Las traducciones son generadas a través de traducción automática. En caso de conflicto entre la traducción y la version original de inglés, prevalecerá la version en inglés.
# AWS Identity and Access Management funciones en AWS ParallelCluster
AWS ParallelCluster utiliza funciones AWS Identity and Access Management (IAM) para Amazon EC2 a fin de permitir que las instancias AWS accedan a los servicios para la implementación y el funcionamiento de un clúster. De forma predeterminada, el rol de IAM para Amazon EC2 se crea al crear el clúster. Esto significa que el usuario que crea el clúster debe tener el nivel de permisos adecuado, tal como se describe en las siguientes secciones.
AWS ParallelCluster utiliza varios AWS servicios para implementar y operar un clúster. Consulte la lista completa en la sección [AWS Servicios de AWS que se utilizan en AWS ParallelCluster](aws-services.md).
Puede realizar un seguimiento de los cambios en las políticas de ejemplo de [AWS ParallelCluster la documentación sobre GitHub](https://github.com/awsdocs/aws-parallelcluster-user-guide/blame/main/doc_source/iam.md).
**Topics**
+ [Configuración predeterminada para la creación de clústeres](#defaults)
+ [Uso de un rol de IAM ya existente para un rol de Amazon EC2](#using-an-existing-ec2-iam-role)
+ [AWS ParallelCluster ejemplos de políticas de instancia y usuario](#example-parallelcluser-policies)
## Configuración predeterminada para la creación de clústeres
Al usar la configuración predeterminada para la creación del clúster, este crea un rol de IAM predeterminado para Amazon EC2. El usuario que crea el clúster debe tener el nivel de permisos adecuado para crear todos los recursos necesarios para lanzar el clúster, incluido un rol de para . Esto incluye crear un rol de IAM para Amazon EC2. Por lo general, el usuario debe tener los permisos de una política *AdministratorAccess*administrada cuando utiliza la configuración predeterminada. Para obtener más información sobre las políticas administradas, consulte [Políticas administradas por AWS](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies) en la *Guía del usuario de IAM*.
## Uso de un rol de IAM ya existente para un rol de Amazon EC2
En lugar de la configuración predeterminada, puede usar un [`ec2_iam_role`](cluster-definition.md#ec2-iam-role) existente cuando cree un clúster, pero debe definir el rol y la política de IAM antes de intentar lanzar el clúster. Normalmente, elige un rol de IAM ya existente para que Amazon EC2 reduzca los permisos concedidos a los usuarios a medida que lanzan clústeres. [AWS ParallelCluster ejemplos de políticas de instancia y usuario](#example-parallelcluser-policies)Incluyen los permisos mínimos requeridos AWS ParallelCluster y sus funciones. Debe crear ambas como políticas individuales en y luego asociarlas a los recursos adecuados. Algunas de las políticas de roles pueden aumentar de tamaño y provocar errores de cuota. Para obtener más información, consulte [Solución de problemas de tamaño de políticas de IAM](troubleshooting.md#troubleshooting-policy-size-issues). En las políticas ****, sustituya y cadenas similares por los valores adecuados.
Si su intención es añadir políticas adicionales a la configuración predeterminada de los nodos del clúster, le recomendamos que apruebe las políticas de IAM personalizadas adicionales utilizando la configuración de [`additional_iam_policies`](cluster-definition.md#additional-iam-policies) en lugar de la de [`ec2_iam_role`](cluster-definition.md#ec2-iam-role).
## AWS ParallelCluster ejemplos de políticas de instancia y usuario
Las siguientes políticas de ejemplo incluyen Amazon Resource Names (ARNs) para los recursos. Si está trabajando en las particiones AWS GovCloud (US) o en AWS China, ARNs debe cambiarlas. En concreto, deben cambiarse de «arn:aws» a «arn:aws-us-gov» para la AWS GovCloud (US) partición o «arn:aws-cn» para la partición de China. AWS Para obtener más información, consulte [Nombres de recursos de Amazon (ARNs) en AWS GovCloud (US) las regiones](https://docs.aws.amazon.com/govcloud-us/latest/UserGuide/using-govcloud-arns.html) en la *Guía del AWS GovCloud (US) usuario* y [ARNs para obtener información sobre AWS los servicios en China](https://docs.amazonaws.cn/aws/latest/userguide/ARNs.html) en *Introducción a AWS los servicios en China*.
Estas políticas incluyen los permisos mínimos que actualmente requieren sus funciones y recursos. AWS ParallelCluster Algunas de las políticas de roles pueden aumentar de tamaño y provocar errores de cuota. Para obtener más información, consulte [Solución de problemas de tamaño de políticas de IAM](troubleshooting.md#troubleshooting-policy-size-issues).
**Topics**
+ [`ParallelClusterInstancePolicy`usando SGESlurm, o Torque](#parallelclusterinstancepolicy)
+ [`ParallelClusterInstancePolicy` con `awsbatch`](#parallelclusterinstancepolicy-batch)
+ [`ParallelClusterUserPolicy` con Slurm](#parallelclusteruserpolicy)
+ [`ParallelClusterUserPolicy`usando o SGE Torque](#parallelclusteruserpolicy-sge-torque)
+ [`ParallelClusterUserPolicy` con `awsbatch`](#parallelclusteruserpolicy-batch)
+ [`ParallelClusterLambdaPolicy`usando, o SGE Slurm Torque](#parallelcluster-lambda-policy)
+ [`ParallelClusterLambdaPolicy` con `awsbatch`](#parallelcluster-lambda-policy-batch)
+ [`ParallelClusterUserPolicy` para usuarios](#parallelclusteruserpolicy-minimal-user)
### `ParallelClusterInstancePolicy`usando SGESlurm, o Torque
**nota**
A partir de la versión 2.11.5, AWS ParallelCluster no admite el uso de nuestros programadoresSGE. Torque Puede seguir utilizándolos en las versiones anteriores a la 2.11.4 (inclusive), pero no son aptas para recibir actualizaciones futuras ni asistencia para la solución de problemas por parte de los equipos de AWS servicio y AWS soporte.
