Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions,
see Getting Started with Amazon Web Services in China
(PDF).
Amazon Identity and Access Management permissions in Amazon ParallelCluster
Amazon ParallelCluster uses IAM permissions to control access to resources when creating and managing clusters.
To create and manage clusters in an Amazon account, Amazon ParallelCluster requires permissions at two levels:
Amazon ParallelCluster uses an Amazon EC2 instance profile and role to provide cluster resource permissions.
To manage cluster resource permissions, Amazon ParallelCluster also requires permissions to IAM resources. For more information, see Amazon ParallelCluster user example policies for managing IAM
resources.
pcluster users require IAM permissions to use the pcluster CLI to create and manage a cluster and its
resources. These permissions are included in IAM policies that can be added to a user or role. For more information on IAM roles, see Creating a user role in the Amazon Identity and Access Management User Guide.
You can also use Amazon ParallelCluster configuration parameters to manage IAM
permissions.
The following sections contain the required permissions with examples.
To use the example policies, replace <REGION><Amazon
ACCOUNT ID>
You can track changes to the example policies in Amazon ParallelCluster
documentation on GitHub.
Amazon ParallelCluster Amazon EC2 instance roles
When you create a cluster with the default configuration settings, Amazon ParallelCluster uses Amazon EC2 instance profiles to automatically create a default cluster Amazon EC2 instance role that provides the permissions required to create and
manage the cluster and its resources.
Alternatives to using the default Amazon ParallelCluster instance role
In place of the default Amazon ParallelCluster instance role, you can use the InstanceRole cluster configuration setting to specify your
own existing IAM role for EC2. For more information, see Amazon ParallelCluster configuration parameters to manage IAM
permissions.
Typically, you specify existing IAM roles to fully control the permissions granted to EC2.
If your intent is to add extra policies to the default instance role, we recommend that you pass the additional IAM policies by using the
AdditionalIamPolicies configuration setting instead of InstanceProfile or InstanceRole settings.
You can update AdditionalIamPolicies when you update your cluster, however, you can't update the InstanceRole when you update your cluster.
Amazon ParallelCluster example pcluster user policies
The following examples show the user policies required to create and manage Amazon ParallelCluster and its resources by using the pcluster CLI.
You can attach policies to a user or role.
Base Amazon ParallelCluster pcluster user policy
The following policy shows the permissions required to run Amazon ParallelCluster pcluster commands.
The last action listed in the policy is included to provide validation of any secrets specified in the cluster configuration. For example,
an Amazon Secrets Manager secret is used to configure the DirectoryService integration. In this case, a
cluster is created only if a valid secret exists in the PasswordSecretArn. If this
action is omitted, secret validation is skipped. To improve your security posture, we recommend that you scope down this policy statement by
adding only the secrets specified in your cluster configuration.
If existing Amazon EFS file systems are the only file systems used in your cluster, you can scope down the example Amazon EFS policy statements to the specific file
systems referenced in the SharedStorage section of the cluster configuration file.
- JSON
-
-
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"ec2:Describe*"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "EC2Read"
},
{
"Action": [
"ec2:AllocateAddress",
"ec2:AssociateAddress",
"ec2:AttachNetworkInterface",
"ec2:AuthorizeSecurityGroupEgress",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:CreateFleet",
"ec2:CreateLaunchTemplate",
"ec2:CreateLaunchTemplateVersion",
"ec2:CreateNetworkInterface",
"ec2:CreatePlacementGroup",
"ec2:CreateSecurityGroup",
"ec2:CreateSnapshot",
"ec2:CreateTags",
"ec2:DeleteTags",
"ec2:CreateVolume",
"ec2:DeleteLaunchTemplate",
"ec2:DeleteNetworkInterface",
"ec2:DeletePlacementGroup",
