Le traduzioni sono generate tramite traduzione automatica. In caso di conflitto tra il contenuto di una traduzione e la versione originale in Inglese, quest'ultima prevarrà.
AWS Identity and Access Management ruoli in AWS ParallelCluster
AWS ParallelCluster utilizza i ruoli AWS Identity and Access Management (IAM) per Amazon per consentire EC2 alle istanze di accedere ai AWS servizi per la distribuzione e il funzionamento di un cluster. Per impostazione predefinita, il ruolo IAM per Amazon EC2 viene creato al momento della creazione del cluster. Questo significa che l'utente che crea il cluster deve disporre del livello di autorizzazioni appropriato, come descritto nelle seguenti sezioni.
AWS ParallelCluster utilizza più AWS servizi per distribuire e gestire un cluster. Consulta l'elenco completo nella AWS ParallelCluster sezione AWS Servizi utilizzati in.
È possibile tenere traccia delle modifiche alle politiche di esempio nella AWS ParallelCluster
documentazione su GitHub
Argomenti
Impostazioni predefinite per la creazione di cluster
Quando utilizzi le impostazioni predefinite per la creazione di cluster, il cluster crea un ruolo IAM predefinito per Amazon EC2 . L'utente che crea il cluster deve disporre del giusto livello di autorizzazioni per creare tutte le risorse necessarie per avviare il cluster. Ciò include la creazione di un ruolo IAM per Amazon EC2. In genere, l'utente deve disporre delle autorizzazioni di una policy AdministratorAccessgestita quando utilizza le impostazioni predefinite. Per informazioni sulle policy gestite, consulta le policy AWS gestite nella IAM User Guide.
Utilizzo di un ruolo IAM esistente per Amazon EC2
Al posto delle impostazioni predefinite, puoi utilizzare un esistente ec2_iam_roleper creare un cluster, ma devi definire la politica e il ruolo IAM prima di tentare di avviare il cluster. In genere, scegli un ruolo IAM esistente per Amazon per ridurre EC2 al minimo le autorizzazioni concesse agli utenti quando avviano i cluster. AWS ParallelCluster esempio di politiche relative a istanze e utentiIncludono le autorizzazioni minime richieste da AWS ParallelCluster e le relative funzionalità. È necessario creare sia le politiche che i ruoli come politiche individuali in IAM e quindi collegare i ruoli e le politiche alle risorse appropriate. Alcune politiche relative ai ruoli potrebbero aumentare di dimensioni e causare errori di quota. Per ulteriori informazioni, consulta Risoluzione dei problemi relativi alle dimensioni delle policy IAM. Nelle politiche <REGION><AWS ACCOUNT ID>, sostituisci e stringhe simili con i valori appropriati.
Se il tuo intento è aggiungere politiche aggiuntive alle impostazioni predefinite per i nodi del cluster, ti consigliamo di passare le politiche IAM personalizzate aggiuntive con l'additional_iam_policiesimpostazione invece di utilizzare le ec2_iam_roleimpostazioni.
AWS ParallelCluster esempio di politiche relative a istanze e utenti
Le seguenti politiche di esempio includono Amazon Resource Names (ARNs) per le risorse. Se state lavorando nelle partizioni AWS GovCloud (US) o in AWS Cina, queste ARNs devono essere cambiate. In particolare, devono essere modificati da «arn:aws» a «arn:aws-us-gov" per la AWS GovCloud (US) partizione o «arn:aws-cn» per la partizione cinese. AWS Per ulteriori informazioni, consulta Amazon Resource Names (ARNs) in AWS GovCloud (US)
Regions nella AWS GovCloud (US) User Guide e ARNs per AWS i servizi in Cina in
Queste politiche includono le autorizzazioni minime attualmente richieste da AWS ParallelCluster, le relative funzionalità e risorse. Alcune politiche relative ai ruoli potrebbero aumentare di dimensioni e causare errori di quota. Per ulteriori informazioni, consulta Risoluzione dei problemi relativi alle dimensioni delle policy IAM.
Argomenti
ParallelClusterInstancePolicyutilizzando SGESlurm, o Torque
Nota
A partire dalla versione 2.11.5, AWS ParallelCluster non supporta l'uso dei nostri schedulerSGE. Torque Puoi continuare a utilizzarli nelle versioni fino alla 2.11.4 inclusa, ma non sono idonei per futuri aggiornamenti o supporto per la risoluzione dei problemi da parte dei team di AWS assistenza e AWS supporto.
Argomenti
ParallelClusterInstancePolicy tramite Slurm
L'esempio seguente imposta l'ParallelClusterInstancePolicyutilizzo Slurm come scheduler.
