# Minimum permissions for AWS PCS
This section describes the minimum IAM permissions required for an IAM identity (user, group, or role) to use the service.
**Contents**
+ [Minimum permissions to use API actions](#security-min-permissions_api)
+ [Minimum permissions to use tags](#security-min-permissions_tagging)
+ [Minimum permissions to support logs](#security-min-permissions_logging)
+ [Minimum permissions to use Capacity Blocks](#security-min-permissions_capacity-blocks)
+ [Minimum permissions for a service administrator](#security-min-permissions_admin-policy)
## Minimum permissions to use API actions
| API action | Minimum permissions | Additional permissions for the console |
| --- | --- | --- |
| CreateCluster | ec2:CreateNetworkInterface,
ec2:DescribeVpcs,
ec2:DescribeSubnets,
ec2:DescribeSecurityGroups,
ec2:GetSecurityGroupsForVpc,
iam:CreateServiceLinkedRole,
secretsmanager:CreateSecret,
secretsmanager:TagResource,
secretsmanager:RotateSecret,
pcs:CreateCluster
| |
| ListClusters | pcs:ListClusters
| |
| GetCluster | pcs:GetCluster
| ec2:DescribeSubnets
|
| DeleteCluster | pcs:DeleteCluster
| |
| CreateComputeNodeGroup | ec2:DescribeVpcs,
ec2:DescribeSubnets,
ec2:DescribeSecurityGroups,
ec2:DescribeLaunchTemplates,
ec2:DescribeLaunchTemplateVersions,
ec2:DescribeInstanceTypes,
ec2:DescribeInstanceTypeOfferings,
ec2:RunInstances,
ec2:CreateFleet,
ec2:CreateTags,
iam:PassRole,
iam:GetInstanceProfile,
pcs:CreateComputeNodeGroup
| iam:ListInstanceProfiles,
ec2:DescribeImages,
pcs:GetCluster
|
| ListComputerNodeGroups | pcs:ListComputeNodeGroups
| pcs:GetCluster
|
| GetComputeNodeGroup | pcs:GetComputeNodeGroup
| ec2:DescribeSubnets
|
| UpdateComputeNodeGroup | ec2:DescribeVpcs,
ec2:DescribeSubnets,
ec2:DescribeSecurityGroups,
ec2:DescribeLaunchTemplates,
ec2:DescribeLaunchTemplateVersions,
ec2:DescribeInstanceTypes,
ec2:DescribeInstanceTypeOfferings,
ec2:RunInstances,
ec2:CreateFleet,
ec2:CreateTags,
iam:PassRole,
iam:GetInstanceProfile,
pcs:UpdateComputeNodeGroup
| pcs:GetComputeNodeGroup,
iam:ListInstanceProfiles,
ec2:DescribeImages,
pcs:GetCluster
|
| DeleteComputeNodeGroup | pcs:DeleteComputeNodeGroup
| |
| CreateQueue | pcs:CreateQueue
| pcs:ListComputeNodeGroups,
pcs:GetCluster
|
| ListQueues | pcs:ListQueues
| pcs:GetCluster
|
| GetQueue | pcs:GetQueue
| |
| UpdateQueue | pcs:UpdateQueue
| pcs:ListComputeNodeGroups,
pcs:GetQueue
|
| DeleteQueue | pcs:DeleteQueue
| |
## Minimum permissions to use tags
The following permissions are required to use tags with your resources in AWS PCS.
```
pcs:ListTagsForResource,
pcs:TagResource,
pcs:UntagResource
```
## Minimum permissions to support logs
AWS PCS sends log data to Amazon CloudWatch Logs (CloudWatch Logs). You must make sure that your identity has the minimum permissions to use CloudWatch Logs. For more information, see [Overview of managing access permissions to your CloudWatch Logs resources](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/iam-access-control-overview-cwl.html) in the *Amazon CloudWatch Logs User Guide*.
