IAM instance profiles for AWS Parallel Computing Service - AWS PCS
RequirementsAdditional policies

IAM instance profiles for AWS Parallel Computing Service

Applications that run on an EC2 instance must include AWS credentials in any AWS API requests they make. We recommend you use an IAM role to manage temporary credentials on the EC2 instance. You can define an instance profile to do this, and attach it to your instances. For more information, see IAM roles for Amazon EC2 in the Amazon Elastic Compute Cloud User Guide.

Note

When you use the AWS Management Console to create an IAM role for Amazon EC2, the console creates an instance profile automatically and gives it the same name as the IAM role. If you use the AWS CLI, AWS API actions, or an AWS SDK to create the IAM role, you create the instance profile as a separate action. For more information, see Instance profiles in the Amazon Elastic Compute Cloud User Guide.

You must specify the Amazon Resource Name (ARN) of an instance profile when you create a compute node groups. You can choose different instance profiles for some or all compute node groups.

Requirements

IAM role of the instance profile

The IAM role associated with the instance profile must have /aws-pcs/ in its path, or its name must start with AWSPCS.

Example IAM role ARNs

  • arn:aws:iam::*:role/AWSPCS-example-role-1

  • arn:aws:iam::*:role/aws-pcs/example-role-2

Permissions

The IAM role associated with the instance profile for AWS PCS must include the following policy.

JSON
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "pcs:RegisterComputeNodeGroupInstance"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}

Additional policies

Consider adding managed policies to the instance profile. For example:

You can also include your own IAM policies that support your specific use case.