# AWS Identity and Access Management permissions in AWS ParallelCluster
AWS ParallelCluster uses IAM permissions to control access to resources when creating and managing clusters.
**To create and manage clusters in an AWS account, AWS ParallelCluster requires permissions at two levels:**
+ Permissions that the `pcluster` user requires to invoke the `pcluster` CLI commands for creating and managing clusters.
+ Permissions that the cluster resources require to perform cluster actions.
**AWS ParallelCluster uses** an [Amazon EC2 instance profile and role](#iam-ec2-instance-role) to provide cluster resource permissions. To manage cluster resource permissions, AWS ParallelCluster also requires permissions to IAM resources. For more information, see [AWS ParallelCluster user example policies for managing IAM resources](#iam-roles-in-parallelcluster-v3-user-policy-manage-iam).
**`pcluster` users require** IAM permissions to use the [`pcluster`](pcluster-v3.md) CLI to create and manage a cluster and its resources. These permissions are included in IAM policies that can be added to a user or role. For more information on IAM roles, see [Creating a user role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user.html) in the *AWS Identity and Access Management User Guide*.
You can also use [AWS ParallelCluster configuration parameters to manage IAM permissions](#iam-roles-in-parallelcluster-v3-params-for-iam).
The following sections contain the required permissions with examples.
To use the example policies, replace `{{}}`, `{{}}`, and similar strings with the appropriate values.
The following example policies include Amazon Resource Names (ARNs) for the resources. If you're working in the AWS GovCloud (US) or AWS China partitions, the ARNs must be changed. Specifically, they must be changed from "arn:aws" to "arn:aws-us-gov" for the AWS GovCloud (US) partition or "arn:aws-cn" for the AWS China partition. For more information, see [Amazon Resource Names (ARNs) in AWS GovCloud (US) Regions](https://docs.aws.amazon.com/govcloud-us/latest/UserGuide/using-govcloud-arns.html) in the *AWS GovCloud (US) User Guide* and [ARNs for AWS services in China](https://docs.amazonaws.cn/aws/latest/userguide/ARNs.html) in *Getting Started with AWS services in China*.
You can track changes to the example policies in [AWS ParallelCluster documentation on GitHub](https://github.com/awsdocs/aws-parallelcluster-user-guide/blame/main/doc_source/iam-roles-in-parallelcluster-v3.md).
**Topics**
+ [AWS ParallelCluster Amazon EC2 instance roles](#iam-ec2-instance-role)
+ [AWS ParallelCluster example `pcluster` user policies](#iam-roles-in-parallelcluster-v3-example-user-policies)
+ [AWS ParallelCluster user example policies for managing IAM resources](#iam-roles-in-parallelcluster-v3-user-policy-manage-iam)
+ [AWS ParallelCluster configuration parameters to manage IAM permissions](#iam-roles-in-parallelcluster-v3-params-for-iam)
## AWS ParallelCluster Amazon EC2 instance roles
When you create a cluster with the default configuration settings, AWS ParallelCluster uses Amazon EC2 [instance profiles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2_instance-profiles.html) to automatically create a default cluster Amazon EC2 [instance role](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html) that provides the permissions required to create and manage the cluster and its resources.
### Alternatives to using the default AWS ParallelCluster instance role
In place of the default AWS ParallelCluster instance role, you can use the `InstanceRole` cluster configuration setting to specify your own existing IAM role for EC2. For more information, see [AWS ParallelCluster configuration parameters to manage IAM permissions](#iam-roles-in-parallelcluster-v3-params-for-iam). Typically, you specify existing IAM roles to fully control the permissions granted to EC2.
If your intent is to add extra policies to the default instance role, we recommend that you pass the additional IAM policies by using the [`AdditionalIamPolicies`](#iam-roles-in-parallelcluster-v3-cluster-config-additionaliampolicies) configuration setting instead of [`InstanceProfile` or `InstanceRole`](#iam-roles-in-parallelcluster-v3-cluster-config-headnode-instanceprofile) settings. You can update `AdditionalIamPolicies` when you update your cluster, however, you can't update the `InstanceRole` when you update your cluster.
## AWS ParallelCluster example `pcluster` user policies
The following examples show the user policies required to create and manage AWS ParallelCluster and its resources by using the `pcluster` CLI. You can attach policies to a user or role.
**Topics**
+ [Base AWS ParallelCluster `pcluster` user policy](#iam-roles-in-parallelcluster-v3-base-user-policy)
+ [Additional AWS ParallelCluster `pcluster` user policy when using AWS Batch scheduler](#iam-roles-in-parallelcluster-v3-user-policy-batch)
+ [Additional AWS ParallelCluster `pcluster` user policy when using Amazon FSx for Lustre](#iam-roles-in-parallelcluster-v3-user-policy-fsxlustre)
+ [AWS ParallelCluster image build `pcluster` user policy](#iam-roles-in-parallelcluster-v3-user-policy-build-image)
### Base AWS ParallelCluster `pcluster` user policy
The following policy shows the permissions required to run AWS ParallelCluster `pcluster` commands.
The last action listed in the policy is included to provide validation of any secrets specified in the cluster configuration. For example, an AWS Secrets Manager secret is used to configure the [`DirectoryService`](DirectoryService-v3.md) integration. In this case, a cluster is created only if a valid secret exists in the [`PasswordSecretArn`](DirectoryService-v3.md#yaml-DirectoryService-PasswordSecretArn). If this action is omitted, secret validation is skipped. To improve your security posture, we recommend that you scope down this policy statement by adding only the secrets specified in your cluster configuration.