{ "Version": "2012-10-17", "Statement": [ { "Action": [ "ec2:DescribeVolumes", "ec2:AttachVolume", "ec2:DescribeInstanceAttribute", "ec2:DescribeInstanceStatus", "ec2:DescribeInstanceTypes", "ec2:DescribeInstances", "ec2:DescribeRegions", "ec2:TerminateInstances", "ec2:DescribeLaunchTemplates", "ec2:CreateTags" ], "Resource": [ "*" ], "Effect": "Allow", "Sid": "EC2" }, { "Action": "ec2:RunInstances", "Resource": [ "arn:aws:ec2:<REGION>:<AWS ACCOUNT ID>:subnet/<COMPUTE SUBNET ID>", "arn:aws:ec2:<REGION>:<AWS ACCOUNT ID>:network-interface/*", "arn:aws:ec2:<REGION>:<AWS ACCOUNT ID>:instance/*", "arn:aws:ec2:<REGION>:<AWS ACCOUNT ID>:volume/*", "arn:aws:ec2:<REGION>::image/<IMAGE ID>", "arn:aws:ec2:<REGION>:<AWS ACCOUNT ID>:key-pair/<KEY NAME>", "arn:aws:ec2:<REGION>:<AWS ACCOUNT ID>:security-group/*", "arn:aws:ec2:<REGION>:<AWS ACCOUNT ID>:launch-template/*", "arn:aws:ec2:<REGION>:<AWS ACCOUNT ID>:placement-group/*" ], "Effect": "Allow", "Sid": "EC2RunInstances" }, { "Action": [ "dynamodb:ListTables" ], "Resource": [ "*" ], "Effect": "Allow", "Sid": "DynamoDBList" }, { "Action": [ "cloudformation:DescribeStacks", "cloudformation:DescribeStackResource", "cloudformation:SignalResource" ], "Resource": [ "arn:aws:cloudformation:<REGION>:<AWS ACCOUNT ID>:stack/parallelcluster-*/*" ], "Effect": "Allow", "Sid": "CloudFormation" }, { "Action": [ "dynamodb:PutItem", "dynamodb:Query", "dynamodb:GetItem", "dynamodb:BatchWriteItem", "dynamodb:DeleteItem", "dynamodb:DescribeTable" ], "Resource": [ "arn:aws:dynamodb:<REGION>:<AWS ACCOUNT ID>:table/parallelcluster-*" ], "Effect": "Allow", "Sid": "DynamoDBTable" }, { "Action": [ "s3:GetObject" ], "Resource": [ "arn:aws:s3:::<REGION>-aws-parallelcluster/*" ], "Effect": "Allow", "Sid": "S3GetObj" }, { "Action": [ "iam:PassRole" ], "Resource": [ "*" ], "Effect": "Allow", "Sid": "IAMPassRole", "Condition": { "StringEquals": { "iam:PassedToService": [ "ec2.amazonaws.com" ] } } }, { "Action": [ "s3:GetObject" ], "Resource": [ "arn:aws:s3:::dcv-license.<REGION>/*" ], "Effect": "Allow", "Sid": "DcvLicense" }, { "Action": [ "s3:GetObject", "s3:GetObjectVersion" ], "Resource": [ "arn:aws:s3:::parallelcluster-*/*" ], "Effect": "Allow", "Sid": "GetClusterConfig" }, { "Action": [ "fsx:DescribeFileSystems" ], "Resource": [ "*" ], "Effect": "Allow", "Sid": "FSx" }, { "Action": [ "logs:CreateLogStream", "logs:PutLogEvents" ], "Resource": [ "*" ], "Effect": "Allow", "Sid": "CWLogs" }, { "Action": [ "route53:ChangeResourceRecordSets" ], "Resource": [ "arn:aws:route53:::hostedzone/*" ], "Effect": "Allow", "Sid": "Route53" } ] }
ParallelClusterInstancePolicyutilizzando SGE o Torque
L'esempio seguente imposta l'ParallelClusterInstancePolicyutilizzo di SGE or Torque come scheduler.
Nota
Questa politica si applica solo alle AWS ParallelCluster versioni fino alla versione 2.11.4 inclusa. A partire dalla versione 2.11.5, AWS ParallelCluster non supporta l'uso dei nostri scheduler. SGE Torque
{ "Version": "2012-10-17", "Statement": [ { "Action": [ "ec2:DescribeVolumes", "ec2:AttachVolume", "ec2:DescribeInstanceAttribute", "ec2:DescribeInstanceStatus", "ec2:DescribeInstanceTypes", "ec2:DescribeInstances", "ec2:DescribeRegions", "ec2:TerminateInstances", "ec2:DescribeLaunchTemplates", "ec2:CreateTags" ], "Resource": [ "*" ], "Effect": "Allow", "Sid": "EC2" }, { "Action": "ec2:RunInstances", "Resource": [ "arn:aws:ec2:<REGION>:<AWS ACCOUNT ID>:subnet/<COMPUTE SUBNET ID>", "arn:aws:ec2:<REGION>:<AWS ACCOUNT ID>:network-interface/*", "arn:aws:ec2:<REGION>:<AWS ACCOUNT ID>:instance/*", "arn:aws:ec2:<REGION>:<AWS ACCOUNT ID>:volume/*", "arn:aws:ec2:<REGION>::image/<IMAGE ID>", "arn:aws:ec2:<REGION>:<AWS ACCOUNT ID>:key-pair/<KEY NAME>", "arn:aws:ec2:<REGION>:<AWS ACCOUNT ID>:security-group/*", "arn:aws:ec2:<REGION>:<AWS ACCOUNT ID>:launch-template/*", "arn:aws:ec2:<REGION>:<AWS ACCOUNT ID>:placement-group/*" ], "Effect": "Allow", "Sid": "EC2RunInstances" }, { "Action": [ "dynamodb:ListTables" ], "Resource": [ "*" ], "Effect": "Allow", "Sid": "DynamoDBList" }, { "Action": [ "sqs:SendMessage", "sqs:ReceiveMessage", "sqs:ChangeMessageVisibility", "sqs:DeleteMessage", "sqs:GetQueueUrl" ], "Resource": [ "arn:aws:sqs:<REGION>:<AWS ACCOUNT ID>:parallelcluster-*" ], "Effect": "Allow", "Sid": "SQSQueue" }, { "Action": [ "autoscaling:DescribeAutoScalingGroups", "autoscaling:TerminateInstanceInAutoScalingGroup", "autoscaling:SetDesiredCapacity", "autoscaling:UpdateAutoScalingGroup", "autoscaling:DescribeTags", "autoscaling:SetInstanceHealth" ], "Resource": [ "*" ], "Effect": "Allow", "Sid": "Autoscaling" }, { "Action": [ "cloudformation:DescribeStacks", "cloudformation:DescribeStackResource", "cloudformation:SignalResource" ], "Resource": [ "arn:aws:cloudformation:<REGION>:<AWS ACCOUNT ID>:stack/parallelcluster-*/*" ], "Effect": "Allow", "Sid": "CloudFormation" }, { "Action": [ "dynamodb:PutItem", "dynamodb:Query", "dynamodb:GetItem", "dynamodb:BatchWriteItem", "dynamodb:DeleteItem", "dynamodb:DescribeTable" ], "Resource": [ "arn:aws:dynamodb:<REGION>:<AWS ACCOUNT ID>:table/parallelcluster-*" ], "Effect": "Allow", "Sid": "DynamoDBTable" }, { "Action": [ "s3:GetObject" ], "Resource": [ "arn:aws:s3:::<REGION>-aws-parallelcluster/*" ], "Effect": "Allow", "Sid": "S3GetObj" }, { "Action": [ "sqs:ListQueues" ], "Resource": [ "*" ], "Effect": "Allow", "Sid": "SQSList" }, { "Action": [ "iam:PassRole" ], "Resource": [ "*" ], "Effect": "Allow", "Sid": "IAMPassRole", "Condition": { "StringEquals": { "iam:PassedToService": [ "ec2.amazonaws.com" ] } } }, { "Action": [ "s3:GetObject" ], "Resource": [ "arn:aws:s3:::dcv-license.<REGION>/*" ], "Effect": "Allow", "Sid": "DcvLicense" }, { "Action": [ "s3:GetObject", "s3:GetObjectVersion" ], "Resource": [ "arn:aws:s3:::parallelcluster-*/*" ], "Effect": "Allow", "Sid": "GetClusterConfig" }, { "Action": [ "fsx:DescribeFileSystems" ], "Resource": [ "*" ], "Effect": "Allow", "Sid": "FSx" }, { "Action": [ "logs:CreateLogStream", "logs:PutLogEvents" ], "Resource": [ "*" ], "Effect": "Allow", "Sid": "CWLogs" }, { "Action": [ "route53:ChangeResourceRecordSets" ], "Resource": [ "arn:aws:route53:::hostedzone/*" ], "Effect": "Allow", "Sid": "Route53" } ] }
ParallelClusterInstancePolicy tramite awsbatch
L'esempio seguente imposta l'ParallelClusterInstancePolicyutilizzo awsbatch come scheduler. È necessario includere le stesse politiche assegnate a quelle definite nello stack AWS Batch AWS CloudFormation annidato. BatchUserRole L'ARN BatchUserRole viene fornito come output dello stack. In questo esempio, «<RESOURCES S3 BUCKET>» è il valore dell'cluster_resource_bucketimpostazione; se non cluster_resource_bucket è specificato, «» è «<RESOURCES S3 BUCKET>parallelcluster-*». L'esempio seguente è una panoramica delle autorizzazioni richieste:
{ "Version": "2012-10-17", "Statement": [ { "Action": [ "batch:RegisterJobDefinition", "logs:GetLogEvents" ], "Resource": [ "*" ], "Effect": "Allow" }, { "Action": [ "batch:SubmitJob", "cloudformation:DescribeStacks", "ecs:ListContainerInstances", "ecs:DescribeContainerInstances", "logs:FilterLogEvents", "s3:PutObject", "s3:Get*", "s3:DeleteObject", "iam:PassRole" ], "Resource": [ "arn:aws:batch:<REGION>:<AWS ACCOUNT ID>:job-definition/<AWS_BATCH_STACK - JOB_DEFINITION_SERIAL_NAME>:1", "arn:aws:batch:<REGION>:<AWS ACCOUNT ID>:job-definition/<AWS_BATCH_STACK - JOB_DEFINITION_MNP_NAME>*", "arn:aws:batch:<REGION>:<AWS ACCOUNT ID>:job-queue/<AWS_BATCH_STACK - JOB_QUEUE_NAME>", "arn:aws:cloudformation:<REGION>:<AWS ACCOUNT ID>:stack/<STACK NAME>/*", "arn:aws:s3:::<RESOURCES S3 BUCKET>/batch/*", "arn:aws:iam::<AWS ACCOUNT ID>:role/<AWS_BATCH_STACK - JOB_ROLE>", "arn:aws:ecs:<REGION>:<AWS ACCOUNT ID>:cluster/<ECS COMPUTE ENVIRONMENT>", "arn:aws:ecs:<REGION>:<AWS ACCOUNT ID>:container-instance/*", "arn:aws:logs:<REGION>:<AWS ACCOUNT ID>:log-group:/aws/batch/job:log-stream:*" ], "Effect": "Allow" }, { "Action": [ "s3:List*" ], "Resource": [ "arn:aws:s3:::<RESOURCES S3 BUCKET>" ], "Effect": "Allow" }, { "Action": [ "batch:DescribeJobQueues", "batch:TerminateJob", "batch:DescribeJobs", "batch:CancelJob", "batch:DescribeJobDefinitions", "batch:ListJobs", "batch:DescribeComputeEnvironments" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "ec2:DescribeInstances", "ec2:AttachVolume", "ec2:DescribeVolumes", "ec2:DescribeInstanceAttribute" ], "Resource": "*", "Effect": "Allow", "Sid": "EC2" }, { "Action": [ "cloudformation:DescribeStackResource", "cloudformation:SignalResource" ], "Resource": "*", "Effect": "Allow", "Sid": "CloudFormation" }, { "Action": [ "fsx:DescribeFileSystems" ], "Resource": [ "*" ], "Effect": "Allow", "Sid": "FSx" }, { "Action": [ "logs:CreateLogGroup", "logs:TagResource", "logs:UntagResource", "logs:CreateLogStream" ], "Resource": [ "*" ], "Effect": "Allow", "Sid": "CWLogs" } ] }
ParallelClusterUserPolicy tramite Slurm
L'esempio seguente imposta ParallelClusterUserPolicy utilizzando Slurm come pianificatore. In questo esempio, «<RESOURCES S3 BUCKET>» è il valore dell'cluster_resource_bucketimpostazione; se non cluster_resource_bucket è specificato, «<RESOURCES S3 BUCKET>» è «parallelcluster-*».
