IAM instance profiles for AWS Parallel Computing Service
Applications that run on an EC2 instance must include AWS credentials in any AWS API requests they make. We recommend that you use an IAM role to manage temporary credentials on the EC2 instance. You can define an instance profile to do this and attach it to your instances. For more information, see IAM roles for Amazon EC2 in the Amazon Elastic Compute Cloud User Guide.
Note
When you use the AWS Management Console to create an IAM role for Amazon EC2, the console creates an instance profile automatically and gives it the same name as the IAM role. If you use the AWS CLI, AWS API actions, or an AWS SDK to create the IAM role, you create the instance profile as a separate action. For more information, see Instance profiles in the Amazon Elastic Compute Cloud User Guide.
You must specify the Amazon Resource Name (ARN) of an instance profile when you create a compute node group. You can choose different instance profiles for some or all compute node groups.
Instance Profile Requirements
Instance Profile ARN
The IAM role name part of the ARN must either begin with AWSPCS or contain /aws-pcs/ in its path:
- arn:aws:iam::*:instance-profile/AWSPCS-example-role-1
- arn:aws:iam::*:instance-profile/aws-pcs/example-role-2
Note
If you use the AWS CLI, provide a --path value to iam create-instance-profile to include /aws-pcs/ in the ARN path. For example:
aws iam create-instance-profile --path /aws-pcs/ --instance-profile-name example-role-2
Permissions
At minimum, the instance profile for AWS PCS must include the following policy. It allows compute nodes to notify the AWS PCS service when they become operational.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "pcs:RegisterComputeNodeGroupInstance"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}
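The two requirements above (the ARN naming rule and the minimum pcs:RegisterComputeNodeGroupInstance grant) can be checked before you create a compute node group. The following preflight validator is an added example, not AWS code; the function names and the constructed sample policies are assumptions, and the policy check is action-level only (no NotAction or condition evaluation).

```python
import fnmatch
import json
import re

REQUIRED_ACTION = "pcs:RegisterComputeNodeGroupInstance"

# arn:aws:iam::ACCOUNT:instance-profile/PATH/NAME  (PATH may be just "/")
_ARN_RE = re.compile(
    r"^arn:aws(?:-[a-z]+)*:iam::(?:[0-9]{12}|\*):instance-profile"
    r"(/(?:[^/]+/)*)([^/]+)$"
)


def arn_is_valid(arn: str) -> bool:
    """True if the profile name begins with AWSPCS or its path contains /aws-pcs/."""
    m = _ARN_RE.match(arn)
    if not m:
        return False
    path, name = m.group(1), m.group(2)
    return name.startswith("AWSPCS") or "/aws-pcs/" in path


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(pattern: str, action: str) -> bool:
    # IAM action matching is case-insensitive and supports * and ? wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def policies_allow_register(policies: list) -> bool:
    """True if some Allow statement grants the action on Resource "*" and no
    Deny statement matches it (a matching Deny fails the check regardless of
    its Resource, which is the conservative choice for a preflight)."""
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy.get("Statement", [])):
            actions = _as_list(stmt.get("Action", []))
            if not any(_action_matches(p, REQUIRED_ACTION) for p in actions):
                continue
            if stmt.get("Effect") == "Deny":
                return False
            if stmt.get("Effect") == "Allow" and "*" in _as_list(stmt.get("Resource", [])):
                allowed = True
    return allowed


def preflight(arn: str, policies: list) -> list:
    """Return a list of findings; an empty list means both requirements are met."""
    findings = []
    if not arn_is_valid(arn):
        findings.append("instance profile name must begin with AWSPCS or path must contain /aws-pcs/")
    if not policies_allow_register(policies):
        findings.append(f"no attached policy allows {REQUIRED_ACTION} on Resource *")
    return findings


# Constructed sample: the minimum policy from this page, as a parsed document.
MINIMUM_POLICY = json.loads(
    '{"Version": "2012-10-17", "Statement": [{"Action": ["pcs:RegisterComputeNodeGroupInstance"],'
    ' "Resource": "*", "Effect": "Allow"}]}'
)
```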
Additional policies
You may consider adding managed policies to the instance profile. For example:
- AmazonS3ReadOnlyAccess provides read-only access to all S3 buckets.
- AmazonSSMManagedInstanceCore enables AWS Systems Manager service core functionality, such as remote access directly from the AWS Management Console.
- CloudWatchAgentServerPolicy contains permissions required to use AmazonCloudWatchAgent on servers.
You can also include your own IAM policies that support your specific use case.
Creating an instance profile
You can create an instance profile directly from the Amazon EC2 console. For more information, see Using instance profiles in the AWS Identity and Access Management User Guide.