


# Amazon Identity and Access Management permissions in Amazon ParallelCluster
<a name="iam-roles-in-parallelcluster-v3"></a>

Amazon ParallelCluster uses IAM permissions to control access to resources when it creates and manages clusters.

**To create and manage clusters in an Amazon account, Amazon ParallelCluster requires two levels of permissions:**
+ The permissions that the `pcluster` user needs to invoke the `pcluster` CLI commands that create and manage clusters.
+ The permissions that the cluster resources need to perform cluster actions.

**Amazon ParallelCluster uses** [Amazon EC2 instance profiles and roles](#iam-ec2-instance-role) to provide cluster resource permissions. To manage cluster resource permissions, Amazon ParallelCluster also requires permissions on IAM resources. For more information, see [Amazon ParallelCluster example user policies for managing IAM resources](#iam-roles-in-parallelcluster-v3-user-policy-manage-iam).

**The `pcluster` user requires** IAM permissions to use the [`pcluster`](pcluster-v3.md) CLI to create and manage clusters and their resources. These permissions are included in an IAM policy that can be added to a user or a role. For more information about IAM roles, see [Creating a role for a user](https://docs.amazonaws.cn/IAM/latest/UserGuide/id_roles_create_for-user.html) in the *Amazon Identity and Access Management User Guide*.

You can also use the [Amazon ParallelCluster configuration parameters for managing IAM permissions](#iam-roles-in-parallelcluster-v3-params-for-iam).

The following sections contain the required permissions and examples.

To use the example policies, replace `<REGION>`, `<Amazon ACCOUNT ID>`, and similar strings with the appropriate values.

You can track changes to the example policies in the [Amazon ParallelCluster documentation on GitHub](https://github.com/awsdocs/aws-parallelcluster-user-guide/blame/main/doc_source/iam-roles-in-parallelcluster-v3.md).

**Topics**
+ [Amazon ParallelCluster Amazon EC2 instance role](#iam-ec2-instance-role)
+ [Amazon ParallelCluster `pcluster` user example policies](#iam-roles-in-parallelcluster-v3-example-user-policies)
+ [Amazon ParallelCluster example user policies for managing IAM resources](#iam-roles-in-parallelcluster-v3-user-policy-manage-iam)
+ [Amazon ParallelCluster configuration parameters for managing IAM permissions](#iam-roles-in-parallelcluster-v3-params-for-iam)

## Amazon ParallelCluster Amazon EC2 instance role
<a name="iam-ec2-instance-role"></a>

When you create a cluster with the default configuration settings, Amazon ParallelCluster automatically creates a default cluster Amazon EC2 [instance role](https://docs.amazonaws.cn/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html), attached through an Amazon EC2 [instance profile](https://docs.amazonaws.cn/IAM/latest/UserGuide/id_roles_use_switch-role-ec2_instance-profiles.html). This role provides the permissions required to create and manage the cluster and its resources.

### Alternatives to using the default Amazon ParallelCluster instance role
<a name="iam-roles-in-parallelcluster-v3-existing-roles"></a>

Instead of the default Amazon ParallelCluster instance role, you can specify your own existing IAM role for EC2 with the `InstanceRole` cluster configuration setting. For more information, see [Amazon ParallelCluster configuration parameters for managing IAM permissions](#iam-roles-in-parallelcluster-v3-params-for-iam). Typically, you specify an existing IAM role to take full control of the permissions granted to EC2.

If you plan to add policies to the default instance role, we recommend that you pass the additional IAM policies with the [`AdditionalIamPolicies`](#iam-roles-in-parallelcluster-v3-cluster-config-additionaliampolicies) configuration setting rather than with the [`InstanceProfile` or `InstanceRole`](#iam-roles-in-parallelcluster-v3-cluster-config-headnode-instanceprofile) settings. You can change `AdditionalIamPolicies` when you update a cluster, but you cannot change `InstanceRole` in a cluster update.

## Amazon ParallelCluster `pcluster` user example policies
<a name="iam-roles-in-parallelcluster-v3-example-user-policies"></a>

The following examples show the user policies required to create Amazon ParallelCluster clusters and manage their resources with the `pcluster` CLI. You can attach the policies to a user or a role.

**Topics**
+ [Base Amazon ParallelCluster `pcluster` user policy](#iam-roles-in-parallelcluster-v3-base-user-policy)
+ [Additional Amazon ParallelCluster `pcluster` user policy when using Amazon Batch scheduling](#iam-roles-in-parallelcluster-v3-user-policy-batch)
+ [Additional Amazon ParallelCluster `pcluster` user policy when using Amazon FSx for Lustre](#iam-roles-in-parallelcluster-v3-user-policy-fsxlustre)
+ [Amazon ParallelCluster image build `pcluster` user policy](#iam-roles-in-parallelcluster-v3-user-policy-build-image)

### Base Amazon ParallelCluster `pcluster` user policy
<a name="iam-roles-in-parallelcluster-v3-base-user-policy"></a>

The following policy shows the permissions required to run Amazon ParallelCluster `pcluster` commands.

The last action listed in the policy is used to validate any secrets specified in the cluster configuration. For example, an Amazon Secrets Manager secret is used to configure [`DirectoryService`](DirectoryService-v3.md) integration. In that case, the cluster is created only if a valid secret exists at [`PasswordSecretArn`](DirectoryService-v3.md#yaml-DirectoryService-PasswordSecretArn). If this action is omitted, secret validation is skipped. To improve your security posture, we recommend that you narrow the scope of this policy statement to only the secrets specified in the cluster configuration.

**Note**  
If an existing Amazon EFS file system is the only file system used in your cluster, you can narrow the scope of the example Amazon EFS policy statement to the specific file system referenced in the [`SharedStorage` section](SharedStorage-v3.md) of the cluster configuration file.


```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "ec2:Describe*"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "EC2Read"
        },
        {
            "Action": [
                "ec2:AllocateAddress",
                "ec2:AssociateAddress",
                "ec2:AttachNetworkInterface",
                "ec2:AuthorizeSecurityGroupEgress",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:CreateFleet",
                "ec2:CreateLaunchTemplate",
                "ec2:CreateLaunchTemplateVersion",
                "ec2:CreateNetworkInterface",
                "ec2:CreatePlacementGroup",
                "ec2:CreateSecurityGroup",
                "ec2:CreateSnapshot",
                "ec2:CreateTags",
                "ec2:DeleteTags",
                "ec2:CreateVolume",
                "ec2:DeleteLaunchTemplate",
                "ec2:DeleteNetworkInterface",
                "ec2:DeletePlacementGroup",
                "ec2:DeleteSecurityGroup",
                "ec2:DeleteVolume",
                "ec2:DisassociateAddress",
                "ec2:ModifyLaunchTemplate",
                "ec2:ModifyNetworkInterfaceAttribute",
                "ec2:ModifyVolume",
                "ec2:ModifyVolumeAttribute",
                "ec2:ReleaseAddress",
                "ec2:RevokeSecurityGroupEgress",
                "ec2:RevokeSecurityGroupIngress",
                "ec2:RunInstances",
                "ec2:TerminateInstances"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "EC2Write"
        },
        {
            "Action": [
                "dynamodb:DescribeTable",
                "dynamodb:ListTagsOfResource",
                "dynamodb:CreateTable",
                "dynamodb:DeleteTable",
                "dynamodb:GetItem",
                "dynamodb:PutItem",
                "dynamodb:UpdateItem",
                "dynamodb:Query",
                "dynamodb:TagResource",
                "dynamodb:UntagResource"
            ],
            "Resource": "arn:aws:dynamodb:*:111122223333:table/parallelcluster-*",
            "Effect": "Allow",
            "Sid": "DynamoDB"
        },
        {
            "Action": [
                "route53:ChangeResourceRecordSets",
                "route53:ChangeTagsForResource",
                "route53:CreateHostedZone",
                "route53:DeleteHostedZone",
                "route53:GetChange",
                "route53:GetHostedZone",
                "route53:ListResourceRecordSets",
                "route53:ListQueryLoggingConfigs"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "Route53HostedZones"
        },
        {
            "Action": [
                "cloudformation:*"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "CloudFormation"
        },
        {
            "Action": [
                "cloudwatch:PutDashboard",
                "cloudwatch:ListDashboards",
                "cloudwatch:DeleteDashboards",
                "cloudwatch:GetDashboard",
                "cloudwatch:PutMetricAlarm",
                "cloudwatch:DeleteAlarms",
                "cloudwatch:DescribeAlarms",
                "cloudwatch:PutCompositeAlarm",
                "cloudwatch:TagResource",
                "cloudwatch:UntagResource"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "CloudWatch"
        },
        {
            "Action": [
                "iam:GetRole",
                "iam:GetRolePolicy",
                "iam:GetPolicy",
                "iam:SimulatePrincipalPolicy",
                "iam:GetInstanceProfile"
            ],
            "Resource": [
                "arn:aws:iam::111122223333:role/*",
                "arn:aws:iam::111122223333:policy/*",
                "arn:aws:iam::aws:policy/*",
                "arn:aws:iam::111122223333:instance-profile/*"
            ],
            "Effect": "Allow",
            "Sid": "IamRead"
        },
        {
            "Action": [
                "iam:CreateInstanceProfile",
                "iam:DeleteInstanceProfile",
                "iam:AddRoleToInstanceProfile",
                "iam:RemoveRoleFromInstanceProfile"
            ],
            "Resource": [
                "arn:aws:iam::111122223333:instance-profile/parallelcluster/*"
            ],
            "Effect": "Allow",
            "Sid": "IamInstanceProfile"
        },
        {
            "Condition": {
                "StringEqualsIfExists": {
                    "iam:PassedToService": [
                        "lambda.amazonaws.com",
                        "ec2.amazonaws.com",
                        "spotfleet.amazonaws.com"
                    ]
                }
            },
            "Action": [
                "iam:PassRole"
            ],
            "Resource": [
                "arn:aws:iam::111122223333:role/parallelcluster/*"
            ],
            "Effect": "Allow",
            "Sid": "IamPassRole"
        },
        {
            "Action": [
                "lambda:CreateFunction",
                "lambda:DeleteFunction",
                "lambda:GetFunctionConfiguration",
                "lambda:GetFunction",
                "lambda:InvokeFunction",
                "lambda:AddPermission",
                "lambda:RemovePermission",
                "lambda:UpdateFunctionConfiguration",
                "lambda:TagResource",
                "lambda:ListTags",
                "lambda:UntagResource"
            ],
            "Resource": [
                "arn:aws:lambda:*:111122223333:function:parallelcluster-*",
                "arn:aws:lambda:*:111122223333:function:pcluster-*"
            ],
            "Effect": "Allow",
            "Sid": "Lambda"
        },
        {
            "Action": [
                "s3:*"
            ],
            "Resource": [
                "arn:aws:s3:::parallelcluster-*",
                "arn:aws:s3:::aws-parallelcluster-*"
            ],
            "Effect": "Allow",
            "Sid": "S3ResourcesBucket"
        },
        {
            "Action": [
                "s3:Get*",
                "s3:List*"
            ],
            "Resource": "arn:aws:s3:::*-aws-parallelcluster*",
            "Effect": "Allow",
            "Sid": "S3ParallelClusterReadOnly"
        },
        {
            "Action": [
                "elasticfilesystem:*"
            ],
            "Resource": [
                "arn:aws:elasticfilesystem:*:111122223333:*"
            ],
            "Effect": "Allow",
            "Sid": "EFS"
        },
        {
            "Action": [
                "logs:DeleteLogGroup",
                "logs:PutRetentionPolicy",
                "logs:DescribeLogGroups",
                "logs:CreateLogGroup",
                "logs:TagResource",
                "logs:UntagResource",
                "logs:FilterLogEvents",
                "logs:GetLogEvents",
                "logs:CreateExportTask",
                "logs:DescribeLogStreams",
                "logs:DescribeExportTasks",
                "logs:DescribeMetricFilters",
                "logs:PutMetricFilter",
                "logs:DeleteMetricFilter",
                "logs:ListTagsForResource"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "CloudWatchLogs"
        },
        {
            "Action": [
                "resource-groups:ListGroupResources"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "ResourceGroupRead"
        },
        {
            "Sid": "AllowDescribingFileCache",
            "Effect": "Allow",
            "Action": [
                "fsx:DescribeFileCaches"
            ],
            "Resource": "*"
        },
        {
            "Action": "secretsmanager:DescribeSecret",
            "Resource": "arn:aws:secretsmanager:us-east-1:111122223333:secret:<SECRET NAME>",
            "Effect": "Allow"
        }
    ]
}
```


### Additional Amazon ParallelCluster `pcluster` user policy when using Amazon Batch scheduling
<a name="iam-roles-in-parallelcluster-v3-user-policy-batch"></a>

If you need to create and manage clusters with the Amazon Batch scheduler, the following additional policy is required.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Condition": {
                "StringEqualsIfExists": {
                    "iam:PassedToService": [
                        "ecs-tasks.amazonaws.com",
                        "batch.amazonaws.com",
                        "codebuild.amazonaws.com"
                    ]
                }
            },
            "Action": [
                "iam:PassRole"
            ],
            "Resource": [
                "arn:aws:iam::111122223333:role/parallelcluster/*"
            ],
            "Effect": "Allow",
            "Sid": "IamPassRole"
        },
        {
            "Condition": {
                "StringEquals": {
                    "iam:AWSServiceName": [
                        "batch.amazonaws.com"
                    ]
                }
            },
            "Action": [
                "iam:CreateServiceLinkedRole",
                "iam:DeleteServiceLinkedRole"
            ],
            "Resource": [
                "arn:aws:iam::111122223333:role/aws-service-role/batch.amazonaws.com/*"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "codebuild:*"
            ],
            "Resource": "arn:aws:codebuild:*:111122223333:project/pcluster-*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "ecr:*"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "ECR"
        },
        {
            "Action": [
                "batch:*"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "Batch"
        },
        {
            "Action": [
                "events:*"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "AmazonCloudWatchEvents"
        },
        {
            "Action": [
                "ecs:DescribeContainerInstances",
                "ecs:ListContainerInstances"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "ECS"
        }
    ]
}
```


### Additional Amazon ParallelCluster `pcluster` user policy when using Amazon FSx for Lustre
<a name="iam-roles-in-parallelcluster-v3-user-policy-fsxlustre"></a>

If you need to create and manage clusters with Amazon FSx for Lustre, the following additional policy is required.

**Note**  
If an existing Amazon FSx file system is the only file system used in your cluster, you can narrow the scope of the example Amazon FSx policy statement to the specific file system referenced in the [`SharedStorage` section](SharedStorage-v3.md) of the cluster configuration file.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Condition": {
                "StringEquals": {
                    "iam:AWSServiceName": [
                        "fsx.amazonaws.com",
                        "s3.data-source.lustre.fsx.amazonaws.com"
                    ]
                }
            },
            "Action": [
                "iam:CreateServiceLinkedRole",
                "iam:DeleteServiceLinkedRole"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "fsx:*"
            ],
            "Resource": [
                "arn:aws:fsx:*:111122223333:*"
            ],
            "Effect": "Allow",
            "Sid": "FSx"
        },
        {
            "Action": [
                "iam:CreateServiceLinkedRole",
                "iam:AttachRolePolicy",
                "iam:PutRolePolicy"
            ],
            "Resource": "arn:aws:iam::111122223333:role/aws-service-role/s3.data-source.lustre.fsx.amazonaws.com/*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "s3:Get*",
                "s3:List*",
                "s3:PutObject"
            ],
            "Resource": "arn:aws:s3:::amzn-s3-demo-bucket",
            "Effect": "Allow"
        }
    ]
}
```


### Amazon ParallelCluster image build `pcluster` user policy
<a name="iam-roles-in-parallelcluster-v3-user-policy-build-image"></a>

Users who plan to create custom Amazon EC2 images with Amazon ParallelCluster must have the following set of permissions.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeImages",
                "ec2:DescribeInstanceTypeOfferings",
                "ec2:DescribeInstanceTypes",
                "ec2:DeregisterImage",
                "ec2:DeleteSnapshot"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "EC2"
        },
        {
            "Action": [
                "iam:CreateInstanceProfile",
                "iam:AddRoleToInstanceProfile",
                "iam:CreateRole",
                "iam:TagRole",
                "iam:GetRole",
                "iam:PutRolePolicy",
                "iam:GetRolePolicy",
                "iam:GetInstanceProfile",
                "iam:RemoveRoleFromInstanceProfile"
            ],
            "Resource": [
                "arn:aws:iam::111122223333:instance-profile/parallelcluster/*",
                "arn:aws:iam::111122223333:instance-profile/ParallelClusterImage*",
                "arn:aws:iam::111122223333:role/parallelcluster/*"
            ],
            "Effect": "Allow",
            "Sid": "IAM"
        },
        {
            "Condition": {
                "StringEquals": {
                    "iam:PassedToService": [
                        "lambda.amazonaws.com",
                        "ec2.amazonaws.com"
                    ]
                }
            },
            "Action": [
                "iam:PassRole"
            ],
            "Resource": [
                "arn:aws:iam::111122223333:instance-profile/parallelcluster/*",
                "arn:aws:iam::111122223333:role/parallelcluster/*"
            ],
            "Effect": "Allow",
            "Sid": "IAMPassRole"
        },
        {
            "Action": [
                "logs:GetLogEvents",
                "logs:CreateLogGroup",
                "logs:TagResource",
                "logs:UntagResource",
                "logs:DeleteLogGroup"
            ],
            "Resource": [
                "arn:aws:logs:*:111122223333:log-group:/aws/imagebuilder/ParallelClusterImage-*",
                "arn:aws:logs:*:111122223333:log-group:/aws/lambda/ParallelClusterImage-*"
            ],
            "Effect": "Allow",
            "Sid": "CloudWatch"
        },
        {
            "Action": [
                "cloudformation:DescribeStacks",
                "cloudformation:CreateStack",
                "cloudformation:DeleteStack"
            ],
            "Resource": [
                "arn:aws:cloudformation:*:111122223333:stack/*"
            ],
            "Effect": "Allow",
            "Sid": "CloudFormation"
        },
        {
            "Action": [
                "lambda:CreateFunction",
                "lambda:GetFunction",
                "lambda:AddPermission",
                "lambda:RemovePermission",
                "lambda:DeleteFunction",
                "lambda:TagResource",
                "lambda:ListTags",
                "lambda:UntagResource"
            ],
            "Resource": [
                "arn:aws:lambda:*:111122223333:function:ParallelClusterImage-*"
            ],
            "Effect": "Allow",
            "Sid": "Lambda"
        },
        {
            "Action": [
                "imagebuilder:Get*"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "ImageBuilderGet"
        },
        {
            "Action": [
                "imagebuilder:CreateImage",
                "imagebuilder:TagResource",
                "imagebuilder:CreateImageRecipe",
                "imagebuilder:CreateComponent",
                "imagebuilder:CreateDistributionConfiguration",
                "imagebuilder:CreateInfrastructureConfiguration",
                "imagebuilder:DeleteImage",
                "imagebuilder:DeleteComponent",
                "imagebuilder:DeleteImageRecipe",
                "imagebuilder:DeleteInfrastructureConfiguration",
                "imagebuilder:DeleteDistributionConfiguration"
            ],
            "Resource": [
                "arn:aws:imagebuilder:*:111122223333:image/parallelclusterimage-*",
                "arn:aws:imagebuilder:*:111122223333:image-recipe/parallelclusterimage-*",
                "arn:aws:imagebuilder:*:111122223333:component/parallelclusterimage-*",
                "arn:aws:imagebuilder:*:111122223333:distribution-configuration/parallelclusterimage-*",
                "arn:aws:imagebuilder:*:111122223333:infrastructure-configuration/parallelclusterimage-*"
            ],
            "Effect": "Allow",
            "Sid": "ImageBuilder"
        },
        {
            "Action": [
                "s3:CreateBucket",
                "s3:ListBucket",
                "s3:ListBucketVersions"
            ],
            "Resource": [
                "arn:aws:s3:::parallelcluster-*"
            ],
            "Effect": "Allow",
            "Sid": "S3Bucket"
        },
        {
            "Action": [
                "sns:GetTopicAttributes",
                "sns:TagResource",
                "sns:CreateTopic",
                "sns:Subscribe",
                "sns:Publish",
                "SNS:DeleteTopic",
                "SNS:Unsubscribe"
            ],
            "Resource": [
                "arn:aws:sns:*:111122223333:ParallelClusterImage-*"
            ],
            "Effect": "Allow",
            "Sid": "SNS"
        },
        {
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:GetObjectVersion",
                "s3:DeleteObject",
                "s3:DeleteObjectVersion"
            ],
            "Resource": [
                "arn:aws:s3:::parallelcluster-*/*"
            ],
            "Effect": "Allow",
            "Sid": "S3Objects"
        },
        {
            "Action": "iam:CreateServiceLinkedRole",
            "Effect": "Allow",
            "Resource": "arn:aws:iam::*:role/aws-service-role/imagebuilder.amazonaws.com/AWSServiceRoleForImageBuilder",
            "Condition": {
                "StringLike": {
                    "iam:AWSServiceName": "imagebuilder.amazonaws.com"
                }
            }
        }
    ]
}
```


## Amazon ParallelCluster example user policies for managing IAM resources
<a name="iam-roles-in-parallelcluster-v3-user-policy-manage-iam"></a>

When you use Amazon ParallelCluster to create clusters or custom AMIs, you must provide IAM policies that grant the Amazon ParallelCluster components the set of permissions they require. These IAM resources can either be created automatically by Amazon ParallelCluster when the cluster or custom image is created, or be provided as input.

You can use the following modes to give the Amazon ParallelCluster user the permissions required to access IAM resources, by adding IAM policies in the configuration.

**Topics**
+ [Privileged IAM access mode](#iam-roles-in-parallelcluster-v3-privileged-iam-access)
+ [Restricted IAM access mode](#iam-roles-in-parallelcluster-v3-restricted-iam-access)
+ [`PermissionsBoundary` mode](#iam-roles-in-parallelcluster-v3-permissionsboundary-mode)

### Privileged IAM access mode
<a name="iam-roles-in-parallelcluster-v3-privileged-iam-access"></a>

In this mode, Amazon ParallelCluster automatically creates all of the necessary IAM resources. These IAM policies are scoped down to allow access to the cluster resources only.

To enable privileged IAM access mode, add the following policy to the user role.

**Note**  
If you configure the [`HeadNode`](HeadNode-v3.md)/[`Iam`](HeadNode-v3.md#HeadNode-v3-Iam)/[`AdditionalPolicies`](HeadNode-v3.md#yaml-HeadNode-Iam-AdditionalIamPolicies) or [`Scheduling`](Scheduling-v3.md)/[`SlurmQueues`](Scheduling-v3.md#Scheduling-v3-SlurmQueues)/[`Iam`](Scheduling-v3.md#Scheduling-v3-SlurmQueues-Iam)/[`AdditionalPolicies`](Scheduling-v3.md#yaml-Scheduling-SlurmQueues-Iam-AdditionalIamPolicies) parameters, you must grant the Amazon ParallelCluster user permission to attach and detach role policies for each additional policy, as shown in the following policy. Add the additional policy ARNs to the condition of the statement that allows attaching and detaching role policies.

**Warning**  
This mode gives the user IAM administrator permissions in the Amazon Web Services account.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "iam:CreateServiceLinkedRole",
                "iam:DeleteRole",
                "iam:TagRole",
                "iam:UntagRole"
            ],
            "Resource": [
                "arn:aws:iam::111122223333:role/parallelcluster/*"
            ],
            "Effect": "Allow",
            "Sid": "IamRole"
        },
        {
            "Action": [
                "iam:CreateRole"
            ],
            "Resource": [
                "arn:aws:iam::111122223333:role/parallelcluster/*"
            ],
            "Effect": "Allow",
            "Sid": "IamCreateRole"
        },
        {
            "Action": [
                "iam:PutRolePolicy",
                "iam:DeleteRolePolicy"
            ],
            "Resource": "arn:aws:iam::111122223333:role/parallelcluster/*",
            "Effect": "Allow",
            "Sid": "IamInlinePolicy"
        },
        {
            "Condition": {
                "ArnLike": {
                    "iam:PolicyARN": [
                        "arn:aws:iam::111122223333:policy/parallelcluster*",
                        "arn:aws:iam::111122223333:policy/parallelcluster/*",
                        "arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy",
                        "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore",
                        "arn:aws:iam::aws:policy/AWSBatchFullAccess",
                        "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess",
                        "arn:aws:iam::aws:policy/service-role/AWSBatchServiceRole",
                        "arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role",
                        "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy",
                        "arn:aws:iam::aws:policy/service-role/AmazonEC2SpotFleetTaggingRole",
                        "arn:aws:iam::aws:policy/EC2InstanceProfileForImageBuilder",
                        "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
                    ]
                }
            },
            "Action": [
                "iam:AttachRolePolicy",
                "iam:DetachRolePolicy"
            ],
            "Resource": "arn:aws:iam::111122223333:role/parallelcluster/*",
            "Effect": "Allow",
            "Sid": "IamPolicy"
        }
    ]
}
```


### Restricted IAM access mode
<a name="iam-roles-in-parallelcluster-v3-restricted-iam-access"></a>

If no additional IAM policies are granted to the user, the IAM roles required by clusters or custom image builds must be created manually by an administrator and passed as part of the cluster configuration.

When creating a cluster, the following parameters are required:
+ [`Iam`](Iam-v3.md) / [`Roles`](Iam-v3.md#yaml-Iam-Roles) / [`LambdaFunctionsRole`](Iam-v3.md#yaml-Iam-Roles-LambdaFunctionsRole)
+ [`HeadNode`](HeadNode-v3.md) / [`Iam`](HeadNode-v3.md#HeadNode-v3-Iam) / [`InstanceRole`](HeadNode-v3.md#yaml-HeadNode-Iam-InstanceRole) | [`InstanceProfile`](HeadNode-v3.md#yaml-HeadNode-Iam-InstanceProfile)
+ [`Scheduling`](Scheduling-v3.md) / [`SlurmQueues`](Scheduling-v3.md#Scheduling-v3-SlurmQueues) / [`Iam`](Scheduling-v3.md#Scheduling-v3-SlurmQueues-Iam) / [`InstanceRole`](Scheduling-v3.md#yaml-Scheduling-SlurmQueues-Iam-InstanceRole) | [`InstanceProfile`](Scheduling-v3.md#yaml-Scheduling-SlurmQueues-Iam-InstanceProfile)

When building a custom image, the following parameters are required:
+ [`Build`](Build-v3.md) / [`Iam`](Build-v3.md#Build-v3-Iam) / [`InstanceRole`](Build-v3.md#yaml-build-image-Build-Iam-InstanceRole) | [`InstanceProfile`](Build-v3.md#yaml-build-image-Build-Iam-InstanceProfile)
+ [`Build`](Build-v3.md) / [`Iam`](Build-v3.md#Build-v3-Iam) / [`CleanupLambdaRole`](Build-v3.md#yaml-build-image-Build-Iam-CleanupLambdaRole)

The IAM roles passed through the parameters listed above must be created with the `/parallelcluster/` path prefix. If this is not possible, the user policy must be updated to grant `iam:PassRole` permission on the specific custom roles, as in the following example.

```
{
   "Condition": {
       "StringEqualsIfExists": {
           "iam:PassedToService": [
               "ecs-tasks.amazonaws.com",
               "lambda.amazonaws.com",
               "ec2.amazonaws.com",
               "spotfleet.amazonaws.com",
               "batch.amazonaws.com",
               "codebuild.amazonaws.com"
           ]
       }
   },
   "Action": [
       "iam:PassRole"
   ],
   "Resource": [
       <list all custom IAM roles>
   ],
   "Effect": "Allow",
   "Sid": "IamPassRole"
}
```

**Warning**  
Currently, this mode does not allow managing Amazon Batch clusters, because not all IAM roles can be passed in the cluster configuration.
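As an added example (not code from the Amazon ParallelCluster project or this guide), the following Python builds the `iam:PassRole` statement shown above from a cluster configuration that has already been parsed into a dict, listing only the passed roles that were not created under the `/parallelcluster/` path; the configuration, role names and account id are constructed placeholders.

```python
"""Build the iam:PassRole statement that restricted IAM access mode needs when the
roles passed in the cluster configuration were not created under /parallelcluster/.

Added example, not part of the Amazon ParallelCluster documentation or code base.
It takes the cluster configuration already parsed from YAML into a dict; the
sample configuration and role ARNs below are constructed, with a placeholder account."""
import json
import re

# The services that the example statement on this page lists under iam:PassedToService.
PASSED_TO_SERVICES = [
    "ecs-tasks.amazonaws.com",
    "lambda.amazonaws.com",
    "ec2.amazonaws.com",
    "spotfleet.amazonaws.com",
    "batch.amazonaws.com",
    "codebuild.amazonaws.com",
]

# Roles under the /parallelcluster/ path are already covered by the base user policy
# (Resource arn:aws:iam::<account>:role/parallelcluster/*); only the others need listing.
PC_ROLE_PATH_RE = re.compile(r"^arn:aws[a-z-]*:iam::\d{12}:role/parallelcluster/")


def collect_role_arns(config):
    """Role ARNs passed through the parameters named in the restricted-mode section:
    Iam/Roles/LambdaFunctionsRole, HeadNode/Iam/InstanceRole and
    Scheduling/SlurmQueues[*]/Iam/InstanceRole. Missing parameters are skipped."""
    arns = []
    arns.append(config.get("Iam", {}).get("Roles", {}).get("LambdaFunctionsRole"))
    arns.append(config.get("HeadNode", {}).get("Iam", {}).get("InstanceRole"))
    for queue in config.get("Scheduling", {}).get("SlurmQueues", []):
        arns.append(queue.get("Iam", {}).get("InstanceRole"))
    return [arn for arn in arns if arn]


def custom_roles_needing_passrole(config):
    """Roles outside /parallelcluster/ that must be named in the user's iam:PassRole
    statement, in configuration order and without duplicates."""
    custom = []
    for arn in collect_role_arns(config):
        if not PC_ROLE_PATH_RE.match(arn) and arn not in custom:
            custom.append(arn)
    return custom


def build_passrole_statement(config):
    """The statement from this page with <list all custom IAM roles> filled in, or None
    when every passed role already lives under /parallelcluster/ (nothing to add)."""
    roles = custom_roles_needing_passrole(config)
    if not roles:
        return None
    return {
        "Sid": "IamPassRole",
        "Effect": "Allow",
        "Action": ["iam:PassRole"],
        "Resource": roles,
        "Condition": {"StringEqualsIfExists": {"iam:PassedToService": PASSED_TO_SERVICES}},
    }


# Constructed sample cluster configuration: the Lambda role uses the recommended path,
# the head node and both queues use custom roles an administrator created elsewhere.
SAMPLE_CONFIG = {
    "Iam": {"Roles": {"LambdaFunctionsRole":
                      "arn:aws:iam::111122223333:role/parallelcluster/pc-lambda-role"}},
    "HeadNode": {"Iam": {"InstanceRole": "arn:aws:iam::111122223333:role/hpc/head-node-role"}},
    "Scheduling": {
        "Scheduler": "slurm",
        "SlurmQueues": [
            {"Name": "queue1", "Iam": {"InstanceRole": "arn:aws:iam::111122223333:role/hpc/compute-role"}},
            {"Name": "queue2", "Iam": {"InstanceRole": "arn:aws:iam::111122223333:role/hpc/compute-role"}},
        ],
    },
}

if __name__ == "__main__":
    print(json.dumps(build_passrole_statement(SAMPLE_CONFIG), indent=4))
```

The generated statement replaces the `IamPassRole` statement of the base user policy only for the custom roles; roles under `/parallelcluster/` stay covered by the existing path-scoped statement.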

### `PermissionsBoundary` mode
<a name="iam-roles-in-parallelcluster-v3-permissionsboundary-mode"></a>

This mode delegates to Amazon ParallelCluster the creation of IAM roles that are bound to the configured IAM permissions boundary. For more information about IAM permissions boundaries, see [Permissions boundaries for IAM entities](https://docs.amazonaws.cn/IAM/latest/UserGuide/access_policies_boundaries.html) in the *IAM User Guide*.

The following policy needs to be added to the user role.

In the policy, replace *<permissions-boundary-arn>* with the ARN of the IAM policy to be enforced as the permissions boundary.

**Warning**  
If you configure the [`HeadNode`](HeadNode-v3.md)/[`Iam`](HeadNode-v3.md#HeadNode-v3-Iam)/[`AdditionalPolicies`](HeadNode-v3.md#yaml-HeadNode-Iam-AdditionalIamPolicies) or [`Scheduling`](Scheduling-v3.md)/[`SlurmQueues`](Scheduling-v3.md#Scheduling-v3-SlurmQueues)/[`Iam`](Scheduling-v3.md#Scheduling-v3-SlurmQueues-Iam)/[`AdditionalPolicies`](Scheduling-v3.md#yaml-Scheduling-SlurmQueues-Iam-AdditionalIamPolicies) parameters, you must grant the user permission to attach and detach role policies for each additional policy, as shown in the following policy. Add the additional policy ARNs to the condition of the statement that allows attaching and detaching role policies.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "iam:CreateServiceLinkedRole",
                "iam:DeleteRole",
                "iam:TagRole"
            ],
            "Resource": [
                "arn:aws:iam::111122223333:role/parallelcluster/*"
            ],
            "Effect": "Allow",
            "Sid": "IamRole"
        },
        {
            "Condition": {
                "StringEquals": {
                    "iam:PermissionsBoundary": [
                        "<permissions-boundary-arn>"
                    ]
                }
            },
            "Action": [
                "iam:CreateRole"
            ],
            "Resource": [
                "arn:aws:iam::111122223333:role/parallelcluster/*"
            ],
            "Effect": "Allow",
            "Sid": "IamCreateRole"
        },
        {
            "Condition": {
                "StringEquals": {
                    "iam:PermissionsBoundary": [
                        "<permissions-boundary-arn>"
                    ]
                }
            },
            "Action": [
                "iam:PutRolePolicy",
                "iam:DeleteRolePolicy"
            ],
            "Resource": "arn:aws:iam::111122223333:role/parallelcluster/*",
            "Effect": "Allow",
            "Sid": "IamInlinePolicy"
        },
        {
            "Condition": {
                "StringEquals": {
                    "iam:PermissionsBoundary": [
                        "<permissions-boundary-arn>"
                    ]
                },
                "ArnLike": {
                    "iam:PolicyARN": [
                        "arn:aws:iam::111122223333:policy/parallelcluster*",
                        "arn:aws:iam::111122223333:policy/parallelcluster/*",
                        "arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy",
                        "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore",
                        "arn:aws:iam::aws:policy/AWSBatchFullAccess",
                        "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess",
                        "arn:aws:iam::aws:policy/service-role/AWSBatchServiceRole",
                        "arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role",
                        "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy",
                        "arn:aws:iam::aws:policy/service-role/AmazonEC2SpotFleetTaggingRole",
                        "arn:aws:iam::aws:policy/EC2InstanceProfileForImageBuilder",
                        "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
                    ]
                }
            },
            "Action": [
                "iam:AttachRolePolicy",
                "iam:DetachRolePolicy"
            ],
            "Resource": "arn:aws:iam::111122223333:role/parallelcluster/*",
            "Effect": "Allow",
            "Sid": "IamPolicy"
        }
    ]
}
```

When this mode is enabled, the permissions boundary ARN must be specified in the [`Iam`](Iam-v3.md)/[`PermissionsBoundary`](Iam-v3.md#yaml-Iam-PermissionsBoundary) configuration parameter when creating or updating a cluster, and in the [`Build`](Build-v3.md)/[`Iam`](Build-v3.md#Build-v3-Iam)/[`PermissionsBoundary`](Build-v3.md#yaml-build-image-Build-Iam-PermissionsBoundary) parameter when building a custom image.

## Amazon ParallelCluster configuration parameters for managing IAM permissions
<a name="iam-roles-in-parallelcluster-v3-params-for-iam"></a>

Amazon ParallelCluster exposes a set of configuration options for customizing and managing the IAM permissions and roles used in the cluster or during the custom AMI creation process.

**Topics**
+ [Cluster configuration](#iam-roles-in-parallelcluster-v3-cluster-config)
+ [Custom image configuration](#iam-roles-in-parallelcluster-v3-custom-image-configuration)

### Cluster configuration
<a name="iam-roles-in-parallelcluster-v3-cluster-config"></a>

**Topics**
+ [Head node IAM role](#iam-roles-in-parallelcluster-v3-cluster-config-headnode-instanceprofile)
+ [Amazon S3 access](#iam-roles-in-parallelcluster-v3-cluster-config-headnode-s3access)
+ [Additional IAM policies](#iam-roles-in-parallelcluster-v3-cluster-config-additionaliampolicies)
+ [Amazon Lambda functions role](#iam-roles-in-parallelcluster-v3-cluster-config-lambdafunctionsrole)
+ [Compute node IAM role](#iam-roles-in-parallelcluster-v3-cluster-config-slurmqueues-instanceprofile)
+ [Permissions boundary](#iam-roles-in-parallelcluster-v3-cluster-config-permissionsboundary)

#### Head node IAM role
<a name="iam-roles-in-parallelcluster-v3-cluster-config-headnode-instanceprofile"></a>

[`HeadNode`](HeadNode-v3.md) / [`Iam`](HeadNode-v3.md#HeadNode-v3-Iam) / [`InstanceRole`](HeadNode-v3.md#yaml-HeadNode-Iam-InstanceRole) | [`InstanceProfile`](HeadNode-v3.md#yaml-HeadNode-Iam-InstanceProfile)

With this option, you can override the default IAM role assigned to the head node of the cluster. For more details, see the [`InstanceProfile`](HeadNode-v3.md#yaml-HeadNode-Iam-InstanceProfile) reference.

The following is the minimal set of policies used as part of this role when the scheduler is Slurm:
+ `arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy` managed IAM policy. For more information, see [Create IAM roles and users for use with the CloudWatch agent](https://docs.amazonaws.cn/AmazonCloudWatch/latest/monitoring/create-iam-roles-for-cloudwatch-agent.html) in the *Amazon CloudWatch User Guide*.
+ `arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore` managed IAM policy. For more information, see [Amazon managed policies for Amazon Systems Manager](https://docs.amazonaws.cn/systems-manager/latest/userguide/security_iam_service-with-iam.html#managed-policies) in the *Amazon Systems Manager User Guide*.
+ Additional IAM policies:

  ```
  {
      "Version": "2012-10-17",
      "Statement": [
          {
              "Action": [
                  "s3:GetObject",
                  "s3:GetObjectVersion"
              ],
              "Resource": [
                  "arn:aws:s3:::us-east-1-aws-parallelcluster/*",
                  "arn:aws:s3:::dcv-license.us-east-1/*",
                  "arn:aws:s3:::parallelcluster-*-v1-do-not-delete/*"
              ],
              "Effect": "Allow"
          },
          {
              "Action": [
                  "dynamodb:GetItem",
                  "dynamodb:PutItem",
                  "dynamodb:UpdateItem",
                  "dynamodb:BatchWriteItem",
                  "dynamodb:BatchGetItem"
              ],
              "Resource": "arn:aws:dynamodb:us-east-1:111122223333:table/parallelcluster-*",
              "Effect": "Allow"
          },
          {
              "Condition": {
                  "StringEquals": {
                      "ec2:ResourceTag/parallelcluster:node-type": "Compute"
                  }
              },
              "Action": "ec2:TerminateInstances",
              "Resource": "*",
              "Effect": "Allow"
          },
          {
              "Action": [
                  "ec2:RunInstances",
                  "ec2:CreateFleet"
              ],
              "Resource": "*",
              "Effect": "Allow"
          },
          {
              "Condition": {
                  "StringEquals": {
                      "iam:PassedToService": [
                          "ec2.amazonaws.com"
                      ]
                  }
              },
              "Action": [
                  "iam:PassRole"
              ],
              "Resource": [
                  "arn:aws:iam::111122223333:role/parallelcluster/*",
                  "arn:aws:iam::111122223333:instance-profile/parallelcluster/*"
              ],
              "Effect": "Allow"
          },
          {
              "Action": [
                  "ec2:DescribeInstances",
                  "ec2:DescribeInstanceStatus",
                  "ec2:DescribeVolumes",
                  "ec2:DescribeInstanceAttribute",
                  "ec2:DescribeCapacityReservations"
              ],
              "Resource": "*",
              "Effect": "Allow"
          },
          {
              "Action": [
                  "ec2:CreateTags",
                  "ec2:AttachVolume"
              ],
              "Resource": [
                  "arn:aws:ec2:us-east-1:111122223333:instance/*",
                  "arn:aws:ec2:us-east-1:111122223333:volume/*"
              ],
              "Effect": "Allow"
          },
          {
              "Action": [
                  "cloudformation:DescribeStacks",
                  "cloudformation:DescribeStackResource",
                  "cloudformation:SignalResource"
              ],
              "Resource": "*",
              "Effect": "Allow"
          },
          {
              "Action": [
                  "route53:ChangeResourceRecordSets"
              ],
              "Resource": "*",
              "Effect": "Allow"
          },
          {
              "Action": "secretsmanager:GetSecretValue",
              "Resource": "arn:aws:secretsmanager:us-east-1:111122223333:secret:<SECRET_ID>",
              "Effect": "Allow"
          }
      ]
  }
  ```

Note that if the compute IAM role is overridden with [`Scheduling`](Scheduling-v3.md)/[`SlurmQueues`](Scheduling-v3.md#Scheduling-v3-SlurmQueues)/[`Iam`](Scheduling-v3.md#Scheduling-v3-SlurmQueues-Iam)/[`InstanceRole`](Scheduling-v3.md#yaml-Scheduling-SlurmQueues-Iam-InstanceRole), the head node policy reported above must include that role in the `Resource` section of the `iam:PassRole` permission.

The following is the minimal set of policies used as part of this role when the scheduler is Amazon Batch:
+ `arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy` managed IAM policy. For more information, see [Create IAM roles and users for use with the CloudWatch agent](https://docs.amazonaws.cn/AmazonCloudWatch/latest/monitoring/create-iam-roles-for-cloudwatch-agent.html) in the *Amazon CloudWatch User Guide*.
+ `arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore` managed IAM policy. For more information, see [Amazon managed policies for Amazon Systems Manager](https://docs.amazonaws.cn/systems-manager/latest/userguide/security_iam_service-with-iam.html#managed-policies) in the *Amazon Systems Manager User Guide*.
+ Additional IAM policies:

  ```
  {
      "Version": "2012-10-17",
      "Statement": [
          {
              "Action": [
                  "s3:GetObject",
                  "s3:PutObject",
                  "s3:GetObjectVersion"
              ],
              "Resource": [
                  "arn:aws:s3:::parallelcluster-*-v1-do-not-delete/*"
              ],
              "Effect": "Allow"
          },
          {
              "Action": "s3:GetObject",
              "Resource": [
                  "arn:aws:s3:::dcv-license.us-east-1/*",
                  "arn:aws:s3:::us-east-1-aws-parallelcluster/*"
              ],
              "Effect": "Allow"
          },
          {
              "Condition": {
                  "StringEquals": {
                      "iam:PassedToService": [
                          "batch.amazonaws.com"
                      ]
                  }
              },
              "Action": [
                  "iam:PassRole"
              ],
              "Resource": [
                  "arn:aws:iam::111122223333:role/parallelcluster/*",
                  "arn:aws:iam::111122223333:instance-profile/parallelcluster/*"
              ],
              "Effect": "Allow"
          },
          {
              "Action": [
                  "batch:DescribeJobQueues",
                  "batch:DescribeJobs",
                  "batch:ListJobs",
                  "batch:DescribeComputeEnvironments"
              ],
              "Resource": "*",
              "Effect": "Allow"
          },
          {
              "Action": [
                  "batch:SubmitJob",
                  "batch:TerminateJob",
                  "logs:GetLogEvents",
                  "ecs:ListContainerInstances",
                  "ecs:DescribeContainerInstances"
              ],
              "Resource": [
                  "arn:aws:logs:us-east-1:111122223333:log-group:/aws/batch/job:log-stream:PclusterJobDefinition*",
                  "arn:aws:ecs:us-east-1:111122223333:container-instance/AWSBatch-PclusterComputeEnviron*",
                  "arn:aws:ecs:us-east-1:111122223333:cluster/AWSBatch-Pcluster*",
                  "arn:aws:batch:us-east-1:111122223333:job-queue/PclusterJobQueue*",
                  "arn:aws:batch:us-east-1:111122223333:job-definition/PclusterJobDefinition*:*",
                  "arn:aws:batch:us-east-1:111122223333:job/*"
              ],
              "Effect": "Allow"
          },
          {
              "Action": [
                  "ec2:DescribeInstances",
                  "ec2:DescribeInstanceStatus",
                  "ec2:DescribeVolumes",
                  "ec2:DescribeInstanceAttribute"
              ],
              "Resource": "*",
              "Effect": "Allow"
          },
          {
              "Action": [
                  "ec2:CreateTags",
                  "ec2:AttachVolume"
              ],
              "Resource": [
                  "arn:aws:ec2:us-east-1:111122223333:instance/*",
                  "arn:aws:ec2:us-east-1:111122223333:volume/*"
              ],
              "Effect": "Allow"
          },
          {
              "Action": [
                  "cloudformation:DescribeStackResource",
                  "cloudformation:DescribeStacks",
                  "cloudformation:SignalResource"
              ],
              "Resource": "*",
              "Effect": "Allow"
          },
          {
              "Action": "secretsmanager:GetSecretValue",
              "Resource": "arn:aws:secretsmanager:us-east-1:111122223333:secret:<SECRET_ID>",
              "Effect": "Allow"
          }
      ]
  }
  ```

#### Amazon S3 access
<a name="iam-roles-in-parallelcluster-v3-cluster-config-headnode-s3access"></a>

[`HeadNode`](HeadNode-v3.md)/[`Iam`](HeadNode-v3.md#HeadNode-v3-Iam)/[`S3Access`](HeadNode-v3.md#yaml-HeadNode-Iam-S3Access) or [`Scheduling`](Scheduling-v3.md)/[`SlurmQueues`](Scheduling-v3.md#Scheduling-v3-SlurmQueues)/[`S3Access`](HeadNode-v3.md#yaml-HeadNode-Iam-S3Access)

In these configuration sections, you can customize Amazon S3 access by granting additional Amazon S3 policies to the IAM roles associated with the head node or compute nodes of the cluster, when those roles are created by Amazon ParallelCluster. For more information, see the reference documentation for each configuration parameter.

This parameter can only be used when the user is configured with the [privileged IAM access mode](#iam-roles-in-parallelcluster-v3-privileged-iam-access) or the [`PermissionsBoundary` mode](#iam-roles-in-parallelcluster-v3-permissionsboundary-mode).

#### Additional IAM policies
<a name="iam-roles-in-parallelcluster-v3-cluster-config-additionaliampolicies"></a>

[`HeadNode`](HeadNode-v3.md)/[`Iam`](HeadNode-v3.md#HeadNode-v3-Iam)/[`AdditionalIamPolicies`](HeadNode-v3.md#yaml-HeadNode-Iam-AdditionalIamPolicies) or [`SlurmQueues`](Scheduling-v3.md#Scheduling-v3-SlurmQueues)/[`Iam`](Scheduling-v3.md#Scheduling-v3-SlurmQueues-Iam)/[`AdditionalIamPolicies`](Scheduling-v3.md#yaml-Scheduling-SlurmQueues-Iam-AdditionalIamPolicies)

Use this option to attach additional managed IAM policies to the IAM roles associated with the head node or compute nodes of the cluster, when those roles are created by Amazon ParallelCluster.

**Warning**  
To use this option, make sure the [Amazon ParallelCluster user](#iam-roles-in-parallelcluster-v3-user-policy-manage-iam) is granted the `iam:AttachRolePolicy` and `iam:DetachRolePolicy` permissions for the IAM policies that need to be attached.
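
Three couplings on this page are easy to get wrong and only surface as access-denied errors during cluster creation: a custom compute `InstanceRole` must appear in the head node policy's `iam:PassRole` `Resource` (the note after the Slurm head node policy), every `AdditionalIamPolicies` entry must match the `iam:PolicyARN` condition of the user's `iam:AttachRolePolicy` grant (the warning above), and in `PermissionsBoundary` mode the configured boundary must be the one the user policy is conditioned on. The following Python is an added example, not code from Amazon ParallelCluster or its documentation: it checks all three against dicts shaped like the YAML cluster configuration and like the policy documents reproduced on this page, using `fnmatch` as an approximation of IAM `ArnLike` wildcard matching. The account id, role names and policy ARNs in the sample data are constructed.

```python
"""Pre-flight checks for the IAM couplings this page describes (added example,
not part of Amazon ParallelCluster). Inputs are dicts shaped like the YAML
cluster configuration and like the policy documents above; all sample values
(account id, role and policy names) are constructed."""
from fnmatch import fnmatchcase


def _as_list(value):  # IAM accepts a string or a list in most fields
    return value if isinstance(value, list) else [value]


def arn_matches(arn, patterns):
    """ArnLike-style matching ('*' and '?'); assumes ARNs contain no '['."""
    return any(fnmatchcase(arn, p) for p in patterns)


def allow_statements(policy, action):
    """Yield the Allow statements of a policy document that grant `action`."""
    for st in policy["Statement"]:
        if st.get("Effect") == "Allow" and action in _as_list(st["Action"]):
            yield st


def passrole_gaps(config, head_node_policy):
    """Custom compute roles (Scheduling/SlurmQueues/Iam/InstanceRole) that the
    head node policy's iam:PassRole Resource entries do not cover."""
    allowed = [r for st in allow_statements(head_node_policy, "iam:PassRole")
               for r in _as_list(st["Resource"])]
    custom = [q["Iam"]["InstanceRole"] for q in config["Scheduling"]["SlurmQueues"]
              if "InstanceRole" in q.get("Iam", {})]
    return [arn for arn in custom if not arn_matches(arn, allowed)]


def unattachable_policies(config, user_policy):
    """AdditionalIamPolicies entries (head node and queues) matching none of the
    iam:PolicyARN patterns that condition the user's iam:AttachRolePolicy."""
    allowed = []
    for st in allow_statements(user_policy, "iam:AttachRolePolicy"):
        cond = st.get("Condition", {}).get("ArnLike", {})
        allowed += _as_list(cond.get("iam:PolicyARN", []))
    sections = [config["HeadNode"]] + config["Scheduling"]["SlurmQueues"]
    requested = [p["Policy"] for s in sections
                 for p in s.get("Iam", {}).get("AdditionalIamPolicies", [])]
    return [arn for arn in requested if not arn_matches(arn, allowed)]


def boundary_allowed(config, user_policy):
    """True when Iam/PermissionsBoundary is set and equals a boundary ARN named
    in the user policy's StringEquals iam:PermissionsBoundary conditions;
    otherwise those conditioned statements never apply and the calls are denied."""
    expected = set()
    for st in user_policy["Statement"]:
        cond = st.get("Condition", {}).get("StringEquals", {})
        expected.update(_as_list(cond.get("iam:PermissionsBoundary", [])))
    configured = config.get("Iam", {}).get("PermissionsBoundary")
    return configured is not None and configured in expected


SAMPLE_CONFIG = {  # constructed; mirrors the YAML cluster configuration layout
    "Iam": {"PermissionsBoundary": "arn:aws:iam::111122223333:policy/pc-boundary"},
    "HeadNode": {"Iam": {"AdditionalIamPolicies": [
        {"Policy": "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"},
        {"Policy": "arn:aws:iam::111122223333:policy/team-secrets"}]}},
    "Scheduling": {"Scheduler": "slurm", "SlurmQueues": [
        {"Name": "default", "Iam": {
            "InstanceRole": "arn:aws:iam::111122223333:role/parallelcluster/compute-default"}},
        {"Name": "gpu", "Iam": {
            "InstanceRole": "arn:aws:iam::111122223333:role/hpc/compute-gpu",
            "AdditionalIamPolicies": [
                {"Policy": "arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy"}]}}]},
}

HEAD_NODE_POLICY = {  # the iam:PassRole statement of the Slurm head node policy above
    "Version": "2012-10-17",
    "Statement": [{
        "Condition": {"StringEquals": {"iam:PassedToService": ["ec2.amazonaws.com"]}},
        "Action": ["iam:PassRole"],
        "Resource": ["arn:aws:iam::111122223333:role/parallelcluster/*",
                     "arn:aws:iam::111122223333:instance-profile/parallelcluster/*"],
        "Effect": "Allow"}],
}

USER_POLICY = {  # the IamPolicy statement of the PermissionsBoundary-mode user policy
    "Version": "2012-10-17",
    "Statement": [{
        "Condition": {
            "StringEquals": {"iam:PermissionsBoundary": [
                "arn:aws:iam::111122223333:policy/pc-boundary"]},
            "ArnLike": {"iam:PolicyARN": [
                "arn:aws:iam::111122223333:policy/parallelcluster*",
                "arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy",
                "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"]}},
        "Action": ["iam:AttachRolePolicy", "iam:DetachRolePolicy"],
        "Resource": "arn:aws:iam::111122223333:role/parallelcluster/*",
        "Effect": "Allow", "Sid": "IamPolicy"}],
}
```

Calling `passrole_gaps(SAMPLE_CONFIG, HEAD_NODE_POLICY)` on the sample reports the `role/hpc/compute-gpu` role, which sits outside the `parallelcluster/` path the page's policy allows, and `unattachable_policies(SAMPLE_CONFIG, USER_POLICY)` reports the `team-secrets` customer policy, which matches none of the `iam:PolicyARN` patterns; either finding means the corresponding policy must be widened (or the configuration changed) before `pcluster create-cluster` will succeed. `boundary_allowed` returns `True` for the sample because the configured boundary is the one named in the user policy.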

#### Amazon Lambda functions role
<a name="iam-roles-in-parallelcluster-v3-cluster-config-lambdafunctionsrole"></a>

[`Iam`](Iam-v3.md#yaml-Iam-Roles) / [`Roles`](Iam-v3.md#yaml-Iam-Roles) / [`LambdaFunctionsRole`](Iam-v3.md#yaml-Iam-Roles-LambdaFunctionsRole)

This option overrides the role attached to all the Amazon Lambda functions used during cluster creation. Amazon Lambda must be configured as a principal allowed to assume the role.

**Note**  
If [`DeploymentSettings`](DeploymentSettings-cluster-v3.md)/[`LambdaFunctionsVpcConfig`](DeploymentSettings-cluster-v3.md#DeploymentSettings-cluster-v3-LambdaFunctionsVpcConfig) is set, `LambdaFunctionsRole` must include the [Amazon Lambda role permissions](https://docs.amazonaws.cn/lambda/latest/dg/configuration-vpc.html#vpc-permissions) for setting up the VPC configuration.

The following is the minimal set of policies used as part of this role:

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "route53:ListResourceRecordSets",
                "route53:ChangeResourceRecordSets"
            ],
            "Resource": "arn:aws:route53:::hostedzone/*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:logs:us-east-1:111122223333:log-group:/aws/lambda/pcluster-*"
        },
        {
            "Action": "ec2:DescribeInstances",
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": "ec2:TerminateInstances",
            "Condition": {
                "StringEquals": {
                    "ec2:ResourceTag/parallelcluster:node-type": "Compute"
                }
            },
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "s3:DeleteObject",
                "s3:DeleteObjectVersion",
                "s3:ListBucket",
                "s3:ListBucketVersions"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::parallelcluster-*-v1-do-not-delete",
                "arn:aws:s3:::parallelcluster-*-v1-do-not-delete/*"
            ]
        }
    ]
}
```

#### Compute node IAM role
<a name="iam-roles-in-parallelcluster-v3-cluster-config-slurmqueues-instanceprofile"></a>

[`Scheduling`](Scheduling-v3.md) / [`SlurmQueues`](Scheduling-v3.md#Scheduling-v3-SlurmQueues) / [`Iam`](Scheduling-v3.md#Scheduling-v3-SlurmQueues-Iam) / [`InstanceRole`](Scheduling-v3.md#yaml-Scheduling-SlurmQueues-Iam-InstanceRole) | [`InstanceProfile`](Scheduling-v3.md#yaml-Scheduling-SlurmQueues-Iam-InstanceProfile)

This option allows overriding the IAM role assigned to the compute nodes of the cluster. For more information, see [`InstanceProfile`](Scheduling-v3.md#yaml-Scheduling-SlurmQueues-Iam-InstanceProfile).

The following is the minimal set of policies used as part of this role:
+ `arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy` managed IAM policy. For more information, see [Create IAM roles and users for use with the CloudWatch agent](https://docs.amazonaws.cn/AmazonCloudWatch/latest/monitoring/create-iam-roles-for-cloudwatch-agent.html) in the *Amazon CloudWatch User Guide*.
+ `arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore` managed IAM policy. For more information, see [Amazon managed policies for Amazon Systems Manager](https://docs.amazonaws.cn/systems-manager/latest/userguide/security_iam_service-with-iam.html#managed-policies) in the *Amazon Systems Manager User Guide*.
+ Additional IAM policies:

  ```
  {
      "Version": "2012-10-17",
      "Statement": [
          {
              "Action": [
                  "dynamodb:Query",
                  "dynamodb:UpdateItem",
                  "dynamodb:PutItem",
                  "dynamodb:GetItem"
              ],
              "Resource": "arn:aws:dynamodb:us-east-1:111122223333:table/parallelcluster-*",
              "Effect": "Allow"
          },
          {
              "Action": "s3:GetObject",
              "Resource": [
                  "arn:aws:s3:::us-east-1-aws-parallelcluster/*"
              ],
              "Effect": "Allow"
          },
          {
              "Action": "ec2:DescribeInstanceAttribute",
              "Resource": "*",
              "Effect": "Allow"
          },
          {
              "Action": "cloudformation:DescribeStackResource",
              "Resource": [
                  "arn:aws:cloudformation:us-east-1:111122223333:stack/*/*"
              ],
              "Effect": "Allow"
          }
      ]
  }
  ```

#### Permissions boundary
<a name="iam-roles-in-parallelcluster-v3-cluster-config-permissionsboundary"></a>

[`Iam`](Iam-v3.md) / [`PermissionsBoundary`](Iam-v3.md#yaml-Iam-PermissionsBoundary)

This parameter forces Amazon ParallelCluster to attach the given IAM policy as a `PermissionsBoundary` to all the IAM roles created as part of the cluster deployment.

For the list of policies the user needs when this setting is defined, see [`PermissionsBoundary` mode](#iam-roles-in-parallelcluster-v3-permissionsboundary-mode).

### Custom image configuration
<a name="iam-roles-in-parallelcluster-v3-custom-image-configuration"></a>

**Topics**
+ [Instance role for EC2 Image Builder](#iam-roles-in-parallelcluster-v3-custom-image-configuration-instancerole)
+ [Amazon Lambda cleanup role](#iam-roles-in-parallelcluster-v3-custom-image-configuration-cleanuplambdarole)
+ [Additional IAM policies](#iam-roles-in-parallelcluster-v3-custom-image-configuration-additionaliampolicies)
+ [Permissions boundary](#iam-roles-in-parallelcluster-v3-custom-image-configuration-permissionsboundary)

#### Instance role for EC2 Image Builder
<a name="iam-roles-in-parallelcluster-v3-custom-image-configuration-instancerole"></a>

[`Build`](Build-v3.md) / [`Iam`](Build-v3.md#Build-v3-Iam) / [`InstanceRole`](Build-v3.md#yaml-build-image-Build-Iam-InstanceRole) | [`InstanceProfile`](Build-v3.md#yaml-build-image-Build-Iam-InstanceProfile)

With this option, you can override the IAM role assigned to the Amazon EC2 instance that EC2 Image Builder launches to create the custom AMI.

The following is the minimal set of policies used as part of this role:
+ `arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore` managed IAM policy. For more information, see [Amazon managed policies for Amazon Systems Manager](https://docs.amazonaws.cn/systems-manager/latest/userguide/security_iam_service-with-iam.html#managed-policies) in the *Amazon Systems Manager User Guide*.
+ `arn:aws:iam::aws:policy/EC2InstanceProfileForImageBuilder` managed IAM policy. For more information, see the [`EC2InstanceProfileForImageBuilder` policy](https://docs.amazonaws.cn/imagebuilder/latest/userguide/security-iam-awsmanpol.html#sec-iam-manpol-EC2InstanceProfileForImageBuilder) in the *Image Builder User Guide*.
+ Additional IAM policies:

  ```
  {
      "Version": "2012-10-17",
      "Statement": [
          {
              "Action": [
                  "ec2:CreateTags",
                  "ec2:ModifyImageAttribute"
              ],
              "Resource": "arn:aws:ec2:us-east-1::image/*",
              "Effect": "Allow"
          }
      ]
  }
  ```

#### Amazon Lambda cleanup role
<a name="iam-roles-in-parallelcluster-v3-custom-image-configuration-cleanuplambdarole"></a>

[`Build`](Build-v3.md) / [`Iam`](Build-v3.md#Build-v3-Iam) / [`CleanupLambdaRole`](Build-v3.md#yaml-build-image-Build-Iam-CleanupLambdaRole)

This option overrides the role attached to all the Amazon Lambda functions used during the custom image build process. Amazon Lambda must be configured as a principal allowed to assume the role.

**Note**  
If [`DeploymentSettings`](DeploymentSettings-build-image-v3.md)/[`LambdaFunctionsVpcConfig`](DeploymentSettings-build-image-v3.md#DeploymentSettings-build-image-v3-LambdaFunctionsVpcConfig) is set, `CleanupLambdaRole` must include the [Amazon Lambda role permissions](https://docs.amazonaws.cn/lambda/latest/dg/configuration-vpc.html#vpc-permissions) for setting up the VPC configuration.
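
Both the cluster `LambdaFunctionsRole` above and the image-build `CleanupLambdaRole` here need a trust policy that lets the Lambda service principal assume the role, and a role that was created for another service (an EC2 instance role, say) silently fails that requirement. The following Python is an added example, not code from Amazon ParallelCluster: it evaluates a role's trust policy document (the `AssumeRolePolicyDocument` that `aws iam get-role` returns) offline for a given service principal, honouring the IAM rule that an explicit `Deny` overrides any `Allow`. The three sample documents are constructed, and only `Principal.Service` entries are considered; account principals, `NotPrincipal` and conditions are out of scope of this check.

```python
"""Trust-policy check for a role handed to Amazon Lambda (added example, not
part of Amazon ParallelCluster). Evaluates a role's AssumeRolePolicyDocument
offline; the three sample documents below are constructed."""


def _as_list(value):  # IAM accepts a string or a list in most fields
    return value if isinstance(value, list) else [value]


def service_can_assume(trust_policy, service):
    """True when an Allow statement grants sts:AssumeRole to `service` and no
    Deny statement revokes it (an explicit deny always wins in IAM).
    Assumption: only 'Principal': {'Service': ...} forms are considered;
    account principals, NotPrincipal and conditions are ignored."""
    allowed = denied = False
    for st in trust_policy.get("Statement", []):
        actions = set(_as_list(st.get("Action", [])))
        if not actions & {"sts:AssumeRole", "sts:*", "*"}:
            continue
        principal = st.get("Principal", {})
        if not isinstance(principal, dict):
            continue  # "Principal": "*" and similar forms are not handled here
        if service in _as_list(principal.get("Service", [])):
            allowed |= st.get("Effect") == "Allow"
            denied |= st.get("Effect") == "Deny"
    return allowed and not denied


# Constructed: the shape a LambdaFunctionsRole / CleanupLambdaRole trust policy needs.
LAMBDA_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"Service": "lambda.amazonaws.com"},
                   "Action": "sts:AssumeRole"}],
}

# Constructed: an EC2 instance role's trust policy, which Lambda cannot assume.
EC2_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"Service": ["ec2.amazonaws.com"]},
                   "Action": "sts:AssumeRole"}],
}

# Constructed: an Allow followed by an explicit Deny; the Deny wins.
DENIED_TRUST = {
    "Version": "2012-10-17",
    "Statement": LAMBDA_TRUST["Statement"] + [
        {"Effect": "Deny",
         "Principal": {"Service": "lambda.amazonaws.com"},
         "Action": "sts:AssumeRole"}],
}

if __name__ == "__main__":
    for name, doc in [("lambda", LAMBDA_TRUST), ("ec2", EC2_TRUST), ("denied", DENIED_TRUST)]:
        print(name, service_can_assume(doc, "lambda.amazonaws.com"))
```

Run against a real role, feed the function the `Role.AssumeRolePolicyDocument` object from `aws iam get-role --role-name <ROLE_NAME>`; a `False` result for `lambda.amazonaws.com` means the role is unusable as `LambdaFunctionsRole` or `CleanupLambdaRole` until its trust policy is amended.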

The following is the minimal set of policies used as part of this role:
+ `arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole` managed IAM policy. For more information, see [Amazon managed policies for Lambda features](https://docs.amazonaws.cn/lambda/latest/dg/lambda-intro-execution-role.html#permissions-executionrole-features) in the *Amazon Lambda Developer Guide*.
+ Additional IAM policies:

  ```
  {
      "Version": "2012-10-17",
      "Statement": [
          {
              "Action": [
                  "iam:DetachRolePolicy",
                  "iam:DeleteRole",
                  "iam:DeleteRolePolicy"
              ],
              "Resource": "arn:aws:iam::111122223333:role/parallelcluster/*",
              "Effect": "Allow"
          },
          {
              "Action": [
                  "iam:DeleteInstanceProfile",
                  "iam:RemoveRoleFromInstanceProfile"
              ],
              "Resource": "arn:aws:iam::111122223333:instance-profile/parallelcluster/*",
              "Effect": "Allow"
          },
          {
              "Action": "imagebuilder:DeleteInfrastructureConfiguration",
              "Resource": "arn:aws:imagebuilder:us-east-1:111122223333:infrastructure-configuration/parallelclusterimage-*",
              "Effect": "Allow"
          },
          {
              "Action": [
                  "imagebuilder:DeleteComponent"
              ],
              "Resource": [
                  "arn:aws:imagebuilder:us-east-1:111122223333:component/parallelclusterimage-*/*"
              ],
              "Effect": "Allow"
          },
          {
              "Action": "imagebuilder:DeleteImageRecipe",
              "Resource": "arn:aws:imagebuilder:us-east-1:111122223333:image-recipe/parallelclusterimage-*/*",
              "Effect": "Allow"
          },
          {
              "Action": "imagebuilder:DeleteDistributionConfiguration",
              "Resource": "arn:aws:imagebuilder:us-east-1:111122223333:distribution-configuration/parallelclusterimage-*",
              "Effect": "Allow"
          },
          {
              "Action": [
                  "imagebuilder:DeleteImage",
                  "imagebuilder:GetImage",
                  "imagebuilder:CancelImageCreation"
              ],
              "Resource": "arn:aws:imagebuilder:us-east-1:111122223333:image/parallelclusterimage-*/*",
              "Effect": "Allow"
          },
          {
              "Action": "cloudformation:DeleteStack",
              "Resource": "arn:aws:cloudformation:us-east-1:111122223333:stack/*/*",
              "Effect": "Allow"
          },
          {
              "Action": "ec2:CreateTags",
              "Resource": "arn:aws:ec2:us-east-1::image/*",
              "Effect": "Allow"
          },
          {
              "Action": "tag:TagResources",
              "Resource": "*",
              "Effect": "Allow"
          },
          {
              "Action": [
                  "lambda:DeleteFunction",
                  "lambda:RemovePermission"
              ],
              "Resource": "arn:aws:lambda:us-east-1:111122223333:function:ParallelClusterImage-*",
              "Effect": "Allow"
          },
          {
              "Action": "logs:DeleteLogGroup",
              "Resource": "arn:aws:logs:us-east-1:111122223333:log-group:/aws/lambda/ParallelClusterImage-*:*",
              "Effect": "Allow"
          },
          {
              "Action": [
                  "SNS:GetTopicAttributes",
                  "SNS:DeleteTopic",
                  "SNS:GetSubscriptionAttributes",
                  "SNS:Unsubscribe"
              ],
              "Resource": "arn:aws:sns:us-east-1:111122223333:ParallelClusterImage-*",
              "Effect": "Allow"
          }
      ]
  }
  ```

#### Additional IAM policies
<a name="iam-roles-in-parallelcluster-v3-custom-image-configuration-additionaliampolicies"></a>

[`Build`](Build-v3.md) / [`Iam`](Build-v3.md#Build-v3-Iam) / [`AdditionalIamPolicies`](Build-v3.md#yaml-build-image-Build-Iam-AdditionalIamPolicies)

You can use this option to attach additional managed IAM policies to the role associated with the Amazon EC2 instance that EC2 Image Builder uses to build the custom AMI.

**Warning**  
To use this option, make sure the [Amazon ParallelCluster user](#iam-roles-in-parallelcluster-v3-user-policy-manage-iam) is granted the `iam:AttachRolePolicy` and `iam:DetachRolePolicy` permissions for the IAM policies that need to be attached.

#### Permissions boundary
<a name="iam-roles-in-parallelcluster-v3-custom-image-configuration-permissionsboundary"></a>

[`Build`](Build-v3.md) / [`Iam`](Build-v3.md#Build-v3-Iam) / [`PermissionsBoundary`](Build-v3.md#yaml-build-image-Build-Iam-PermissionsBoundary)

This parameter forces Amazon ParallelCluster to attach the given IAM policy as a `PermissionsBoundary` to all the IAM roles created during the custom AMI build process.

For the list of policies required to use this feature, see [`PermissionsBoundary` mode](#iam-roles-in-parallelcluster-v3-permissionsboundary-mode).