"ec2:DeleteSecurityGroup",
"ec2:DeleteVolume",
"ec2:DisassociateAddress",
"ec2:ModifyLaunchTemplate",
"ec2:ModifyNetworkInterfaceAttribute",
"ec2:ModifyVolume",
"ec2:ModifyVolumeAttribute",
"ec2:ReleaseAddress",
"ec2:RevokeSecurityGroupEgress",
"ec2:RevokeSecurityGroupIngress",
"ec2:RunInstances",
"ec2:TerminateInstances"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "EC2Write"
},
{
"Action": [
"dynamodb:DescribeTable",
"dynamodb:ListTagsOfResource",
"dynamodb:CreateTable",
"dynamodb:DeleteTable",
"dynamodb:GetItem",
"dynamodb:PutItem",
"dynamodb:UpdateItem",
"dynamodb:Query",
"dynamodb:TagResource"
],
"Resource": "arn:aws:dynamodb:*:111122223333:table/parallelcluster-*",
"Effect": "Allow",
"Sid": "DynamoDB"
},
{
"Action": [
"route53:ChangeResourceRecordSets",
"route53:ChangeTagsForResource",
"route53:CreateHostedZone",
"route53:DeleteHostedZone",
"route53:GetChange",
"route53:GetHostedZone",
"route53:ListResourceRecordSets",
"route53:ListQueryLoggingConfigs"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "Route53HostedZones"
},
{
"Action": [
"cloudformation:*"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "CloudFormation"
},
{
"Action": [
"cloudwatch:PutDashboard",
"cloudwatch:ListDashboards",
"cloudwatch:DeleteDashboards",
"cloudwatch:GetDashboard",
"cloudwatch:PutMetricAlarm",
"cloudwatch:DeleteAlarms",
"cloudwatch:DescribeAlarms",
"cloudwatch:PutCompositeAlarm"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "CloudWatch"
},
{
"Action": [
"iam:GetRole",
"iam:GetRolePolicy",
"iam:GetPolicy",
"iam:SimulatePrincipalPolicy",
"iam:GetInstanceProfile"
],
"Resource": [
"arn:aws:iam::111122223333:role/*",
"arn:aws:iam::111122223333:policy/*",
"arn:aws:iam::aws:policy/*",
"arn:aws:iam::111122223333:instance-profile/*"
],
"Effect": "Allow",
"Sid": "IamRead"
},
{
"Action": [
"iam:CreateInstanceProfile",
"iam:DeleteInstanceProfile",
"iam:AddRoleToInstanceProfile",
"iam:RemoveRoleFromInstanceProfile"
],
"Resource": [
"arn:aws:iam::111122223333:instance-profile/parallelcluster/*"
],
"Effect": "Allow",
"Sid": "IamInstanceProfile"
},
{
"Condition": {
"StringEqualsIfExists": {
"iam:PassedToService": [
"lambda.amazonaws.com",
"ec2.amazonaws.com",
"spotfleet.amazonaws.com"
]
}
},
"Action": [
"iam:PassRole"
],
"Resource": [
"arn:aws:iam::111122223333:role/parallelcluster/*"
],
"Effect": "Allow",
"Sid": "IamPassRole"
},
{
"Action": [
"lambda:CreateFunction",
"lambda:DeleteFunction",
"lambda:GetFunctionConfiguration",
"lambda:GetFunction",
"lambda:InvokeFunction",
"lambda:AddPermission",
"lambda:RemovePermission",
"lambda:UpdateFunctionConfiguration",
"lambda:TagResource",
"lambda:ListTags",
"lambda:UntagResource"
],
"Resource": [
"arn:aws:lambda:*:111122223333:function:parallelcluster-*",
"arn:aws:lambda:*:111122223333:function:pcluster-*"
],
"Effect": "Allow",
"Sid": "Lambda"
},
{
"Action": [
"s3:*"
],
"Resource": [
"arn:aws:s3:::parallelcluster-*",
"arn:aws:s3:::aws-parallelcluster-*"
],
"Effect": "Allow",
"Sid": "S3ResourcesBucket"
},
{
"Action": [
"s3:Get*",
"s3:List*"
],
"Resource": "arn:aws:s3:::*-aws-parallelcluster*",
"Effect": "Allow",
"Sid": "S3ParallelClusterReadOnly"
},
{
"Action": [
"elasticfilesystem:*"
],
"Resource": [
"arn:aws:elasticfilesystem:*:111122223333:*"
],
"Effect": "Allow",
"Sid": "EFS"
},
{
"Action": [
"logs:DeleteLogGroup",
"logs:PutRetentionPolicy",
"logs:DescribeLogGroups",
"logs:CreateLogGroup",
"logs:TagResource",
"logs:UntagResource",
"logs:FilterLogEvents",
"logs:GetLogEvents",
"logs:CreateExportTask",
"logs:DescribeLogStreams",
"logs:DescribeExportTasks",
"logs:DescribeMetricFilters",
"logs:PutMetricFilter",
"logs:DeleteMetricFilter"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "CloudWatchLogs"
},
{
"Action": [
"resource-groups:ListGroupResources"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "ResourceGroupRead"
},
{
"Sid": "AllowDescribingFileCache",
"Effect": "Allow",
"Action": [
"fsx:DescribeFileCaches"
],
"Resource": "*"
},
{
"Action": "secretsmanager:DescribeSecret",
"Resource": "arn:aws:secretsmanager:us-east-1:111122223333:secret:<SECRET NAME>",
"Effect": "Allow"
}
]
}
Additional Amazon ParallelCluster pcluster user policy when using Amazon Batch
scheduler
In case you need to create and manage a cluster with Amazon Batch scheduler, the following additional policy is
required.
