Allow", "Sid": "Lambda" }, { "Action": [ "s3:*" ], "Resource": [ "arn:aws:s3:::parallelcluster-*", "arn:aws:s3:::aws-parallelcluster-*" ], "Effect": "Allow", "Sid": "S3ResourcesBucket" }, { "Action": [ "s3:Get*", "s3:List*" ], "Resource": "arn:aws:s3:::*-aws-parallelcluster*", "Effect": "Allow", "Sid": "S3ParallelClusterReadOnly" }, { "Action": [ "elasticfilesystem:*" ], "Resource": [ "arn:aws:elasticfilesystem:*:<AWS ACCOUNT ID>:*" ], "Effect": "Allow", "Sid": "EFS" }, { "Action": [ "logs:DeleteLogGroup", "logs:PutRetentionPolicy", "logs:DescribeLogGroups", "logs:CreateLogGroup", "logs:TagResource", "logs:UntagResource", "logs:FilterLogEvents", "logs:GetLogEvents", "logs:CreateExportTask", "logs:DescribeLogStreams", "logs:DescribeExportTasks" ], "Resource": "*", "Effect": "Allow", "Sid": "CloudWatchLogs" }, { "Action": [ "resource-groups:ListGroupResources" ], "Resource": "*", "Effect": "Allow", "Sid": "ResourceGroupRead" }, { "Action": "secretsmanager:DescribeSecret", "Resource": "arn:aws:secretsmanager:<REGION>:<AWS ACCOUNT ID>:secret:<SECRET NAME>", "Effect": "Allow" } ] }
使用AWS Batch调度程序时的其他AWS ParallelCluster pcluster用户策略
如果您需要使用AWS Batch调度程序创建和管理集群,则需要以下附加策略。
{ "Version": "2012-10-17", "Statement": [ { "Condition": { "StringEqualsIfExists": { "iam:PassedToService": [ "ecs-tasks.amazonaws.com", "batch.amazonaws.com", "codebuild.amazonaws.com" ] } }, "Action": [ "iam:PassRole" ], "Resource": [ "arn:aws:iam::<AWS ACCOUNT ID>:role/parallelcluster/*" ], "Effect": "Allow", "Sid": "IamPassRole" }, { "Condition": { "StringEquals": { "iam:AWSServiceName": [ "batch.amazonaws.com" ] } }, "Action": [ "iam:CreateServiceLinkedRole", "iam:DeleteServiceLinkedRole" ], "Resource": [ "arn:aws:iam::<AWS ACCOUNT ID>:role/aws-service-role/batch.amazonaws.com/*" ], "Effect": "Allow" }, { "Action": [ "codebuild:*" ], "Resource": "arn:aws:codebuild:*:<AWS ACCOUNT ID>:project/pcluster-*", "Effect": "Allow" }, { "Action": [ "ecr:*" ], "Resource": "*", "Effect": "Allow", "Sid": "ECR" }, { "Action": [ "batch:*" ], "Resource": "*", "Effect": "Allow", "Sid": "Batch" }, { "Action": [ "events:*" ], "Resource": "*", "Effect": "Allow", "Sid": "AmazonCloudWatchEvents" }, { "Action": [ "ecs:DescribeContainerInstances", "ecs:ListContainerInstances" ], "Resource": "*", "Effect": "Allow", "Sid": "ECS" } ] }
使用 Amazon FSx for Lustre 时的额外AWS ParallelCluster pcluster用户政策
如果您需要使用 Amazon FsX for Lustre 创建和管理集群,则需要以下附加政策。
注意
如果现有 Amazon FSx 文件系统是集群中唯一使用的文件系统,则可以将 Amazon FSx 策略声明示例的范围缩小到集群配置文件中引用的特定文件系统。SharedStorage 部分