**Topics**
+ [`ParallelClusterInstancePolicy` con Slurm](#parallelclusterinstancepolicy-slurm)
+ [`ParallelClusterInstancePolicy`usando o SGE Torque](#parallelclusterinstancepolicy-sge-torque)
#### `ParallelClusterInstancePolicy` con Slurm
En el ejemplo siguiente se establece `ParallelClusterInstancePolicy`, utilizando Slurm como programador.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Action": [
"ec2:DescribeVolumes",
"ec2:AttachVolume",
"ec2:DescribeInstanceAttribute",
"ec2:DescribeInstanceStatus",
"ec2:DescribeInstanceTypes",
"ec2:DescribeInstances",
"ec2:DescribeRegions",
"ec2:TerminateInstances",
"ec2:DescribeLaunchTemplates",
"ec2:CreateTags"
],
"Resource": [
"*"
],
"Effect": "Allow",
"Sid": "EC2"
},
{
"Action": "ec2:RunInstances",
"Resource": [
"arn:aws:ec2:us-east-1:111122223333:subnet/",
"arn:aws:ec2:us-east-1:111122223333:network-interface/*",
"arn:aws:ec2:us-east-1:111122223333:instance/*",
"arn:aws:ec2:us-east-1:111122223333:volume/*",
"arn:aws:ec2:us-east-1::image/",
"arn:aws:ec2:us-east-1:111122223333:key-pair/",
"arn:aws:ec2:us-east-1:111122223333:security-group/*",
"arn:aws:ec2:us-east-1:111122223333:launch-template/*",
"arn:aws:ec2:us-east-1:111122223333:placement-group/*"
],
"Effect": "Allow",
"Sid": "EC2RunInstances"
},
{
"Action": [
"dynamodb:ListTables"
],
"Resource": [
"*"
],
"Effect": "Allow",
"Sid": "DynamoDBList"
},
{
"Action": [
"cloudformation:DescribeStacks",
"cloudformation:DescribeStackResource",
"cloudformation:SignalResource"
],
"Resource": [
"arn:aws:cloudformation:us-east-1:111122223333:stack/parallelcluster-*/*"
],
"Effect": "Allow",
"Sid": "CloudFormation"
},
{
"Action": [
"dynamodb:PutItem",
"dynamodb:Query",
"dynamodb:GetItem",
"dynamodb:BatchWriteItem",
"dynamodb:DeleteItem",
"dynamodb:DescribeTable"
],
"Resource": [
"arn:aws:dynamodb:us-east-1:111122223333:table/parallelcluster-*"
],
"Effect": "Allow",
"Sid": "DynamoDBTable"
},
{
"Action": [
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::us-east-1-aws-parallelcluster/*"
],
"Effect": "Allow",
"Sid": "S3GetObj"
},
{
"Action": [
"iam:PassRole"
],
"Resource": [
"*"
],
"Effect": "Allow",
"Sid": "IAMPassRole",
"Condition": {
"StringEquals": {
"iam:PassedToService": [
"ec2.amazonaws.com"
]
}
}
},
{
"Action": [
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::dcv-license.us-east-1/*"
],
"Effect": "Allow",
"Sid": "DcvLicense"
},
{
"Action": [
"s3:GetObject",
"s3:GetObjectVersion"
],
"Resource": [
"arn:aws:s3:::parallelcluster-*/*"
],
"Effect": "Allow",
"Sid": "GetClusterConfig"
},
{
"Action": [
"fsx:DescribeFileSystems"
],
"Resource": [
"*"
],
"Effect": "Allow",
"Sid": "FSx"
},
{
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource": [
"*"
],
"Effect": "Allow",
"Sid": "CWLogs"
},
{
"Action": [
"route53:ChangeResourceRecordSets"
],
"Resource": [
"arn:aws:route53:::hostedzone/*"
],
"Effect": "Allow",
"Sid": "Route53"
}
]
}
```
------
#### `ParallelClusterInstancePolicy`usando o SGE Torque
En el ejemplo siguiente se establece `ParallelClusterInstancePolicy`, utilizando SGE, o como programador.
**nota**
Esta política solo se aplica a AWS ParallelCluster las versiones anteriores a la 2.11.4 (inclusive). A partir de la versión 2.11.5, AWS ParallelCluster no admite el uso de programadores de SGE o Torque.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Action": [
"ec2:DescribeVolumes",
"ec2:AttachVolume",
"ec2:DescribeInstanceAttribute",
"ec2:DescribeInstanceStatus",
"ec2:DescribeInstanceTypes",
"ec2:DescribeInstances",
"ec2:DescribeRegions",
"ec2:TerminateInstances",
"ec2:DescribeLaunchTemplates",
"ec2:CreateTags"
],
"Resource": [
"*"
],
"Effect": "Allow",
"Sid": "EC2"
},
{
"Action": "ec2:RunInstances",
"Resource": [
"arn:aws:ec2:us-east-1:111122223333:subnet/",
"arn:aws:ec2:us-east-1:111122223333:network-interface/*",
"arn:aws:ec2:us-east-1:111122223333:instance/*",
"arn:aws:ec2:us-east-1:111122223333:volume/*",
"arn:aws:ec2:us-east-1::image/",
"arn:aws:ec2:us-east-1:111122223333:key-pair/",
"arn:aws:ec2:us-east-1:111122223333:security-group/*",
"arn:aws:ec2:us-east-1:111122223333:launch-template/*",
"arn:aws:ec2:us-east-1:111122223333:placement-group/*"
],
"Effect": "Allow",
"Sid": "EC2RunInstances"
},
{
"Action": [
"dynamodb:ListTables"
],
"Resource": [
"*"
],
"Effect": "Allow",
"Sid": "DynamoDBList"
},
{
"Action": [
"sqs:SendMessage",
"sqs:ReceiveMessage",
"sqs:ChangeMessageVisibility",
"sqs:DeleteMessage",
"sqs:GetQueueUrl"
],
"Resource": [
"arn:aws:sqs:us-east-1:111122223333:parallelcluster-*"
],
"Effect": "Allow",
"Sid": "SQSQueue"
},
{
"Action": [
"autoscaling:DescribeAutoScalingGroups",
"autoscaling:TerminateInstanceInAutoScalingGroup",
"autoscaling:SetDesiredCapacity",
"autoscaling:UpdateAutoScalingGroup",