**Note**
If existing Amazon EFS file systems are the only file systems used in your cluster, you can scope down the example Amazon EFS policy statements to the specific file systems referenced in the [`SharedStorage` section](SharedStorage-v3.md) of the cluster configuration file.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Action": [
"ec2:Describe*"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "EC2Read"
},
{
"Action": [
"ec2:AllocateAddress",
"ec2:AssociateAddress",
"ec2:AttachNetworkInterface",
"ec2:AuthorizeSecurityGroupEgress",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:CreateFleet",
"ec2:CreateLaunchTemplate",
"ec2:CreateLaunchTemplateVersion",
"ec2:CreateNetworkInterface",
"ec2:CreatePlacementGroup",
"ec2:CreateSecurityGroup",
"ec2:CreateSnapshot",
"ec2:CreateTags",
"ec2:DeleteTags",
"ec2:CreateVolume",
"ec2:DeleteLaunchTemplate",
"ec2:DeleteNetworkInterface",
"ec2:DeletePlacementGroup",
"ec2:DeleteSecurityGroup",
"ec2:DeleteVolume",
"ec2:DisassociateAddress",
"ec2:ModifyLaunchTemplate",
"ec2:ModifyNetworkInterfaceAttribute",
"ec2:ModifyVolume",
"ec2:ModifyVolumeAttribute",
"ec2:ReleaseAddress",
"ec2:RevokeSecurityGroupEgress",
"ec2:RevokeSecurityGroupIngress",
"ec2:RunInstances",
"ec2:TerminateInstances"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "EC2Write"
},
{
"Action": [
"dynamodb:DescribeTable",
"dynamodb:ListTagsOfResource",
"dynamodb:CreateTable",
"dynamodb:DeleteTable",
"dynamodb:GetItem",
"dynamodb:PutItem",
"dynamodb:UpdateItem",
"dynamodb:Query",
"dynamodb:TagResource",
"dynamodb:UntagResource"
],
"Resource": "arn:aws:dynamodb:*:{{111122223333}}:table/parallelcluster-*",
"Effect": "Allow",
"Sid": "DynamoDB"
},
{
"Action": [
"route53:ChangeResourceRecordSets",
"route53:ChangeTagsForResource",
"route53:CreateHostedZone",
"route53:DeleteHostedZone",
"route53:GetChange",
"route53:GetHostedZone",
"route53:ListResourceRecordSets",
"route53:ListQueryLoggingConfigs"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "Route53HostedZones"
},
{
"Action": [
"cloudformation:*"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "CloudFormation"
},
{
"Action": [
"cloudwatch:PutDashboard",
"cloudwatch:ListDashboards",
"cloudwatch:DeleteDashboards",
"cloudwatch:GetDashboard",
"cloudwatch:PutMetricAlarm",
"cloudwatch:DeleteAlarms",
"cloudwatch:DescribeAlarms",
"cloudwatch:PutCompositeAlarm",
"cloudwatch:TagResource",
"cloudwatch:UntagResource"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "CloudWatch"
},
{
"Action": [
"iam:GetRole",
"iam:GetRolePolicy",
"iam:GetPolicy",
"iam:SimulatePrincipalPolicy",
"iam:GetInstanceProfile"
],
"Resource": [
"arn:aws:iam::{{111122223333}}:role/*",
"arn:aws:iam::{{111122223333}}:policy/*",
"arn:aws:iam::aws:policy/*",
"arn:aws:iam::{{111122223333}}:instance-profile/*"
],
"Effect": "Allow",
"Sid": "IamRead"
},
{
"Action": [
"iam:CreateInstanceProfile",
"iam:DeleteInstanceProfile",
"iam:AddRoleToInstanceProfile",
"iam:RemoveRoleFromInstanceProfile"
],
"Resource": [
"arn:aws:iam::{{111122223333}}:instance-profile/parallelcluster/*"
],
"Effect": "Allow",
"Sid": "IamInstanceProfile"
},
{
"Condition": {
"StringEqualsIfExists": {
"iam:PassedToService": [
"lambda.amazonaws.com",
"ec2.amazonaws.com",
"spotfleet.amazonaws.com"
]
}
},
"Action": [
"iam:PassRole"
],
"Resource": [
"arn:aws:iam::{{111122223333}}:role/parallelcluster/*"
],
"Effect": "Allow",
"Sid": "IamPassRole"
},
{
"Action": [
"lambda:CreateFunction",
"lambda:DeleteFunction",
"lambda:GetFunctionConfiguration",
"lambda:GetFunction",
"lambda:InvokeFunction",
"lambda:AddPermission",
"lambda:RemovePermission",
"lambda:UpdateFunctionConfiguration",
"lambda:TagResource",
"lambda:ListTags",
"lambda:UntagResource"
],
"Resource": [
"arn:aws:lambda:*:{{111122223333}}:function:parallelcluster-*",
"arn:aws:lambda:*:{{111122223333}}:function:pcluster-*"
],
"Effect": "Allow",
"Sid": "Lambda"
},
{
"Action": [
"s3:*"
],
"Resource": [
"arn:aws:s3:::parallelcluster-*",
"arn:aws:s3:::aws-parallelcluster-*"
],
"Effect": "Allow",
"Sid": "S3ResourcesBucket"
},
{
"Action": [
"s3:Get*",
"s3:List*"
],
"Resource": "arn:aws:s3:::*-aws-parallelcluster*",
"Effect": "Allow",
"Sid": "S3ParallelClusterReadOnly"
},
{
"Action": [
"elasticfilesystem:*"
],
"Resource": [
"arn:aws:elasticfilesystem:*:{{111122223333}}:*"
],
"Effect": "Allow",
"Sid": "EFS"
},
{
"Action": [
"logs:DeleteLogGroup",
"logs:PutRetentionPolicy",
"logs:DescribeLogGroups",
"logs:CreateLogGroup",
"logs:TagResource",
"logs:UntagResource",
"logs:FilterLogEvents",
"logs:GetLogEvents",
"logs:CreateExportTask",
"logs:DescribeLogStreams",
"logs:DescribeExportTasks",
"logs:DescribeMetricFilters",
"logs:PutMetricFilter",
"logs:DeleteMetricFilter",
"logs:ListTagsForResource"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "CloudWatchLogs"
},
{
"Action": [
"resource-groups:ListGroupResources"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "ResourceGroupRead"
},
{
"Sid": "AllowDescribingFileCache",
"Effect": "Allow",
"Action": [
"fsx:DescribeFileCaches"
],
"Resource": "*"
},
{
"Action": "secretsmanager:DescribeSecret",
"Resource": "arn:aws:secretsmanager:{{us-east-1}}:{{111122223333}}:secret:{{}}",
"Effect": "Allow"
}
]
}
```
------
### Additional AWS ParallelCluster `pcluster` user policy when using AWS Batch scheduler
In case you need to create and manage a cluster with AWS Batch scheduler, the following additional policy is required.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Condition": {
"StringEqualsIfExists": {
"iam:PassedToService": [
"ecs-tasks.amazonaws.com",
"batch.amazonaws.com",
"codebuild.amazonaws.com"
]
}
},
"Action": [
"iam:PassRole"
],
"Resource": [
"arn:aws:iam::{{111122223333}}:role/parallelcluster/*"
],
"Effect": "Allow",
"Sid": "IamPassRole"
},
{
"Condition": {
"StringEquals": {
"iam:AWSServiceName": [
"batch.amazonaws.com"
]
}
},
"Action": [
"iam:CreateServiceLinkedRole",
"iam:DeleteServiceLinkedRole"
],
"Resource": [
"arn:aws:iam::{{111122223333}}:role/aws-service-role/batch.amazonaws.com/*"
],
"Effect": "Allow"
},
{
"Action": [
"codebuild:*"
],
"Resource": "arn:aws:codebuild:*:{{111122223333}}:project/pcluster-*",
"Effect": "Allow"
},
{
"Action": [
"ecr:*"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "ECR"
},
{
"Action": [
"batch:*"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "Batch"
},
{
"Action": [
"events:*"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "AmazonCloudWatchEvents"
},
{
"Action": [
"ecs:DescribeContainerInstances",
"ecs:ListContainerInstances"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "ECS"
}
]
}
```
------
### Additional AWS ParallelCluster `pcluster` user policy when using Amazon FSx for Lustre
In case you need to create and manage a cluster with Amazon FSx for Lustre, the following additional policy is required.