{ "Version": "2012-10-17", "Statement": [ { "Condition": { "StringEquals": { "iam:AWSServiceName": [ "fsx.amazonaws.com", "s3.data-source.lustre.fsx.amazonaws.com" ] } }, "Action": [ "iam:CreateServiceLinkedRole", "iam:DeleteServiceLinkedRole" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "fsx:*" ], "Resource": [ "arn:aws:fsx:*:<AWS ACCOUNT ID>:*" ], "Effect": "Allow", "Sid": "FSx" }, { "Action": [ "iam:CreateServiceLinkedRole", "iam:AttachRolePolicy", "iam:PutRolePolicy" ], "Resource": "arn:aws:iam::<AWS ACCOUNT ID>:role/aws-service-role/s3.data-source.lustre.fsx.amazonaws.com/*", "Effect": "Allow" }, { "Action": [ "s3:Get*", "s3:List*", "s3:PutObject" ], "Resource": "arn:aws:s3:::<S3 NAME>", "Effect": "Allow" } ] }
AWS ParallelCluster映像生成pcluster用户政策
打算使用创建自定义 EC2 映像的用户AWS ParallelCluster必须具有以下一组权限。
{ "Version": "2012-10-17", "Statement": [ { "Action": [ "ec2:DescribeImages", "ec2:DescribeInstanceTypeOfferings", "ec2:DescribeInstanceTypes", "ec2:DeregisterImage", "ec2:DeleteSnapshot" ], "Resource": "*", "Effect": "Allow", "Sid": "EC2" }, { "Action": [ "iam:CreateInstanceProfile", "iam:AddRoleToInstanceProfile", "iam:GetRole", "iam:GetRolePolicy", "iam:GetInstanceProfile", "iam:RemoveRoleFromInstanceProfile" ], "Resource": [ "arn:aws:iam::<AWS ACCOUNT ID>:instance-profile/parallelcluster/*", "arn:aws:iam::<AWS ACCOUNT ID>:instance-profile/ParallelClusterImage*", "arn:aws:iam::<AWS ACCOUNT ID>:role/parallelcluster/*" ], "Effect": "Allow", "Sid": "IAM" }, { "Condition": { "StringEquals": { "iam:PassedToService": [ "lambda.amazonaws.com", "ec2.amazonaws.com" ] } }, "Action": [ "iam:PassRole" ], "Resource": [ "arn:aws:iam::<AWS ACCOUNT ID>:instance-profile/parallelcluster/*", "arn:aws:iam::<AWS ACCOUNT ID>:role/parallelcluster/*" ], "Effect": "Allow", "Sid": "IAMPassRole" }, { "Action": [ "logs:CreateLogGroup", "logs:TagResource", "logs:UntagResource", "logs:DeleteLogGroup" ], "Resource": [ "arn:aws:logs:*:<AWS ACCOUNT ID>:log-group:/aws/imagebuilder/ParallelClusterImage-*", "arn:aws:logs:*:<AWS ACCOUNT ID>:log-group:/aws/lambda/ParallelClusterImage-*" ], "Effect": "Allow", "Sid": "CloudWatch" }, { "Action": [ "cloudformation:DescribeStacks", "cloudformation:CreateStack", "cloudformation:DeleteStack" ], "Resource": [ "arn:aws:cloudformation:*:<AWS ACCOUNT ID>:stack/*" ], "Effect": "Allow", "Sid": "CloudFormation" }, { "Action": [ "lambda:CreateFunction", "lambda:GetFunction", "lambda:AddPermission", "lambda:RemovePermission", "lambda:DeleteFunction", "lambda:TagResource", "lambda:ListTags", "lambda:UntagResource" ], "Resource": [ "arn:aws:lambda:*:<AWS ACCOUNT ID>:function:ParallelClusterImage-*" ], "Effect": "Allow", "Sid": "Lambda" }, { "Action": [ "imagebuilder:Get*" ], "Resource": "*", "Effect": "Allow", "Sid": "ImageBuilderGet" }, { "Action": [ "imagebuilder:CreateImage", "imagebuilder:TagResource", "imagebuilder:CreateImageRecipe", "imagebuilder:CreateComponent", "imagebuilder:CreateDistributionConfiguration", "imagebuilder:CreateInfrastructureConfiguration", "imagebuilder:DeleteImage", "imagebuilder:DeleteComponent", "imagebuilder:DeleteImageRecipe", "imagebuilder:DeleteInfrastructureConfiguration", "imagebuilder:DeleteDistributionConfiguration" ], "Resource": [ "arn:aws:imagebuilder:*:<AWS ACCOUNT ID>:image/parallelclusterimage-*", "arn:aws:imagebuilder:*:<AWS ACCOUNT ID>:image-recipe/parallelclusterimage-*", "arn:aws:imagebuilder:*:<AWS ACCOUNT ID>:component/parallelclusterimage-*", "arn:aws:imagebuilder:*:<AWS ACCOUNT ID>:distribution-configuration/parallelclusterimage-*", "arn:aws:imagebuilder:*:<AWS ACCOUNT ID>:infrastructure-configuration/parallelclusterimage-*" ], "Effect": "Allow", "Sid": "ImageBuilder" }, { "Action": [ "s3:CreateBucket", "s3:ListBucket", "s3:ListBucketVersions" ], "Resource": [ "arn:aws:s3:::parallelcluster-*" ], "Effect": "Allow", "Sid": "S3Bucket" }, { "Action": [ "sns:GetTopicAttributes", "sns:TagResource", "sns:CreateTopic", "sns:Subscribe", "sns:Publish", "SNS:DeleteTopic", "SNS:Unsubscribe" ], "Resource": [ "arn:aws:sns:*:<AWS ACCOUNT ID>:ParallelClusterImage-*" ], "Effect": "Allow", "Sid": "SNS" }, { "Action": [ "s3:PutObject", "s3:GetObject", "s3:GetObjectVersion", "s3:DeleteObject", "s3:DeleteObjectVersion" ], "Resource": [ "arn:aws:s3:::parallelcluster-*/*" ], "Effect": "Allow", "Sid": "S3Objects" }, { "Action": "iam:CreateServiceLinkedRole", "Effect": "Allow", "Resource": "arn:aws:iam::*:role/aws-service-role/imagebuilder.amazonaws.com/AWSServiceRoleForImageBuilder", "Condition": { "StringLike": { "iam:AWSServiceName": "imagebuilder.amazonaws.com" } } } ] }
AWS ParallelCluster用于管理 IAM 资源的用户示例策略
在使用AWS ParallelCluster创建集群或自定义 AMI 时,必须提供包含向AWS ParallelCluster组件授予所需权限集的权限的 IAM 策略。这些 IAM 资源可以由AWS ParallelCluster自动创建,也可以在创建集群或自定义映像时作为输入提供。
您可以使用以下模式通过在配置中使用其他 IAM 策略为AWS ParallelCluster用户提供访问 IAM 资源所需的权限。
特权 IAM 访问模式
使用此模式,AWS ParallelCluster自动创建所有必要的 IAM 资源。这些 IAM 策略的范围缩小,仅允许访问集群资源。
要启用特权 IAM 访问模式,请向用户角色添加以下策略。
注意
如果您配置 HeadNode/Iam/AdditionalPolicies或 Scheduling//SlurmQueuesIam/AdditionalPolicies参数,则必须向AWS ParallelCluster用户提供为每个附加策略附加和分离角色策略的权限,如以下策略所示。将其他策略 ARN 添加到附加和分离角色策略的条件中。
警告
此模式允许用户在中拥有 IAM 管理员权限AWS 账户
{ "Version": "2012-10-17", "Statement": [ { "Action": [ "iam:CreateServiceLinkedRole", "iam:DeleteRole", "iam:TagRole" ], "Resource": [ "arn:aws:iam::<AWS ACCOUNT ID>:role/parallelcluster/*" ], "Effect": "Allow", "Sid": "IamRole" }, { "Action": [ "iam:CreateRole" ], "Resource": [ "arn:aws:iam::<AWS ACCOUNT ID>:role/parallelcluster/*" ], "Effect": "Allow", "Sid": "IamCreateRole" }, { "Action": [ "iam:PutRolePolicy", "iam:DeleteRolePolicy" ], "Resource": "arn:aws:iam::<AWS ACCOUNT ID>:role/parallelcluster/*", "Effect": "Allow", "Sid": "IamInlinePolicy" }, { "Condition": { "ArnLike": { "iam:PolicyARN": [ "arn:aws:iam::<AWS ACCOUNT ID>:policy/parallelcluster*", "arn:aws:iam::<AWS ACCOUNT