"autoscaling:DescribeTags",
"autoscaling:SetInstanceHealth"
],
"Resource": [
"*"
],
"Effect": "Allow",
"Sid": "Autoscaling"
},
{
"Action": [
"cloudformation:DescribeStacks",
"cloudformation:DescribeStackResource",
"cloudformation:SignalResource"
],
"Resource": [
"arn:aws:cloudformation:us-east-1:111122223333:stack/parallelcluster-*/*"
],
"Effect": "Allow",
"Sid": "CloudFormation"
},
{
"Action": [
"dynamodb:PutItem",
"dynamodb:Query",
"dynamodb:GetItem",
"dynamodb:BatchWriteItem",
"dynamodb:DeleteItem",
"dynamodb:DescribeTable"
],
"Resource": [
"arn:aws:dynamodb:us-east-1:111122223333:table/parallelcluster-*"
],
"Effect": "Allow",
"Sid": "DynamoDBTable"
},
{
"Action": [
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::us-east-1-aws-parallelcluster/*"
],
"Effect": "Allow",
"Sid": "S3GetObj"
},
{
"Action": [
"sqs:ListQueues"
],
"Resource": [
"*"
],
"Effect": "Allow",
"Sid": "SQSList"
},
{
"Action": [
"iam:PassRole"
],
"Resource": [
"*"
],
"Effect": "Allow",
"Sid": "IAMPassRole",
"Condition": {
"StringEquals": {
"iam:PassedToService": [
"ec2.amazonaws.com"
]
}
}
},
{
"Action": [
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::dcv-license.us-east-1/*"
],
"Effect": "Allow",
"Sid": "DcvLicense"
},
{
"Action": [
"s3:GetObject",
"s3:GetObjectVersion"
],
"Resource": [
"arn:aws:s3:::parallelcluster-*/*"
],
"Effect": "Allow",
"Sid": "GetClusterConfig"
},
{
"Action": [
"fsx:DescribeFileSystems"
],
"Resource": [
"*"
],
"Effect": "Allow",
"Sid": "FSx"
},
{
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource": [
"*"
],
"Effect": "Allow",
"Sid": "CWLogs"
},
{
"Action": [
"route53:ChangeResourceRecordSets"
],
"Resource": [
"arn:aws:route53:::hostedzone/*"
],
"Effect": "Allow",
"Sid": "Route53"
}
]
}
```
------
### `ParallelClusterInstancePolicy` con `awsbatch`
En el ejemplo siguiente se establece `ParallelClusterInstancePolicy`, utilizando `awsbatch` como programador. Debe incluir las mismas políticas que se asignan a las `BatchUserRole` definidas en la pila AWS Batch CloudFormation anidada. El ARN de `BatchUserRole` se proporciona como una salida de la pila. En este ejemplo, «**» es el valor de la [`cluster_resource_bucket`](cluster-definition.md#cluster-resource-bucket-section) configuración; si no [`cluster_resource_bucket`](cluster-definition.md#cluster-resource-bucket-section) se especifica, «**» es «parallelcluster-\$1». En el siguiente ejemplo se muestra un resumen de los permisos necesarios:
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Action": [
"batch:RegisterJobDefinition",
"logs:GetLogEvents"
],
"Resource": [
"*"
],
"Effect": "Allow"
},
{
"Action": [
"batch:SubmitJob",
"cloudformation:DescribeStacks",
"ecs:ListContainerInstances",
"ecs:DescribeContainerInstances",
"logs:FilterLogEvents",
"s3:PutObject",
"s3:Get*",
"s3:DeleteObject",
"iam:PassRole"
],
"Resource": [
"arn:aws:batch:us-east-1:111122223333:job-definition/:1",
"arn:aws:batch:us-east-1:111122223333:job-definition/*",
"arn:aws:batch:us-east-1:111122223333:job-queue/",
"arn:aws:cloudformation:us-east-1:111122223333:stack//*",
"arn:aws:s3:::amzn-s3-demo-bucket/batch/*",
"arn:aws:iam::111122223333:role/",
"arn:aws:ecs:us-east-1:111122223333:cluster/",
"arn:aws:ecs:us-east-1:111122223333:container-instance/*",
"arn:aws:logs:us-east-1:111122223333:log-group:/aws/batch/job:log-stream:*"
],
"Effect": "Allow"
},
{
"Action": [
"s3:List*"
],
"Resource": [
"arn:aws:s3:::amzn-s3-demo-bucket"
],
"Effect": "Allow"
},
{
"Action": [
"batch:DescribeJobQueues",
"batch:TerminateJob",
"batch:DescribeJobs",
"batch:CancelJob",
"batch:DescribeJobDefinitions",
"batch:ListJobs",
"batch:DescribeComputeEnvironments"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"ec2:DescribeInstances",
"ec2:AttachVolume",
"ec2:DescribeVolumes",
"ec2:DescribeInstanceAttribute"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "EC2"
},
{
"Action": [
"cloudformation:DescribeStackResource",
"cloudformation:SignalResource"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "CloudFormation"
},
{
"Action": [
"fsx:DescribeFileSystems"
],
"Resource": [
"*"
],
"Effect": "Allow",
"Sid": "FSx"
},
{
"Action": [
"logs:CreateLogGroup",
"logs:TagResource",
"logs:UntagResource",
"logs:CreateLogStream"
],
"Resource": [
"*"
],
"Effect": "Allow",
"Sid": "CWLogs"
}
]
}
```
------
### `ParallelClusterUserPolicy` con Slurm
En el ejemplo siguiente se establece `ParallelClusterUserPolicy`, utilizando Slurm como programador. En este ejemplo, «**» es el valor de la [`cluster_resource_bucket`](cluster-definition.md#cluster-resource-bucket-section) configuración; si no se especifica, «» [`cluster_resource_bucket`](cluster-definition.md#cluster-resource-bucket-section) es «parallelcluster-\$1**».