- JSON
-
-
{
"Version": "2012-10-17",
"Statement": [
{
"Condition": {
"StringEqualsIfExists": {
"iam:PassedToService": [
"ecs-tasks.amazonaws.com",
"batch.amazonaws.com",
"codebuild.amazonaws.com"
]
}
},
"Action": [
"iam:PassRole"
],
"Resource": [
"arn:aws-cn:iam::111122223333:role/parallelcluster/*"
],
"Effect": "Allow",
"Sid": "IamPassRole"
},
{
"Condition": {
"StringEquals": {
"iam:AWSServiceName": [
"batch.amazonaws.com"
]
}
},
"Action": [
"iam:CreateServiceLinkedRole",
"iam:DeleteServiceLinkedRole"
],
"Resource": [
"arn:aws-cn:iam::111122223333:role/aws-service-role/batch.amazonaws.com/*"
],
"Effect": "Allow"
},
{
"Action": [
"codebuild:*"
],
"Resource": "arn:aws-cn:codebuild:*:111122223333:project/pcluster-*",
"Effect": "Allow"
},
{
"Action": [
"ecr:*"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "ECR"
},
{
"Action": [
"batch:*"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "Batch"
},
{
"Action": [
"events:*"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "AmazonCloudWatchEvents"
},
{
"Action": [
"ecs:DescribeContainerInstances",
"ecs:ListContainerInstances"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "ECS"
}
]
}
Additional Amazon ParallelCluster pcluster user policy when using Amazon FSx for Lustre
In case you need to create and manage a cluster with Amazon FSx for Lustre, the following additional policy is
required.
If existing Amazon FSx file systems are the only file systems used in your cluster, you can scope down the example Amazon FSx policy statements to the specific file
systems referenced in the SharedStorage section of the cluster configuration file.
- JSON
-
-
{
"Version": "2012-10-17",
"Statement": [
{
"Condition": {
"StringEquals": {
"iam:AWSServiceName": [
"fsx.amazonaws.com",
"s3.data-source.lustre.fsx.amazonaws.com"
]
}
},
"Action": [
"iam:CreateServiceLinkedRole",
"iam:DeleteServiceLinkedRole"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"fsx:*"
],
"Resource": [
"arn:aws:fsx:*:111122223333:*"
],
"Effect": "Allow",
"Sid": "FSx"
},
{
"Action": [
"iam:CreateServiceLinkedRole",
"iam:AttachRolePolicy",
"iam:PutRolePolicy"
],
"Resource": "arn:aws:iam::111122223333:role/aws-service-role/s3.data-source.lustre.fsx.amazonaws.com/*",
"Effect": "Allow"
},
{
"Action": [
"s3:Get*",
"s3:List*",
"s3:PutObject"
],
"Resource": "arn:aws:s3:::amzn-s3-demo-bucket",
"Effect": "Allow"
}
]
}
Amazon ParallelCluster image build pcluster user policy
Users that intend to create custom Amazon EC2 images with Amazon ParallelCluster must have the following set of permissions.
- JSON
-
-
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"ec2:DescribeSecurityGroups",
"ec2:DescribeImages",
"ec2:DescribeInstanceTypeOfferings",
"ec2:DescribeInstanceTypes",
"ec2:DeregisterImage",
"ec2:DeleteSnapshot"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "EC2"
},
{
"Action": [
"iam:CreateInstanceProfile",
"iam:AddRoleToInstanceProfile",
"iam:GetRole",
"iam:GetRolePolicy",
"iam:GetInstanceProfile",
"iam:RemoveRoleFromInstanceProfile"
],
"Resource": [
"arn:aws-cn:iam::111122223333:instance-profile/parallelcluster/*",
"arn:aws-cn:iam::111122223333:instance-profile/ParallelClusterImage*",
"arn:aws-cn:iam::111122223333:role/parallelcluster/*"
],
"Effect": "Allow",
"Sid": "IAM"
},
{
"Condition": {
"StringEquals": {
"iam:PassedToService": [
"lambda.amazonaws.com",
"ec2.amazonaws.com"
]
}
},
"Action": [
"iam:PassRole"
],
"Resource": [
"arn:aws-cn:iam::111122223333:instance-profile/parallelcluster/*",
"arn:aws-cn:iam::111122223333:role/parallelcluster/*"
],
"Effect": "Allow",
"Sid": "IAMPassRole"
},
{
"Action": [
"logs:GetLogEvents",
"logs:CreateLogGroup",
"logs:TagResource",
"logs:UntagResource",
"logs:DeleteLogGroup"
],
"Resource": [
"arn:aws-cn:logs:*:111122223333:log-group:/aws/imagebuilder/ParallelClusterImage-*",