ID>:policy/parallelcluster/*", "arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy", "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore", "arn:aws:iam::aws:policy/AWSBatchFullAccess", "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess", "arn:aws:iam::aws:policy/service-role/AWSBatchServiceRole", "arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role", "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy", "arn:aws:iam::aws:policy/service-role/AmazonEC2SpotFleetTaggingRole", "arn:aws:iam::aws:policy/EC2InstanceProfileForImageBuilder", "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" ] } }, "Action": [ "iam:AttachRolePolicy", "iam:DetachRolePolicy" ], "Resource": "arn:aws:iam::<AWS ACCOUNT ID>:role/parallelcluster/*", "Effect": "Allow", "Sid": "IamPolicy" } ] }
受限的 IAM 访问模式
当未向用户授予其他 IAM 策略时,集群或自定义映像构建所需的 IAM 角色需要由管理员手动创建,并作为集群配置的一部分传递。
创建集群时,以下参数为必需参数:
构建自定义映像时,以下参数为必需参数:
-
Build / Iam / InstanceRole | InstanceProfile
作为上述参数的一部分传递的 IAM 角色必须在/parallelcluster/路径前缀上创建。如果这不可能,则需要更新用户策略以授予对特定自定义角色的iam:PassRole权限,如以下示例所示。
{ "Condition": { "StringEqualsIfExists": { "iam:PassedToService": [ "ecs-tasks.amazonaws.com", "lambda.amazonaws.com", "ec2.amazonaws.com", "spotfleet.amazonaws.com", "batch.amazonaws.com", "codebuild.amazonaws.com" ] } }, "Action": [ "iam:PassRole" ], "Resource": [<list all custom IAM roles>], "Effect": "Allow", "Sid": "IamPassRole" }
警告
目前,此模式不允许管理AWS Batch集群,因为并非所有 IAM 角色都可以在集群配置中传递。
PermissionsBoundary模式
此模式委托创建绑AWS ParallelCluster定到配置的 IAM 权限边界的 IAM 角色。有关 IAM 权限边界的更多信息,请参阅《IAM 用户指南》中的 IAM 实体的权限边界。
需要向用户角色添加以下策略。
在策略中,将 <permissions-boundary-arn > 替换为 IAM 策略 ARN,作为权限边界强制执行。
警告
如果您配置了 HeadNode/Iam/AdditionalPolicies或 Scheduling//SlurmQueuesIam/AdditionalPolicies参数,则必须授予用户为每个附加策略附加和分离角色策略的权限,如以下策略所示。将其他策略 ARN 添加到附加和分离角色策略的条件中。
{ "Version": "2012-10-17", "Statement": [ { "Action": [ "iam:CreateServiceLinkedRole", "iam:DeleteRole", "iam:TagRole" ], "Resource": [ "arn:aws:iam::<AWS ACCOUNT ID>:role/parallelcluster/*" ], "Effect": "Allow", "Sid": "IamRole" }, { "Condition": { "StringEquals": { "iam:PermissionsBoundary": [<permissions-boundary-arn>] } }, "Action": [ "iam:CreateRole" ], "Resource": [ "arn:aws:iam::<AWS ACCOUNT ID>:role/parallelcluster/*" ], "Effect": "Allow", "Sid": "IamCreateRole" }, { "Condition": { "StringEquals": { "iam:PermissionsBoundary": [<permissions-boundary-arn>] } }, "Action": [ "iam:PutRolePolicy", "iam:DeleteRolePolicy" ], "Resource": "arn:aws:iam::<AWS ACCOUNT ID>:role/parallelcluster/*", "Effect": "Allow", "Sid": "IamInlinePolicy" }, { "Condition": { "StringEquals": { "iam:PermissionsBoundary": [<permissions-boundary-arn>] }, "ArnLike": { "iam:PolicyARN": [ "arn:aws:iam::<AWS ACCOUNT ID>:policy/parallelcluster*", "arn:aws:iam::<AWS ACCOUNT ID>:policy/parallelcluster/*", "arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy", "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore", "arn:aws:iam::aws:policy/AWSBatchFullAccess", "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess", "arn:aws:iam::aws:policy/service-role/AWSBatchServiceRole", "arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role", "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy", "arn:aws:iam::aws:policy/service-role/AmazonEC2SpotFleetTaggingRole", "arn:aws:iam::aws:policy/EC2InstanceProfileForImageBuilder", "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" ] } }, "Action": [ "iam:AttachRolePolicy", "iam:DetachRolePolicy" ], "Resource": "arn:aws:iam::<AWS ACCOUNT ID>:role/parallelcluster/*", "Effect": "Allow", "Sid": "IamPolicy" } ] }