Nota
Se utilizzi un ruolo personalizzato ec2_iam_role =
, devi modificare la risorsa IAM per includere il nome di quel ruolo da:<role_name>
"Resource": "arn:aws:iam::<AWS ACCOUNT
ID>:role/parallelcluster-*"
A:
"Resource": "arn:aws:iam::<AWS ACCOUNT
ID>:role/<role_name>"
{ "Version": "2012-10-17", "Statement": [ { "Action": [ "ec2:DescribeKeyPairs", "ec2:DescribeRegions", "ec2:DescribeVpcs", "ec2:DescribeSubnets", "ec2:DescribeSecurityGroups", "ec2:DescribePlacementGroups", "ec2:DescribeImages", "ec2:DescribeInstances", "ec2:DescribeInstanceStatus", "ec2:DescribeInstanceTypes", "ec2:DescribeInstanceTypeOfferings", "ec2:DescribeSnapshots", "ec2:DescribeVolumes", "ec2:DescribeVpcAttribute", "ec2:DescribeAddresses", "ec2:CreateTags", "ec2:DescribeNetworkInterfaces", "ec2:DescribeAvailabilityZones" ], "Resource": "*", "Effect": "Allow", "Sid": "EC2Describe" }, { "Action": [ "ec2:CreateVpc", "ec2:ModifyVpcAttribute", "ec2:DescribeNatGateways", "ec2:CreateNatGateway", "ec2:DescribeInternetGateways", "ec2:CreateInternetGateway", "ec2:AttachInternetGateway", "ec2:DescribeRouteTables", "ec2:CreateRoute", "ec2:CreateRouteTable", "ec2:AssociateRouteTable", "ec2:CreateSubnet", "ec2:ModifySubnetAttribute" ], "Resource": "*", "Effect": "Allow", "Sid": "NetworkingEasyConfig" }, { "Action": [ "ec2:CreateVolume", "ec2:RunInstances", "ec2:AllocateAddress", "ec2:AssociateAddress", "ec2:AttachNetworkInterface", "ec2:AuthorizeSecurityGroupEgress", "ec2:AuthorizeSecurityGroupIngress", "ec2:CreateNetworkInterface", "ec2:CreateSecurityGroup", "ec2:ModifyVolumeAttribute", "ec2:ModifyNetworkInterfaceAttribute", "ec2:DeleteNetworkInterface", "ec2:DeleteVolume", "ec2:TerminateInstances", "ec2:DeleteSecurityGroup", "ec2:DisassociateAddress", "ec2:RevokeSecurityGroupIngress", "ec2:RevokeSecurityGroupEgress", "ec2:ReleaseAddress", "ec2:CreatePlacementGroup", "ec2:DeletePlacementGroup" ], "Resource": "*", "Effect": "Allow", "Sid": "EC2Modify" }, { "Action": [ "autoscaling:CreateAutoScalingGroup", "ec2:CreateLaunchTemplate", "ec2:CreateLaunchTemplateVersion", "ec2:ModifyLaunchTemplate", "ec2:DeleteLaunchTemplate", "ec2:DescribeLaunchTemplates", "ec2:DescribeLaunchTemplateVersions" ], "Resource": "*", "Effect": "Allow", "Sid": "ScalingModify" }, { "Action": [ "dynamodb:DescribeTable", "dynamodb:ListTagsOfResource" ], "Resource": "*", "Effect": "Allow", "Sid": "DynamoDBDescribe" }, { "Action": [ "dynamodb:CreateTable", "dynamodb:DeleteTable", "dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:Query", "dynamodb:TagResource" ], "Resource": "*", "Effect": "Allow", "Sid": "DynamoDBModify" }, { "Action": [ "route53:ChangeResourceRecordSets", "route53:ChangeTagsForResource", "route53:CreateHostedZone", "route53:DeleteHostedZone", "route53:GetChange", "route53:GetHostedZone", "route53:ListResourceRecordSets", "route53:ListQueryLoggingConfigs" ], "Resource": "*", "Effect": "Allow", "Sid": "Route53HostedZones" }, { "Action": [ "cloudformation:DescribeStackEvents", "cloudformation:DescribeStackResource", "cloudformation:DescribeStackResources", "cloudformation:DescribeStacks", "cloudformation:ListStacks", "cloudformation:GetTemplate" ], "Resource": "*", "Effect": "Allow", "Sid": "CloudFormationDescribe" }, { "Action": [ "cloudformation:CreateStack", "cloudformation:DeleteStack", "cloudformation:UpdateStack" ], "Effect": "Allow", "Resource": "*", "Sid": "CloudFormationModify" }, { "Action": [ "s3:*" ], "Resource": [ "arn:aws:s3:::<RESOURCES S3 BUCKET>" ], "Effect": "Allow", "Sid": "S3ResourcesBucket" }, { "Action": [ "s3:Get*", "s3:List*" ], "Resource": [ "arn:aws:s3:::<REGION>-aws-parallelcluster*" ], "Effect": "Allow", "Sid": "S3ParallelClusterReadOnly" }, { "Action": [ "s3:DeleteBucket", "s3:DeleteObject", "s3:DeleteObjectVersion" ], "Resource": [ "arn:aws:s3:::<RESOURCES S3 BUCKET>" ], "Effect": "Allow", "Sid": "S3Delete" }, { "Action": [ "iam:PassRole", "iam:CreateRole", "iam:DeleteRole", "iam:GetRole", "iam:TagRole", "iam:SimulatePrincipalPolicy" ], "Resource": [ "arn:aws:iam::<AWS ACCOUNT ID>:role/<PARALLELCLUSTER EC2 ROLE NAME>", "arn:aws:iam::<AWS ACCOUNT ID>:role/parallelcluster-*" ], "Effect": "Allow", "Sid": "IAMModify" }, { "Condition": { "StringEquals": { "iam:AWSServiceName": [ "fsx.amazonaws.com", "s3.data-source.lustre.fsx.amazonaws.com" ] } }, "Action": [ "iam:CreateServiceLinkedRole" ], "Resource": "arn:aws:iam::<AWS ACCOUNT ID>:role/aws-service-role/*", "Effect": "Allow", "Sid": "IAMServiceLinkedRole" }, { "Action": [ "iam:CreateInstanceProfile", "iam:DeleteInstanceProfile" ], "Resource": "arn:aws:iam::<AWS ACCOUNT ID>:instance-profile/*", "Effect": "Allow", "Sid": "IAMCreateInstanceProfile" }, { "Action": [ "iam:AddRoleToInstanceProfile", "iam:RemoveRoleFromInstanceProfile", "iam:GetRolePolicy", "iam:GetPolicy", "iam:AttachRolePolicy", "iam:DetachRolePolicy", "iam:PutRolePolicy", "iam:DeleteRolePolicy" ], "Resource": "*", "Effect": "Allow", "Sid": "IAMInstanceProfile" }, { "Action": [ "elasticfilesystem:DescribeMountTargets", "elasticfilesystem:DescribeMountTargetSecurityGroups", "ec2:DescribeNetworkInterfaceAttribute" ], "Resource": "*", "Effect": "Allow", "Sid": "EFSDescribe" }, { "Action": [ "ssm:GetParametersByPath" ], "Resource": "*", "Effect": "Allow", "Sid": "SSMDescribe" }, { "Action": [ "fsx:*" ], "Resource": "*", "Effect": "Allow", "Sid": "FSx" }, { "Action": [ "elasticfilesystem:*" ], "Resource": "*", "Effect": "Allow", "Sid": "EFS" }, { "Action": [ "logs:DeleteLogGroup", "logs:PutRetentionPolicy", "logs:DescribeLogGroups", "logs:CreateLogGroup", "logs:TagResource", "logs:UntagResource" ], "Resource": "*", "Effect": "Allow", "Sid": "CloudWatchLogs" }, { "Action": [ "lambda:CreateFunction", "lambda:DeleteFunction", "lambda:GetFunctionConfiguration", "lambda:GetFunction", "lambda:InvokeFunction", "lambda:AddPermission", "lambda:RemovePermission", "lambda:TagResource", "lambda:ListTags", "lambda:UntagResource" ], "Resource": [ "arn:aws:lambda:<REGION>:<AWS ACCOUNT ID>:function:parallelcluster-*", "arn:aws:lambda:<REGION>:<AWS ACCOUNT ID>:function:pcluster-*" ], "Effect": "Allow", "Sid": "Lambda" }, { "Sid": "CloudWatch", "Effect": "Allow", "Action": [ "cloudwatch:PutDashboard", "cloudwatch:ListDashboards", "cloudwatch:DeleteDashboards", "cloudwatch:GetDashboard" ], "Resource": "*" } ] }
ParallelClusterUserPolicyutilizzando SGE o Torque
Nota
Questa sezione si applica solo alle AWS ParallelCluster versioni fino alla versione 2.11.4 inclusa. A partire dalla versione 2.11.5, AWS ParallelCluster non supporta l'uso dei nostri scheduler. SGE Torque
L'esempio seguente impostaParallelClusterUserPolicy, utilizzando SGE o Torque come scheduler. In questo esempio, «<RESOURCES S3 BUCKET>» è il valore dell'cluster_resource_bucketimpostazione; se non cluster_resource_bucket è specificato, «<RESOURCES S3 BUCKET>» è «parallelcluster-*».