"arn:aws-cn:logs:*:111122223333:log-group:/aws/lambda/ParallelClusterImage-*"
],
"Effect": "Allow",
"Sid": "CloudWatch"
},
{
"Action": [
"cloudformation:DescribeStacks",
"cloudformation:CreateStack",
"cloudformation:DeleteStack"
],
"Resource": [
"arn:aws-cn:cloudformation:*:111122223333:stack/*"
],
"Effect": "Allow",
"Sid": "CloudFormation"
},
{
"Action": [
"lambda:CreateFunction",
"lambda:GetFunction",
"lambda:AddPermission",
"lambda:RemovePermission",
"lambda:DeleteFunction",
"lambda:TagResource",
"lambda:ListTags",
"lambda:UntagResource"
],
"Resource": [
"arn:aws-cn:lambda:*:111122223333:function:ParallelClusterImage-*"
],
"Effect": "Allow",
"Sid": "Lambda"
},
{
"Action": [
"imagebuilder:Get*"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "ImageBuilderGet"
},
{
"Action": [
"imagebuilder:CreateImage",
"imagebuilder:TagResource",
"imagebuilder:CreateImageRecipe",
"imagebuilder:CreateComponent",
"imagebuilder:CreateDistributionConfiguration",
"imagebuilder:CreateInfrastructureConfiguration",
"imagebuilder:DeleteImage",
"imagebuilder:DeleteComponent",
"imagebuilder:DeleteImageRecipe",
"imagebuilder:DeleteInfrastructureConfiguration",
"imagebuilder:DeleteDistributionConfiguration"
],
"Resource": [
"arn:aws-cn:imagebuilder:*:111122223333:image/parallelclusterimage-*",
"arn:aws-cn:imagebuilder:*:111122223333:image-recipe/parallelclusterimage-*",
"arn:aws-cn:imagebuilder:*:111122223333:component/parallelclusterimage-*",
"arn:aws-cn:imagebuilder:*:111122223333:distribution-configuration/parallelclusterimage-*",
"arn:aws-cn:imagebuilder:*:111122223333:infrastructure-configuration/parallelclusterimage-*"
],
"Effect": "Allow",
"Sid": "ImageBuilder"
},
{
"Action": [
"s3:CreateBucket",
"s3:ListBucket",
"s3:ListBucketVersions"
],
"Resource": [
"arn:aws-cn:s3:::parallelcluster-*"
],
"Effect": "Allow",
"Sid": "S3Bucket"
},
{
"Action": [
"sns:GetTopicAttributes",
"sns:TagResource",
"sns:CreateTopic",
"sns:Subscribe",
"sns:Publish",
"SNS:DeleteTopic",
"SNS:Unsubscribe"
],
"Resource": [
"arn:aws-cn:sns:*:111122223333:ParallelClusterImage-*"
],
"Effect": "Allow",
"Sid": "SNS"
},
{
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:GetObjectVersion",
"s3:DeleteObject",
"s3:DeleteObjectVersion"
],
"Resource": [
"arn:aws-cn:s3:::parallelcluster-*/*"
],
"Effect": "Allow",
"Sid": "S3Objects"
},
{
"Action": "iam:CreateServiceLinkedRole",
"Effect": "Allow",
"Resource": "arn:aws-cn:iam::*:role/aws-service-role/imagebuilder.amazonaws.com/AWSServiceRoleForImageBuilder",
"Condition": {
"StringLike": {
"iam:AWSServiceName": "imagebuilder.amazonaws.com"
}
}
}
]
}
Amazon ParallelCluster user example policies for managing IAM
resources
When using Amazon ParallelCluster to create clusters or custom AMIs, IAM policies must be provided that contain permissions
to grant the required set of permissions to Amazon ParallelCluster components. These IAM resources can
be either automatically created by Amazon ParallelCluster or be provided as input when creating a cluster or a custom
image.
You can use the following modes to provide the Amazon ParallelCluster user with the permissions required to access IAM resources by using additional IAM policies in
the configuration.
Privileged IAM access mode
With this mode, Amazon ParallelCluster automatically creates all necessary IAM resources. These IAM policies are scoped down to enable access
to cluster resources only.
To enable Privileged IAM access mode, add the following policy to the user role.
If you configure HeadNode / Iam / AdditionalPolicies or Scheduling / SlurmQueues / Iam / AdditionalPolicies parameters, you must provide the Amazon ParallelCluster user
with permission to attach and detach role policies for each additional policy as shown in the following policy. Add the additional policy ARNs to the
condition for attaching and detaching role policies.