启用此模式后,您必须在创建或更新集群时在 Iam/PermissionsBoundary配置参数中指定权限边界 ARN,在构建自定义映像时在 Build/Iam/PermissionBoundary参数中指定权限边界 ARN。
AWS ParallelCluster用于管理 IAM 权限的配置参数
AWS ParallelCluster提供了一系列配置选项,用于自定义和管理集群中或自定义 AMI 创建过程中使用的 IAM 权限和角色。
集群配置
头节点 IAM 角色
HeadNode / Iam / InstanceRole | InstanceProfile
使用此选项,您可以替代分配给集群头节点的默认 IAM 角色。有关其他详细信息,请参阅InstanceProfile参考资料。
以下是调度器为 Slurm 时用作此角色一部分的最小策略集:
-
arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy托管 IAM 策略。有关更多信息,请参阅 A mazon 用户指南中的创建 IAM 角色和 CloudWatch 用户以供 CloudWatch 代理使用。 -
arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore托管 IAM 策略。有关更多信息,请参阅《AWS Systems Manager用户指南》AWS Systems Manager中的AWS托管策略。 -
其他 IAM 策略:
{ "Version": "2012-10-17", "Statement": [ { "Action": [ "s3:GetObject", "s3:GetObjectVersion" ], "Resource": [ "arn:aws:s3:::<REGION>-aws-parallelcluster/*", "arn:aws:s3:::dcv-license.<REGION>/*", "arn:aws:s3:::parallelcluster-*-v1-do-not-delete/*" ], "Effect": "Allow" }, { "Action": [ "dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:UpdateItem", "dynamodb:BatchWriteItem" ], "Resource": "arn:aws:dynamodb:<REGION>:<AWS ACCOUNT ID>:table/parallelcluster-*", "Effect": "Allow" }, { "Condition": { "StringEquals": { "ec2:ResourceTag/parallelcluster:node-type": "Compute" } }, "Action": "ec2:TerminateInstances", "Resource": "*", "Effect": "Allow" }, { "Action": [ "ec2:RunInstances", "ec2:CreateFleet" ] "Resource": "*", "Effect": "Allow" }, { "Condition": { "StringEquals": { "iam:PassedToService": [ "ec2.amazonaws.com" ] } }, "Action": [ "iam:PassRole" ], "Resource": [ "arn:aws:iam::<AWS ACCOUNT ID>:role/parallelcluster/*", "arn:aws:iam::<AWS ACCOUNT ID>:instance-profile/parallelcluster/*" ], "Effect": "Allow" }, { "Action": [ "ec2:DescribeInstances", "ec2:DescribeInstanceStatus", "ec2:DescribeVolumes", "ec2:DescribeInstanceAttribute", "ec2:DescribeCapacityReservations" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "ec2:CreateTags", "ec2:AttachVolume" ], "Resource": [ "arn:aws:ec2:<REGION>:<AWS ACCOUNT ID>:instance/*", "arn:aws:ec2:<REGION>:<AWS ACCOUNT ID>:volume/*" ], "Effect": "Allow" }, { "Action": [ "cloudformation:DescribeStacks", "cloudformation:DescribeStackResource", "cloudformation:SignalResource" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "route53:ChangeResourceRecordSets" ], "Resource": "*", "Effect": "Allow" }, { "Action": "secretsmanager:GetSecretValue", "Resource": "arn:aws:secretsmanager:<REGION>:<AWS ACCOUNT ID>:secret:<SECRET_ID>", "Effect": "Allow" } ] }