For information about permissions required for a service to send logs to CloudWatch Logs, see [Enabling logging from AWS services](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/AWS-logs-and-resource-policy.html#AWS-vended-logs-permissions-V2) in the *Amazon CloudWatch Logs User Guide*.
## Minimum permissions to use Capacity Blocks
Amazon EC2 Capacity Blocks for ML is an Amazon EC2 purchasing option that enables you to pay in advance to reserve GPU-based accelerated computing instances within a specific date and time range to support short duration workloads. For more information, see [Using Amazon EC2 Capacity Blocks for ML with AWS PCS](capacity-blocks.md).
You choose to use Capacity Blocks when you create or update a compute node group. The IAM identity you use to create or update the compute node group must have the following permission:
```
ec2:DescribeCapacityReservations
```
## Minimum permissions for a service administrator
The following IAM policy specifies the minimum permissions required for an IAM identity (user, group, or role) to configure and manage the AWS PCS service.
**Note**
Users who don't configure and manage the service don't require these permissions. Users who only run jobs use secure shell (SSH) to connect to the cluster. AWS Identity and Access Management (IAM) doesn't handle authentication or authorization for SSH.
```
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "PCSAccess",
"Effect": "Allow",
"Action": [
"pcs:*"
],
"Resource": "*"
},
{
"Sid": "EC2Access",
"Effect": "Allow",
"Action": [
"ec2:CreateNetworkInterface",
"ec2:DescribeImages",
"ec2:GetSecurityGroupsForVpc",
"ec2:DescribeSubnets",
"ec2:DescribeSecurityGroups",
"ec2:DescribeVpcs",
"ec2:DescribeLaunchTemplates",
"ec2:DescribeLaunchTemplateVersions",
"ec2:DescribeInstanceTypes",
"ec2:DescribeInstanceTypeOfferings",
"ec2:RunInstances",
"ec2:CreateFleet",
"ec2:CreateTags",
"ec2:DescribeCapacityReservations"
],
"Resource": "*"
},
{
"Sid": "IamInstanceProfile",
"Effect": "Allow",
"Action": [
"iam:GetInstanceProfile"
],
"Resource": "*"
},
{
"Sid": "IamPassRole",
"Effect": "Allow",
"Action": [
"iam:PassRole"
],
"Resource": [
"arn:aws:iam::*:role/*/AWSPCS*",
"arn:aws:iam::*:role/AWSPCS*",
"arn:aws:iam::*:role/aws-pcs/*",
"arn:aws:iam::*:role/*/aws-pcs/*"
],
"Condition": {
"StringEquals": {
"iam:PassedToService": [
"ec2.amazonaws.com"
]
}
}
},
{
"Sid": "SLRAccess",
"Effect": "Allow",
"Action": [
"iam:CreateServiceLinkedRole"
],
"Resource": [
"arn:aws:iam::*:role/aws-service-role/pcs.amazonaws.com/AWSServiceRoleFor*",
"arn:aws:iam::*:role/aws-service-role/spot.amazonaws.com/AWSServiceRoleFor*"
],
"Condition": {
"StringLike": {
"iam:AWSServiceName": [
"pcs.amazonaws.com",
"spot.amazonaws.com"
]
}
}
},
{
"Sid": "AccessKMSKey",
"Effect": "Allow",
"Action": [
"kms:Decrypt",
"kms:Encrypt",
"kms:GenerateDataKey",
"kms:CreateGrant",
"kms:DescribeKey"
],
"Resource": "*"
},
{
"Sid": "SecretManagementAccess",
"Effect": "Allow",
"Action": [
"secretsmanager:CreateSecret",
"secretsmanager:TagResource",
"secretsmanager:UpdateSecret",
"secretsmanager:RotateSecret"
],
"Resource": "*"
},
{
"Sid": "ServiceLogsDelivery",
"Effect": "Allow",
"Action": [
"pcs:AllowVendedLogDeliveryForResource",
"logs:PutDeliverySource",
"logs:PutDeliveryDestination",
"logs:CreateDelivery"
],
"Resource": "*"
}
]
}
```