**Note**
If existing Amazon FSx file systems are the only file systems used in your cluster, you can scope down the example Amazon FSx policy statements to the specific file systems referenced in the [`SharedStorage` section](SharedStorage-v3.md) of the cluster configuration file.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Condition": {
"StringEquals": {
"iam:AWSServiceName": [
"fsx.amazonaws.com",
"s3.data-source.lustre.fsx.amazonaws.com"
]
}
},
"Action": [
"iam:CreateServiceLinkedRole",
"iam:DeleteServiceLinkedRole"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"fsx:*"
],
"Resource": [
"arn:aws:fsx:*:{{111122223333}}:*"
],
"Effect": "Allow",
"Sid": "FSx"
},
{
"Action": [
"iam:CreateServiceLinkedRole",
"iam:AttachRolePolicy",
"iam:PutRolePolicy"
],
"Resource": "arn:aws:iam::{{111122223333}}:role/aws-service-role/s3.data-source.lustre.fsx.amazonaws.com/*",
"Effect": "Allow"
},
{
"Action": [
"s3:Get*",
"s3:List*",
"s3:PutObject"
],
"Resource": "arn:aws:s3:::{{amzn-s3-demo-bucket}}",
"Effect": "Allow"
}
]
}
```
------
### AWS ParallelCluster image build `pcluster` user policy
Users that intend to create custom Amazon EC2 images with AWS ParallelCluster must have the following set of permissions.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Action": [
"ec2:DescribeSecurityGroups",
"ec2:DescribeImages",
"ec2:DescribeInstanceTypeOfferings",
"ec2:DescribeInstanceTypes",
"ec2:DeregisterImage",
"ec2:DeleteSnapshot"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "EC2"
},
{
"Action": [
"iam:CreateInstanceProfile",
"iam:AddRoleToInstanceProfile",
"iam:CreateRole",
"iam:TagRole",
"iam:GetRole",
"iam:PutRolePolicy",
"iam:GetRolePolicy",
"iam:GetInstanceProfile",
"iam:RemoveRoleFromInstanceProfile"
],
"Resource": [
"arn:aws:iam::{{111122223333}}:instance-profile/parallelcluster/*",
"arn:aws:iam::{{111122223333}}:instance-profile/ParallelClusterImage*",
"arn:aws:iam::{{111122223333}}:role/parallelcluster/*"
],
"Effect": "Allow",
"Sid": "IAM"
},
{
"Condition": {
"StringEquals": {
"iam:PassedToService": [
"lambda.amazonaws.com",
"ec2.amazonaws.com"
]
}
},
"Action": [
"iam:PassRole"
],
"Resource": [
"arn:aws:iam::{{111122223333}}:instance-profile/parallelcluster/*",
"arn:aws:iam::{{111122223333}}:role/parallelcluster/*"
],
"Effect": "Allow",
"Sid": "IAMPassRole"
},
{
"Action": [
"logs:GetLogEvents",
"logs:CreateLogGroup",
"logs:TagResource",
"logs:UntagResource",
"logs:DeleteLogGroup"
],
"Resource": [
"arn:aws:logs:*:{{111122223333}}:log-group:/aws/imagebuilder/ParallelClusterImage-*",
"arn:aws:logs:*:{{111122223333}}:log-group:/aws/lambda/ParallelClusterImage-*"
],
"Effect": "Allow",
"Sid": "CloudWatch"
},
{
"Action": [
"cloudformation:DescribeStacks",
"cloudformation:CreateStack",
"cloudformation:DeleteStack"
],
"Resource": [
"arn:aws:cloudformation:*:{{111122223333}}:stack/*"
],
"Effect": "Allow",
"Sid": "CloudFormation"
},
{
"Action": [
"lambda:CreateFunction",
"lambda:GetFunction",
"lambda:AddPermission",
"lambda:RemovePermission",
"lambda:DeleteFunction",
"lambda:TagResource",
"lambda:ListTags",
"lambda:UntagResource"
],
"Resource": [
"arn:aws:lambda:*:{{111122223333}}:function:ParallelClusterImage-*"
],
"Effect": "Allow",
"Sid": "Lambda"
},
{
"Action": [
"imagebuilder:Get*"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "ImageBuilderGet"
},
{
"Action": [
"imagebuilder:CreateImage",
"imagebuilder:TagResource",
"imagebuilder:CreateImageRecipe",
"imagebuilder:CreateComponent",
"imagebuilder:CreateDistributionConfiguration",
"imagebuilder:CreateInfrastructureConfiguration",
"imagebuilder:DeleteImage",
"imagebuilder:DeleteComponent",
"imagebuilder:DeleteImageRecipe",
"imagebuilder:DeleteInfrastructureConfiguration",
"imagebuilder:DeleteDistributionConfiguration"
],
"Resource": [
"arn:aws:imagebuilder:*:{{111122223333}}:image/parallelclusterimage-*",
"arn:aws:imagebuilder:*:{{111122223333}}:image-recipe/parallelclusterimage-*",
"arn:aws:imagebuilder:*:{{111122223333}}:component/parallelclusterimage-*",
"arn:aws:imagebuilder:*:{{111122223333}}:distribution-configuration/parallelclusterimage-*",
"arn:aws:imagebuilder:*:{{111122223333}}:infrastructure-configuration/parallelclusterimage-*"
],
"Effect": "Allow",
"Sid": "ImageBuilder"
},
{
"Action": [
"s3:CreateBucket",
"s3:ListBucket",
"s3:ListBucketVersions"
],
"Resource": [
"arn:aws:s3:::parallelcluster-*"
],
"Effect": "Allow",
"Sid": "S3Bucket"
},
{
"Action": [
"sns:GetTopicAttributes",
"sns:TagResource",
"sns:CreateTopic",
"sns:Subscribe",
"sns:Publish",
"SNS:DeleteTopic",
"SNS:Unsubscribe"
],
"Resource": [
"arn:aws:sns:*:{{111122223333}}:ParallelClusterImage-*"
],
"Effect": "Allow",
"Sid": "SNS"
},
{
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:GetObjectVersion",
"s3:DeleteObject",
"s3:DeleteObjectVersion"
],
"Resource": [
"arn:aws:s3:::parallelcluster-*/*"
],
"Effect": "Allow",
"Sid": "S3Objects"
},
{
"Action": "iam:CreateServiceLinkedRole",
"Effect": "Allow",
"Resource": "arn:aws:iam::*:role/aws-service-role/imagebuilder.amazonaws.com/AWSServiceRoleForImageBuilder",
"Condition": {
"StringLike": {
"iam:AWSServiceName": "imagebuilder.amazonaws.com"
}
}
}
]
}
```
------
## AWS ParallelCluster user example policies for managing IAM resources
When using AWS ParallelCluster to create clusters or custom AMIs, IAM policies must be provided that contain permissions to grant the required set of permissions to AWS ParallelCluster components. These IAM resources can be either automatically created by AWS ParallelCluster or be provided as input when creating a cluster or a custom image.