请注意,如果使用 Scheduling/SlurmQueues/Iam/InstanceRole替换 compute IAM 角色,则上面报告的头节点策略需要在iam:PassRole权限Resource部分中包含此类角色。
以下是调度器运行时用作此角色一部分的最小策略集AWS Batch:
-
arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy托管 IAM 策略。有关更多信息,请参阅 A mazon 用户指南中的创建 IAM 角色和 CloudWatch 用户以供 CloudWatch 代理使用。 -
arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore托管 IAM 策略。有关更多信息,请参阅《AWS Systems Manager用户指南》AWS Systems Manager中的AWS托管策略。 -
其他 IAM 策略:
{ "Version": "2012-10-17", "Statement": [ { "Action": [ "s3:GetObject", "s3:PutObject", "s3:GetObjectVersion" ], "Resource": [ "arn:aws:s3:::parallelcluster-*-v1-do-not-delete/*" ], "Effect": "Allow" }, { "Action": "s3:GetObject", "Resource": [ "arn:aws:s3:::dcv-license.<REGION>/*", "arn:aws:s3:::<REGION>-aws-parallelcluster/*" ], "Effect": "Allow" }, { "Condition": { "StringEquals": { "iam:PassedToService": [ "batch.amazonaws.com" ] } }, "Action": [ "iam:PassRole" ], "Resource": [ "arn:aws:iam::<AWS ACCOUNT ID>:role/parallelcluster/*", "arn:aws:iam::<AWS ACCOUNT ID>:instance-profile/parallelcluster/*" ], "Effect": "Allow" }, "Action": [ "batch:DescribeJobQueues", "batch:DescribeJobs", "batch:ListJobs", "batch:DescribeComputeEnvironments" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "batch:SubmitJob", "batch:TerminateJob", "logs:GetLogEvents", "ecs:ListContainerInstances", "ecs:DescribeContainerInstances", ], "Resource": [ "arn:aws:logs:<REGION>:<AWS ACCOUNT ID>:log-group:/aws/batch/job:log-stream:PclusterJobDefinition*", "arn:aws:ecs:<REGION>:<AWS ACCOUNT ID>:container-instance/AWSBatch-PclusterComputeEnviron*", "arn:aws:ecs:<REGION>:<AWS ACCOUNT ID>:cluster/AWSBatch-Pcluster*", "arn:aws:batch:<REGION>:<AWS ACCOUNT ID>:job-queue/PclusterJobQueue*", "arn:aws:batch:<REGION>:<AWS ACCOUNT ID>:job-definition/PclusterJobDefinition*:*", "arn:aws:batch:<REGION>:<AWS ACCOUNT ID>:job/*" ], "Effect": "Allow" }, { "Action": [ "ec2:DescribeInstances", "ec2:DescribeInstanceStatus", "ec2:DescribeVolumes", "ec2:DescribeInstanceAttribute" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "ec2:CreateTags", "ec2:AttachVolume" ], "Resource": [ "arn:aws:ec2:<REGION>:<AWS ACCOUNT ID>:instance/*", "arn:aws:ec2:<REGION>:<AWS ACCOUNT ID>:volume/*" ], "Effect": "Allow" }, { "Action": [ "cloudformation:DescribeStackResource", "cloudformation:DescribeStacks", "cloudformation:SignalResource" ], "Resource": "*", "Effect": "Allow" }, { "Action": "secretsmanager:GetSecretValue", "Resource": "arn:aws:secretsmanager:<REGION>:<AWS ACCOUNT ID>:secret:<SECRET_ID>", "Effect": "Allow" } ] }
Amazon S3 访问
HeadNode/Iam/S3Access或 Scheduling/SlurmQueues/S3Access
在这些配置部分中,您可以自定义 Amazon S3 访问权限,方法是在创建此类角色时向与集群的头节点或计算节点关联的 IAM 角色授予其他 Amazon S3 策略AWS ParallelCluster。有关更多信息,请参阅每个配置参数的参考文档。
此参数只能在用户配置为特权 IAM 访问模式或时使用PermissionsBoundary模式。
其他 IAM 策略
HeadNode/Iam/AdditionalIamPolicies或 SlurmQueues/Iam/AdditionalIamPolicies