**nota**
Si utiliza un rol personalizado, , debe cambiar el recurso de ` = ` para que incluya el nombre de ese rol de:
`"Resource": "arn:aws:iam:::role/parallelcluster-*"`
Para:
`"Resource": "arn:aws:iam:::role/"`
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Action": [
"ec2:DescribeKeyPairs",
"ec2:DescribeRegions",
"ec2:DescribeVpcs",
"ec2:DescribeSubnets",
"ec2:DescribeSecurityGroups",
"ec2:DescribePlacementGroups",
"ec2:DescribeImages",
"ec2:DescribeInstances",
"ec2:DescribeInstanceStatus",
"ec2:DescribeInstanceTypes",
"ec2:DescribeInstanceTypeOfferings",
"ec2:DescribeSnapshots",
"ec2:DescribeVolumes",
"ec2:DescribeVpcAttribute",
"ec2:DescribeAddresses",
"ec2:CreateTags",
"ec2:DescribeNetworkInterfaces",
"ec2:DescribeAvailabilityZones"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "EC2Describe"
},
{
"Action": [
"ec2:CreateVpc",
"ec2:ModifyVpcAttribute",
"ec2:DescribeNatGateways",
"ec2:CreateNatGateway",
"ec2:DescribeInternetGateways",
"ec2:CreateInternetGateway",
"ec2:AttachInternetGateway",
"ec2:DescribeRouteTables",
"ec2:CreateRoute",
"ec2:CreateRouteTable",
"ec2:AssociateRouteTable",
"ec2:CreateSubnet",
"ec2:ModifySubnetAttribute"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "NetworkingEasyConfig"
},
{
"Action": [
"ec2:CreateVolume",
"ec2:RunInstances",
"ec2:AllocateAddress",
"ec2:AssociateAddress",
"ec2:AttachNetworkInterface",
"ec2:AuthorizeSecurityGroupEgress",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:CreateNetworkInterface",
"ec2:CreateSecurityGroup",
"ec2:ModifyVolumeAttribute",
"ec2:ModifyNetworkInterfaceAttribute",
"ec2:DeleteNetworkInterface",
"ec2:DeleteVolume",
"ec2:TerminateInstances",
"ec2:DeleteSecurityGroup",
"ec2:DisassociateAddress",
"ec2:RevokeSecurityGroupIngress",
"ec2:RevokeSecurityGroupEgress",
"ec2:ReleaseAddress",
"ec2:CreatePlacementGroup",
"ec2:DeletePlacementGroup"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "EC2Modify"
},
{
"Action": [
"autoscaling:CreateAutoScalingGroup",
"ec2:CreateLaunchTemplate",
"ec2:CreateLaunchTemplateVersion",
"ec2:ModifyLaunchTemplate",
"ec2:DeleteLaunchTemplate",
"ec2:DescribeLaunchTemplates",
"ec2:DescribeLaunchTemplateVersions"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "ScalingModify"
},
{
"Action": [
"dynamodb:DescribeTable",
"dynamodb:ListTagsOfResource"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "DynamoDBDescribe"
},
{
"Action": [
"dynamodb:CreateTable",
"dynamodb:DeleteTable",
"dynamodb:GetItem",
"dynamodb:PutItem",
"dynamodb:Query",
"dynamodb:TagResource"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "DynamoDBModify"
},
{
"Action": [
"route53:ChangeResourceRecordSets",
"route53:ChangeTagsForResource",
"route53:CreateHostedZone",
"route53:DeleteHostedZone",
"route53:GetChange",
"route53:GetHostedZone",
"route53:ListResourceRecordSets",
"route53:ListQueryLoggingConfigs"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "Route53HostedZones"
},
{
"Action": [
"cloudformation:DescribeStackEvents",
"cloudformation:DescribeStackResource",
"cloudformation:DescribeStackResources",
"cloudformation:DescribeStacks",
"cloudformation:ListStacks",
"cloudformation:GetTemplate"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "CloudFormationDescribe"
},
{
"Action": [
"cloudformation:CreateStack",
"cloudformation:DeleteStack",
"cloudformation:UpdateStack"
],
"Effect": "Allow",
"Resource": "*",
"Sid": "CloudFormationModify"
},
{
"Action": [
"s3:*"
],
"Resource": [
"arn:aws:s3:::amzn-s3-demo-bucket"
],
"Effect": "Allow",
"Sid": "S3ResourcesBucket"
},
{
"Action": [
"s3:Get*",
"s3:List*"
],
"Resource": [
"arn:aws:s3:::us-east-1-aws-parallelcluster*"
],
"Effect": "Allow",
"Sid": "S3ParallelClusterReadOnly"
},
{
"Action": [
"s3:DeleteBucket",
"s3:DeleteObject",
"s3:DeleteObjectVersion"
],
"Resource": [
"arn:aws:s3:::amzn-s3-demo-bucket"
],
"Effect": "Allow",
"Sid": "S3Delete"
},
{
"Action": [
"iam:PassRole",
"iam:CreateRole",
"iam:DeleteRole",
"iam:GetRole",
"iam:TagRole",
"iam:SimulatePrincipalPolicy"
],
"Resource": [
"arn:aws:iam::111122223333:role/",
"arn:aws:iam::111122223333:role/parallelcluster-*"
],
"Effect": "Allow",
"Sid": "IAMModify"
},
{
"Condition": {
"StringEquals": {
"iam:AWSServiceName": [
"fsx.amazonaws.com",
"s3.data-source.lustre.fsx.amazonaws.com"
]
}
},
"Action": [
"iam:CreateServiceLinkedRole"
],
"Resource": "arn:aws:iam::111122223333:role/aws-service-role/*",
"Effect": "Allow",
"Sid": "IAMServiceLinkedRole"
},
{
"Action": [
"iam:CreateInstanceProfile",
"iam:DeleteInstanceProfile"
],
"Resource": "arn:aws:iam::111122223333:instance-profile/*",
"Effect": "Allow",
"Sid": "IAMCreateInstanceProfile"
},
{
"Action": [
"iam:AddRoleToInstanceProfile",
"iam:RemoveRoleFromInstanceProfile",
"iam:GetRolePolicy",
"iam:GetPolicy",
"iam:AttachRolePolicy",
"iam:DetachRolePolicy",
