AWS Identity and Access Management permissions in AWS ParallelCluster
AWS ParallelCluster uses IAM permissions to control access to resources when it creates and manages clusters.
To create and manage clusters in an AWS account, AWS ParallelCluster requires permissions at two levels:
- The permissions that the pcluster user needs to invoke the pcluster CLI commands that create and manage clusters.
- The permissions that the cluster resources need to perform cluster actions.
AWS ParallelCluster grants permissions to cluster resources through Amazon EC2 instance profiles and roles. To manage cluster resource permissions, AWS ParallelCluster also requires permissions on IAM resources. For more information, see AWS ParallelCluster user example policies for managing IAM resources.
pcluster users need IAM permissions to use the pcluster CLI to create and manage clusters and their resources. These permissions are included in IAM policies that can be added to users or roles. For more information about IAM roles, see Creating IAM roles in the AWS Identity and Access Management User Guide.
You can also use the AWS ParallelCluster configuration parameters to manage IAM permissions.
The following sections contain the required permissions and examples.
To use the example policies, replace <REGION>, <AWS ACCOUNT ID>, and similar strings with the appropriate values.
The following example policies include Amazon Resource Names (ARNs) for the resources. If you work in the AWS GovCloud (US) or AWS China partitions, the ARNs must be changed. Specifically, they must be changed from "arn:aws" to "arn:aws-us-gov" for the AWS GovCloud (US) partition, or from "arn:aws" to "arn:aws-cn" for the AWS China partition. For more information, see Amazon Resource Names (ARNs) in AWS GovCloud (US) Regions in the AWS GovCloud (US) User Guide, and ARNs for AWS services in China in Getting Started with AWS services in China.
You can find it in the AWS ParallelCluster documentation on
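As an added example (not part of the AWS documentation or of the ParallelCluster code), the following Python renders one of these example templates: it substitutes <REGION> and <AWS ACCOUNT ID>, rewrites the ARN partition prefix for AWS GovCloud (US) or China, and refuses to return a policy that still contains a placeholder or does not parse as JSON. The template subset and the account ID are constructed for the example.

```python
import json
import re

# ARN prefixes for the three partitions mentioned in the text. The example
# policies are written for the standard partition ("arn:aws:").
PARTITION_PREFIX = {
    "aws": "arn:aws:",
    "aws-us-gov": "arn:aws-us-gov:",
    "aws-cn": "arn:aws-cn:",
}

# Matches the angle-bracket placeholders used in the example policies,
# e.g. <REGION>, <AWS ACCOUNT ID>, <SECRET NAME>, <permissions-boundary-arn>.
PLACEHOLDER = re.compile(r"<[A-Za-z][A-Za-z0-9 _-]*>")

# Constructed template: a two-statement subset of the base pcluster user policy.
EXAMPLE_TEMPLATE = """{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": ["dynamodb:DescribeTable", "dynamodb:GetItem"],
      "Resource": "arn:aws:dynamodb:*:<AWS ACCOUNT ID>:table/parallelcluster-*",
      "Effect": "Allow",
      "Sid": "DynamoDB"
    },
    {
      "Action": ["iam:GetRole", "iam:GetPolicy"],
      "Resource": [
        "arn:aws:iam::<AWS ACCOUNT ID>:role/*",
        "arn:aws:iam::aws:policy/*"
      ],
      "Effect": "Allow",
      "Sid": "IamRead"
    }
  ]
}"""


def leftover_placeholders(text: str) -> list:
    """Return the distinct placeholders still present in a rendered policy."""
    return sorted(set(PLACEHOLDER.findall(text)))


def render_policy(template: str, region: str, account_id: str,
                  partition: str = "aws") -> dict:
    """Fill <REGION> and <AWS ACCOUNT ID>, rewrite the ARN partition prefix and
    return the parsed policy. Raises ValueError if a placeholder is left
    unfilled, so a template such as the Secrets Manager statement
    (<SECRET NAME>) cannot be deployed half-rendered with a literal '<'."""
    if partition not in PARTITION_PREFIX:
        raise ValueError(f"unknown partition {partition!r}")
    if not re.fullmatch(r"[0-9]{12}", account_id):
        raise ValueError("account_id must be a 12-digit AWS account ID")
    text = template.replace("<REGION>", region).replace("<AWS ACCOUNT ID>", account_id)
    # Only the leading "arn:aws:" changes. The "::aws:" account segment of AWS
    # managed policies (arn:aws:iam::aws:policy/...) does not contain "arn:aws:"
    # and stays as it is, giving e.g. arn:aws-cn:iam::aws:policy/... in China.
    text = text.replace("arn:aws:", PARTITION_PREFIX[partition])
    leftover = leftover_placeholders(text)
    if leftover:
        raise ValueError(f"unfilled placeholders: {leftover}")
    return json.loads(text)  # also fails loudly on JSON syntax errors


if __name__ == "__main__":
    policy = render_policy(EXAMPLE_TEMPLATE, "us-gov-west-1", "123456789012", "aws-us-gov")
    print(json.dumps(policy, indent=2))
```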
AWS ParallelCluster Amazon EC2 instance role
When you create a cluster with the default configuration settings, AWS ParallelCluster automatically creates a default cluster Amazon EC2 instance role, using an Amazon EC2 instance profile, that provides the permissions required to create and manage the cluster and its resources.
Alternatives to the default AWS ParallelCluster instance role
You can use the InstanceRole cluster configuration setting to specify your own existing IAM role for EC2 in place of the default AWS ParallelCluster instance role. For more information, see AWS ParallelCluster configuration parameters to manage IAM permissions. Typically, you specify an existing IAM role to fully control the permissions granted to EC2.
If you want to add additional policies to the default instance role, we recommend passing the additional IAM policies with the AdditionalIamPolicies configuration setting rather than with the InstanceProfile or InstanceRole settings. You can update AdditionalIamPolicies when you update a cluster, but you can't update InstanceRole when you update a cluster.
AWS ParallelCluster pcluster user example policies
The following examples show the user policies required to create and manage AWS ParallelCluster and its resources with the pcluster CLI. You can attach the policies to a user or a role.
Base AWS ParallelCluster pcluster user policy
The following policy shows the permissions required to run AWS ParallelCluster pcluster commands.
Include the last action listed in the policy to validate any secrets specified in the cluster configuration. For example, an AWS Secrets Manager secret is used to configure the DirectoryService integration. In this case, the cluster is created only if a valid secret exists in PasswordSecretArn. If this action is omitted, secret validation is skipped. To improve your security posture, we recommend narrowing the scope of this policy statement to only the secrets specified in the cluster configuration.
Note
If an existing Amazon EFS file system is the only file system used in the cluster, you can reduce the scope of the Amazon EFS policy statement example to the specific file systems referenced in the SharedStorage section of the cluster configuration file.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": ["ec2:Describe*"],
      "Resource": "*",
      "Effect": "Allow",
      "Sid": "EC2Read"
    },
    {
      "Action": [
        "ec2:AllocateAddress",
        "ec2:AssociateAddress",
        "ec2:AttachNetworkInterface",
        "ec2:AuthorizeSecurityGroupEgress",
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:CreateFleet",
        "ec2:CreateLaunchTemplate",
        "ec2:CreateLaunchTemplateVersion",
        "ec2:CreateNetworkInterface",
        "ec2:CreatePlacementGroup",
        "ec2:CreateSecurityGroup",
        "ec2:CreateSnapshot",
        "ec2:CreateTags",
        "ec2:DeleteTags",
        "ec2:CreateVolume",
        "ec2:DeleteLaunchTemplate",
        "ec2:DeleteNetworkInterface",
        "ec2:DeletePlacementGroup",
        "ec2:DeleteSecurityGroup",
        "ec2:DeleteVolume",
        "ec2:DisassociateAddress",
        "ec2:ModifyLaunchTemplate",
        "ec2:ModifyNetworkInterfaceAttribute",
        "ec2:ModifyVolume",
        "ec2:ModifyVolumeAttribute",
        "ec2:ReleaseAddress",
        "ec2:RevokeSecurityGroupEgress",
        "ec2:RevokeSecurityGroupIngress",
        "ec2:RunInstances",
        "ec2:TerminateInstances"
      ],
      "Resource": "*",
      "Effect": "Allow",
      "Sid": "EC2Write"
    },
    {
      "Action": [
        "dynamodb:DescribeTable",
        "dynamodb:ListTagsOfResource",
        "dynamodb:CreateTable",
        "dynamodb:DeleteTable",
        "dynamodb:GetItem",
        "dynamodb:PutItem",
        "dynamodb:UpdateItem",
        "dynamodb:Query",
        "dynamodb:TagResource"
      ],
      "Resource": "arn:aws:dynamodb:*:<AWS ACCOUNT ID>:table/parallelcluster-*",
      "Effect": "Allow",
      "Sid": "DynamoDB"
    },
    {
      "Action": [
        "route53:ChangeResourceRecordSets",
        "route53:ChangeTagsForResource",
        "route53:CreateHostedZone",
        "route53:DeleteHostedZone",
        "route53:GetChange",
        "route53:GetHostedZone",
        "route53:ListResourceRecordSets",
        "route53:ListQueryLoggingConfigs"
      ],
      "Resource": "*",
      "Effect": "Allow",
      "Sid": "Route53HostedZones"
    },
    {
      "Action": ["cloudformation:*"],
      "Resource": "*",
      "Effect": "Allow",
      "Sid": "CloudFormation"
    },
    {
      "Action": [
        "cloudwatch:PutDashboard",
        "cloudwatch:ListDashboards",
        "cloudwatch:DeleteDashboards",
        "cloudwatch:GetDashboard",
        "cloudwatch:PutMetricAlarm",
        "cloudwatch:DeleteAlarms",
        "cloudwatch:DescribeAlarms",
        "cloudwatch:PutCompositeAlarm"
      ],
      "Resource": "*",
      "Effect": "Allow",
      "Sid": "CloudWatch"
    },
    {
      "Action": [
        "iam:GetRole",
        "iam:GetRolePolicy",
        "iam:GetPolicy",
        "iam:SimulatePrincipalPolicy",
        "iam:GetInstanceProfile"
      ],
      "Resource": [
        "arn:aws:iam::<AWS ACCOUNT ID>:role/*",
        "arn:aws:iam::<AWS ACCOUNT ID>:policy/*",
        "arn:aws:iam::aws:policy/*",
        "arn:aws:iam::<AWS ACCOUNT ID>:instance-profile/*"
      ],
      "Effect": "Allow",
      "Sid": "IamRead"
    },
    {
      "Action": [
        "iam:CreateInstanceProfile",
        "iam:DeleteInstanceProfile",
        "iam:AddRoleToInstanceProfile",
        "iam:RemoveRoleFromInstanceProfile"
      ],
      "Resource": ["arn:aws:iam::<AWS ACCOUNT ID>:instance-profile/parallelcluster/*"],
      "Effect": "Allow",
      "Sid": "IamInstanceProfile"
    },
    {
      "Condition": {
        "StringEqualsIfExists": {
          "iam:PassedToService": [
            "lambda.amazonaws.com",
            "ec2.amazonaws.com",
            "spotfleet.amazonaws.com"
          ]
        }
      },
      "Action": ["iam:PassRole"],
      "Resource": ["arn:aws:iam::<AWS ACCOUNT ID>:role/parallelcluster/*"],
      "Effect": "Allow",
      "Sid": "IamPassRole"
    },
    {
      "Action": [
        "lambda:CreateFunction",
        "lambda:DeleteFunction",
        "lambda:GetFunctionConfiguration",
        "lambda:GetFunction",
        "lambda:InvokeFunction",
        "lambda:AddPermission",
        "lambda:RemovePermission",
        "lambda:UpdateFunctionConfiguration",
        "lambda:TagResource",
        "lambda:ListTags",
        "lambda:UntagResource"
      ],
      "Resource": [
        "arn:aws:lambda:*:<AWS ACCOUNT ID>:function:parallelcluster-*",
        "arn:aws:lambda:*:<AWS ACCOUNT ID>:function:pcluster-*"
      ],
      "Effect": "Allow",
      "Sid": "Lambda"
    },
    {
      "Action": ["s3:*"],
      "Resource": [
        "arn:aws:s3:::parallelcluster-*",
        "arn:aws:s3:::aws-parallelcluster-*"
      ],
      "Effect": "Allow",
      "Sid": "S3ResourcesBucket"
    },
    {
      "Action": ["s3:Get*", "s3:List*"],
      "Resource": "arn:aws:s3:::*-aws-parallelcluster*",
      "Effect": "Allow",
      "Sid": "S3ParallelClusterReadOnly"
    },
    {
      "Action": ["elasticfilesystem:*"],
      "Resource": ["arn:aws:elasticfilesystem:*:<AWS ACCOUNT ID>:*"],
      "Effect": "Allow",
      "Sid": "EFS"
    },
    {
      "Action": [
        "logs:DeleteLogGroup",
        "logs:PutRetentionPolicy",
        "logs:DescribeLogGroups",
        "logs:CreateLogGroup",
        "logs:TagResource",
        "logs:UntagResource",
        "logs:FilterLogEvents",
        "logs:GetLogEvents",
        "logs:CreateExportTask",
        "logs:DescribeLogStreams",
        "logs:DescribeExportTasks",
        "logs:DescribeMetricFilters",
        "logs:PutMetricFilter",
        "logs:DeleteMetricFilter"
      ],
      "Resource": "*",
      "Effect": "Allow",
      "Sid": "CloudWatchLogs"
    },
    {
      "Action": ["resource-groups:ListGroupResources"],
      "Resource": "*",
      "Effect": "Allow",
      "Sid": "ResourceGroupRead"
    },
    {
      "Sid": "AllowDescribingFileCache",
      "Effect": "Allow",
      "Action": ["fsx:DescribeFileCaches"],
      "Resource": "*"
    },
    {
      "Action": "secretsmanager:DescribeSecret",
      "Resource": "arn:aws:secretsmanager:<REGION>:<AWS ACCOUNT ID>:secret:<SECRET NAME>",
      "Effect": "Allow"
    }
  ]
}
```
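The two scoping recommendations above (Secrets Manager statement limited to the secrets in the cluster configuration, Amazon EFS statement limited to the file systems in SharedStorage) as an added Python example, not part of the AWS documentation or of ParallelCluster itself. The policy subset, the cluster configuration and every account, file system and secret identifier in it are constructed; the configuration is given as an already-parsed dict rather than YAML.

```python
import copy
import json

# Constructed subset of the base pcluster user policy above: just the two
# statements the page recommends scoping down (Amazon EFS and Secrets Manager).
BASE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Action": ["elasticfilesystem:*"],
         "Resource": ["arn:aws:elasticfilesystem:*:123456789012:*"],
         "Effect": "Allow", "Sid": "EFS"},
        {"Action": "secretsmanager:DescribeSecret",
         "Resource": "arn:aws:secretsmanager:<REGION>:<AWS ACCOUNT ID>:secret:<SECRET NAME>",
         "Effect": "Allow"},
    ],
}

# Constructed cluster configuration (relevant keys only). All values are made up.
CLUSTER_CONFIG = {
    "Region": "us-east-1",
    "DirectoryService": {
        "PasswordSecretArn": "arn:aws:secretsmanager:us-east-1:123456789012:secret:ad-ro-password-AbCdEf"
    },
    "SharedStorage": [
        {"Name": "home", "StorageType": "Efs",
         "EfsSettings": {"FileSystemId": "fs-0123456789abcdef0"}},
        {"Name": "scratch", "StorageType": "Ebs", "EbsSettings": {"Size": 100}},
    ],
}


def narrow_policy(policy: dict, config: dict, account_id: str) -> dict:
    """Return a copy of `policy` with the Secrets Manager statement limited to
    the secrets the configuration references, and the EFS statement limited to
    existing file systems when those are the only EFS file systems in use."""
    policy = copy.deepcopy(policy)
    statements = policy["Statement"]
    region = config["Region"]

    # Secrets Manager: PasswordSecretArn (DirectoryService) is the secret the
    # page describes; drop the statement if the configuration has no secret
    # (the page notes that omitting the action skips secret validation).
    secret_arns = []
    password_arn = config.get("DirectoryService", {}).get("PasswordSecretArn")
    if password_arn:
        secret_arns.append(password_arn)
    for stmt in list(statements):
        if stmt.get("Action") == "secretsmanager:DescribeSecret":
            if secret_arns:
                stmt["Resource"] = secret_arns
            else:
                statements.remove(stmt)

    # Amazon EFS: narrow only if every EFS entry points at an existing file
    # system. An EFS entry without FileSystemId means the cluster creates a new
    # file system, which still needs the account-wide wildcard resource.
    # With no EFS entries at all the statement is not needed; re-run this
    # after any configuration update that adds EFS storage.
    efs_entries = [s for s in config.get("SharedStorage", []) if s.get("StorageType") == "Efs"]
    existing_ids = [s.get("EfsSettings", {}).get("FileSystemId") for s in efs_entries]
    for stmt in list(statements):
        if stmt.get("Sid") != "EFS":
            continue
        if not efs_entries:
            statements.remove(stmt)
        elif all(existing_ids):
            stmt["Resource"] = [
                f"arn:aws:elasticfilesystem:{region}:{account_id}:file-system/{fs_id}"
                for fs_id in existing_ids
            ]
    return policy


if __name__ == "__main__":
    print(json.dumps(narrow_policy(BASE_POLICY, CLUSTER_CONFIG, "123456789012"), indent=2))
```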
Additional AWS ParallelCluster pcluster user policy when using the AWS Batch scheduler
If you need to create and manage clusters with the AWS Batch scheduler, the following additional policy is required.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Condition": {
        "StringEqualsIfExists": {
          "iam:PassedToService": [
            "ecs-tasks.amazonaws.com",
            "batch.amazonaws.com",
            "codebuild.amazonaws.com"
          ]
        }
      },
      "Action": ["iam:PassRole"],
      "Resource": ["arn:aws:iam::<AWS ACCOUNT ID>:role/parallelcluster/*"],
      "Effect": "Allow",
      "Sid": "IamPassRole"
    },
    {
      "Condition": {
        "StringEquals": {
          "iam:AWSServiceName": ["batch.amazonaws.com"]
        }
      },
      "Action": ["iam:CreateServiceLinkedRole", "iam:DeleteServiceLinkedRole"],
      "Resource": ["arn:aws:iam::<AWS ACCOUNT ID>:role/aws-service-role/batch.amazonaws.com/*"],
      "Effect": "Allow"
    },
    {
      "Action": ["codebuild:*"],
      "Resource": "arn:aws:codebuild:*:<AWS ACCOUNT ID>:project/pcluster-*",
      "Effect": "Allow"
    },
    {
      "Action": ["ecr:*"],
      "Resource": "*",
      "Effect": "Allow",
      "Sid": "ECR"
    },
    {
      "Action": ["batch:*"],
      "Resource": "*",
      "Effect": "Allow",
      "Sid": "Batch"
    },
    {
      "Action": ["events:*"],
      "Resource": "*",
      "Effect": "Allow",
      "Sid": "AmazonCloudWatchEvents"
    },
    {
      "Action": ["ecs:DescribeContainerInstances", "ecs:ListContainerInstances"],
      "Resource": "*",
      "Effect": "Allow",
      "Sid": "ECS"
    }
  ]
}
```
Additional AWS ParallelCluster pcluster user policy when using Amazon FSx for Lustre
If you need to create and manage clusters with Amazon FSx for Lustre, the following additional policy is required.
Note
If an existing Amazon FSx file system is the only file system used in the cluster, you can reduce the scope of the Amazon FSx policy statement example to the specific file systems referenced in the SharedStorage section of the cluster configuration file.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Condition": {
        "StringEquals": {
          "iam:AWSServiceName": [
            "fsx.amazonaws.com",
            "s3.data-source.lustre.fsx.amazonaws.com"
          ]
        }
      },
      "Action": ["iam:CreateServiceLinkedRole", "iam:DeleteServiceLinkedRole"],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": ["fsx:*"],
      "Resource": ["arn:aws:fsx:*:<AWS ACCOUNT ID>:*"],
      "Effect": "Allow",
      "Sid": "FSx"
    },
    {
      "Action": ["iam:CreateServiceLinkedRole", "iam:AttachRolePolicy", "iam:PutRolePolicy"],
      "Resource": "arn:aws:iam::<AWS ACCOUNT ID>:role/aws-service-role/s3.data-source.lustre.fsx.amazonaws.com/*",
      "Effect": "Allow"
    },
    {
      "Action": ["s3:Get*", "s3:List*", "s3:PutObject"],
      "Resource": "arn:aws:s3:::<S3 NAME>",
      "Effect": "Allow"
    }
  ]
}
```
AWS ParallelCluster image build pcluster user policy
Users who intend to create custom Amazon EC2 images with AWS ParallelCluster must have the following set of permissions.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ec2:DescribeImages",
        "ec2:DescribeInstanceTypeOfferings",
        "ec2:DescribeInstanceTypes",
        "ec2:DeregisterImage",
        "ec2:DeleteSnapshot"
      ],
      "Resource": "*",
      "Effect": "Allow",
      "Sid": "EC2"
    },
    {
      "Action": [
        "iam:CreateInstanceProfile",
        "iam:AddRoleToInstanceProfile",
        "iam:GetRole",
        "iam:GetRolePolicy",
        "iam:GetInstanceProfile",
        "iam:RemoveRoleFromInstanceProfile"
      ],
      "Resource": [
        "arn:aws:iam::<AWS ACCOUNT ID>:instance-profile/parallelcluster/*",
        "arn:aws:iam::<AWS ACCOUNT ID>:instance-profile/ParallelClusterImage*",
        "arn:aws:iam::<AWS ACCOUNT ID>:role/parallelcluster/*"
      ],
      "Effect": "Allow",
      "Sid": "IAM"
    },
    {
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": ["lambda.amazonaws.com", "ec2.amazonaws.com"]
        }
      },
      "Action": ["iam:PassRole"],
      "Resource": [
        "arn:aws:iam::<AWS ACCOUNT ID>:instance-profile/parallelcluster/*",
        "arn:aws:iam::<AWS ACCOUNT ID>:role/parallelcluster/*"
      ],
      "Effect": "Allow",
      "Sid": "IAMPassRole"
    },
    {
      "Action": ["logs:CreateLogGroup", "logs:TagResource", "logs:UntagResource", "logs:DeleteLogGroup"],
      "Resource": [
        "arn:aws:logs:*:<AWS ACCOUNT ID>:log-group:/aws/imagebuilder/ParallelClusterImage-*",
        "arn:aws:logs:*:<AWS ACCOUNT ID>:log-group:/aws/lambda/ParallelClusterImage-*"
      ],
      "Effect": "Allow",
      "Sid": "CloudWatch"
    },
    {
      "Action": ["cloudformation:DescribeStacks", "cloudformation:CreateStack", "cloudformation:DeleteStack"],
      "Resource": ["arn:aws:cloudformation:*:<AWS ACCOUNT ID>:stack/*"],
      "Effect": "Allow",
      "Sid": "CloudFormation"
    },
    {
      "Action": [
        "lambda:CreateFunction",
        "lambda:GetFunction",
        "lambda:AddPermission",
        "lambda:RemovePermission",
        "lambda:DeleteFunction",
        "lambda:TagResource",
        "lambda:ListTags",
        "lambda:UntagResource"
      ],
      "Resource": ["arn:aws:lambda:*:<AWS ACCOUNT ID>:function:ParallelClusterImage-*"],
      "Effect": "Allow",
      "Sid": "Lambda"
    },
    {
      "Action": ["imagebuilder:Get*"],
      "Resource": "*",
      "Effect": "Allow",
      "Sid": "ImageBuilderGet"
    },
    {
      "Action": [
        "imagebuilder:CreateImage",
        "imagebuilder:TagResource",
        "imagebuilder:CreateImageRecipe",
        "imagebuilder:CreateComponent",
        "imagebuilder:CreateDistributionConfiguration",
        "imagebuilder:CreateInfrastructureConfiguration",
        "imagebuilder:DeleteImage",
        "imagebuilder:DeleteComponent",
        "imagebuilder:DeleteImageRecipe",
        "imagebuilder:DeleteInfrastructureConfiguration",
        "imagebuilder:DeleteDistributionConfiguration"
      ],
      "Resource": [
        "arn:aws:imagebuilder:*:<AWS ACCOUNT ID>:image/parallelclusterimage-*",
        "arn:aws:imagebuilder:*:<AWS ACCOUNT ID>:image-recipe/parallelclusterimage-*",
        "arn:aws:imagebuilder:*:<AWS ACCOUNT ID>:component/parallelclusterimage-*",
        "arn:aws:imagebuilder:*:<AWS ACCOUNT ID>:distribution-configuration/parallelclusterimage-*",
        "arn:aws:imagebuilder:*:<AWS ACCOUNT ID>:infrastructure-configuration/parallelclusterimage-*"
      ],
      "Effect": "Allow",
      "Sid": "ImageBuilder"
    },
    {
      "Action": ["s3:CreateBucket", "s3:ListBucket", "s3:ListBucketVersions"],
      "Resource": ["arn:aws:s3:::parallelcluster-*"],
      "Effect": "Allow",
      "Sid": "S3Bucket"
    },
    {
      "Action": [
        "sns:GetTopicAttributes",
        "sns:TagResource",
        "sns:CreateTopic",
        "sns:Subscribe",
        "sns:Publish",
        "SNS:DeleteTopic",
        "SNS:Unsubscribe"
      ],
      "Resource": ["arn:aws:sns:*:<AWS ACCOUNT ID>:ParallelClusterImage-*"],
      "Effect": "Allow",
      "Sid": "SNS"
    },
    {
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:GetObjectVersion",
        "s3:DeleteObject",
        "s3:DeleteObjectVersion"
      ],
      "Resource": ["arn:aws:s3:::parallelcluster-*/*"],
      "Effect": "Allow",
      "Sid": "S3Objects"
    },
    {
      "Action": "iam:CreateServiceLinkedRole",
      "Effect": "Allow",
      "Resource": "arn:aws:iam::*:role/aws-service-role/imagebuilder.amazonaws.com/AWSServiceRoleForImageBuilder",
      "Condition": {
        "StringLike": {
          "iam:AWSServiceName": "imagebuilder.amazonaws.com"
        }
      }
    }
  ]
}
```
AWS ParallelCluster user example policies for managing IAM resources
When you use AWS ParallelCluster to create a cluster or a custom AMI, you must provide IAM policies with the permissions needed to grant the required set of permissions to the AWS ParallelCluster components. These IAM resources can be created automatically by AWS ParallelCluster, or provided as input when the cluster or custom image is created.
You can use the following modes to give AWS ParallelCluster users the permissions required to access IAM resources, by using additional IAM policies in the configuration.
Privileged IAM access mode
With this mode, AWS ParallelCluster automatically creates all the necessary IAM resources. These IAM policies are scoped down to enable access only to the cluster resources.
To enable the privileged IAM access mode, add the following policy to the user role.
Note
If you set the HeadNode/Iam/AdditionalPolicies or Scheduling/SlurmQueues/Iam/AdditionalPolicies parameters, you must grant the AWS ParallelCluster user permission to attach and detach role policies for each additional policy, as shown in the following policy. Add the additional policy ARNs to the condition of the attach and detach role policy statement.
Warning
This mode allows users in the AWS account
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": ["iam:CreateServiceLinkedRole", "iam:DeleteRole", "iam:TagRole"],
      "Resource": ["arn:aws:iam::<AWS ACCOUNT ID>:role/parallelcluster/*"],
      "Effect": "Allow",
      "Sid": "IamRole"
    },
    {
      "Action": ["iam:CreateRole"],
      "Resource": ["arn:aws:iam::<AWS ACCOUNT ID>:role/parallelcluster/*"],
      "Effect": "Allow",
      "Sid": "IamCreateRole"
    },
    {
      "Action": ["iam:PutRolePolicy", "iam:DeleteRolePolicy"],
      "Resource": "arn:aws:iam::<AWS ACCOUNT ID>:role/parallelcluster/*",
      "Effect": "Allow",
      "Sid": "IamInlinePolicy"
    },
    {
      "Condition": {
        "ArnLike": {
          "iam:PolicyARN": [
            "arn:aws:iam::<AWS ACCOUNT ID>:policy/parallelcluster*",
            "arn:aws:iam::<AWS ACCOUNT ID>:policy/parallelcluster/*",
            "arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy",
            "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore",
            "arn:aws:iam::aws:policy/AWSBatchFullAccess",
            "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess",
            "arn:aws:iam::aws:policy/service-role/AWSBatchServiceRole",
            "arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role",
            "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy",
            "arn:aws:iam::aws:policy/service-role/AmazonEC2SpotFleetTaggingRole",
            "arn:aws:iam::aws:policy/EC2InstanceProfileForImageBuilder",
            "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
          ]
        }
      },
      "Action": ["iam:AttachRolePolicy", "iam:DetachRolePolicy"],
      "Resource": "arn:aws:iam::<AWS ACCOUNT ID>:role/parallelcluster/*",
      "Effect": "Allow",
      "Sid": "IamPolicy"
    }
  ]
}
```
Restricted IAM access mode
If no additional IAM policies are granted to the user, the IAM roles required by the cluster or by the custom image build must be created manually by an administrator and passed in the cluster configuration.
The following parameters are required when creating a cluster:
The following parameters are required when building a custom image:
- Build / Iam / InstanceRole | InstanceProfile
The IAM roles passed as part of the above parameters must be created under the /parallelcluster/ path prefix. If this isn't possible, the user policy must be updated to grant iam:PassRole permission on the specific custom roles, as shown in the following example.
```json
{
  "Condition": {
    "StringEqualsIfExists": {
      "iam:PassedToService": [
        "ecs-tasks.amazonaws.com",
        "lambda.amazonaws.com",
        "ec2.amazonaws.com",
        "spotfleet.amazonaws.com",
        "batch.amazonaws.com",
        "codebuild.amazonaws.com"
      ]
    }
  },
  "Action": ["iam:PassRole"],
  "Resource": [
    <list all custom IAM roles>
  ],
  "Effect": "Allow",
  "Sid": "IamPassRole"
}
```
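An added Python example, not from the AWS documentation or from ParallelCluster, that applies the two adjustments described for the privileged and restricted modes: adding AdditionalPolicies ARNs to the iam:PolicyARN condition of the IamPolicy statement, and listing the custom roles that sit outside the /parallelcluster/ path in an iam:PassRole statement. The policy subset, the account ID, and the role and policy ARNs are constructed.

```python
import copy
import json

# Services that ParallelCluster resources pass roles to, as listed in the
# iam:PassedToService condition of the restricted-mode example above.
PASSED_TO_SERVICES = [
    "ecs-tasks.amazonaws.com", "lambda.amazonaws.com", "ec2.amazonaws.com",
    "spotfleet.amazonaws.com", "batch.amazonaws.com", "codebuild.amazonaws.com",
]

# Constructed subset of the privileged-mode policy: the IamPolicy statement only,
# with a shortened iam:PolicyARN list and a made-up account ID.
PRIVILEGED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Condition": {"ArnLike": {"iam:PolicyARN": [
                "arn:aws:iam::123456789012:policy/parallelcluster*",
                "arn:aws:iam::123456789012:policy/parallelcluster/*",
                "arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy",
                "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore",
            ]}},
            "Action": ["iam:AttachRolePolicy", "iam:DetachRolePolicy"],
            "Resource": "arn:aws:iam::123456789012:role/parallelcluster/*",
            "Effect": "Allow",
            "Sid": "IamPolicy",
        }
    ],
}


def allow_additional_policies(policy: dict, additional_policy_arns: list) -> dict:
    """Add each AdditionalPolicies ARN to the iam:PolicyARN condition of the
    IamPolicy statement, so the user may attach and detach exactly those
    policies. The condition, not the Resource, is what limits the scope."""
    policy = copy.deepcopy(policy)
    for stmt in policy["Statement"]:
        if stmt.get("Sid") == "IamPolicy":
            allowed = stmt["Condition"]["ArnLike"]["iam:PolicyARN"]
            for arn in additional_policy_arns:
                if arn not in allowed:
                    allowed.append(arn)
            return policy
    raise ValueError("policy has no IamPolicy statement")


def role_path(role_arn: str) -> str:
    """IAM path of a role ARN: ...:role/parallelcluster/Head -> '/parallelcluster/'."""
    resource = role_arn.split(":", 5)[5]           # "role/<path>/<name>"
    _, _, path_and_name = resource.partition("/")  # "<path>/<name>"
    path, _, _ = path_and_name.rpartition("/")     # "<path>" ('' when no path)
    return f"/{path}/" if path else "/"


def pass_role_statement(custom_role_arns: list):
    """Restricted mode: roles under /parallelcluster/ are already matched by the
    role/parallelcluster/* resource of the base policy; any other custom role
    must be listed explicitly. Returns None when no extra statement is needed."""
    uncovered = [arn for arn in custom_role_arns
                 if not role_path(arn).startswith("/parallelcluster/")]
    if not uncovered:
        return None
    return {
        "Condition": {"StringEqualsIfExists": {"iam:PassedToService": PASSED_TO_SERVICES}},
        "Action": ["iam:PassRole"],
        "Resource": uncovered,
        "Effect": "Allow",
        "Sid": "IamPassRole",
    }


if __name__ == "__main__":
    extra = ["arn:aws:iam::123456789012:policy/hpc-team-extra"]  # constructed customer policy
    print(json.dumps(allow_additional_policies(PRIVILEGED_POLICY, extra), indent=2))
    roles = ["arn:aws:iam::123456789012:role/parallelcluster/HeadNodeRole",  # constructed
             "arn:aws:iam::123456789012:role/hpc/ComputeNodeRole"]
    print(json.dumps(pass_role_statement(roles), indent=2))
```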
Warning
Currently this mode doesn't allow managing AWS Batch clusters, because not all IAM roles can be passed in the cluster configuration.
PermissionsBoundary mode
This mode delegates to AWS ParallelCluster the creation of IAM roles that are bound to the configured IAM permissions boundary. For more information about IAM permissions boundaries, see Permissions boundaries for IAM entities in the IAM User Guide.
The following policy must be added to the user role.
In the policy, replace <permissions-boundary-arn> with the ARN of the IAM policy to enforce as the permissions boundary.
Warning
If you set the HeadNode/Iam/AdditionalPolicies or Scheduling/SlurmQueues/Iam/AdditionalPolicies parameters, you must grant the user permission to attach and detach role policies for each additional policy, as shown in the following policy. Add the additional policy ARNs to the condition of the attach and detach role policy statement.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": ["iam:CreateServiceLinkedRole", "iam:DeleteRole", "iam:TagRole"],
      "Resource": ["arn:aws:iam::<AWS ACCOUNT ID>:role/parallelcluster/*"],
      "Effect": "Allow",
      "Sid": "IamRole"
    },
    {
      "Condition": {
        "StringEquals": {
          "iam:PermissionsBoundary": ["<permissions-boundary-arn>"]
        }
      },
      "Action": ["iam:CreateRole"],
      "Resource": ["arn:aws:iam::<AWS ACCOUNT ID>:role/parallelcluster/*"],
      "Effect": "Allow",
      "Sid": "IamCreateRole"
    },
    {
      "Condition": {
        "StringEquals": {
          "iam:PermissionsBoundary": ["<permissions-boundary-arn>"]
        }
      },
      "Action": ["iam:PutRolePolicy", "iam:DeleteRolePolicy"],
      "Resource": "arn:aws:iam::<AWS ACCOUNT ID>:role/parallelcluster/*",
      "Effect": "Allow",
      "Sid": "IamInlinePolicy"
    },
    {
      "Condition": {
        "StringEquals": {
          "iam:PermissionsBoundary": ["<permissions-boundary-arn>"]
        },
        "ArnLike": {
          "iam:PolicyARN": [
            "arn:aws:iam::<AWS ACCOUNT ID>:policy/parallelcluster*",
            "arn:aws:iam::<AWS ACCOUNT ID>:policy/parallelcluster/*",
            "arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy",
            "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore",
            "arn:aws:iam::aws:policy/AWSBatchFullAccess",
            "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess",
            "arn:aws:iam::aws:policy/service-role/AWSBatchServiceRole",
            "arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role",
            "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy",
            "arn:aws:iam::aws:policy/service-role/AmazonEC2SpotFleetTaggingRole",
            "arn:aws:iam::aws:policy/EC2InstanceProfileForImageBuilder",
            "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
          ]
        }
      },
      "Action": ["iam:AttachRolePolicy", "iam:DetachRolePolicy"],
      "Resource": "arn:aws:iam::<AWS ACCOUNT ID>:role/parallelcluster/*",
      "Effect": "Allow",
      "Sid": "IamPolicy"
    }
  ]
}
```
When this mode is enabled, you must specify the permissions boundary ARN in the Iam/PermissionsBoundary configuration parameter when creating or updating a cluster, and in the Build/Iam/PermissionsBoundary parameter when creating a custom image.
AWS ParallelCluster configuration parameters to manage IAM permissions
AWS ParallelCluster exposes a set of configuration options to customize and manage the IAM permissions and roles used during the cluster or custom AMI creation process.
Cluster configuration
Head node IAM role
HeadNode / Iam / InstanceRole | InstanceProfile
With this option you can override the default IAM role assigned to the head node of the cluster. For additional details, see the InstanceProfile reference.
The following is the minimal set of policies used as part of this role when the scheduler is Slurm:
- arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy managed IAM policy. For more information, see Create IAM roles and users for use with the CloudWatch agent in the Amazon CloudWatch User Guide.
- arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore managed IAM policy. For more information, see AWS managed policies for AWS Systems Manager in the AWS Systems Manager User Guide.
- Additional IAM policy:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": ["s3:GetObject", "s3:GetObjectVersion"],
      "Resource": [
        "arn:aws:s3:::<REGION>-aws-parallelcluster/*",
        "arn:aws:s3:::dcv-license.<REGION>/*",
        "arn:aws:s3:::parallelcluster-*-v1-do-not-delete/*"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "dynamodb:GetItem",
        "dynamodb:PutItem",
        "dynamodb:UpdateItem",
        "dynamodb:BatchWriteItem",
        "dynamodb:BatchGetItem"
      ],
      "Resource": "arn:aws:dynamodb:<REGION>:<AWS ACCOUNT ID>:table/parallelcluster-*",
      "Effect": "Allow"
    },
    {
      "Condition": {
        "StringEquals": {
          "ec2:ResourceTag/parallelcluster:node-type": "Compute"
        }
      },
      "Action": "ec2:TerminateInstances",
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": ["ec2:RunInstances", "ec2:CreateFleet"],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": ["ec2.amazonaws.com"]
        }
      },
      "Action": ["iam:PassRole"],
      "Resource": [
        "arn:aws:iam::<AWS ACCOUNT ID>:role/parallelcluster/*",
        "arn:aws:iam::<AWS ACCOUNT ID>:instance-profile/parallelcluster/*"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "ec2:DescribeInstances",
        "ec2:DescribeInstanceStatus",
        "ec2:DescribeVolumes",
        "ec2:DescribeInstanceAttribute",
        "ec2:DescribeCapacityReservations"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": ["ec2:CreateTags", "ec2:AttachVolume"],
      "Resource": [
        "arn:aws:ec2:<REGION>:<AWS ACCOUNT ID>:instance/*",
        "arn:aws:ec2:<REGION>:<AWS ACCOUNT ID>:volume/*"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "cloudformation:DescribeStacks",
        "cloudformation:DescribeStackResource",
        "cloudformation:SignalResource"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": ["route53:ChangeResourceRecordSets"],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "secretsmanager:GetSecretValue",
      "Resource": "arn:aws:secretsmanager:<REGION>:<AWS ACCOUNT ID>:secret:<SECRET_ID>",
      "Effect": "Allow"
    }
  ]
}
```
Note that if the compute IAM role is overridden with Scheduling/SlurmQueues/Iam/InstanceRole, the head node policy shown above must include that role in the Resource section of the iam:PassRole permission.
The following is the minimal set of policies used as part of this role when the scheduler is AWS Batch:
- arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy managed IAM policy. For more information, see Create IAM roles and users for use with the CloudWatch agent in the Amazon CloudWatch User Guide.
- arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore managed IAM policy. For more information, see AWS managed policies for AWS Systems Manager in the AWS Systems Manager User Guide.
- Additional IAM policy:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": ["s3:GetObject", "s3:PutObject", "s3:GetObjectVersion"],
      "Resource": ["arn:aws:s3:::parallelcluster-*-v1-do-not-delete/*"],
      "Effect": "Allow"
    },
    {
      "Action": "s3:GetObject",
      "Resource": [
        "arn:aws:s3:::dcv-license.<REGION>/*",
        "arn:aws:s3:::<REGION>-aws-parallelcluster/*"
      ],
      "Effect": "Allow"
    },
    {
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": ["batch.amazonaws.com"]
        }
      },
      "Action": ["iam:PassRole"],
      "Resource": [
        "arn:aws:iam::<AWS ACCOUNT ID>:role/parallelcluster/*",
        "arn:aws:iam::<AWS ACCOUNT ID>:instance-profile/parallelcluster/*"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "batch:DescribeJobQueues",
        "batch:DescribeJobs",
        "batch:ListJobs",
        "batch:DescribeComputeEnvironments"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "batch:SubmitJob",
        "batch:TerminateJob",
        "logs:GetLogEvents",
        "ecs:ListContainerInstances",
        "ecs:DescribeContainerInstances"
      ],
      "Resource": [
        "arn:aws:logs:<REGION>:<AWS ACCOUNT ID>:log-group:/aws/batch/job:log-stream:PclusterJobDefinition*",
        "arn:aws:ecs:<REGION>:<AWS ACCOUNT ID>:container-instance/AWSBatch-PclusterComputeEnviron*",
        "arn:aws:ecs:<REGION>:<AWS ACCOUNT ID>:cluster/AWSBatch-Pcluster*",
        "arn:aws:batch:<REGION>:<AWS ACCOUNT ID>:job-queue/PclusterJobQueue*",
        "arn:aws:batch:<REGION>:<AWS ACCOUNT ID>:job-definition/PclusterJobDefinition*:*",
        "arn:aws:batch:<REGION>:<AWS ACCOUNT ID>:job/*"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "ec2:DescribeInstances",
        "ec2:DescribeInstanceStatus",
        "ec2:DescribeVolumes",
        "ec2:DescribeInstanceAttribute"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": ["ec2:CreateTags", "ec2:AttachVolume"],
      "Resource": [
        "arn:aws:ec2:<REGION>:<AWS ACCOUNT ID>:instance/*",
        "arn:aws:ec2:<REGION>:<AWS ACCOUNT ID>:volume/*"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "cloudformation:DescribeStackResource",
        "cloudformation:DescribeStacks",
        "cloudformation:SignalResource"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "secretsmanager:GetSecretValue",
      "Resource": "arn:aws:secretsmanager:<REGION>:<AWS ACCOUNT ID>:secret:<SECRET_ID>",
      "Effect": "Allow"
    }
  ]
}
```
Amazon S3 access
HeadNode/Iam/S3Access or Scheduling/SlurmQueues/S3Access
In these configuration sections you can customize Amazon S3 access by granting additional Amazon S3 policies to the IAM roles associated with the head node or the compute nodes of the cluster when AWS ParallelCluster creates those roles. For more information, see the reference documentation of each configuration parameter.
This parameter can be used only when the user is set up with the Privileged IAM access mode or the PermissionsBoundary mode.
Additional IAM policies
HeadNode/Iam/AdditionalIamPolicies or Scheduling/SlurmQueues/Iam/AdditionalIamPolicies
Use this option to attach additional managed IAM policies to the IAM roles associated with the head node or the compute nodes of the cluster when AWS ParallelCluster creates those roles.
Warning
To use this option, make sure the AWS ParallelCluster user is granted the iam:AttachRolePolicy and iam:DetachRolePolicy permissions for the IAM policies that need to be attached.
AWS Lambda functions role
Iam / Roles / LambdaFunctionsRole
This option overrides the role attached to all the AWS Lambda functions used during the cluster creation process. AWS Lambda must be configured as the principal allowed to assume the role.
Note
If DeploymentSettings/LambdaFunctionsVpcConfig is set, the LambdaFunctionsRole must include the AWS Lambda role permissions needed to set up the VPC configuration.
The following is the minimal set of policies used as part of this role:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": ["route53:ListResourceRecordSets", "route53:ChangeResourceRecordSets"],
      "Resource": "arn:aws:route53:::hostedzone/*",
      "Effect": "Allow"
    },
    {
      "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
      "Effect": "Allow",
      "Resource": "arn:aws:logs:<REGION>:<AWS ACCOUNT ID>:log-group:/aws/lambda/pcluster-*"
    },
    {
      "Action": "ec2:DescribeInstances",
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Action": "ec2:TerminateInstances",
      "Condition": {
        "StringEquals": {
          "ec2:ResourceTag/parallelcluster:node-type": "Compute"
        }
      },
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Action": [
        "s3:DeleteObject",
        "s3:DeleteObjectVersion",
        "s3:ListBucket",
        "s3:ListBucketVersions"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::parallelcluster-*-v1-do-not-delete",
        "arn:aws:s3:::parallelcluster-*-v1-do-not-delete/*"
      ]
    }
  ]
}
```
Compute node IAM role
Scheduling / SlurmQueues / Iam / InstanceRole | InstanceProfile
This option allows overriding the IAM role assigned to the compute nodes of the cluster. For more information, see InstanceProfile.
The following is the minimal set of policies used as part of this role:
- arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy managed IAM policy. For more information, see Create IAM roles and users for use with the CloudWatch agent in the Amazon CloudWatch User Guide.
- arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore managed IAM policy. For more information, see AWS managed policies for AWS Systems Manager in the AWS Systems Manager User Guide.
- Additional IAM policy:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": ["dynamodb:Query", "dynamodb:UpdateItem", "dynamodb:PutItem", "dynamodb:GetItem"],
      "Resource": "arn:aws:dynamodb:<REGION>:<AWS ACCOUNT ID>:table/parallelcluster-*",
      "Effect": "Allow"
    },
    {
      "Action": "s3:GetObject",
      "Resource": ["arn:aws:s3:::<REGION>-aws-parallelcluster/*"],
      "Effect": "Allow"
    },
    {
      "Action": "ec2:DescribeInstanceAttribute",
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "cloudformation:DescribeStackResource",
      "Resource": ["arn:aws:cloudformation:<REGION>:<AWS ACCOUNT ID>:stack/*/*"],
      "Effect": "Allow"
    }
  ]
}
```
Permissions boundary
This parameter forces AWS ParallelCluster to attach the specified IAM policy as a PermissionsBoundary to all IAM roles created as part of the cluster deployment.
For the list of policies the user needs when this setting is defined, see PermissionsBoundary mode.
Custom image configuration
EC2 Image Builder instance role
Build / Iam / InstanceRole | InstanceProfile
With this option you can override the IAM role assigned to the Amazon EC2 instance that EC2 Image Builder launches to create the custom AMI.
The following is the minimal set of policies used as part of this role:
- arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore managed IAM policy. For more information, see AWS managed policies for AWS Systems Manager in the AWS Systems Manager User Guide.
- arn:aws:iam::aws:policy/EC2InstanceProfileForImageBuilder managed IAM policy. For more information, see the EC2InstanceProfileForImageBuilder policy in the Image Builder User Guide.
- Additional IAM policy:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": ["ec2:CreateTags", "ec2:ModifyImageAttribute"],
      "Resource": "arn:aws:ec2:<REGION>::image/*",
      "Effect": "Allow"
    }
  ]
}
```
AWS Lambda cleanup role
Build / Iam / CleanupLambdaRole
This option overrides the role attached to all the AWS Lambda functions used during the custom image build process. AWS Lambda must be configured as the principal allowed to assume the role.
Note
If DeploymentSettings/LambdaFunctionsVpcConfig is set, the CleanupLambdaRole must include the AWS Lambda role permissions needed to set up the VPC configuration.
The following is the minimal set of policies used as part of this role:
- arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole managed IAM policy. For more information, see AWS managed policies for Lambda features in the AWS Lambda Developer Guide.
- Additional IAM policy:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": ["iam:DetachRolePolicy", "iam:DeleteRole", "iam:DeleteRolePolicy"],
      "Resource": "arn:aws:iam::<AWS ACCOUNT ID>:role/parallelcluster/*",
      "Effect": "Allow"
    },
    {
      "Action": ["iam:DeleteInstanceProfile", "iam:RemoveRoleFromInstanceProfile"],
      "Resource": "arn:aws:iam::<AWS ACCOUNT ID>:instance-profile/parallelcluster/*",
      "Effect": "Allow"
    },
    {
      "Action": "imagebuilder:DeleteInfrastructureConfiguration",
      "Resource": "arn:aws:imagebuilder:<REGION>:<AWS ACCOUNT ID>:infrastructure-configuration/parallelclusterimage-*",
      "Effect": "Allow"
    },
    {
      "Action": ["imagebuilder:DeleteComponent"],
      "Resource": ["arn:aws:imagebuilder:<REGION>:<AWS ACCOUNT ID>:component/parallelclusterimage-*/*"],
      "Effect": "Allow"
    },
    {
      "Action": "imagebuilder:DeleteImageRecipe",
      "Resource": "arn:aws:imagebuilder:<REGION>:<AWS ACCOUNT ID>:image-recipe/parallelclusterimage-*/*",
      "Effect": "Allow"
    },
    {
      "Action": "imagebuilder:DeleteDistributionConfiguration",
      "Resource": "arn:aws:imagebuilder:<REGION>:<AWS ACCOUNT ID>:distribution-configuration/parallelclusterimage-*",
      "Effect": "Allow"
    },
    {
      "Action": ["imagebuilder:DeleteImage", "imagebuilder:GetImage", "imagebuilder:CancelImageCreation"],
      "Resource": "arn:aws:imagebuilder:<REGION>:<AWS ACCOUNT ID>:image/parallelclusterimage-*/*",
      "Effect": "Allow"
    },
    {
      "Action": "cloudformation:DeleteStack",
      "Resource": "arn:aws:cloudformation:<REGION>:<AWS ACCOUNT ID>:stack/*/*",
      "Effect": "Allow"
    },
    {
      "Action": "ec2:CreateTags",
      "Resource": "arn:aws:ec2:<REGION>::image/*",
      "Effect": "Allow"
    },
    {
      "Action": "tag:TagResources",
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": ["lambda:DeleteFunction", "lambda:RemovePermission"],
      "Resource": "arn:aws:lambda:<REGION>:<AWS ACCOUNT ID>:function:ParallelClusterImage-*",
      "Effect": "Allow"
    },
    {
      "Action": "logs:DeleteLogGroup",
      "Resource": "arn:aws:logs:<REGION>:<AWS ACCOUNT ID>:log-group:/aws/lambda/ParallelClusterImage-*:*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "SNS:GetTopicAttributes",
        "SNS:DeleteTopic",
        "SNS:GetSubscriptionAttributes",
        "SNS:Unsubscribe"
      ],
      "Resource": "arn:aws:sns:<REGION>:<AWS ACCOUNT ID>:ParallelClusterImage-*",
      "Effect": "Allow"
    }
  ]
}
```
Additional IAM policies
Build / Iam / AdditionalIamPolicies
You can use this option to attach additional managed IAM policies to the role associated with the Amazon EC2 instance that EC2 Image Builder uses to produce the custom AMI.
Warning
To use this option, make sure the AWS ParallelCluster user is granted the iam:AttachRolePolicy and iam:DetachRolePolicy permissions for the IAM policies that need to be attached.
Permissions boundary
Build / Iam / PermissionsBoundary
This parameter forces AWS ParallelCluster to attach the specified IAM policy as a PermissionsBoundary to all IAM roles created as part of the custom AMI build.
For the list of policies required to use this feature, see PermissionsBoundary mode.