在创建此类角色时,使用此选项将其他托管 IAM 策略附加到与集群的头节点或计算节点关联的 IAM 角色AWS ParallelCluster。
警告
要使用此选项,请确保向AWS ParallelCluster用户授予iam:AttachRolePolicy需要附加的 IAM 策略的iam:DetachRolePolicy权限。
AWS Lambda函数角色
Iam / Roles / LambdaFunctionsRole
此选项会覆盖附加到集群创建过程中使用的所有AWS Lambda函数的角色。 AWS Lambda需要配置为委托人,才能担任角色所用的委托人。
注意
如果设置了 DeploymentSettings/LambdaFunctionsVpcConfig,则LambdaFunctionsRole必须包含设置 VPC 配置的AWS Lambda角色权限。
以下是用作此角色一部分的最小策略集:
{ "Version": "2012-10-17", "Statement": [ { "Action": [ "route53:ListResourceRecordSets", "route53:ChangeResourceRecordSets" ], "Resource": "arn:aws:route53:::hostedzone/*", "Effect": "Allow" }, { "Action": ["logs:CreateLogStream", "logs:PutLogEvents"], "Effect": "Allow", "Resource": "arn:aws:logs:<REGION>:<AWS ACCOUNT ID>:log-group:/aws/lambda/pcluster-*" }, { "Action": "ec2:DescribeInstances", "Effect": "Allow", "Resource": "*" }, { "Action": "ec2:TerminateInstances", "Condition": { "StringEquals": { "ec2:ResourceTag/parallelcluster:node-type": "Compute" } }, "Effect": "Allow", "Resource": "*" }, { "Action": [ "s3:DeleteObject", "s3:DeleteObjectVersion", "s3:ListBucket", "s3:ListBucketVersions" ], "Effect": "Allow", "Resource": [ "arn:aws:s3:::parallelcluster-*-v1-do-not-delete", "arn:aws:s3:::parallelcluster-*-v1-do-not-delete/*" ] } ] }
计算节点 IAM 角色
Scheduling / SlurmQueues / Iam / InstanceRole | InstanceProfile
此选项允许覆盖分配给集群计算节点的 IAM 角色。有关更多信息,请参阅InstanceProfile:
以下是用作此角色一部分的最小策略集:
-
arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy托管 IAM 策略。有关更多信息,请参阅 A mazon 用户指南中的创建 IAM 角色和 CloudWatch 用户以供 CloudWatch代理使用。 -
arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore托管 IAM 策略。有关更多信息,请参阅《AWS Systems Manager用户指南》AWS Systems Manager中的AWS托管策略。 -
其他 IAM 策略:
{ "Version": "2012-10-17", "Statement": [ { "Action": [ "dynamodb:Query" ], "Resource": "arn:aws:dynamodb:<REGION>:<AWS ACCOUNT ID>:table/parallelcluster-*", "Effect": "Allow" }, { "Action": "s3:GetObject", "Resource": [ "arn:aws:s3:::<REGION>-aws-parallelcluster/*" ], "Effect": "Allow" }, { "Action": "ec2:DescribeInstanceAttribute", "Resource": "*", "Effect": "Allow" } ] }
权限边界
此参数强制AWS ParallelCluster将给定的 IAM 策略作为集群部署的一部分附加PermissionsBoundary到所有 IAM 角色。
PermissionsBoundary模式有关定义此设置时用户所需的策略列表,请参见。
自定义映像配置
EC2 Image Builder 的实例角色
Build / Iam / InstanceRole | InstanceProfile
使用此选项,您可以替换分配给 EC2 Image Builder 启动的 EC2 实例的 IAM 角色,以创建自定义 AMI。
以下是用作此角色一部分的最小策略集:
-
arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore托管 IAM 策略。有关更多信息,请参阅《AWS Systems Manager用户指南》AWS Systems Manager中的AWS托管策略。 -
arn:aws:iam::aws:policy/EC2InstanceProfileForImageBuilder托管 IAM 策略。有关更多信息,请参阅 Image Builder 用户指南中的EC2InstanceProfileForImageBuilder政策。 -
其他 IAM 策略:
{ "Version": "2012-10-17", "Statement": [ { "Action": [ "ec2:CreateTags", "ec2:ModifyImageAttribute" ], "Resource": "arn:aws:ec2:<REGION>::image/*", "Effect": "Allow" } ] }
AWS Lambda清理角色
Build / Iam / CleanupLambdaRole