Nota
Se utilizzi un ruolo personalizzato ec2_iam_role =
, devi modificare la risorsa IAM per includere il nome di quel ruolo da:<role_name>
"Resource": "arn:aws:iam::<AWS ACCOUNT
ID>:role/parallelcluster-*"
A:
"Resource": "arn:aws:iam::<AWS ACCOUNT
ID>:role/<role_name>"
{ "Version": "2012-10-17", "Statement": [ { "Action": [ "ec2:DescribeKeyPairs", "ec2:DescribeRegions", "ec2:DescribeVpcs", "ec2:DescribeSubnets", "ec2:DescribeSecurityGroups", "ec2:DescribePlacementGroups", "ec2:DescribeImages", "ec2:DescribeInstances", "ec2:DescribeInstanceStatus", "ec2:DescribeInstanceTypes", "ec2:DescribeInstanceTypeOfferings", "ec2:DescribeSnapshots", "ec2:DescribeVolumes", "ec2:DescribeVpcAttribute", "ec2:DescribeAddresses", "ec2:CreateTags", "ec2:DescribeNetworkInterfaces", "ec2:DescribeAvailabilityZones" ], "Resource": "*", "Effect": "Allow", "Sid": "EC2Describe" }, { "Action": [ "ec2:CreateVpc", "ec2:ModifyVpcAttribute", "ec2:DescribeNatGateways", "ec2:CreateNatGateway", "ec2:DescribeInternetGateways", "ec2:CreateInternetGateway", "ec2:AttachInternetGateway", "ec2:DescribeRouteTables", "ec2:CreateRoute", "ec2:CreateRouteTable", "ec2:AssociateRouteTable", "ec2:CreateSubnet", "ec2:ModifySubnetAttribute" ], "Resource": "*", "Effect": "Allow", "Sid": "NetworkingEasyConfig" }, { "Action": [ "ec2:CreateVolume", "ec2:RunInstances", "ec2:AllocateAddress", "ec2:AssociateAddress", "ec2:AttachNetworkInterface", "ec2:AuthorizeSecurityGroupEgress", "ec2:AuthorizeSecurityGroupIngress", "ec2:CreateNetworkInterface", "ec2:CreateSecurityGroup", "ec2:ModifyVolumeAttribute", "ec2:ModifyNetworkInterfaceAttribute", "ec2:DeleteNetworkInterface", "ec2:DeleteVolume", "ec2:TerminateInstances", "ec2:DeleteSecurityGroup", "ec2:DisassociateAddress", "ec2:RevokeSecurityGroupIngress", "ec2:RevokeSecurityGroupEgress", "ec2:ReleaseAddress", "ec2:CreatePlacementGroup", "ec2:DeletePlacementGroup" ], "Resource": "*", "Effect": "Allow", "Sid": "EC2Modify" }, { "Action": [ "autoscaling:DescribeAutoScalingGroups", "autoscaling:DescribeAutoScalingInstances" ], "Resource": "*", "Effect": "Allow", "Sid": "AutoScalingDescribe" }, { "Action": [ "autoscaling:CreateAutoScalingGroup", "ec2:CreateLaunchTemplate", "ec2:CreateLaunchTemplateVersion", "ec2:ModifyLaunchTemplate", "ec2:DeleteLaunchTemplate", "ec2:DescribeLaunchTemplates", "ec2:DescribeLaunchTemplateVersions", "autoscaling:PutNotificationConfiguration", "autoscaling:UpdateAutoScalingGroup", "autoscaling:PutScalingPolicy", "autoscaling:DescribeScalingActivities", "autoscaling:DeleteAutoScalingGroup", "autoscaling:DeletePolicy", "autoscaling:DisableMetricsCollection", "autoscaling:EnableMetricsCollection" ], "Resource": "*", "Effect": "Allow", "Sid": "AutoScalingModify" }, { "Action": [ "dynamodb:DescribeTable", "dynamodb:ListTagsOfResource" ], "Resource": "*", "Effect": "Allow", "Sid": "DynamoDBDescribe" }, { "Action": [ "dynamodb:CreateTable", "dynamodb:DeleteTable", "dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:Query", "dynamodb:TagResource" ], "Resource": "*", "Effect": "Allow", "Sid": "DynamoDBModify" }, { "Action": [ "sqs:GetQueueAttributes" ], "Resource": "*", "Effect": "Allow", "Sid": "SQSDescribe" }, { "Action": [ "sqs:CreateQueue", "sqs:SetQueueAttributes", "sqs:DeleteQueue", "sqs:TagQueue" ], "Resource": "*", "Effect": "Allow", "Sid": "SQSModify" }, { "Action": [ "sns:ListTopics", "sns:GetTopicAttributes" ], "Resource": "*", "Effect": "Allow", "Sid": "SNSDescribe" }, { "Action": [ "sns:CreateTopic", "sns:Subscribe", "sns:Unsubscribe", "sns:DeleteTopic" ], "Resource": "*", "Effect": "Allow", "Sid": "SNSModify" }, { "Action": [ "cloudformation:DescribeStackEvents", "cloudformation:DescribeStackResource", "cloudformation:DescribeStackResources", "cloudformation:DescribeStacks", "cloudformation:ListStacks", "cloudformation:GetTemplate" ], "Resource": "*", "Effect": "Allow", "Sid": "CloudFormationDescribe" }, { "Action": [ "cloudformation:CreateStack", "cloudformation:DeleteStack", "cloudformation:UpdateStack" ], "Effect": "Allow", "Resource": "*", "Sid": "CloudFormationModify" }, { "Action": [ "s3:*" ], "Resource": [ "arn:aws:s3:::<RESOURCES S3 BUCKET>" ], "Effect": "Allow", "Sid": "S3ResourcesBucket" }, { "Action": [ "s3:Get*", "s3:List*" ], "Resource": [ "arn:aws:s3:::<REGION>-aws-parallelcluster*" ], "Effect": "Allow", "Sid": "S3ParallelClusterReadOnly" }, { "Action": [ "s3:DeleteBucket", "s3:DeleteObject", "s3:DeleteObjectVersion" ], "Resource": [ "arn:aws:s3:::<RESOURCES S3 BUCKET>" ], "Effect": "Allow", "Sid": "S3Delete" }, { "Action": [ "iam:PassRole", "iam:CreateRole", "iam:DeleteRole", "iam:GetRole", "iam:TagRole", "iam:SimulatePrincipalPolicy" ], "Resource": [ "arn:aws:iam::<AWS ACCOUNT ID>:role/<PARALLELCLUSTER EC2 ROLE NAME>", "arn:aws:iam::<AWS ACCOUNT ID>:role/parallelcluster-*" ], "Effect": "Allow", "Sid": "IAMModify" }, { "Condition": { "StringEquals": { "iam:AWSServiceName": [ "fsx.amazonaws.com", "s3.data-source.lustre.fsx.amazonaws.com" ] } }, "Action": [ "iam:CreateServiceLinkedRole" ], "Resource": "arn:aws:iam::<AWS ACCOUNT ID>:role/aws-service-role/*", "Effect": "Allow", "Sid": "IAMServiceLinkedRole" }, { "Action": [ "iam:CreateInstanceProfile", "iam:DeleteInstanceProfile" ], "Resource": "arn:aws:iam::<AWS ACCOUNT ID>:instance-profile/*", "Effect": "Allow", "Sid": "IAMCreateInstanceProfile" }, { "Action": [ "iam:AddRoleToInstanceProfile", "iam:RemoveRoleFromInstanceProfile", "iam:GetRolePolicy", "iam:GetPolicy", "iam:AttachRolePolicy", "iam:DetachRolePolicy", "iam:PutRolePolicy", "iam:DeleteRolePolicy" ], "Resource": "*", "Effect": "Allow", "Sid": "IAMInstanceProfile" }, { "Action": [ "elasticfilesystem:DescribeMountTargets", "elasticfilesystem:DescribeMountTargetSecurityGroups", "ec2:DescribeNetworkInterfaceAttribute" ], "Resource": "*", "Effect": "Allow", "Sid": "EFSDescribe" }, { "Action": [ "ssm:GetParametersByPath" ], "Resource": "*", "Effect": "Allow", "Sid": "SSMDescribe" }, { "Action": [ "fsx:*" ], "Resource": "*", "Effect": "Allow", "Sid": "FSx" }, { "Action": [ "elasticfilesystem:*" ], "Resource": "*", "Effect": "Allow", "Sid": "EFS" }, { "Action": [ "logs:DeleteLogGroup", "logs:PutRetentionPolicy", "logs:DescribeLogGroups", "logs:CreateLogGroup", "logs:TagResource", "logs:UntagResource" ], "Resource": "*", "Effect": "Allow", "Sid": "CloudWatchLogs" }, { "Action": [ "lambda:CreateFunction", "lambda:DeleteFunction", "lambda:GetFunctionConfiguration", "lambda:GetFunction", "lambda:InvokeFunction", "lambda:AddPermission", "lambda:RemovePermission", "lambda:TagResource", "lambda:ListTags", "lambda:UntagResource" ], "Resource": [ "arn:aws:lambda:<REGION>:<AWS ACCOUNT ID>:function:parallelcluster-*", "arn:aws:lambda:<REGION>:<AWS ACCOUNT ID>:function:pcluster-*" ], "Effect": "Allow", "Sid": "Lambda" }, { "Sid": "CloudWatch", "Effect": "Allow", "Action": [ "cloudwatch:PutDashboard", "cloudwatch:ListDashboards", "cloudwatch:DeleteDashboards", "cloudwatch:GetDashboard" ], "Resource": "*" } ] }
ParallelClusterUserPolicy tramite awsbatch
L'esempio seguente imposta l'ParallelClusterUserPolicyutilizzo awsbatch come scheduler. In questo esempio, «<RESOURCES S3 BUCKET>» è il valore dell'cluster_resource_bucketimpostazione; se non cluster_resource_bucket è specificato, «<RESOURCES S3 BUCKET>» è «parallelcluster-*».