This mode enables the user to have IAM Administrator privileges in the Amazon Web Services account
- JSON
-
-
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"iam:CreateServiceLinkedRole",
"iam:DeleteRole",
"iam:TagRole"
],
"Resource": [
"arn:aws-cn:iam::111122223333:role/parallelcluster/*"
],
"Effect": "Allow",
"Sid": "IamRole"
},
{
"Action": [
"iam:CreateRole"
],
"Resource": [
"arn:aws-cn:iam::111122223333:role/parallelcluster/*"
],
"Effect": "Allow",
"Sid": "IamCreateRole"
},
{
"Action": [
"iam:PutRolePolicy",
"iam:DeleteRolePolicy"
],
"Resource": "arn:aws-cn:iam::111122223333:role/parallelcluster/*",
"Effect": "Allow",
"Sid": "IamInlinePolicy"
},
{
"Condition": {
"ArnLike": {
"iam:PolicyARN": [
"arn:aws-cn:iam::111122223333:policy/parallelcluster*",
"arn:aws-cn:iam::111122223333:policy/parallelcluster/*",
"arn:aws-cn:iam::aws:policy/CloudWatchAgentServerPolicy",
"arn:aws-cn:iam::aws:policy/AmazonSSMManagedInstanceCore",
"arn:aws-cn:iam::aws:policy/AWSBatchFullAccess",
"arn:aws-cn:iam::aws:policy/AmazonS3ReadOnlyAccess",
"arn:aws-cn:iam::aws:policy/service-role/AWSBatchServiceRole",
"arn:aws-cn:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role",
"arn:aws-cn:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy",
"arn:aws-cn:iam::aws:policy/service-role/AmazonEC2SpotFleetTaggingRole",
"arn:aws-cn:iam::aws:policy/EC2InstanceProfileForImageBuilder",
"arn:aws-cn:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
]
}
},
"Action": [
"iam:AttachRolePolicy",
"iam:DetachRolePolicy"
],
"Resource": "arn:aws-cn:iam::111122223333:role/parallelcluster/*",
"Effect": "Allow",
"Sid": "IamPolicy"
}
]
}
Restricted IAM access mode
When no additional IAM policies are granted to the user, IAM roles required by clusters or
custom image build need to be manually created by an administrator and passed as part of the cluster
configuration.
When creating a cluster the following parameters are required:
When building a custom image the following parameters are required:
The IAM roles passed as part of the above listed parameters must be created on the
/parallelcluster/ path prefix. If this isn't possible, the user policy needs to be
updated to grant iam:PassRole permission on the specific custom roles, as in the following
example.
{
"Condition": {
"StringEqualsIfExists": {
"iam:PassedToService": [
"ecs-tasks.amazonaws.com",
"lambda.amazonaws.com",
"ec2.amazonaws.com",
"spotfleet.amazonaws.com",
"batch.amazonaws.com",
"codebuild.amazonaws.com"
]
}
},
"Action": [
"iam:PassRole"
],
"Resource": [
<list all custom IAM roles>
],
"Effect": "Allow",
"Sid": "IamPassRole"
}
Currently this mode does not allow the management of Amazon Batch clusters because not all IAM roles can be
passed in the cluster configuration.
PermissionsBoundary
mode
This mode delegates to Amazon ParallelCluster the creation of IAM roles that are bound to the
configured IAM permissions boundary. For more information on IAM permissions boundaries, see Permissions boundaries for IAM
entities in the IAM User Guide.
The following policy needs to be added to the user role.
In the policy, replace <permissions-boundary-arn> with the IAM policy ARN to be enforced
as permissions boundary.