此选项将覆盖附加到自定义映像构建过程中使用的所有AWS Lambda函数的角色。 AWS Lambda需要配置为委托人,才能担任角色所用的委托人。
注意
如果设置了 DeploymentSettings/LambdaFunctionsVpcConfig,则CleanupLambdaRole必须包含设置 VPC 配置的AWS Lambda角色权限。
以下是用作此角色一部分的最小策略集:
-
arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole托管 IAM 策略。有关更多信息,请参阅AWS Lambda开发者指南中的 Lambda 功能AWS托管策略。 -
其他 IAM 策略:
{ "Version": "2012-10-17", "Statement": [ { "Action": [ "iam:DetachRolePolicy", "iam:DeleteRole", "iam:DeleteRolePolicy" ], "Resource": "arn:aws:iam::<AWS ACCOUNT ID>:role/parallelcluster/*", "Effect": "Allow" }, { "Action": [ "iam:DeleteInstanceProfile", "iam:RemoveRoleFromInstanceProfile" ], "Resource": "arn:aws:iam::<AWS ACCOUNT ID>:instance-profile/parallelcluster/*", "Effect": "Allow" }, { "Action": "imagebuilder:DeleteInfrastructureConfiguration", "Resource": "arn:aws:imagebuilder:<REGION>:<AWS ACCOUNT ID>:infrastructure-configuration/parallelclusterimage-*", "Effect": "Allow" }, { "Action": [ "imagebuilder:DeleteComponent" ], "Resource": [ "arn:aws:imagebuilder:<REGION>:<AWS ACCOUNT ID>:component/parallelclusterimage-*/*" ], "Effect": "Allow" }, { "Action": "imagebuilder:DeleteImageRecipe", "Resource": "arn:aws:imagebuilder:<REGION>:<AWS ACCOUNT ID>:image-recipe/parallelclusterimage-*/*", "Effect": "Allow" }, { "Action": "imagebuilder:DeleteDistributionConfiguration", "Resource": "arn:aws:imagebuilder:<REGION>:<AWS ACCOUNT ID>:distribution-configuration/parallelclusterimage-*", "Effect": "Allow" }, { "Action": [ "imagebuilder:DeleteImage", "imagebuilder:GetImage", "imagebuilder:CancelImageCreation" ], "Resource": "arn:aws:imagebuilder:<REGION>:<AWS ACCOUNT ID>:image/parallelclusterimage-*/*", "Effect": "Allow" }, { "Action": "cloudformation:DeleteStack", "Resource": "arn:aws:cloudformation:<REGION>:<AWS ACCOUNT ID>:stack/*/*", "Effect": "Allow" }, { "Action": "ec2:CreateTags", "Resource": "arn:aws:ec2:<REGION>::image/*", "Effect": "Allow" }, { "Action": "tag:TagResources", "Resource": "*", "Effect": "Allow" }, { "Action": [ "lambda:DeleteFunction", "lambda:RemovePermission" ], "Resource": "arn:aws:lambda:<REGION>:<AWS ACCOUNT ID>:function:ParallelClusterImage-*", "Effect": "Allow" }, { "Action": "logs:DeleteLogGroup", "Resource": "arn:aws:logs:<REGION>:<AWS ACCOUNT ID>:log-group:/aws/lambda/ParallelClusterImage-*:*", "Effect": "Allow" }, { "Action": [ "SNS:GetTopicAttributes", "SNS:DeleteTopic", "SNS:GetSubscriptionAttributes", "SNS:Unsubscribe" ], "Resource": "arn:aws:sns:<REGION>:<AWS ACCOUNT ID>:ParallelClusterImage-*", "Effect": "Allow" } ] }
其他 IAM 策略
Build / Iam / AdditionalIamPolicies
您可以使用此选项将其他托管 IAM 策略附加到与 EC2 Image Builder 用于生成自定义 AMI 的 EC2 实例关联的角色。
警告
要使用此选项,请确保向AWS ParallelCluster用户授予iam:AttachRolePolicy需要附加的 IAM 策略的iam:DetachRolePolicy权限。
权限边界
Build / Iam / PermissionsBoundary
此参数强制AWS ParallelCluster将给定的 IAM 策略作为自定义 AMI 构建的一部分附加PermissionsBoundary到所有 IAM 角色。
PermissionsBoundary模式有关使用此类功能所需的策略列表,请参见。