You can use the following modes to provide the AWS ParallelCluster user with the permissions required to access IAM resources by using additional IAM policies in the configuration.
**Topics**
+ [Privileged IAM access mode](#iam-roles-in-parallelcluster-v3-privileged-iam-access)
+ [Restricted IAM access mode](#iam-roles-in-parallelcluster-v3-restricted-iam-access)
+ [`PermissionsBoundary` mode](#iam-roles-in-parallelcluster-v3-permissionsboundary-mode)
### Privileged IAM access mode
With this mode, AWS ParallelCluster automatically creates all necessary IAM resources. These IAM policies are scoped down to enable access to cluster resources only.
To enable Privileged IAM access mode, add the following policy to the user role.
**Note**
If you configure [`HeadNode`](HeadNode-v3.md) / [`Iam`](HeadNode-v3.md#HeadNode-v3-Iam) / [`AdditionalPolicies`](HeadNode-v3.md#yaml-HeadNode-Iam-AdditionalIamPolicies) or [`Scheduling`](Scheduling-v3.md) / [`SlurmQueues`](Scheduling-v3.md#Scheduling-v3-SlurmQueues) / [`Iam`](Scheduling-v3.md#Scheduling-v3-SlurmQueues-Iam) / [`AdditionalPolicies`](Scheduling-v3.md#yaml-Scheduling-SlurmQueues-Iam-AdditionalIamPolicies) parameters, you must provide the AWS ParallelCluster user with permission to attach and detach role policies for each additional policy as shown in the following policy. Add the additional policy ARNs to the condition for attaching and detaching role policies.
**Warning**
This mode enables the user to have IAM Administrator privileges in the AWS account
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Action": [
"iam:CreateServiceLinkedRole",
"iam:DeleteRole",
"iam:TagRole",
"iam:UntagRole"
],
"Resource": [
"arn:aws:iam::{{111122223333}}:role/parallelcluster/*"
],
"Effect": "Allow",
"Sid": "IamRole"
},
{
"Action": [
"iam:CreateRole"
],
"Resource": [
"arn:aws:iam::{{111122223333}}:role/parallelcluster/*"
],
"Effect": "Allow",
"Sid": "IamCreateRole"
},
{
"Action": [
"iam:PutRolePolicy",
"iam:DeleteRolePolicy"
],
"Resource": "arn:aws:iam::{{111122223333}}:role/parallelcluster/*",
"Effect": "Allow",
"Sid": "IamInlinePolicy"
},
{
"Condition": {
"ArnLike": {
"iam:PolicyARN": [
"arn:aws:iam::{{111122223333}}:policy/parallelcluster*",
"arn:aws:iam::{{111122223333}}:policy/parallelcluster/*",
"arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy",
"arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore",
"arn:aws:iam::aws:policy/AWSBatchFullAccess",
"arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess",
"arn:aws:iam::aws:policy/service-role/AWSBatchServiceRole",
"arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role",
"arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy",
"arn:aws:iam::aws:policy/service-role/AmazonEC2SpotFleetTaggingRole",
"arn:aws:iam::aws:policy/EC2InstanceProfileForImageBuilder",
"arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
]
}
},
"Action": [
"iam:AttachRolePolicy",
"iam:DetachRolePolicy"
],
"Resource": "arn:aws:iam::{{111122223333}}:role/parallelcluster/*",
"Effect": "Allow",
"Sid": "IamPolicy"
}
]
}
```
------
### Restricted IAM access mode
When no additional IAM policies are granted to the user, IAM roles required by clusters or custom image build need to be manually created by an administrator and passed as part of the cluster configuration.
When creating a cluster the following parameters are required:
+ [`Iam`](Iam-v3.md) / [`Roles`](Iam-v3.md#yaml-Iam-Roles) / [`LambdaFunctionsRole`](Iam-v3.md#yaml-Iam-Roles-LambdaFunctionsRole)
+ [`HeadNode`](HeadNode-v3.md) / [`Iam`](HeadNode-v3.md#HeadNode-v3-Iam) / [`InstanceRole`](HeadNode-v3.md#yaml-HeadNode-Iam-InstanceRole) \| [`InstanceProfile`](HeadNode-v3.md#yaml-HeadNode-Iam-InstanceProfile)
+ [`Scheduling`](Scheduling-v3.md) / [`SlurmQueues`](Scheduling-v3.md#Scheduling-v3-SlurmQueues) / [`Iam`](Scheduling-v3.md#Scheduling-v3-SlurmQueues-Iam) / [`InstanceRole`](Scheduling-v3.md#yaml-Scheduling-SlurmQueues-Iam-InstanceRole) \| [`InstanceProfile`](Scheduling-v3.md#yaml-Scheduling-SlurmQueues-Iam-InstanceProfile)
When building a custom image the following parameters are required:
+ [`Build`](Build-v3.md) / [`Iam`](Build-v3.md#Build-v3-Iam) / [`InstanceRole`](Build-v3.md#yaml-build-image-Build-Iam-InstanceRole) \| [`InstanceProfile`](Build-v3.md#yaml-build-image-Build-Iam-InstanceProfile)
+ [`Build`](Build-v3.md) / [`Iam`](Build-v3.md#Build-v3-Iam) / [`CleanupLambdaRole`](Build-v3.md#yaml-build-image-Build-Iam-CleanupLambdaRole)
The IAM roles passed as part of the above listed parameters must be created on the `/parallelcluster/` path prefix. If this isn't possible, the user policy needs to be updated to grant `iam:PassRole` permission on the specific custom roles, as in the following example.