"iam:PutRolePolicy",
"iam:DeleteRolePolicy"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "IAMInstanceProfile"
},
{
"Action": [
"elasticfilesystem:DescribeMountTargets",
"elasticfilesystem:DescribeMountTargetSecurityGroups",
"ec2:DescribeNetworkInterfaceAttribute"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "EFSDescribe"
},
{
"Action": [
"ssm:GetParametersByPath"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "SSMDescribe"
},
{
"Action": [
"fsx:*"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "FSx"
},
{
"Action": [
"elasticfilesystem:*"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "EFS"
},
{
"Action": [
"logs:DeleteLogGroup",
"logs:PutRetentionPolicy",
"logs:DescribeLogGroups",
"logs:CreateLogGroup",
"logs:TagResource",
"logs:UntagResource"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "CloudWatchLogs"
},
{
"Action": [
"lambda:CreateFunction",
"lambda:DeleteFunction",
"lambda:GetFunctionConfiguration",
"lambda:GetFunction",
"lambda:InvokeFunction",
"lambda:AddPermission",
"lambda:RemovePermission",
"lambda:TagResource",
"lambda:ListTags",
"lambda:UntagResource"
],
"Resource": [
"arn:aws:lambda:us-east-1:111122223333:function:parallelcluster-*",
"arn:aws:lambda:us-east-1:111122223333:function:pcluster-*"
],
"Effect": "Allow",
"Sid": "Lambda"
},
{
"Sid": "CloudWatch",
"Effect": "Allow",
"Action": [
"cloudwatch:PutDashboard",
"cloudwatch:ListDashboards",
"cloudwatch:DeleteDashboards",
"cloudwatch:GetDashboard"
],
"Resource": "*"
}
]
}
```
------
### `ParallelClusterUserPolicy`usando o SGE Torque
**nota**
Esta sección solo se aplica a AWS ParallelCluster las versiones anteriores a la 2.11.4 (inclusive). A partir de la versión 2.11.5, AWS ParallelCluster no admite el uso de programadores de SGE o Torque.
En el ejemplo siguiente se establece `ParallelClusterUserPolicy`, utilizando SGE, o como programador. En este ejemplo, «**» es el valor de la [`cluster_resource_bucket`](cluster-definition.md#cluster-resource-bucket-section) configuración; si no [`cluster_resource_bucket`](cluster-definition.md#cluster-resource-bucket-section) se especifica, «» es «**parallelcluster-\$1».
**nota**
Si utiliza un rol personalizado, , debe cambiar el recurso de ` = ` para que incluya el nombre de ese rol de:
`"Resource": "arn:aws:iam:::role/parallelcluster-*"`
Para:
`"Resource": "arn:aws:iam:::role/"`
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Action": [
"ec2:DescribeKeyPairs",
"ec2:DescribeRegions",
"ec2:DescribeVpcs",
"ec2:DescribeSubnets",
"ec2:DescribeSecurityGroups",
"ec2:DescribePlacementGroups",
"ec2:DescribeImages",
"ec2:DescribeInstances",
"ec2:DescribeInstanceStatus",
"ec2:DescribeInstanceTypes",
"ec2:DescribeInstanceTypeOfferings",
"ec2:DescribeSnapshots",
"ec2:DescribeVolumes",
"ec2:DescribeVpcAttribute",
"ec2:DescribeAddresses",
"ec2:CreateTags",
"ec2:DescribeNetworkInterfaces",
"ec2:DescribeAvailabilityZones"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "EC2Describe"
},
{
"Action": [
"ec2:CreateVpc",
"ec2:ModifyVpcAttribute",
"ec2:DescribeNatGateways",
"ec2:CreateNatGateway",
"ec2:DescribeInternetGateways",
"ec2:CreateInternetGateway",
"ec2:AttachInternetGateway",
"ec2:DescribeRouteTables",
"ec2:CreateRoute",
"ec2:CreateRouteTable",
"ec2:AssociateRouteTable",
"ec2:CreateSubnet",
"ec2:ModifySubnetAttribute"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "NetworkingEasyConfig"
},
{
"Action": [
"ec2:CreateVolume",
"ec2:RunInstances",
"ec2:AllocateAddress",
"ec2:AssociateAddress",
"ec2:AttachNetworkInterface",
"ec2:AuthorizeSecurityGroupEgress",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:CreateNetworkInterface",
"ec2:CreateSecurityGroup",
"ec2:ModifyVolumeAttribute",
"ec2:ModifyNetworkInterfaceAttribute",
"ec2:DeleteNetworkInterface",
"ec2:DeleteVolume",
"ec2:TerminateInstances",
"ec2:DeleteSecurityGroup",
"ec2:DisassociateAddress",
"ec2:RevokeSecurityGroupIngress",
"ec2:RevokeSecurityGroupEgress",
"ec2:ReleaseAddress",
"ec2:CreatePlacementGroup",
"ec2:DeletePlacementGroup"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "EC2Modify"
},
{
"Action": [
"autoscaling:DescribeAutoScalingGroups",
"autoscaling:DescribeAutoScalingInstances"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "AutoScalingDescribe"
},
{
"Action": [
"autoscaling:CreateAutoScalingGroup",
"ec2:CreateLaunchTemplate",
"ec2:CreateLaunchTemplateVersion",
"ec2:ModifyLaunchTemplate",
"ec2:DeleteLaunchTemplate",
"ec2:DescribeLaunchTemplates",
"ec2:DescribeLaunchTemplateVersions",
"autoscaling:PutNotificationConfiguration",
"autoscaling:UpdateAutoScalingGroup",
"autoscaling:PutScalingPolicy",
"autoscaling:DescribeScalingActivities",
"autoscaling:DeleteAutoScalingGroup",
"autoscaling:DeletePolicy",
"autoscaling:DisableMetricsCollection",