- JSON
-
-
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"iam:CreateServiceLinkedRole",
"iam:DeleteRole",
"iam:TagRole"
],
"Resource": [
"arn:aws-cn:iam::111122223333:role/parallelcluster/*"
],
"Effect": "Allow",
"Sid": "IamRole"
},
{
"Condition": {
"StringEquals": {
"iam:PermissionsBoundary": [
"<permissions-boundary-arn>"
]
}
},
"Action": [
"iam:CreateRole"
],
"Resource": [
"arn:aws-cn:iam::111122223333:role/parallelcluster/*"
],
"Effect": "Allow",
"Sid": "IamCreateRole"
},
{
"Condition": {
"StringEquals": {
"iam:PermissionsBoundary": [
"<permissions-boundary-arn>"
]
}
},
"Action": [
"iam:PutRolePolicy",
"iam:DeleteRolePolicy"
],
"Resource": "arn:aws-cn:iam::111122223333:role/parallelcluster/*",
"Effect": "Allow",
"Sid": "IamInlinePolicy"
},
{
"Condition": {
"StringEquals": {
"iam:PermissionsBoundary": [
"<permissions-boundary-arn>"
]
},
"ArnLike": {
"iam:PolicyARN": [
"arn:aws-cn:iam::111122223333:policy/parallelcluster*",
"arn:aws-cn:iam::111122223333:policy/parallelcluster/*",
"arn:aws-cn:iam::aws:policy/CloudWatchAgentServerPolicy",
"arn:aws-cn:iam::aws:policy/AmazonSSMManagedInstanceCore",
"arn:aws-cn:iam::aws:policy/AWSBatchFullAccess",
"arn:aws-cn:iam::aws:policy/AmazonS3ReadOnlyAccess",
"arn:aws-cn:iam::aws:policy/service-role/AWSBatchServiceRole",
"arn:aws-cn:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role",
"arn:aws-cn:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy",
"arn:aws-cn:iam::aws:policy/service-role/AmazonEC2SpotFleetTaggingRole",
"arn:aws-cn:iam::aws:policy/EC2InstanceProfileForImageBuilder",
"arn:aws-cn:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
]
}
},
"Action": [
"iam:AttachRolePolicy",
"iam:DetachRolePolicy"
],
"Resource": "arn:aws-cn:iam::111122223333:role/parallelcluster/*",
"Effect": "Allow",
"Sid": "IamPolicy"
}
]
}
When this mode is enabled, you must specify the permissions boundary ARN in the Iam / PermissionsBoundary configuration parameter when creating or updating a cluster
and in the Build / Iam / PermissionBoundary
parameter when building a custom image.
Amazon ParallelCluster configuration parameters to manage IAM
permissions
Amazon ParallelCluster exposes a series of configuration options to customize and manage the IAM permissions and roles that are used
in a cluster or during the custom AMI creation process.
Cluster configuration
Head node IAM role
HeadNode / Iam / InstanceRole | InstanceProfile
With this option, you override the default IAM role that's assigned to the head node of the cluster. For additional
details, please refer to the InstanceProfile
reference.
Here is the minimal set of policies to be used as part of this role when the scheduler is Slurm:
-
arn:aws-cn:iam::aws:policy/CloudWatchAgentServerPolicy managed IAM policy. For more
information, see Create IAM roles and users
for use with the CloudWatch agent in the Amazon CloudWatch User Guide.
-
arn:aws-cn:iam::aws:policy/AmazonSSMManagedInstanceCore managed IAM policy. For more
information, see Amazon managed
policies for Amazon Systems Manager in the Amazon Systems Manager User Guide.
-
Additional IAM policy:
- JSON
-
-
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:GetObject",
"s3:GetObjectVersion"
],
"Resource": [
"arn:aws-cn:s3:::us-east-1-aws-parallelcluster/*",
"arn:aws-cn:s3:::dcv-license.us-east-1/*",
"arn:aws-cn:s3:::parallelcluster-*-v1-do-not-delete/*"
],
"Effect": "Allow"
},
{
"Action": [
"dynamodb:GetItem",
"dynamodb:PutItem",
"dynamodb:UpdateItem",
"dynamodb:BatchWriteItem",
"dynamodb:BatchGetItem"
],
"Resource": "arn:aws:dynamodb:us-east-1:111122223333:table/parallelcluster-*",
"Effect": "Allow"
},
{
"Condition": {
"StringEquals": {
"ec2:ResourceTag/parallelcluster:node-type": "Compute"
}
},
"Action": "ec2:TerminateInstances",
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"ec2:RunInstances",
"ec2:CreateFleet"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Condition": {
"StringEquals": {
"iam:PassedToService": [
"ec2.amazonaws.com"
]
}
},
"Action": [
"iam:PassRole"
],
"Resource": [
"arn:aws-cn:iam::111122223333:role/parallelcluster/*",
"arn:aws-cn:iam::111122223333:instance-profile/parallelcluster/*"
],
"Effect": "Allow"
},
{
"Action": [
"ec2:DescribeInstances",
"ec2:DescribeInstanceStatus",
"ec2:DescribeVolumes",
"ec2:DescribeInstanceAttribute",
"ec2:DescribeCapacityReservations"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"ec2:CreateTags",
"ec2:AttachVolume"
],
"Resource": [
"arn:aws:ec2:us-east-1:111122223333:instance/*",
"arn:aws:ec2:us-east-1:111122223333:volume/*"
],
"Effect": "Allow"
},
{
"Action": [
"cloudformation:DescribeStacks",
"cloudformation:DescribeStackResource",
"cloudformation:SignalResource"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"route53:ChangeResourceRecordSets"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": "secretsmanager:GetSecretValue",
"Resource": "arn:aws-cn:secretsmanager:us-east-1:111122223333:secret:<SECRET_ID>",
"Effect": "Allow"
}
]
}
Note that in case Scheduling / SlurmQueues / Iam
/ InstanceRole is used to override the
compute IAM role, the head node policy reported above needs to include such role in the Resource
section of the iam:PassRole permission.