```
{
"Condition": {
"StringEqualsIfExists": {
"iam:PassedToService": [
"ecs-tasks.amazonaws.com",
"lambda.amazonaws.com",
"ec2.amazonaws.com",
"spotfleet.amazonaws.com",
"batch.amazonaws.com",
"codebuild.amazonaws.com"
]
}
},
"Action": [
"iam:PassRole"
],
"Resource": [
{{}}
],
"Effect": "Allow",
"Sid": "IamPassRole"
}
```
**Warning**
Currently this mode does not allow the management of AWS Batch clusters because not all IAM roles can be passed in the cluster configuration.
### `PermissionsBoundary` mode
This mode delegates to AWS ParallelCluster the creation of IAM roles that are bound to the configured IAM permissions boundary. For more information on IAM permissions boundaries, see [Permissions boundaries for IAM entities](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html) in the *IAM User Guide*.
The following policy needs to be added to the user role.
In the policy, replace {{}} with the IAM policy ARN to be enforced as permissions boundary.
**Warning**
If you configure the [`HeadNode`](HeadNode-v3.md) / [`Iam`](HeadNode-v3.md#HeadNode-v3-Iam) / [`AdditionalPolicies`](HeadNode-v3.md#yaml-HeadNode-Iam-AdditionalIamPolicies) or [`Scheduling`](Scheduling-v3.md) / [`SlurmQueues`](Scheduling-v3.md#Scheduling-v3-SlurmQueues) / [`Iam`](Scheduling-v3.md#Scheduling-v3-SlurmQueues-Iam) / [`AdditionalPolicies`](Scheduling-v3.md#yaml-Scheduling-SlurmQueues-Iam-AdditionalIamPolicies) parameters, you must grant the user permission to attach and detach role policies for each additional policy as shown in the following policy. Add the additional policy ARNs to the condition for attaching and detaching role policies.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Action": [
"iam:CreateServiceLinkedRole",
"iam:DeleteRole",
"iam:TagRole"
],
"Resource": [
"arn:aws:iam::{{111122223333}}:role/parallelcluster/*"
],
"Effect": "Allow",
"Sid": "IamRole"
},
{
"Condition": {
"StringEquals": {
"iam:PermissionsBoundary": [
"{{}}"
]
}
},
"Action": [
"iam:CreateRole"
],
"Resource": [
"arn:aws:iam::{{111122223333}}:role/parallelcluster/*"
],
"Effect": "Allow",
"Sid": "IamCreateRole"
},
{
"Condition": {
"StringEquals": {
"iam:PermissionsBoundary": [
"{{}}"
]
}
},
"Action": [
"iam:PutRolePolicy",
"iam:DeleteRolePolicy"
],
"Resource": "arn:aws:iam::{{111122223333}}:role/parallelcluster/*",
"Effect": "Allow",
"Sid": "IamInlinePolicy"
},
{
"Condition": {
"StringEquals": {
"iam:PermissionsBoundary": [
"{{}}"
]
},
"ArnLike": {
"iam:PolicyARN": [
"arn:aws:iam::{{111122223333}}:policy/parallelcluster*",
"arn:aws:iam::{{111122223333}}:policy/parallelcluster/*",
"arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy",
"arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore",
"arn:aws:iam::aws:policy/AWSBatchFullAccess",
"arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess",
"arn:aws:iam::aws:policy/service-role/AWSBatchServiceRole",
"arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role",
"arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy",
"arn:aws:iam::aws:policy/service-role/AmazonEC2SpotFleetTaggingRole",
"arn:aws:iam::aws:policy/EC2InstanceProfileForImageBuilder",
"arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
]
}
},
"Action": [
"iam:AttachRolePolicy",
"iam:DetachRolePolicy"
],
"Resource": "arn:aws:iam::{{111122223333}}:role/parallelcluster/*",
"Effect": "Allow",
"Sid": "IamPolicy"
}
]
}
```
------
When this mode is enabled, you must specify the permissions boundary ARN in the [`Iam`](Iam-v3.md) / [`PermissionsBoundary`](Iam-v3.md#yaml-Iam-PermissionsBoundary) configuration parameter when creating or updating a cluster and in the [`Build`](Build-v3.md) / [`Iam`](Build-v3.md#Build-v3-Iam) / [`PermissionBoundary`](Build-v3.md#yaml-build-image-Build-Iam-PermissionsBoundary) parameter when building a custom image.
## AWS ParallelCluster configuration parameters to manage IAM permissions
AWS ParallelCluster exposes a series of configuration options to customize and manage the IAM permissions and roles that are used in a cluster or during the custom AMI creation process.
**Topics**
+ [Cluster configuration](#iam-roles-in-parallelcluster-v3-cluster-config)
+ [Custom Image configuration](#iam-roles-in-parallelcluster-v3-custom-image-configuration)
### Cluster configuration
**Topics**
+ [Head node IAM role](#iam-roles-in-parallelcluster-v3-cluster-config-headnode-instanceprofile)
+ [Amazon S3 access](#iam-roles-in-parallelcluster-v3-cluster-config-headnode-s3access)
+ [Additional IAM policies](#iam-roles-in-parallelcluster-v3-cluster-config-additionaliampolicies)
+ [AWS Lambda functions role](#iam-roles-in-parallelcluster-v3-cluster-config-lambdafunctionsrole)
+ [Compute nodes IAM role](#iam-roles-in-parallelcluster-v3-cluster-config-slurmqueues-instanceprofile)
+ [Permissions boundary](#iam-roles-in-parallelcluster-v3-cluster-config-permissionsboundary)
#### Head node IAM role
[`HeadNode`](HeadNode-v3.md) / [`Iam`](HeadNode-v3.md#HeadNode-v3-Iam) / [`InstanceRole`](HeadNode-v3.md#yaml-HeadNode-Iam-InstanceRole) \| [`InstanceProfile`](HeadNode-v3.md#yaml-HeadNode-Iam-InstanceProfile)
With this option, you override the default IAM role that's assigned to the head node of the cluster. For additional details, please refer to the [`InstanceProfile`](HeadNode-v3.md#yaml-HeadNode-Iam-InstanceProfile) reference.
Here is the minimal set of policies to be used as part of this role when the scheduler is Slurm:
+ `arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy` managed IAM policy. For more information, see [Create IAM roles and users for use with the CloudWatch agent](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/create-iam-roles-for-cloudwatch-agent.html) in the *Amazon CloudWatch User Guide*.
+ `arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore` managed IAM policy. For more information, see [AWS managed policies for AWS Systems Manager](https://docs.aws.amazon.com/systems-manager/latest/userguide/security_iam_service-with-iam.html#managed-policies) in the *AWS Systems Manager User Guide*.