"autoscaling:EnableMetricsCollection"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "AutoScalingModify"
},
{
"Action": [
"dynamodb:DescribeTable",
"dynamodb:ListTagsOfResource"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "DynamoDBDescribe"
},
{
"Action": [
"dynamodb:CreateTable",
"dynamodb:DeleteTable",
"dynamodb:GetItem",
"dynamodb:PutItem",
"dynamodb:Query",
"dynamodb:TagResource"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "DynamoDBModify"
},
{
"Action": [
"sqs:GetQueueAttributes"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "SQSDescribe"
},
{
"Action": [
"sqs:CreateQueue",
"sqs:SetQueueAttributes",
"sqs:DeleteQueue",
"sqs:TagQueue"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "SQSModify"
},
{
"Action": [
"sns:ListTopics",
"sns:GetTopicAttributes"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "SNSDescribe"
},
{
"Action": [
"sns:CreateTopic",
"sns:Subscribe",
"sns:Unsubscribe",
"sns:DeleteTopic"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "SNSModify"
},
{
"Action": [
"cloudformation:DescribeStackEvents",
"cloudformation:DescribeStackResource",
"cloudformation:DescribeStackResources",
"cloudformation:DescribeStacks",
"cloudformation:ListStacks",
"cloudformation:GetTemplate"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "CloudFormationDescribe"
},
{
"Action": [
"cloudformation:CreateStack",
"cloudformation:DeleteStack",
"cloudformation:UpdateStack"
],
"Effect": "Allow",
"Resource": "*",
"Sid": "CloudFormationModify"
},
{
"Action": [
"s3:*"
],
"Resource": [
"arn:aws:s3:::amzn-s3-demo-bucket"
],
"Effect": "Allow",
"Sid": "S3ResourcesBucket"
},
{
"Action": [
"s3:Get*",
"s3:List*"
],
"Resource": [
"arn:aws:s3:::us-east-1-aws-parallelcluster*"
],
"Effect": "Allow",
"Sid": "S3ParallelClusterReadOnly"
},
{
"Action": [
"s3:DeleteBucket",
"s3:DeleteObject",
"s3:DeleteObjectVersion"
],
"Resource": [
"arn:aws:s3:::amzn-s3-demo-bucket"
],
"Effect": "Allow",
"Sid": "S3Delete"
},
{
"Action": [
"iam:PassRole",
"iam:CreateRole",
"iam:DeleteRole",
"iam:GetRole",
"iam:TagRole",
"iam:SimulatePrincipalPolicy"
],
"Resource": [
"arn:aws:iam::111122223333:role/",
"arn:aws:iam::111122223333:role/parallelcluster-*"
],
"Effect": "Allow",
"Sid": "IAMModify"
},
{
"Condition": {
"StringEquals": {
"iam:AWSServiceName": [
"fsx.amazonaws.com",
"s3.data-source.lustre.fsx.amazonaws.com"
]
}
},
"Action": [
"iam:CreateServiceLinkedRole"
],
"Resource": "arn:aws:iam::111122223333:role/aws-service-role/*",
"Effect": "Allow",
"Sid": "IAMServiceLinkedRole"
},
{
"Action": [
"iam:CreateInstanceProfile",
"iam:DeleteInstanceProfile"
],
"Resource": "arn:aws:iam::111122223333:instance-profile/*",
"Effect": "Allow",
"Sid": "IAMCreateInstanceProfile"
},
{
"Action": [
"iam:AddRoleToInstanceProfile",
"iam:RemoveRoleFromInstanceProfile",
"iam:GetRolePolicy",
"iam:GetPolicy",
"iam:AttachRolePolicy",
"iam:DetachRolePolicy",
"iam:PutRolePolicy",
"iam:DeleteRolePolicy"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "IAMInstanceProfile"
},
{
"Action": [
"elasticfilesystem:DescribeMountTargets",
"elasticfilesystem:DescribeMountTargetSecurityGroups",
"ec2:DescribeNetworkInterfaceAttribute"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "EFSDescribe"
},
{
"Action": [
"ssm:GetParametersByPath"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "SSMDescribe"
},
{
"Action": [
"fsx:*"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "FSx"
},
{
"Action": [
"elasticfilesystem:*"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "EFS"
},
{
"Action": [
"logs:DeleteLogGroup",
"logs:PutRetentionPolicy",
"logs:DescribeLogGroups",
"logs:CreateLogGroup",
"logs:TagResource",
"logs:UntagResource"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "CloudWatchLogs"
},
{
"Action": [
"lambda:CreateFunction",
"lambda:DeleteFunction",
"lambda:GetFunctionConfiguration",
"lambda:GetFunction",
"lambda:InvokeFunction",
"lambda:AddPermission",
"lambda:RemovePermission",
"lambda:TagResource",
"lambda:ListTags",
"lambda:UntagResource"
],
"Resource": [
"arn:aws:lambda:us-east-1:111122223333:function:parallelcluster-*",
"arn:aws:lambda:us-east-1:111122223333:function:pcluster-*"
],
"Effect": "Allow",
"Sid": "Lambda"
},
{
"Sid": "CloudWatch",
"Effect": "Allow",
"Action": [
"cloudwatch:PutDashboard",
"cloudwatch:ListDashboards",
"cloudwatch:DeleteDashboards",
"cloudwatch:GetDashboard"
],
"Resource": "*"
}
]
}
```
------
### `ParallelClusterUserPolicy` con `awsbatch`
En el ejemplo siguiente se establece `ParallelClusterUserPolicy`, utilizando `awsbatch` como programador. En este ejemplo, «**» es el valor de la [`cluster_resource_bucket`](cluster-definition.md#cluster-resource-bucket-section) configuración; si no se especifica, «» [`cluster_resource_bucket`](cluster-definition.md#cluster-resource-bucket-section) es «parallelcluster-\$1**».