{ "Version": "2012-10-17", "Statement": [ { "Action": [ "ec2:DescribeKeyPairs", "ec2:DescribeRegions", "ec2:DescribeVpcs", "ec2:DescribeSubnets", "ec2:DescribeSecurityGroups", "ec2:DescribePlacementGroups", "ec2:DescribeImages", "ec2:DescribeInstances", "ec2:DescribeInstanceStatus", "ec2:DescribeInstanceTypes", "ec2:DescribeInstanceTypeOfferings", "ec2:DescribeSnapshots", "ec2:DescribeVolumes", "ec2:DescribeVpcAttribute", "ec2:DescribeAddresses", "ec2:CreateTags", "ec2:DescribeNetworkInterfaces", "ec2:DescribeAvailabilityZones" ], "Resource": "*", "Effect": "Allow", "Sid": "EC2Describe" }, { "Action": [ "ec2:CreateLaunchTemplate", "ec2:CreateLaunchTemplateVersion", "ec2:ModifyLaunchTemplate", "ec2:DeleteLaunchTemplate", "ec2:DescribeLaunchTemplates", "ec2:DescribeLaunchTemplateVersions" ], "Resource": "*", "Effect": "Allow", "Sid": "EC2LaunchTemplate" }, { "Action": [ "ec2:CreateVpc", "ec2:ModifyVpcAttribute", "ec2:DescribeNatGateways", "ec2:CreateNatGateway", "ec2:DescribeInternetGateways", "ec2:CreateInternetGateway", "ec2:AttachInternetGateway", "ec2:DescribeRouteTables", "ec2:CreateRoute", "ec2:CreateRouteTable", "ec2:AssociateRouteTable", "ec2:CreateSubnet", "ec2:ModifySubnetAttribute" ], "Resource": "*", "Effect": "Allow", "Sid": "NetworkingEasyConfig" }, { "Action": [ "ec2:CreateVolume", "ec2:RunInstances", "ec2:AllocateAddress", "ec2:AssociateAddress", "ec2:AttachNetworkInterface", "ec2:AuthorizeSecurityGroupEgress", "ec2:AuthorizeSecurityGroupIngress", "ec2:CreateNetworkInterface", "ec2:CreateSecurityGroup", "ec2:ModifyVolumeAttribute", "ec2:ModifyNetworkInterfaceAttribute", "ec2:DeleteNetworkInterface", "ec2:DeleteVolume", "ec2:TerminateInstances", "ec2:DeleteSecurityGroup", "ec2:DisassociateAddress", "ec2:RevokeSecurityGroupIngress", "ec2:RevokeSecurityGroupEgress", "ec2:ReleaseAddress", "ec2:CreatePlacementGroup", "ec2:DeletePlacementGroup" ], "Resource": "*", "Effect": "Allow", "Sid": "EC2Modify" }, { "Action": [ "dynamodb:DescribeTable", "dynamodb:CreateTable", "dynamodb:DeleteTable", "dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:Query", "dynamodb:TagResource" ], "Resource": "arn:aws:dynamodb:<REGION>:<AWS ACCOUNT ID>:table/parallelcluster-*", "Effect": "Allow", "Sid": "DynamoDB" }, { "Action": [ "cloudformation:DescribeStackEvents", "cloudformation:DescribeStackResource", "cloudformation:DescribeStackResources", "cloudformation:DescribeStacks", "cloudformation:ListStacks", "cloudformation:GetTemplate", "cloudformation:CreateStack", "cloudformation:DeleteStack", "cloudformation:UpdateStack" ], "Resource": "arn:aws:cloudformation:<REGION>:<AWS ACCOUNT ID>:stack/parallelcluster-*", "Effect": "Allow", "Sid": "CloudFormation" }, { "Action": [ "route53:ChangeResourceRecordSets", "route53:ChangeTagsForResource", "route53:CreateHostedZone", "route53:DeleteHostedZone", "route53:GetChange", "route53:GetHostedZone", "route53:ListResourceRecordSets" ], "Resource": "arn:aws:route53:::hostedzone/*", "Effect": "Allow", "Sid": "Route53HostedZones" }, { "Action": [ "sqs:GetQueueAttributes", "sqs:CreateQueue", "sqs:SetQueueAttributes", "sqs:DeleteQueue", "sqs:TagQueue" ], "Resource": "*", "Effect": "Allow", "Sid": "SQS" }, { "Action": [ "sqs:SendMessage", "sqs:ReceiveMessage", "sqs:ChangeMessageVisibility", "sqs:DeleteMessage", "sqs:GetQueueUrl" ], "Resource": "arn:aws:sqs:<REGION>:<AWS ACCOUNT ID>:parallelcluster-*", "Effect": "Allow", "Sid": "SQSQueue" }, { "Action": [ "sns:ListTopics", "sns:GetTopicAttributes", "sns:CreateTopic", "sns:Subscribe", "sns:Unsubscribe", "sns:DeleteTopic" ], "Resource": "*", "Effect": "Allow", "Sid": "SNS" }, { "Action": [ "iam:PassRole", "iam:CreateRole", "iam:DeleteRole", "iam:GetRole", "iam:TagRole", "iam:SimulatePrincipalPolicy" ], "Resource": [ "arn:aws:iam::<AWS ACCOUNT ID>:role/parallelcluster-*", "arn:aws:iam::<AWS ACCOUNT ID>:role/<PARALLELCLUSTER EC2 ROLE NAME>" ], "Effect": "Allow", "Sid": "IAMRole" }, { "Action": [ "iam:CreateInstanceProfile", "iam:DeleteInstanceProfile", "iam:GetInstanceProfile", "iam:PassRole" ], "Resource": "arn:aws:iam::<AWS ACCOUNT ID>:instance-profile/*", "Effect": "Allow", "Sid": "IAMInstanceProfile" }, { "Action": [ "iam:AddRoleToInstanceProfile", "iam:RemoveRoleFromInstanceProfile", "iam:GetRolePolicy", "iam:PutRolePolicy", "iam:DeleteRolePolicy", "iam:GetPolicy", "iam:AttachRolePolicy", "iam:DetachRolePolicy" ], "Resource": "*", "Effect": "Allow", "Sid": "IAM" }, { "Action": [ "s3:*" ], "Resource": [ "arn:aws:s3:::<RESOURCES S3 BUCKET>" ], "Effect": "Allow", "Sid": "S3ResourcesBucket" }, { "Action": [ "s3:Get*", "s3:List*" ], "Resource": [ "arn:aws:s3:::<REGION>-aws-parallelcluster/*" ], "Effect": "Allow", "Sid": "S3ParallelClusterReadOnly" }, { "Action": [ "s3:DeleteBucket", "s3:DeleteObject", "s3:DeleteObjectVersion" ], "Resource": [ "arn:aws:s3:::<RESOURCES S3 BUCKET>" ], "Effect": "Allow", "Sid": "S3Delete" }, { "Action": [ "lambda:CreateFunction", "lambda:DeleteFunction", "lambda:GetFunction", "lambda:GetFunctionConfiguration", "lambda:InvokeFunction", "lambda:AddPermission", "lambda:RemovePermission", "lambda:TagResource", "lambda:ListTags", "lambda:UntagResource" ], "Resource": [ "arn:aws:lambda:<REGION>:<AWS ACCOUNT ID>:function:parallelcluster-*", "arn:aws:lambda:<REGION>:<AWS ACCOUNT ID>:function:pcluster-*" ], "Effect": "Allow", "Sid": "Lambda" }, { "Action": [ "logs:*" ], "Resource": "arn:aws:logs:<REGION>:<AWS ACCOUNT ID>:*", "Effect": "Allow", "Sid": "Logs" }, { "Action": [ "codebuild:*" ], "Resource": "arn:aws:codebuild:<REGION>:<AWS ACCOUNT ID>:project/parallelcluster-*", "Effect": "Allow", "Sid": "CodeBuild" }, { "Action": [ "ecr:*" ], "Resource": "*", "Effect": "Allow", "Sid": "ECR" }, { "Action": [ "batch:*" ], "Resource": "*", "Effect": "Allow", "Sid": "Batch" }, { "Action": [ "events:*" ], "Effect": "Allow", "Resource": "*", "Sid": "AmazonCloudWatchEvents" }, { "Action": [ "ecs:DescribeContainerInstances", "ecs:ListContainerInstances" ], "Resource": "*", "Effect": "Allow", "Sid": "ECS" }, { "Action": [ "elasticfilesystem:CreateFileSystem", "elasticfilesystem:CreateMountTarget", "elasticfilesystem:DeleteFileSystem", "elasticfilesystem:DeleteMountTarget", "elasticfilesystem:DescribeFileSystems", "elasticfilesystem:DescribeMountTargets" ], "Resource": "*", "Effect": "Allow", "Sid": "EFS" }, { "Action": [ "fsx:*" ], "Resource": "*", "Effect": "Allow", "Sid": "FSx" }, { "Sid": "CloudWatch", "Effect": "Allow", "Action": [ "cloudwatch:PutDashboard", "cloudwatch:ListDashboards", "cloudwatch:DeleteDashboards", "cloudwatch:GetDashboard" ], "Resource": "*" } ] }
ParallelClusterLambdaPolicyutilizzando, o SGESlurmTorque
L'esempio seguente imposta ParallelClusterLambdaPolicy utilizzando SGE, Slurm o Torque come pianificatore.
Nota
A partire dalla versione 2.11.5, AWS ParallelCluster non supporta l'uso dei nostri schedulerSGE. Torque
{ "Version": "2012-10-17", "Statement": [ { "Action": [ "logs:CreateLogStream", "logs:PutLogEvents" ], "Resource": "arn:aws:logs:*:*:*", "Effect": "Allow", "Sid": "CloudWatchLogsPolicy" }, { "Action": [ "s3:DeleteBucket", "s3:DeleteObject", "s3:DeleteObjectVersion", "s3:ListBucket", "s3:ListBucketVersions" ], "Resource": [ "arn:aws:s3:::*" ], "Effect": "Allow", "Sid": "S3BucketPolicy" }, { "Action": [ "ec2:DescribeInstances" ], "Resource": "*", "Effect": "Allow", "Sid": "DescribeInstances" }, { "Action": [ "ec2:TerminateInstances" ], "Resource": "*", "Effect": "Allow", "Sid": "FleetTerminatePolicy" }, { "Action": [ "dynamodb:GetItem", "dynamodb:PutItem" ], "Resource": "arn:aws:dynamodb:<REGION>:<AWS ACCOUNT ID>:table/parallelcluster-*", "Effect": "Allow", "Sid": "DynamoDBTable" }, { "Action": [ "route53:ListResourceRecordSets", "route53:ChangeResourceRecordSets" ], "Resource": [ "arn:aws:route53:::hostedzone/*" ], "Effect": "Allow", "Sid": "Route53DeletePolicy" } ] }
ParallelClusterLambdaPolicy tramite awsbatch
L'esempio seguente imposta l'ParallelClusterLambdaPolicyutilizzo awsbatch come scheduler.
{ "Version": "2012-10-17", "Statement": [ { "Action": [ "logs:CreateLogStream", "logs:PutLogEvents" ], "Effect": "Allow", "Resource": "arn:aws:logs:*:*:*", "Sid": "CloudWatchLogsPolicy" }, { "Action": [ "ecr:BatchDeleteImage", "ecr:ListImages" ], "Effect": "Allow", "Resource": "*", "Sid": "ECRPolicy" }, { "Action": [ "codebuild:BatchGetBuilds", "codebuild:StartBuild" ], "Effect": "Allow", "Resource": "*", "Sid": "CodeBuildPolicy" }, { "Action": [ "s3:DeleteBucket", "s3:DeleteObject", "s3:DeleteObjectVersion", "s3:ListBucket", "s3:ListBucketVersions" ], "Effect": "Allow", "Resource": "*", "Sid": "S3BucketPolicy" } ] }
ParallelClusterUserPolicyper gli utenti
L'esempio seguente imposta l'ParallelClusterUserPolicyopzione per gli utenti che non devono creare o aggiornare i cluster. Sono supportati i seguenti comandi.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "MinimumModify", "Action": [ "autoscaling:UpdateAutoScalingGroup", "batch:UpdateComputeEnvironment", "cloudformation:DescribeStackEvents", "cloudformation:DescribeStackResources", "cloudformation:GetTemplate", "dynamodb:GetItem", "dynamodb:PutItem" ], "Effect": "Allow", "Resource": [ "arn:aws:autoscaling:<REGION>:<AWS ACCOUNT ID>:autoScalingGroup:*:autoScalingGroupName/parallelcluster-*", "arn:aws:batch:<REGION>:<AWS ACCOUNT ID>:compute-environment/*", "arn:aws:cloudformation:<REGION>:<AWS ACCOUNT ID>:stack/<CLUSTERNAME>/*", "arn:aws:dynamodb:<REGION>:<AWS ACCOUNT ID>:table/<CLUSTERNAME>" ] }, { "Sid": "Describe", "Action": [ "cloudformation:DescribeStacks", "ec2:DescribeInstances", "ec2:DescribeInstanceStatus" ], "Effect": "Allow", "Resource": "*" } ] }