+ Additional IAM policy:
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Action": [
"s3:GetObject",
"s3:GetObjectVersion"
],
"Resource": [
"arn:aws:s3:::{{us-east-1}}-aws-parallelcluster/*",
"arn:aws:s3:::dcv-license.us-east-1/*",
"arn:aws:s3:::parallelcluster-*-v1-do-not-delete/*"
],
"Effect": "Allow"
},
{
"Action": [
"dynamodb:GetItem",
"dynamodb:PutItem",
"dynamodb:UpdateItem",
"dynamodb:BatchWriteItem",
"dynamodb:BatchGetItem"
],
"Resource": "arn:aws:dynamodb:{{us-east-1}}:{{111122223333}}:table/parallelcluster-*",
"Effect": "Allow"
},
{
"Condition": {
"StringEquals": {
"ec2:ResourceTag/parallelcluster:node-type": "Compute"
}
},
"Action": "ec2:TerminateInstances",
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"ec2:RunInstances",
"ec2:CreateFleet"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Condition": {
"StringEquals": {
"iam:PassedToService": [
"ec2.amazonaws.com"
]
}
},
"Action": [
"iam:PassRole"
],
"Resource": [
"arn:aws:iam::{{111122223333}}:role/parallelcluster/*",
"arn:aws:iam::{{111122223333}}:instance-profile/parallelcluster/*"
],
"Effect": "Allow"
},
{
"Action": [
"ec2:DescribeInstances",
"ec2:DescribeInstanceStatus",
"ec2:DescribeVolumes",
"ec2:DescribeInstanceAttribute",
"ec2:DescribeCapacityReservations"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"ec2:CreateTags",
"ec2:AttachVolume"
],
"Resource": [
"arn:aws:ec2:{{us-east-1}}:{{111122223333}}:instance/*",
"arn:aws:ec2:{{us-east-1}}:{{111122223333}}:volume/*"
],
"Effect": "Allow"
},
{
"Action": [
"cloudformation:DescribeStacks",
"cloudformation:DescribeStackResource",
"cloudformation:SignalResource"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"route53:ChangeResourceRecordSets"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": "secretsmanager:GetSecretValue",
"Resource": "arn:aws:secretsmanager:{{us-east-1}}:{{111122223333}}:secret:{{}}",
"Effect": "Allow"
}
]
}
```
------
Note that in case [`Scheduling`](Scheduling-v3.md) / [`SlurmQueues`](Scheduling-v3.md#Scheduling-v3-SlurmQueues) / [`Iam`](Scheduling-v3.md#Scheduling-v3-SlurmQueues-Iam) / [`InstanceRole`](Scheduling-v3.md#yaml-Scheduling-SlurmQueues-Iam-InstanceRole) is used to override the compute IAM role, the head node policy reported above needs to include such role in the `Resource` section of the `iam:PassRole` permission.
Here is the minimal set of policies to be used as part of this role when the scheduler is AWS Batch:
+ `arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy` managed IAM policy. For more information, see [Create IAM roles and users for use with the CloudWatch agent](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/create-iam-roles-for-cloudwatch-agent.html) in the *Amazon CloudWatch User Guide*.
+ `arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore` managed IAM policy. For more information, see [AWS managed policies for AWS Systems Manager](https://docs.aws.amazon.com/systems-manager/latest/userguide/security_iam_service-with-iam.html#managed-policies) in the *AWS Systems Manager User Guide*.
+ Additional IAM policy:
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Action": [
"s3:GetObject",
"s3:PutObject",
"s3:GetObjectVersion"
],
"Resource": [
"arn:aws:s3:::parallelcluster-*-v1-do-not-delete/*"
],
"Effect": "Allow"
},
{
"Action": "s3:GetObject",
"Resource": [
"arn:aws:s3:::dcv-license.{{us-east-1}}/*",
"arn:aws:s3:::{{us-east-1}}-aws-parallelcluster/*"
],
"Effect": "Allow"
},
{
"Condition": {
"StringEquals": {
"iam:PassedToService": [
"batch.amazonaws.com"
]
}
},
"Action": [
"iam:PassRole"
],
"Resource": [
"arn:aws:iam::{{111122223333}}:role/parallelcluster/*",
"arn:aws:iam::{{111122223333}}:instance-profile/parallelcluster/*"
],
"Effect": "Allow"
},
{
"Action": [
"batch:DescribeJobQueues",
"batch:DescribeJobs",
"batch:ListJobs",
"batch:DescribeComputeEnvironments"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"batch:SubmitJob",
"batch:TerminateJob",
"logs:GetLogEvents",
"ecs:ListContainerInstances",
"ecs:DescribeContainerInstances"
],
"Resource": [
"arn:aws:logs:{{us-east-1}}:{{111122223333}}:log-group:/aws/batch/job:log-stream:PclusterJobDefinition*",
"arn:aws:ecs:{{us-east-1}}:{{111122223333}}:container-instance/AWSBatch-PclusterComputeEnviron*",
"arn:aws:ecs:{{us-east-1}}:{{111122223333}}:cluster/AWSBatch-Pcluster*",
"arn:aws:batch:{{us-east-1}}:{{111122223333}}:job-queue/PclusterJobQueue*",
"arn:aws:batch:{{us-east-1}}:{{111122223333}}:job-definition/PclusterJobDefinition*:*",
"arn:aws:batch:{{us-east-1}}:{{111122223333}}:job/*"
],
"Effect": "Allow"
},
{
"Action": [
"ec2:DescribeInstances",
"ec2:DescribeInstanceStatus",
"ec2:DescribeVolumes",
"ec2:DescribeInstanceAttribute"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"ec2:CreateTags",
"ec2:AttachVolume"
],
"Resource": [
"arn:aws:ec2:{{us-east-1}}:{{111122223333}}:instance/*",
"arn:aws:ec2:{{us-east-1}}:{{111122223333}}:volume/*"
],
"Effect": "Allow"
},
{
"Action": [
"cloudformation:DescribeStackResource",
"cloudformation:DescribeStacks",
"cloudformation:SignalResource"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": "secretsmanager:GetSecretValue",
"Resource": "arn:aws:secretsmanager:{{us-east-1}}:{{111122223333}}:secret:{{}}",
"Effect": "Allow"
}
]
}
```
------
#### Amazon S3 access
[`HeadNode`](HeadNode-v3.md) / [`Iam`](HeadNode-v3.md#HeadNode-v3-Iam) / [`S3Access`](HeadNode-v3.md#yaml-HeadNode-Iam-S3Access) or [`Scheduling`](Scheduling-v3.md) / [`SlurmQueues`](Scheduling-v3.md#Scheduling-v3-SlurmQueues) / [`S3Access`](HeadNode-v3.md#yaml-HeadNode-Iam-S3Access)
In these configuration sections, you can customize the Amazon S3 access by granting additional Amazon S3 policies to the IAM roles associated with the head node or compute nodes of the cluster when such roles are created by AWS ParallelCluster. For more information, see the reference documentation for each of the configuration parameter.