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Action": [
"ec2:DescribeKeyPairs",
"ec2:DescribeRegions",
"ec2:DescribeVpcs",
"ec2:DescribeSubnets",
"ec2:DescribeSecurityGroups",
"ec2:DescribePlacementGroups",
"ec2:DescribeImages",
"ec2:DescribeInstances",
"ec2:DescribeInstanceStatus",
"ec2:DescribeInstanceTypes",
"ec2:DescribeInstanceTypeOfferings",
"ec2:DescribeSnapshots",
"ec2:DescribeVolumes",
"ec2:DescribeVpcAttribute",
"ec2:DescribeAddresses",
"ec2:CreateTags",
"ec2:DescribeNetworkInterfaces",
"ec2:DescribeAvailabilityZones"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "EC2Describe"
},
{
"Action": [
"ec2:CreateLaunchTemplate",
"ec2:CreateLaunchTemplateVersion",
"ec2:ModifyLaunchTemplate",
"ec2:DeleteLaunchTemplate",
"ec2:DescribeLaunchTemplates",
"ec2:DescribeLaunchTemplateVersions"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "EC2LaunchTemplate"
},
{
"Action": [
"ec2:CreateVpc",
"ec2:ModifyVpcAttribute",
"ec2:DescribeNatGateways",
"ec2:CreateNatGateway",
"ec2:DescribeInternetGateways",
"ec2:CreateInternetGateway",
"ec2:AttachInternetGateway",
"ec2:DescribeRouteTables",
"ec2:CreateRoute",
"ec2:CreateRouteTable",
"ec2:AssociateRouteTable",
"ec2:CreateSubnet",
"ec2:ModifySubnetAttribute"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "NetworkingEasyConfig"
},
{
"Action": [
"ec2:CreateVolume",
"ec2:RunInstances",
"ec2:AllocateAddress",
"ec2:AssociateAddress",
"ec2:AttachNetworkInterface",
"ec2:AuthorizeSecurityGroupEgress",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:CreateNetworkInterface",
"ec2:CreateSecurityGroup",
"ec2:ModifyVolumeAttribute",
"ec2:ModifyNetworkInterfaceAttribute",
"ec2:DeleteNetworkInterface",
"ec2:DeleteVolume",
"ec2:TerminateInstances",
"ec2:DeleteSecurityGroup",
"ec2:DisassociateAddress",
"ec2:RevokeSecurityGroupIngress",
"ec2:RevokeSecurityGroupEgress",
"ec2:ReleaseAddress",
"ec2:CreatePlacementGroup",
"ec2:DeletePlacementGroup"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "EC2Modify"
},
{
"Action": [
"dynamodb:DescribeTable",
"dynamodb:CreateTable",
"dynamodb:DeleteTable",
"dynamodb:GetItem",
"dynamodb:PutItem",
"dynamodb:Query",
"dynamodb:TagResource"
],
"Resource": "arn:aws:dynamodb:us-east-1:111122223333:table/parallelcluster-*",
"Effect": "Allow",
"Sid": "DynamoDB"
},
{
"Action": [
"cloudformation:DescribeStackEvents",
"cloudformation:DescribeStackResource",
"cloudformation:DescribeStackResources",
"cloudformation:DescribeStacks",
"cloudformation:ListStacks",
"cloudformation:GetTemplate",
"cloudformation:CreateStack",
"cloudformation:DeleteStack",
"cloudformation:UpdateStack"
],
"Resource": "arn:aws:cloudformation:us-east-1:111122223333:stack/parallelcluster-*",
"Effect": "Allow",
"Sid": "CloudFormation"
},
{
"Action": [
"route53:ChangeResourceRecordSets",
"route53:ChangeTagsForResource",
"route53:CreateHostedZone",
"route53:DeleteHostedZone",
"route53:GetChange",
"route53:GetHostedZone",
"route53:ListResourceRecordSets"
],
"Resource": "arn:aws:route53:::hostedzone/*",
"Effect": "Allow",
"Sid": "Route53HostedZones"
},
{
"Action": [
"sqs:GetQueueAttributes",
"sqs:CreateQueue",
"sqs:SetQueueAttributes",
"sqs:DeleteQueue",
"sqs:TagQueue"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "SQS"
},
{
"Action": [
"sqs:SendMessage",
"sqs:ReceiveMessage",
"sqs:ChangeMessageVisibility",
"sqs:DeleteMessage",
"sqs:GetQueueUrl"
],
"Resource": "arn:aws:sqs:us-east-1:111122223333:parallelcluster-*",
"Effect": "Allow",
"Sid": "SQSQueue"
},
{
"Action": [
"sns:ListTopics",
"sns:GetTopicAttributes",
"sns:CreateTopic",
"sns:Subscribe",
"sns:Unsubscribe",
"sns:DeleteTopic"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "SNS"
},
{
"Action": [
"iam:PassRole",
"iam:CreateRole",
"iam:DeleteRole",
"iam:GetRole",
"iam:TagRole",
"iam:SimulatePrincipalPolicy"
],
"Resource": [
"arn:aws:iam::111122223333:role/parallelcluster-*",
"arn:aws:iam::111122223333:role/"
],
"Effect": "Allow",
"Sid": "IAMRole"
},
{
"Action": [
"iam:CreateInstanceProfile",
"iam:DeleteInstanceProfile",
"iam:GetInstanceProfile",
"iam:PassRole"
],
"Resource": "arn:aws:iam::111122223333:instance-profile/*",
"Effect": "Allow",
"Sid": "IAMInstanceProfile"
},
{
"Action": [
"iam:AddRoleToInstanceProfile",
"iam:RemoveRoleFromInstanceProfile",
"iam:GetRolePolicy",
"iam:PutRolePolicy",
"iam:DeleteRolePolicy",
"iam:GetPolicy",
"iam:AttachRolePolicy",
"iam:DetachRolePolicy"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "IAM"
},
{
"Action": [
"s3:*"
],
"Resource": [
"arn:aws:s3:::amzn-s3-demo-bucket"
],
"Effect": "Allow",
"Sid": "S3ResourcesBucket"
},
{
"Action": [
"s3:Get*",
"s3:List*"
],
"Resource": [
"arn:aws:s3:::us-east-1-aws-parallelcluster/*"
],
"Effect": "Allow",
"Sid": "S3ParallelClusterReadOnly"
},
{
"Action": [
"s3:DeleteBucket",
"s3:DeleteObject",
"s3:DeleteObjectVersion"
],
"Resource": [
"arn:aws:s3:::amzn-s3-demo-bucket"
],
"Effect": "Allow",
"Sid": "S3Delete"
},
{
"Action": [
"lambda:CreateFunction",
"lambda:DeleteFunction",