Here is the minimal set of policies to be used as part of this role when the scheduler is Amazon Batch:
-
arn:aws-cn:iam::aws:policy/CloudWatchAgentServerPolicy managed IAM policy. For more
information, see Create IAM roles and users
for use with the CloudWatch agent in the Amazon CloudWatch User Guide.
-
arn:aws-cn:iam::aws:policy/AmazonSSMManagedInstanceCore managed IAM policy. For more
information, see Amazon managed
policies for Amazon Systems Manager in the Amazon Systems Manager User Guide.
-
Additional IAM policy:
- JSON
-
-
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:GetObject",
"s3:PutObject",
"s3:GetObjectVersion"
],
"Resource": [
"arn:aws-cn:s3:::parallelcluster-*-v1-do-not-delete/*"
],
"Effect": "Allow"
},
{
"Action": "s3:GetObject",
"Resource": [
"arn:aws-cn:s3:::dcv-license.us-east-1/*",
"arn:aws-cn:s3:::us-east-1-aws-parallelcluster/*"
],
"Effect": "Allow"
},
{
"Condition": {
"StringEquals": {
"iam:PassedToService": [
"batch.amazonaws.com"
]
}
},
"Action": [
"iam:PassRole"
],
"Resource": [
"arn:aws-cn:iam::111122223333:role/parallelcluster/*",
"arn:aws-cn:iam::111122223333:instance-profile/parallelcluster/*"
],
"Effect": "Allow"
},
{
"Action": [
"batch:DescribeJobQueues",
"batch:DescribeJobs",
"batch:ListJobs",
"batch:DescribeComputeEnvironments"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"batch:SubmitJob",
"batch:TerminateJob",
"logs:GetLogEvents",
"ecs:ListContainerInstances",
"ecs:DescribeContainerInstances"
],
"Resource": [
"arn:aws-cn:logs:us-east-1:111122223333:log-group:/aws/batch/job:log-stream:PclusterJobDefinition*",
"arn:aws-cn:ecs:us-east-1:111122223333:container-instance/AWSBatch-PclusterComputeEnviron*",
"arn:aws-cn:ecs:us-east-1:111122223333:cluster/AWSBatch-Pcluster*",
"arn:aws-cn:batch:us-east-1:111122223333:job-queue/PclusterJobQueue*",
"arn:aws-cn:batch:us-east-1:111122223333:job-definition/PclusterJobDefinition*:*",
"arn:aws-cn:batch:us-east-1:111122223333:job/*"
],
"Effect": "Allow"
},
{
"Action": [
"ec2:DescribeInstances",
"ec2:DescribeInstanceStatus",
"ec2:DescribeVolumes",
"ec2:DescribeInstanceAttribute"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"ec2:CreateTags",
"ec2:AttachVolume"
],
"Resource": [
"arn:aws:ec2:us-east-1:111122223333:instance/*",
"arn:aws:ec2:us-east-1:111122223333:volume/*"
],
"Effect": "Allow"
},
{
"Action": [
"cloudformation:DescribeStackResource",
"cloudformation:DescribeStacks",
"cloudformation:SignalResource"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": "secretsmanager:GetSecretValue",
"Resource": "arn:aws-cn:secretsmanager:us-east-1:111122223333:secret:<SECRET_ID>",
"Effect": "Allow"
}
]
}
Amazon S3 access
HeadNode / Iam /
S3Access or Scheduling /
SlurmQueues / S3Access
In these configuration sections, you can customize the Amazon S3 access by granting additional Amazon S3 policies to the IAM
roles associated with the head node or compute nodes of the cluster when such roles are created by
Amazon ParallelCluster. For more information, see the reference documentation for each of the configuration
parameter.
This parameter can be only used when the user is configured with Privileged IAM access mode or PermissionsBoundary
mode.
Additional IAM policies
HeadNode / Iam / AdditionalIamPolicies or SlurmQueues /
Iam /
AdditionalIamPolicies
Use this option to attach additional managed IAM policies to the IAM roles associated with the head node
or compute nodes of the cluster when such roles are created by Amazon ParallelCluster.
To use this option, make sure the Amazon ParallelCluster user is granted
iam:AttachRolePolicy and iam:DetachRolePolicy permissions for the IAM policies that need to be attached.
Amazon Lambda functions role
Iam / Roles /
LambdaFunctionsRole
This option overrides the role attached to all Amazon Lambda functions that are used during the cluster creation
process. Amazon Lambda needs to be configured as the principal allowed to assume the role.