This parameter can be only used when the user is configured with [Privileged IAM access mode](#iam-roles-in-parallelcluster-v3-privileged-iam-access) or [`PermissionsBoundary` mode](#iam-roles-in-parallelcluster-v3-permissionsboundary-mode).
#### Additional IAM policies
[`HeadNode`](HeadNode-v3.md) / [`Iam`](HeadNode-v3.md#HeadNode-v3-Iam) / [`AdditionalIamPolicies`](HeadNode-v3.md#yaml-HeadNode-Iam-AdditionalIamPolicies) or [`SlurmQueues`](Scheduling-v3.md#Scheduling-v3-SlurmQueues) / [`Iam`](Scheduling-v3.md#Scheduling-v3-SlurmQueues-Iam) / [`AdditionalIamPolicies`](Scheduling-v3.md#yaml-Scheduling-SlurmQueues-Iam-AdditionalIamPolicies)
Use this option to attach additional managed IAM policies to the IAM roles associated with the head node or compute nodes of the cluster when such roles are created by AWS ParallelCluster.
**Warning**
To use this option, make sure the [AWS ParallelCluster user](#iam-roles-in-parallelcluster-v3-user-policy-manage-iam) is granted `iam:AttachRolePolicy` and `iam:DetachRolePolicy` permissions for the IAM policies that need to be attached.
#### AWS Lambda functions role
[`Iam`](Iam-v3.md#yaml-Iam-Roles) / [`Roles`](Iam-v3.md#yaml-Iam-Roles) / [`LambdaFunctionsRole`](Iam-v3.md#yaml-Iam-Roles-LambdaFunctionsRole)
This option overrides the role attached to all AWS Lambda functions that are used during the cluster creation process. AWS Lambda needs to be configured as the principal allowed to assume the role.
**Note**
If [`DeploymentSettings`](DeploymentSettings-cluster-v3.md) / [`LambdaFunctionsVpcConfig`](DeploymentSettings-cluster-v3.md#DeploymentSettings-cluster-v3-LambdaFunctionsVpcConfig) is set, the `LambdaFunctionsRole` must include the [AWS Lambda role permission](https://docs.aws.amazon.com/lambda/latest/dg/configuration-vpc.html#vpc-permissions) to set the VPC configuration.
Here is the minimal set of policies to be used as part of this role:
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Action": [
"route53:ListResourceRecordSets",
"route53:ChangeResourceRecordSets"
],
"Resource": "arn:aws:route53:::hostedzone/*",
"Effect": "Allow"
},
{
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Effect": "Allow",
"Resource": "arn:aws:logs:{{us-east-1}}:{{111122223333}}:log-group:/aws/lambda/pcluster-*"
},
{
"Action": "ec2:DescribeInstances",
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ec2:TerminateInstances",
"Condition": {
"StringEquals": {
"ec2:ResourceTag/parallelcluster:node-type": "Compute"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"s3:DeleteObject",
"s3:DeleteObjectVersion",
"s3:ListBucket",
"s3:ListBucketVersions"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::parallelcluster-*-v1-do-not-delete",
"arn:aws:s3:::parallelcluster-*-v1-do-not-delete/*"
]
}
]
}
```
------
#### Compute nodes IAM role
[`Scheduling`](Scheduling-v3.md) / [`SlurmQueues`](Scheduling-v3.md#Scheduling-v3-SlurmQueues) / [`Iam`](Scheduling-v3.md#Scheduling-v3-SlurmQueues-Iam) / [` InstanceRole`](Scheduling-v3.md#yaml-Scheduling-SlurmQueues-Iam-InstanceRole) \| [`InstanceProfile`](Scheduling-v3.md#yaml-Scheduling-SlurmQueues-Iam-InstanceProfile)
This option allows to override the IAM role that is assigned to the compute nodes of the cluster. For more information, see [`InstanceProfile`](Scheduling-v3.md#yaml-Scheduling-SlurmQueues-Iam-InstanceProfile).
Here is the minimal set of policies to be used as part of this role:
+ `arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy` managed IAM policy. For more information, see [Create IAM roles and users for use with the CloudWatch agent](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/create-iam-roles-for-cloudwatch-agent.html) in the *Amazon CloudWatch User Guide*.
+ `arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore` managed IAM policy. For more information, see [AWS managed policies for AWS Systems Manager](https://docs.aws.amazon.com/systems-manager/latest/userguide/security_iam_service-with-iam.html#managed-policies) in the *AWS Systems Manager User Guide*.
+ Additional IAM policy:
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Action": [
"dynamodb:Query",
"dynamodb:UpdateItem",
"dynamodb:PutItem",
"dynamodb:GetItem"
],
"Resource": "arn:aws:dynamodb:{{us-east-1}}:{{111122223333}}:table/parallelcluster-*",
"Effect": "Allow"
},
{
"Action": "s3:GetObject",
"Resource": [
"arn:aws:s3:::{{us-east-1}}-aws-parallelcluster/*"
],
"Effect": "Allow"
},
{
"Action": "ec2:DescribeInstanceAttribute",
"Resource": "*",
"Effect": "Allow"
},
{
"Action": "cloudformation:DescribeStackResource",
"Resource": [
"arn:aws:cloudformation:{{us-east-1}}:{{111122223333}}:stack/*/*"
],
"Effect": "Allow"
}
]
}
```
------
#### Permissions boundary
[`Iam`](Iam-v3.md) / [`PermissionsBoundary`](Iam-v3.md#yaml-Iam-PermissionsBoundary)
This parameter forces AWS ParallelCluster to attach the given IAM policy as a `PermissionsBoundary` to all IAM roles that are created as part of a cluster deployment.
See [`PermissionsBoundary` mode](#iam-roles-in-parallelcluster-v3-permissionsboundary-mode) for the list of policies required by the user when this setting is defined.
### Custom Image configuration
**Topics**
+ [Instance role for EC2 Image Builder](#iam-roles-in-parallelcluster-v3-custom-image-configuration-instancerole)
+ [AWS Lambda cleanup role](#iam-roles-in-parallelcluster-v3-custom-image-configuration-cleanuplambdarole)
+ [Additional IAM policies](#iam-roles-in-parallelcluster-v3-custom-image-configuration-additionaliampolicies)
+ [Permissions boundary](#iam-roles-in-parallelcluster-v3-custom-image-configuration-permissionsboundary)
#### Instance role for EC2 Image Builder
[`Build`](Build-v3.md) / [`Iam`](Build-v3.md#Build-v3-Iam) / [`InstanceRole`](Build-v3.md#yaml-build-image-Build-Iam-InstanceRole) \| [`InstanceProfile`](Build-v3.md#yaml-build-image-Build-Iam-InstanceProfile)
With this option you override the IAM role that is assigned to the Amazon EC2 instance launched by EC2 Image Builder to create a custom AMI.