"lambda:GetFunction",
"lambda:GetFunctionConfiguration",
"lambda:InvokeFunction",
"lambda:AddPermission",
"lambda:RemovePermission",
"lambda:TagResource",
"lambda:ListTags",
"lambda:UntagResource"
],
"Resource": [
"arn:aws:lambda:us-east-1:111122223333:function:parallelcluster-*",
"arn:aws:lambda:us-east-1:111122223333:function:pcluster-*"
],
"Effect": "Allow",
"Sid": "Lambda"
},
{
"Action": [
"logs:*"
],
"Resource": "arn:aws:logs:us-east-1:111122223333:*",
"Effect": "Allow",
"Sid": "Logs"
},
{
"Action": [
"codebuild:*"
],
"Resource": "arn:aws:codebuild:us-east-1:111122223333:project/parallelcluster-*",
"Effect": "Allow",
"Sid": "CodeBuild"
},
{
"Action": [
"ecr:*"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "ECR"
},
{
"Action": [
"batch:*"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "Batch"
},
{
"Action": [
"events:*"
],
"Effect": "Allow",
"Resource": "*",
"Sid": "AmazonCloudWatchEvents"
},
{
"Action": [
"ecs:DescribeContainerInstances",
"ecs:ListContainerInstances"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "ECS"
},
{
"Action": [
"elasticfilesystem:CreateFileSystem",
"elasticfilesystem:CreateMountTarget",
"elasticfilesystem:DeleteFileSystem",
"elasticfilesystem:DeleteMountTarget",
"elasticfilesystem:DescribeFileSystems",
"elasticfilesystem:DescribeMountTargets"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "EFS"
},
{
"Action": [
"fsx:*"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "FSx"
},
{
"Sid": "CloudWatch",
"Effect": "Allow",
"Action": [
"cloudwatch:PutDashboard",
"cloudwatch:ListDashboards",
"cloudwatch:DeleteDashboards",
"cloudwatch:GetDashboard"
],
"Resource": "*"
}
]
}
```
------
### `ParallelClusterLambdaPolicy`usando, o SGE Slurm Torque
En el ejemplo siguiente se establece `ParallelClusterLambdaPolicy`, utilizando SGE, Slurm o Torque como programador.
**nota**
A partir de la versión 2.11.5, AWS ParallelCluster no admite el uso de planificadores o. SGE Torque
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource": "arn:aws:logs:*:*:*",
"Effect": "Allow",
"Sid": "CloudWatchLogsPolicy"
},
{
"Action": [
"s3:DeleteBucket",
"s3:DeleteObject",
"s3:DeleteObjectVersion",
"s3:ListBucket",
"s3:ListBucketVersions"
],
"Resource": [
"arn:aws:s3:::*"
],
"Effect": "Allow",
"Sid": "S3BucketPolicy"
},
{
"Action": [
"ec2:DescribeInstances"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "DescribeInstances"
},
{
"Action": [
"ec2:TerminateInstances"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "FleetTerminatePolicy"
},
{
"Action": [
"dynamodb:GetItem",
"dynamodb:PutItem"
],
"Resource": "arn:aws:dynamodb:us-east-1:111122223333:table/parallelcluster-*",
"Effect": "Allow",
"Sid": "DynamoDBTable"
},
{
"Action": [
"route53:ListResourceRecordSets",
"route53:ChangeResourceRecordSets"
],
"Resource": [
"arn:aws:route53:::hostedzone/*"
],
"Effect": "Allow",
"Sid": "Route53DeletePolicy"
}
]
}
```
------
### `ParallelClusterLambdaPolicy` con `awsbatch`
En el ejemplo siguiente se establece `ParallelClusterLambdaPolicy`, utilizando `awsbatch` como programador.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Effect": "Allow",
"Resource": "arn:aws:logs:*:*:*",
"Sid": "CloudWatchLogsPolicy"
},
{
"Action": [
"ecr:BatchDeleteImage",
"ecr:ListImages"
],
"Effect": "Allow",
"Resource": "*",
"Sid": "ECRPolicy"
},
{
"Action": [
"codebuild:BatchGetBuilds",
"codebuild:StartBuild"
],
"Effect": "Allow",
"Resource": "*",
"Sid": "CodeBuildPolicy"
},
{
"Action": [
"s3:DeleteBucket",
"s3:DeleteObject",
"s3:DeleteObjectVersion",
"s3:ListBucket",
"s3:ListBucketVersions"
],
"Effect": "Allow",
"Resource": "*",
"Sid": "S3BucketPolicy"
}
]
}
```
------
### `ParallelClusterUserPolicy` para usuarios
El siguiente ejemplo establece la `ParallelClusterUserPolicy` para los usuarios que no necesitan crear o actualizar clústeres. Se admiten los siguientes comandos:
+ [`pcluster dcv`](pcluster.dcv.md)
+ [`pcluster instances`](pcluster.instances.md)
+ [`pcluster list`](pcluster.list.md)
+ [`pcluster ssh`](pcluster.ssh.md)
+ [`pcluster start`](pcluster.start.md)
+ [`pcluster status`](pcluster.status.md)
+ [`pcluster stop`](pcluster.stop.md)
+ [`pcluster version`](pcluster.version.md)
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "MinimumModify",
"Action": [
"autoscaling:UpdateAutoScalingGroup",
"batch:UpdateComputeEnvironment",
"cloudformation:DescribeStackEvents",
"cloudformation:DescribeStackResources",
"cloudformation:GetTemplate",
"dynamodb:GetItem",
"dynamodb:PutItem"
],
"Effect": "Allow",
"Resource": [
"arn:aws:autoscaling:us-east-1:111122223333:autoScalingGroup:*:autoScalingGroupName/parallelcluster-*",
"arn:aws:batch:us-east-1:111122223333:compute-environment/*",
"arn:aws:cloudformation:us-east-1:111122223333:stack//*",
"arn:aws:dynamodb:us-east-1:111122223333:table/"
]
},
{
"Sid": "Describe",
"Action": [
"cloudformation:DescribeStacks",
"ec2:DescribeInstances",
"ec2:DescribeInstanceStatus"
],
"Effect": "Allow",
"Resource": "*"
}
]
}
```
------