Here is the minimal set of policies to be used as part of this role:
- JSON
-
-
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"route53:ListResourceRecordSets",
"route53:ChangeResourceRecordSets"
],
"Resource": "arn:aws-cn:route53:::hostedzone/*",
"Effect": "Allow"
},
{
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Effect": "Allow",
"Resource": "arn:aws-cn:logs:us-east-1:111122223333:log-group:/aws/lambda/pcluster-*"
},
{
"Action": "ec2:DescribeInstances",
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ec2:TerminateInstances",
"Condition": {
"StringEquals": {
"ec2:ResourceTag/parallelcluster:node-type": "Compute"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"s3:DeleteObject",
"s3:DeleteObjectVersion",
"s3:ListBucket",
"s3:ListBucketVersions"
],
"Effect": "Allow",
"Resource": [
"arn:aws-cn:s3:::parallelcluster-*-v1-do-not-delete",
"arn:aws-cn:s3:::parallelcluster-*-v1-do-not-delete/*"
]
}
]
}
Compute nodes IAM role
Scheduling / SlurmQueues /
Iam / InstanceRole |
InstanceProfile
This option allows to override the IAM role that is assigned to the compute nodes of the cluster. For more
information, see InstanceProfile.
Here is the minimal set of policies to be used as part of this role:
-
arn:aws-cn:iam::aws:policy/CloudWatchAgentServerPolicy managed IAM policy. For more information,
see Create IAM roles and users for use with the CloudWatch
agent in the Amazon CloudWatch User Guide.
-
arn:aws-cn:iam::aws:policy/AmazonSSMManagedInstanceCore managed IAM policy. For more
information, see Amazon managed
policies for Amazon Systems Manager in the Amazon Systems Manager User Guide.
-
Additional IAM policy:
- JSON
-
-
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"dynamodb:Query",
"dynamodb:UpdateItem",
"dynamodb:PutItem",
"dynamodb:GetItem"
],
"Resource": "arn:aws:dynamodb:us-east-1:111122223333:table/parallelcluster-*",
"Effect": "Allow"
},
{
"Action": "s3:GetObject",
"Resource": [
"arn:aws-cn:s3:::us-east-1-aws-parallelcluster/*"
],
"Effect": "Allow"
},
{
"Action": "ec2:DescribeInstanceAttribute",
"Resource": "*",
"Effect": "Allow"
},
{
"Action": "cloudformation:DescribeStackResource",
"Resource": [
"arn:aws:cloudformation:us-east-1:111122223333:stack/*/*"
],
"Effect": "Allow"
}
]
}
Permissions boundary
Iam / PermissionsBoundary
This parameter forces Amazon ParallelCluster to attach the given IAM policy as a PermissionsBoundary to all IAM
roles that are created as part of a cluster deployment.
See PermissionsBoundary
mode for the list of policies required by the
user when this setting is defined.
Custom Image configuration
Instance role for EC2 Image Builder
Build / Iam /
InstanceRole |
InstanceProfile
With this option you override the IAM role that is assigned to the Amazon EC2 instance launched by EC2 Image Builder to
create a custom AMI.
Here is the minimal set of policies to be used as part of this role:
-
arn:aws-cn:iam::aws:policy/AmazonSSMManagedInstanceCore managed IAM policy. For more
information, see Amazon managed
policies for Amazon Systems Manager in the Amazon Systems Manager User Guide.
-
arn:aws-cn:iam::aws:policy/EC2InstanceProfileForImageBuilder managed IAM policy. For more
information, see EC2InstanceProfileForImageBuilder policy in the
Image Builder User Guide.
-
Additional IAM policy:
- JSON
-
-
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"ec2:CreateTags",
"ec2:ModifyImageAttribute"
],
"Resource": "arn:aws:ec2:us-east-1::image/*",
"Effect": "Allow"
}
]
}
Amazon Lambda cleanup role
Build / Iam /
CleanupLambdaRole
This option overrides the role attached to all Amazon Lambda functions that are used during the custom image build
process. Amazon Lambda needs to be configured as the principal allowed to assume the role.
Here is the minimal set of policies to be used as part of this role:
Additional IAM policies
Build / Iam /
AdditionalIamPolicies
You use this option to attach additional managed IAM policies to the role associated with the Amazon EC2 instance used by EC2 Image Builder to produce the custom AMI.
To use this option, make sure the Amazon ParallelClusteruser is granted
iam:AttachRolePolicy and iam:DetachRolePolicy permissions for the IAM policies that need to be attached.
Permissions boundary
Build / Iam /
PermissionsBoundary
This parameter forces Amazon ParallelCluster to attach the given IAM policy as a PermissionsBoundary
to all IAM roles that are created as part of custom AMI build.
See PermissionsBoundary
mode for the list of policies required to use such
functionality.