Here is the minimal set of policies to be used as part of this role:
+ `arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore` managed IAM policy. For more information, see [AWS managed policies for AWS Systems Manager](https://docs.aws.amazon.com/systems-manager/latest/userguide/security_iam_service-with-iam.html#managed-policies) in the *AWS Systems Manager User Guide*.
+ `arn:aws:iam::aws:policy/EC2InstanceProfileForImageBuilder` managed IAM policy. For more information, see [`EC2InstanceProfileForImageBuilder` policy](https://docs.aws.amazon.com/imagebuilder/latest/userguide/security-iam-awsmanpol.html#sec-iam-manpol-EC2InstanceProfileForImageBuilder) in the *Image Builder User Guide*.
+ Additional IAM policy:
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Action": [
"ec2:CreateTags",
"ec2:ModifyImageAttribute"
],
"Resource": "arn:aws:ec2:{{us-east-1}}::image/*",
"Effect": "Allow"
}
]
}
```
------
#### AWS Lambda cleanup role
[`Build`](Build-v3.md) / [`Iam`](Build-v3.md#Build-v3-Iam) / [`CleanupLambdaRole`](Build-v3.md#yaml-build-image-Build-Iam-CleanupLambdaRole)
This option overrides the role attached to all AWS Lambda functions that are used during the custom image build process. AWS Lambda needs to be configured as the principal allowed to assume the role.
**Note**
If [`DeploymentSettings`](DeploymentSettings-build-image-v3.md) / [`LambdaFunctionsVpcConfig`](DeploymentSettings-build-image-v3.md#DeploymentSettings-build-image-v3-LambdaFunctionsVpcConfig) is set, the `CleanupLambdaRole` must include the [AWS Lambda role permission](https://docs.aws.amazon.com/lambda/latest/dg/configuration-vpc.html#vpc-permissions) to set the VPC configuration.
Here is the minimal set of policies to be used as part of this role:
+ `arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole` managed IAM policy. For more information, see [AWS managed policies for Lambda features](https://docs.aws.amazon.com/lambda/latest/dg/lambda-intro-execution-role.html#permissions-executionrole-features) in the *AWS Lambda Developer Guide*.
+ Additional IAM policy:
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Action": [
"iam:DetachRolePolicy",
"iam:DeleteRole",
"iam:DeleteRolePolicy"
],
"Resource": "arn:aws:iam::{{111122223333}}:role/parallelcluster/*",
"Effect": "Allow"
},
{
"Action": [
"iam:DeleteInstanceProfile",
"iam:RemoveRoleFromInstanceProfile"
],
"Resource": "arn:aws:iam::{{111122223333}}:instance-profile/parallelcluster/*",
"Effect": "Allow"
},
{
"Action": "imagebuilder:DeleteInfrastructureConfiguration",
"Resource": "arn:aws:imagebuilder:{{us-east-1}}:{{111122223333}}:infrastructure-configuration/parallelclusterimage-*",
"Effect": "Allow"
},
{
"Action": [
"imagebuilder:DeleteComponent"
],
"Resource": [
"arn:aws:imagebuilder:{{us-east-1}}:{{111122223333}}:component/parallelclusterimage-*/*"
],
"Effect": "Allow"
},
{
"Action": "imagebuilder:DeleteImageRecipe",
"Resource": "arn:aws:imagebuilder:{{us-east-1}}:{{111122223333}}:image-recipe/parallelclusterimage-*/*",
"Effect": "Allow"
},
{
"Action": "imagebuilder:DeleteDistributionConfiguration",
"Resource": "arn:aws:imagebuilder:{{us-east-1}}:{{111122223333}}:distribution-configuration/parallelclusterimage-*",
"Effect": "Allow"
},
{
"Action": [
"imagebuilder:DeleteImage",
"imagebuilder:GetImage",
"imagebuilder:CancelImageCreation"
],
"Resource": "arn:aws:imagebuilder:{{us-east-1}}:{{111122223333}}:image/parallelclusterimage-*/*",
"Effect": "Allow"
},
{
"Action": "cloudformation:DeleteStack",
"Resource": "arn:aws:cloudformation:{{us-east-1}}:{{111122223333}}:stack/*/*",
"Effect": "Allow"
},
{
"Action": "ec2:CreateTags",
"Resource": "arn:aws:ec2:{{us-east-1}}::image/*",
"Effect": "Allow"
},
{
"Action": "tag:TagResources",
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"lambda:DeleteFunction",
"lambda:RemovePermission"
],
"Resource": "arn:aws:lambda:{{us-east-1}}:{{111122223333}}:function:ParallelClusterImage-*",
"Effect": "Allow"
},
{
"Action": "logs:DeleteLogGroup",
"Resource": "arn:aws:logs:{{us-east-1}}:{{111122223333}}:log-group:/aws/lambda/ParallelClusterImage-*:*",
"Effect": "Allow"
},
{
"Action": [
"SNS:GetTopicAttributes",
"SNS:DeleteTopic",
"SNS:GetSubscriptionAttributes",
"SNS:Unsubscribe"
],
"Resource": "arn:aws:sns:{{us-east-1}}:{{111122223333}}:ParallelClusterImage-*",
"Effect": "Allow"
}
]
}
```
------
#### Additional IAM policies
[`Build`](Build-v3.md) / [`Iam`](Build-v3.md#Build-v3-Iam) / [`AdditionalIamPolicies`](Build-v3.md#yaml-build-image-Build-Iam-AdditionalIamPolicies)
You use this option to attach additional managed IAM policies to the role associated with the Amazon EC2 instance used by EC2 Image Builder to produce the custom AMI.
**Warning**
To use this option, make sure the [AWS ParallelClusteruser](#iam-roles-in-parallelcluster-v3-user-policy-manage-iam) is granted `iam:AttachRolePolicy` and `iam:DetachRolePolicy` permissions for the IAM policies that need to be attached.
#### Permissions boundary
[`Build`](Build-v3.md) / [`Iam`](Build-v3.md#Build-v3-Iam) / [`PermissionsBoundary`](Build-v3.md#yaml-build-image-Build-Iam-PermissionsBoundary)
This parameter forces AWS ParallelCluster to attach the given IAM policy as a `PermissionsBoundary` to all IAM roles that are created as part of custom AMI build.
See [`PermissionsBoundary` mode](#iam-roles-in-parallelcluster-v3-permissionsboundary-mode) for the list of policies required to use such functionality.