

This is a machine-translated version. If the content of this translation differs from the English original, the English original takes precedence.

# AWS Identity and Access Management roles in AWS ParallelCluster
<a name="iam"></a>

AWS ParallelCluster uses AWS Identity and Access Management (IAM) roles for Amazon EC2 so that instances can access the AWS services used to deploy and run clusters. By default, the IAM role for Amazon EC2 is created when the cluster is created. This means that the user who creates the cluster must have the appropriate level of permissions, as described in the following sections.

AWS ParallelCluster uses multiple AWS services to deploy and operate clusters. For the complete list, see the [AWS services used in AWS ParallelCluster](aws-services.md) section.

You can track changes to the example policies in the [AWS ParallelCluster documentation on GitHub](https://github.com/awsdocs/aws-parallelcluster-user-guide/blame/main/doc_source/iam.md).

**Topics**
+ [Defaults for creating a cluster](#defaults)
+ [Using an existing IAM role for Amazon EC2](#using-an-existing-ec2-iam-role)
+ [AWS ParallelCluster example instance and user policies](#example-parallelcluser-policies)

## Defaults for creating a cluster
<a name="defaults"></a>

If you use the default settings when creating a cluster, the cluster creates a default IAM role for Amazon EC2. The user who creates the cluster must have the appropriate level of permissions to create all of the resources required to launch the cluster. This includes creating the IAM role for Amazon EC2. Typically, the user must have the permissions of the *AdministratorAccess* managed policy when using the default settings. For information about managed policies, see [AWS managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies) in the *IAM User Guide*.

## Using an existing IAM role for Amazon EC2
<a name="using-an-existing-ec2-iam-role"></a>

When creating a cluster, you can use an existing [`ec2_iam_role`](cluster-definition.md#ec2-iam-role) instead of the default settings, but you must define the IAM policies and roles before you try to launch the cluster. Typically, you choose an existing IAM role for Amazon EC2 to minimize the permissions granted to users when they launch a cluster. The [AWS ParallelCluster example instance and user policies](#example-parallelcluser-policies) include the minimum permissions required by AWS ParallelCluster and its features. You must create the policies and roles as separate policies in IAM, and then attach those roles and policies to the appropriate resources. Some role policies can become large and cause quota errors. For more information, see [Troubleshooting IAM policy size issues](troubleshooting.md#troubleshooting-policy-size-issues). In the policies, replace `{{<REGION>}}`, `{{<AWS ACCOUNT ID>}}`, and similar strings with the appropriate values.

If you intend to add extra policies to the default settings for the cluster nodes, we recommend that you pass the additional custom IAM policies with the [`additional_iam_policies`](cluster-definition.md#additional-iam-policies) setting rather than with the [`ec2_iam_role`](cluster-definition.md#ec2-iam-role) setting.

## AWS ParallelCluster example instance and user policies
<a name="example-parallelcluser-policies"></a>

The following example policies include Amazon Resource Names (ARNs) for the resources. If you work in the AWS GovCloud (US) or AWS China partitions, the ARNs must be changed. Specifically, they must be changed from "arn:aws" to "arn:aws-us-gov" for the AWS GovCloud (US) partition, and from "arn:aws" to "arn:aws-cn" for the AWS China partition. For more information, see [Amazon Resource Names (ARNs) in AWS GovCloud (US) Regions](https://docs.aws.amazon.com/govcloud-us/latest/UserGuide/using-govcloud-arns.html) in the *AWS GovCloud (US) User Guide* and [ARNs for AWS services in China](https://docs.amazonaws.cn/aws/latest/userguide/ARNs.html) in *Getting Started with AWS services in China*.

These policies include the minimum permissions currently required by AWS ParallelCluster, its features, and its resources. Some role policies can become large and cause quota errors. For more information, see [Troubleshooting IAM policy size issues](troubleshooting.md#troubleshooting-policy-size-issues).

**Topics**
+ [`ParallelClusterInstancePolicy` using SGE, Slurm, or Torque](#parallelclusterinstancepolicy)
+ [`ParallelClusterInstancePolicy` using `awsbatch`](#parallelclusterinstancepolicy-batch)
+ [`ParallelClusterUserPolicy` using Slurm](#parallelclusteruserpolicy)
+ [`ParallelClusterUserPolicy` using SGE or Torque](#parallelclusteruserpolicy-sge-torque)
+ [`ParallelClusterUserPolicy` using `awsbatch`](#parallelclusteruserpolicy-batch)
+ [`ParallelClusterLambdaPolicy` using SGE, Slurm, or Torque](#parallelcluster-lambda-policy)
+ [`ParallelClusterLambdaPolicy` using `awsbatch`](#parallelcluster-lambda-policy-batch)
+ [`ParallelClusterUserPolicy` for users](#parallelclusteruserpolicy-minimal-user)

### `ParallelClusterInstancePolicy` using SGE, Slurm, or Torque
<a name="parallelclusterinstancepolicy"></a>

**Note**  
Starting with version 2.11.5, AWS ParallelCluster doesn't support the use of the SGE or Torque schedulers. You can continue to use them in versions up to and including 2.11.4, but they aren't eligible for future updates or troubleshooting support from the AWS service and AWS Support teams.

**Topics**
+ [`ParallelClusterInstancePolicy` using Slurm](#parallelclusterinstancepolicy-slurm)
+ [`ParallelClusterInstancePolicy` using SGE or Torque](#parallelclusterinstancepolicy-sge-torque)

#### `ParallelClusterInstancePolicy` using Slurm
<a name="parallelclusterinstancepolicy-slurm"></a>

The following example sets the `ParallelClusterInstancePolicy`, using Slurm as the scheduler.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "ec2:DescribeVolumes",
                "ec2:AttachVolume",
                "ec2:DescribeInstanceAttribute",
                "ec2:DescribeInstanceStatus",
                "ec2:DescribeInstanceTypes",
                "ec2:DescribeInstances",
                "ec2:DescribeRegions",
                "ec2:TerminateInstances",
                "ec2:DescribeLaunchTemplates",
                "ec2:CreateTags"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Allow",
            "Sid": "EC2"
        },
        {
            "Action": "ec2:RunInstances",
            "Resource": [
                "arn:aws:ec2:{{us-east-1}}:{{111122223333}}:subnet/{{<COMPUTE SUBNET ID>}}",
                "arn:aws:ec2:{{us-east-1}}:{{111122223333}}:network-interface/*",
                "arn:aws:ec2:{{us-east-1}}:{{111122223333}}:instance/*",
                "arn:aws:ec2:{{us-east-1}}:{{111122223333}}:volume/*",
                "arn:aws:ec2:{{us-east-1}}::image/{{<IMAGE ID>}}",
                "arn:aws:ec2:{{us-east-1}}:{{111122223333}}:key-pair/{{<KEY NAME>}}",
                "arn:aws:ec2:{{us-east-1}}:{{111122223333}}:security-group/*",
                "arn:aws:ec2:{{us-east-1}}:{{111122223333}}:launch-template/*",
                "arn:aws:ec2:{{us-east-1}}:{{111122223333}}:placement-group/*"
            ],
            "Effect": "Allow",
            "Sid": "EC2RunInstances"
        },
        {
            "Action": [
                "dynamodb:ListTables"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Allow",
            "Sid": "DynamoDBList"
        },
        {
            "Action": [
                "cloudformation:DescribeStacks",
                "cloudformation:DescribeStackResource",
                "cloudformation:SignalResource"
            ],
            "Resource": [
                "arn:aws:cloudformation:{{us-east-1}}:{{111122223333}}:stack/parallelcluster-*/*"
            ],
            "Effect": "Allow",
            "Sid": "CloudFormation"
        },
        {
            "Action": [
                "dynamodb:PutItem",
                "dynamodb:Query",
                "dynamodb:GetItem",
                "dynamodb:BatchWriteItem",
                "dynamodb:DeleteItem",
                "dynamodb:DescribeTable"
            ],
            "Resource": [
                "arn:aws:dynamodb:{{us-east-1}}:{{111122223333}}:table/parallelcluster-*"
            ],
            "Effect": "Allow",
            "Sid": "DynamoDBTable"
        },
        {
            "Action": [
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::{{us-east-1}}-aws-parallelcluster/*"
            ],
            "Effect": "Allow",
            "Sid": "S3GetObj"
        },
        {
            "Action": [
                "iam:PassRole"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Allow",
            "Sid": "IAMPassRole",
            "Condition": {
                "StringEquals": {
                    "iam:PassedToService": [
                        "ec2.amazonaws.com"
                    ]
                }
            }
        },
        {
            "Action": [
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::dcv-license.{{us-east-1}}/*"
            ],
            "Effect": "Allow",
            "Sid": "DcvLicense"
        },
        {
            "Action": [
                "s3:GetObject",
                "s3:GetObjectVersion"
            ],
            "Resource": [
                "arn:aws:s3:::parallelcluster-*/*"
            ],
            "Effect": "Allow",
            "Sid": "GetClusterConfig"
        },
        {
            "Action": [
                "fsx:DescribeFileSystems"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Allow",
            "Sid": "FSx"
        },
        {
            "Action": [
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Allow",
            "Sid": "CWLogs"
        },
        {
            "Action": [
                "route53:ChangeResourceRecordSets"
            ],
            "Resource": [
                "arn:aws:route53:::hostedzone/*"
            ],
            "Effect": "Allow",
            "Sid": "Route53"
        }
    ]
}
```


#### `ParallelClusterInstancePolicy` using SGE or Torque
<a name="parallelclusterinstancepolicy-sge-torque"></a>

The following example sets the `ParallelClusterInstancePolicy`, using SGE or Torque as the scheduler.

**Note**  
This policy applies only to AWS ParallelCluster versions 2.11.4 and earlier. Starting with version 2.11.5, AWS ParallelCluster doesn't support the use of the SGE or Torque schedulers.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "ec2:DescribeVolumes",
                "ec2:AttachVolume",
                "ec2:DescribeInstanceAttribute",
                "ec2:DescribeInstanceStatus",
                "ec2:DescribeInstanceTypes",
                "ec2:DescribeInstances",
                "ec2:DescribeRegions",
                "ec2:TerminateInstances",
                "ec2:DescribeLaunchTemplates",
                "ec2:CreateTags"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Allow",
            "Sid": "EC2"
        },
        {
            "Action": "ec2:RunInstances",
            "Resource": [
                "arn:aws:ec2:{{us-east-1}}:{{111122223333}}:subnet/{{<COMPUTE SUBNET ID>}}",
                "arn:aws:ec2:{{us-east-1}}:{{111122223333}}:network-interface/*",
                "arn:aws:ec2:{{us-east-1}}:{{111122223333}}:instance/*",
                "arn:aws:ec2:{{us-east-1}}:{{111122223333}}:volume/*",
                "arn:aws:ec2:{{us-east-1}}::image/{{<IMAGE ID>}}",
                "arn:aws:ec2:{{us-east-1}}:{{111122223333}}:key-pair/{{<KEY NAME>}}",
                "arn:aws:ec2:{{us-east-1}}:{{111122223333}}:security-group/*",
                "arn:aws:ec2:{{us-east-1}}:{{111122223333}}:launch-template/*",
                "arn:aws:ec2:{{us-east-1}}:{{111122223333}}:placement-group/*"
            ],
            "Effect": "Allow",
            "Sid": "EC2RunInstances"
        },
        {
            "Action": [
                "dynamodb:ListTables"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Allow",
            "Sid": "DynamoDBList"
        },
        {
            "Action": [
                "sqs:SendMessage",
                "sqs:ReceiveMessage",
                "sqs:ChangeMessageVisibility",
                "sqs:DeleteMessage",
                "sqs:GetQueueUrl"
            ],
            "Resource": [
                "arn:aws:sqs:{{us-east-1}}:{{111122223333}}:parallelcluster-*"
            ],
            "Effect": "Allow",
            "Sid": "SQSQueue"
        },
        {
            "Action": [
                "autoscaling:DescribeAutoScalingGroups",
                "autoscaling:TerminateInstanceInAutoScalingGroup",
                "autoscaling:SetDesiredCapacity",
                "autoscaling:UpdateAutoScalingGroup",
                "autoscaling:DescribeTags",
                "autoscaling:SetInstanceHealth"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Allow",
            "Sid": "Autoscaling"
        },
        {
            "Action": [
                "cloudformation:DescribeStacks",
                "cloudformation:DescribeStackResource",
                "cloudformation:SignalResource"
            ],
            "Resource": [
                "arn:aws:cloudformation:{{us-east-1}}:{{111122223333}}:stack/parallelcluster-*/*"
            ],
            "Effect": "Allow",
            "Sid": "CloudFormation"
        },
        {
            "Action": [
                "dynamodb:PutItem",
                "dynamodb:Query",
                "dynamodb:GetItem",
                "dynamodb:BatchWriteItem",
                "dynamodb:DeleteItem",
                "dynamodb:DescribeTable"
            ],
            "Resource": [
                "arn:aws:dynamodb:{{us-east-1}}:{{111122223333}}:table/parallelcluster-*"
            ],
            "Effect": "Allow",
            "Sid": "DynamoDBTable"
        },
        {
            "Action": [
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::{{us-east-1}}-aws-parallelcluster/*"
            ],
            "Effect": "Allow",
            "Sid": "S3GetObj"
        },
        {
            "Action": [
                "sqs:ListQueues"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Allow",
            "Sid": "SQSList"
        },
        {
            "Action": [
                "iam:PassRole"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Allow",
            "Sid": "IAMPassRole",
            "Condition": {
                "StringEquals": {
                    "iam:PassedToService": [
                        "ec2.amazonaws.com"
                    ]
                }
            }
        },
        {
            "Action": [
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::dcv-license.{{us-east-1}}/*"
            ],
            "Effect": "Allow",
            "Sid": "DcvLicense"
        },
        {
            "Action": [
                "s3:GetObject",
                "s3:GetObjectVersion"
            ],
            "Resource": [
                "arn:aws:s3:::parallelcluster-*/*"
            ],
            "Effect": "Allow",
            "Sid": "GetClusterConfig"
        },
        {
            "Action": [
                "fsx:DescribeFileSystems"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Allow",
            "Sid": "FSx"
        },
        {
            "Action": [
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Allow",
            "Sid": "CWLogs"
        },
        {
            "Action": [
                "route53:ChangeResourceRecordSets"
            ],
            "Resource": [
                "arn:aws:route53:::hostedzone/*"
            ],
            "Effect": "Allow",
            "Sid": "Route53"
        }
    ]
}
```


### `ParallelClusterInstancePolicy` using `awsbatch`
<a name="parallelclusterinstancepolicy-batch"></a>

The following example sets the `ParallelClusterInstancePolicy`, using `awsbatch` as the scheduler. You must include the same policies that are assigned to the `BatchUserRole` defined in the AWS Batch CloudFormation nested stack. The `BatchUserRole` ARN is provided as a stack output. In this example, `{{<RESOURCES S3 BUCKET>}}` is the value of the [`cluster_resource_bucket`](cluster-definition.md#cluster-resource-bucket-section) setting; if [`cluster_resource_bucket`](cluster-definition.md#cluster-resource-bucket-section) is not specified, then `{{<RESOURCES S3 BUCKET>}}` is `parallelcluster-*`. The following example outlines the required permissions:

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "batch:RegisterJobDefinition",
                "logs:GetLogEvents"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "batch:SubmitJob",
                "cloudformation:DescribeStacks",
                "ecs:ListContainerInstances",
                "ecs:DescribeContainerInstances",
                "logs:FilterLogEvents",
                "s3:PutObject",
                "s3:Get*",
                "s3:DeleteObject",
                "iam:PassRole"
            ],
            "Resource": [
                "arn:aws:batch:{{us-east-1}}:{{111122223333}}:job-definition/{{<AWS_BATCH_STACK - JOB_DEFINITION_SERIAL_NAME>}}:1",
                "arn:aws:batch:{{us-east-1}}:{{111122223333}}:job-definition/{{<AWS_BATCH_STACK - JOB_DEFINITION_MNP_NAME>}}*",
                "arn:aws:batch:{{us-east-1}}:{{111122223333}}:job-queue/{{<AWS_BATCH_STACK - JOB_QUEUE_NAME>}}",
                "arn:aws:cloudformation:{{us-east-1}}:{{111122223333}}:stack/{{<STACK NAME>}}/*",
                "arn:aws:s3:::{{amzn-s3-demo-bucket}}/batch/*",
                "arn:aws:iam::{{111122223333}}:role/{{<AWS_BATCH_STACK - JOB_ROLE>}}",
                "arn:aws:ecs:{{us-east-1}}:{{111122223333}}:cluster/{{<ECS COMPUTE ENVIRONMENT>}}",
                "arn:aws:ecs:{{us-east-1}}:{{111122223333}}:container-instance/*",
                "arn:aws:logs:{{us-east-1}}:{{111122223333}}:log-group:/aws/batch/job:log-stream:*"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "s3:List*"
            ],
            "Resource": [
                "arn:aws:s3:::{{amzn-s3-demo-bucket}}"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "batch:DescribeJobQueues",
                "batch:TerminateJob",
                "batch:DescribeJobs",
                "batch:CancelJob",
                "batch:DescribeJobDefinitions",
                "batch:ListJobs",
                "batch:DescribeComputeEnvironments"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "ec2:DescribeInstances",
                "ec2:AttachVolume",
                "ec2:DescribeVolumes",
                "ec2:DescribeInstanceAttribute"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "EC2"
        },
        {
            "Action": [
                "cloudformation:DescribeStackResource",
                "cloudformation:SignalResource"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "CloudFormation"
        },
        {
            "Action": [
                "fsx:DescribeFileSystems"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Allow",
            "Sid": "FSx"
        },
        {
            "Action": [
                "logs:CreateLogGroup",
                "logs:TagResource",
                "logs:UntagResource",
                "logs:CreateLogStream"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Allow",
            "Sid": "CWLogs"
        }
    ]
}
```


### `ParallelClusterUserPolicy` using Slurm
<a name="parallelclusteruserpolicy"></a>

The following example sets the `ParallelClusterUserPolicy`, using Slurm as the scheduler. In this example, `{{<RESOURCES S3 BUCKET>}}` is the value of the [`cluster_resource_bucket`](cluster-definition.md#cluster-resource-bucket-section) setting; if [`cluster_resource_bucket`](cluster-definition.md#cluster-resource-bucket-section) is not specified, then `{{<RESOURCES S3 BUCKET>}}` is `parallelcluster-*`.

**Note**  
If you use a custom role, [`ec2_iam_role`](cluster-definition.md#ec2-iam-role)` = {{<role_name>}}`, you must change the IAM resource to include the name of that role, from:  
`"Resource": "arn:aws:iam::{{<AWS ACCOUNT ID>}}:role/parallelcluster-*"`  
to:  
`"Resource": "arn:aws:iam::{{<AWS ACCOUNT ID>}}:role/{{<role_name>}}"`

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "ec2:DescribeKeyPairs",
                "ec2:DescribeRegions",
                "ec2:DescribeVpcs",
                "ec2:DescribeSubnets",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribePlacementGroups",
                "ec2:DescribeImages",
                "ec2:DescribeInstances",
                "ec2:DescribeInstanceStatus",
                "ec2:DescribeInstanceTypes",
                "ec2:DescribeInstanceTypeOfferings",
                "ec2:DescribeSnapshots",
                "ec2:DescribeVolumes",
                "ec2:DescribeVpcAttribute",
                "ec2:DescribeAddresses",
                "ec2:CreateTags",
                "ec2:DescribeNetworkInterfaces",
                "ec2:DescribeAvailabilityZones"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "EC2Describe"
        },
        {
            "Action": [
                "ec2:CreateVpc",
                "ec2:ModifyVpcAttribute",
                "ec2:DescribeNatGateways",
                "ec2:CreateNatGateway",
                "ec2:DescribeInternetGateways",
                "ec2:CreateInternetGateway",
                "ec2:AttachInternetGateway",
                "ec2:DescribeRouteTables",
                "ec2:CreateRoute",
                "ec2:CreateRouteTable",
                "ec2:AssociateRouteTable",
                "ec2:CreateSubnet",
                "ec2:ModifySubnetAttribute"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "NetworkingEasyConfig"
        },
        {
            "Action": [
                "ec2:CreateVolume",
                "ec2:RunInstances",
                "ec2:AllocateAddress",
                "ec2:AssociateAddress",
                "ec2:AttachNetworkInterface",
                "ec2:AuthorizeSecurityGroupEgress",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:CreateNetworkInterface",
                "ec2:CreateSecurityGroup",
                "ec2:ModifyVolumeAttribute",
                "ec2:ModifyNetworkInterfaceAttribute",
                "ec2:DeleteNetworkInterface",
                "ec2:DeleteVolume",
                "ec2:TerminateInstances",
                "ec2:DeleteSecurityGroup",
                "ec2:DisassociateAddress",
                "ec2:RevokeSecurityGroupIngress",
                "ec2:RevokeSecurityGroupEgress",
                "ec2:ReleaseAddress",
                "ec2:CreatePlacementGroup",
                "ec2:DeletePlacementGroup"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "EC2Modify"
        },
        {
            "Action": [
                "autoscaling:CreateAutoScalingGroup",
                "ec2:CreateLaunchTemplate",
                "ec2:CreateLaunchTemplateVersion",
                "ec2:ModifyLaunchTemplate",
                "ec2:DeleteLaunchTemplate",
                "ec2:DescribeLaunchTemplates",
                "ec2:DescribeLaunchTemplateVersions"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "ScalingModify"
        },
        {
            "Action": [
                "dynamodb:DescribeTable",
                "dynamodb:ListTagsOfResource"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "DynamoDBDescribe"
        },
        {
            "Action": [
                "dynamodb:CreateTable",
                "dynamodb:DeleteTable",
                "dynamodb:GetItem",
                "dynamodb:PutItem",
                "dynamodb:Query",
                "dynamodb:TagResource"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "DynamoDBModify"
        },
        {
            "Action": [
                "route53:ChangeResourceRecordSets",
                "route53:ChangeTagsForResource",
                "route53:CreateHostedZone",
                "route53:DeleteHostedZone",
                "route53:GetChange",
                "route53:GetHostedZone",
                "route53:ListResourceRecordSets",
                "route53:ListQueryLoggingConfigs"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "Route53HostedZones"
        },
        {
            "Action": [
                "cloudformation:DescribeStackEvents",
                "cloudformation:DescribeStackResource",
                "cloudformation:DescribeStackResources",
                "cloudformation:DescribeStacks",
                "cloudformation:ListStacks",
                "cloudformation:GetTemplate"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "CloudFormationDescribe"
        },
        {
            "Action": [
                "cloudformation:CreateStack",
                "cloudformation:DeleteStack",
                "cloudformation:UpdateStack"
            ],
            "Effect": "Allow",
            "Resource": "*",
            "Sid": "CloudFormationModify"
        },
        {
            "Action": [
                "s3:*"
            ],
            "Resource": [
                "arn:aws:s3:::{{amzn-s3-demo-bucket}}"
            ],
            "Effect": "Allow",
            "Sid": "S3ResourcesBucket"
        },
        {
            "Action": [
                "s3:Get*",
                "s3:List*"
            ],
            "Resource": [
                "arn:aws:s3:::{{us-east-1}}-aws-parallelcluster*"
            ],
            "Effect": "Allow",
            "Sid": "S3ParallelClusterReadOnly"
        },
        {
            "Action": [
                "s3:DeleteBucket",
                "s3:DeleteObject",
                "s3:DeleteObjectVersion"
            ],
            "Resource": [
                "arn:aws:s3:::{{amzn-s3-demo-bucket}}"
            ],
            "Effect": "Allow",
            "Sid": "S3Delete"
        },
        {
            "Action": [
                "iam:PassRole",
                "iam:CreateRole",
                "iam:DeleteRole",
                "iam:GetRole",
                "iam:TagRole",
                "iam:SimulatePrincipalPolicy"
            ],
            "Resource": [
                "arn:aws:iam::{{111122223333}}:role/{{<PARALLELCLUSTER EC2 ROLE NAME>}}",
                "arn:aws:iam::{{111122223333}}:role/parallelcluster-*"
            ],
            "Effect": "Allow",
            "Sid": "IAMModify"
        },
        {
            "Condition": {
                "StringEquals": {
                    "iam:AWSServiceName": [
                        "fsx.amazonaws.com",
                        "s3.data-source.lustre.fsx.amazonaws.com"
                    ]
                }
            },
            "Action": [
                "iam:CreateServiceLinkedRole"
            ],
            "Resource": "arn:aws:iam::{{111122223333}}:role/aws-service-role/*",
            "Effect": "Allow",
            "Sid": "IAMServiceLinkedRole"
        },
        {
            "Action": [
                "iam:CreateInstanceProfile",
                "iam:DeleteInstanceProfile"
            ],
            "Resource": "arn:aws:iam::{{111122223333}}:instance-profile/*",
            "Effect": "Allow",
            "Sid": "IAMCreateInstanceProfile"
        },
        {
            "Action": [
                "iam:AddRoleToInstanceProfile",
                "iam:RemoveRoleFromInstanceProfile",
                "iam:GetRolePolicy",
                "iam:GetPolicy",
                "iam:AttachRolePolicy",
                "iam:DetachRolePolicy",
                "iam:PutRolePolicy",
                "iam:DeleteRolePolicy"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "IAMInstanceProfile"
        },
        {
            "Action": [
                "elasticfilesystem:DescribeMountTargets",
                "elasticfilesystem:DescribeMountTargetSecurityGroups",
                "ec2:DescribeNetworkInterfaceAttribute"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "EFSDescribe"
        },
        {
            "Action": [
                "ssm:GetParametersByPath"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "SSMDescribe"
        },
        {
            "Action": [
                "fsx:*"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "FSx"
        },
        {
            "Action": [
                "elasticfilesystem:*"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "EFS"
        },
        {
            "Action": [
                "logs:DeleteLogGroup",
                "logs:PutRetentionPolicy",
                "logs:DescribeLogGroups",
                "logs:CreateLogGroup",
                "logs:TagResource",
                "logs:UntagResource"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "CloudWatchLogs"
        },
        {
            "Action": [
                "lambda:CreateFunction",
                "lambda:DeleteFunction",
                "lambda:GetFunctionConfiguration",
                "lambda:GetFunction",
                "lambda:InvokeFunction",
                "lambda:AddPermission",
                "lambda:RemovePermission",
                "lambda:TagResource",
                "lambda:ListTags",
                "lambda:UntagResource"
            ],
            "Resource": [
                "arn:aws:lambda:{{us-east-1}}:{{111122223333}}:function:parallelcluster-*",
                "arn:aws:lambda:{{us-east-1}}:{{111122223333}}:function:pcluster-*"
            ],
            "Effect": "Allow",
            "Sid": "Lambda"
        },
        {
            "Sid": "CloudWatch",
            "Effect": "Allow",
            "Action": [
                "cloudwatch:PutDashboard",
                "cloudwatch:ListDashboards",
                "cloudwatch:DeleteDashboards",
                "cloudwatch:GetDashboard"
            ],
            "Resource": "*"
        }
    ]
}
```
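An added example, not code from the AWS ParallelCluster documentation or project: a small Python helper that performs the edits this section asks for before a policy can be used (filling the `{{...}}` placeholders, switching the `arn:aws` partition prefix for AWS GovCloud (US) or AWS China, and narrowing `role/parallelcluster-*` to a custom `ec2_iam_role` name) and then checks the rendered policy for an `iam:PassRole` grant on every role that lacks the `iam:PassedToService` condition the instance policies above rely on. The embedded policy excerpt and the sample values are constructed for the example.

```python
"""Render and audit an AWS ParallelCluster IAM policy template (added example)."""
import copy
import json
import re

# Constructed, shortened excerpt in the shape of the ParallelClusterUserPolicy;
# the {{...}} tokens are the placeholders the documentation uses.
TEMPLATE = json.loads(r'''
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": ["iam:PassRole", "iam:CreateRole", "iam:GetRole"],
      "Resource": [
        "arn:aws:iam::{{111122223333}}:role/{{<PARALLELCLUSTER EC2 ROLE NAME>}}",
        "arn:aws:iam::{{111122223333}}:role/parallelcluster-*"
      ],
      "Effect": "Allow",
      "Sid": "IAMModify"
    },
    {
      "Action": ["s3:Get*", "s3:List*"],
      "Resource": ["arn:aws:s3:::{{us-east-1}}-aws-parallelcluster*"],
      "Effect": "Allow",
      "Sid": "S3ParallelClusterReadOnly"
    }
  ]
}
''')

VALID_PARTITIONS = {"aws", "aws-us-gov", "aws-cn"}
PLACEHOLDER = re.compile(r"\{\{(.+?)\}\}")


def render_policy(template, values, partition="aws", ec2_role_name=None):
    """Return a filled-in copy of a policy template.

    values:        mapping from placeholder text (without braces) to real value
    partition:     "aws", "aws-us-gov" or "aws-cn"; rewrites the arn:aws: prefix
    ec2_role_name: custom ec2_iam_role; narrows role/parallelcluster-* to it
    """
    if partition not in VALID_PARTITIONS:
        raise ValueError(f"unknown partition {partition!r}")

    def fill(text):
        def sub(match):
            key = match.group(1)
            if key not in values:
                raise KeyError(f"no value supplied for placeholder {key!r}")
            return values[key]
        text = PLACEHOLDER.sub(sub, text)
        # The partition is the second ARN field: arn:aws:... -> arn:aws-cn:...
        text = re.sub(r"^arn:aws:", f"arn:{partition}:", text)
        if ec2_role_name:
            text = text.replace(":role/parallelcluster-*", f":role/{ec2_role_name}")
        return text

    policy = copy.deepcopy(template)
    for stmt in policy["Statement"]:
        res = stmt["Resource"]
        stmt["Resource"] = fill(res) if isinstance(res, str) else [fill(r) for r in res]
    return policy


def _as_list(value):
    return value if isinstance(value, list) else [value]


def unscoped_passrole(policy):
    """Return the Sids of Allow statements that grant iam:PassRole on every role
    without an iam:PassedToService condition. The IAMPassRole statement in the
    instance policies keeps that condition, so it is not reported."""
    flagged = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        if not any(a in ("iam:PassRole", "iam:*", "*") for a in actions):
            continue
        resources = _as_list(stmt.get("Resource", []))
        wildcard = any(r == "*" or r.endswith(":role/*") for r in resources)
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if wildcard and "iam:PassedToService" not in cond:
            flagged.append(stmt.get("Sid", "<no Sid>"))
    return flagged


if __name__ == "__main__":
    # Sample values (constructed) for a GovCloud (US) deployment with a custom role.
    sample = {"111122223333": "123456789012", "us-east-1": "us-gov-west-1",
              "<PARALLELCLUSTER EC2 ROLE NAME>": "MyClusterEc2Role"}
    rendered = render_policy(TEMPLATE, sample, "aws-us-gov", "MyClusterEc2Role")
    print(json.dumps(rendered, indent=2))
    print("unscoped PassRole:", unscoped_passrole(rendered))
```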


### `ParallelClusterUserPolicy` using SGE or Torque
<a name="parallelclusteruserpolicy-sge-torque"></a>

**Note**  
This section applies only to AWS ParallelCluster versions 2.11.4 and earlier. Starting with version 2.11.5, AWS ParallelCluster doesn't support the use of the SGE or Torque schedulers.

The following example sets the `ParallelClusterUserPolicy`, using SGE or Torque as the scheduler. In this example, `{{<RESOURCES S3 BUCKET>}}` is the value of the [`cluster_resource_bucket`](cluster-definition.md#cluster-resource-bucket-section) setting; if [`cluster_resource_bucket`](cluster-definition.md#cluster-resource-bucket-section) is not specified, then `{{<RESOURCES S3 BUCKET>}}` is `parallelcluster-*`.

**Note**  
If you use a custom role, [`ec2_iam_role`](cluster-definition.md#ec2-iam-role)` = {{<role_name>}}`, you must change the IAM resource to include the name of that role, from:  
`"Resource": "arn:aws:iam::{{<AWS ACCOUNT ID>}}:role/parallelcluster-*"`  
to:  
`"Resource": "arn:aws:iam::{{<AWS ACCOUNT ID>}}:role/{{<role_name>}}"`

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "ec2:DescribeKeyPairs",
                "ec2:DescribeRegions",
                "ec2:DescribeVpcs",
                "ec2:DescribeSubnets",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribePlacementGroups",
                "ec2:DescribeImages",
                "ec2:DescribeInstances",
                "ec2:DescribeInstanceStatus",
                "ec2:DescribeInstanceTypes",
                "ec2:DescribeInstanceTypeOfferings",
                "ec2:DescribeSnapshots",
                "ec2:DescribeVolumes",
                "ec2:DescribeVpcAttribute",
                "ec2:DescribeAddresses",
                "ec2:CreateTags",
                "ec2:DescribeNetworkInterfaces",
                "ec2:DescribeAvailabilityZones"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "EC2Describe"
        },
        {
            "Action": [
                "ec2:CreateVpc",
                "ec2:ModifyVpcAttribute",
                "ec2:DescribeNatGateways",
                "ec2:CreateNatGateway",
                "ec2:DescribeInternetGateways",
                "ec2:CreateInternetGateway",
                "ec2:AttachInternetGateway",
                "ec2:DescribeRouteTables",
                "ec2:CreateRoute",
                "ec2:CreateRouteTable",
                "ec2:AssociateRouteTable",
                "ec2:CreateSubnet",
                "ec2:ModifySubnetAttribute"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "NetworkingEasyConfig"
        },
        {
            "Action": [
                "ec2:CreateVolume",
                "ec2:RunInstances",
                "ec2:AllocateAddress",
                "ec2:AssociateAddress",
                "ec2:AttachNetworkInterface",
                "ec2:AuthorizeSecurityGroupEgress",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:CreateNetworkInterface",
                "ec2:CreateSecurityGroup",
                "ec2:ModifyVolumeAttribute",
                "ec2:ModifyNetworkInterfaceAttribute",
                "ec2:DeleteNetworkInterface",
                "ec2:DeleteVolume",
                "ec2:TerminateInstances",
                "ec2:DeleteSecurityGroup",
                "ec2:DisassociateAddress",
                "ec2:RevokeSecurityGroupIngress",
                "ec2:RevokeSecurityGroupEgress",
                "ec2:ReleaseAddress",
                "ec2:CreatePlacementGroup",
                "ec2:DeletePlacementGroup"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "EC2Modify"
        },
        {
            "Action": [
                "autoscaling:DescribeAutoScalingGroups",
                "autoscaling:DescribeAutoScalingInstances"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "AutoScalingDescribe"
        },
        {
            "Action": [
                "autoscaling:CreateAutoScalingGroup",
                "ec2:CreateLaunchTemplate",
                "ec2:CreateLaunchTemplateVersion",
                "ec2:ModifyLaunchTemplate",
                "ec2:DeleteLaunchTemplate",
                "ec2:DescribeLaunchTemplates",
                "ec2:DescribeLaunchTemplateVersions",
                "autoscaling:PutNotificationConfiguration",
                "autoscaling:UpdateAutoScalingGroup",
                "autoscaling:PutScalingPolicy",
                "autoscaling:DescribeScalingActivities",
                "autoscaling:DeleteAutoScalingGroup",
                "autoscaling:DeletePolicy",
                "autoscaling:DisableMetricsCollection",
                "autoscaling:EnableMetricsCollection"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "AutoScalingModify"
        },
        {
            "Action": [
                "dynamodb:DescribeTable",
                "dynamodb:ListTagsOfResource"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "DynamoDBDescribe"
        },
        {
            "Action": [
                "dynamodb:CreateTable",
                "dynamodb:DeleteTable",
                "dynamodb:GetItem",
                "dynamodb:PutItem",
                "dynamodb:Query",
                "dynamodb:TagResource"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "DynamoDBModify"
        },
        {
            "Action": [
                "sqs:GetQueueAttributes"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "SQSDescribe"
        },
        {
            "Action": [
                "sqs:CreateQueue",
                "sqs:SetQueueAttributes",
                "sqs:DeleteQueue",
                "sqs:TagQueue"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "SQSModify"
        },
        {
            "Action": [
                "sns:ListTopics",
                "sns:GetTopicAttributes"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "SNSDescribe"
        },
        {
            "Action": [
                "sns:CreateTopic",
                "sns:Subscribe",
                "sns:Unsubscribe",
                "sns:DeleteTopic"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "SNSModify"
        },
        {
            "Action": [
                "cloudformation:DescribeStackEvents",
                "cloudformation:DescribeStackResource",
                "cloudformation:DescribeStackResources",
                "cloudformation:DescribeStacks",
                "cloudformation:ListStacks",
                "cloudformation:GetTemplate"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "CloudFormationDescribe"
        },
        {
            "Action": [
                "cloudformation:CreateStack",
                "cloudformation:DeleteStack",
                "cloudformation:UpdateStack"
            ],
            "Effect": "Allow",
            "Resource": "*",
            "Sid": "CloudFormationModify"
        },
        {
            "Action": [
                "s3:*"
            ],
            "Resource": [
                "arn:aws:s3:::{{amzn-s3-demo-bucket}}"
            ],
            "Effect": "Allow",
            "Sid": "S3ResourcesBucket"
        },
        {
            "Action": [
                "s3:Get*",
                "s3:List*"
            ],
            "Resource": [
                "arn:aws:s3:::{{us-east-1}}-aws-parallelcluster*"
            ],
            "Effect": "Allow",
            "Sid": "S3ParallelClusterReadOnly"
        },
        {
            "Action": [
                "s3:DeleteBucket",
                "s3:DeleteObject",
                "s3:DeleteObjectVersion"
            ],
            "Resource": [
                "arn:aws:s3:::{{amzn-s3-demo-bucket}}"
            ],
            "Effect": "Allow",
            "Sid": "S3Delete"
        },
        {
            "Action": [
                "iam:PassRole",
                "iam:CreateRole",
                "iam:DeleteRole",
                "iam:GetRole",
                "iam:TagRole",
                "iam:SimulatePrincipalPolicy"
            ],
            "Resource": [
                "arn:aws:iam::{{111122223333}}:role/{{<PARALLELCLUSTER EC2 ROLE NAME>}}",
                "arn:aws:iam::{{111122223333}}:role/parallelcluster-*"
            ],
            "Effect": "Allow",
            "Sid": "IAMModify"
        },
        {
            "Condition": {
                "StringEquals": {
                    "iam:AWSServiceName": [
                        "fsx.amazonaws.com",
                        "s3.data-source.lustre.fsx.amazonaws.com"
                    ]
                }
            },
            "Action": [
                "iam:CreateServiceLinkedRole"
            ],
            "Resource": "arn:aws:iam::{{111122223333}}:role/aws-service-role/*",
            "Effect": "Allow",
            "Sid": "IAMServiceLinkedRole"
        },
        {
            "Action": [
                "iam:CreateInstanceProfile",
                "iam:DeleteInstanceProfile"
            ],
            "Resource": "arn:aws:iam::{{111122223333}}:instance-profile/*",
            "Effect": "Allow",
            "Sid": "IAMCreateInstanceProfile"
        },
        {
            "Action": [
                "iam:AddRoleToInstanceProfile",
                "iam:RemoveRoleFromInstanceProfile",
                "iam:GetRolePolicy",
                "iam:GetPolicy",
                "iam:AttachRolePolicy",
                "iam:DetachRolePolicy",
                "iam:PutRolePolicy",
                "iam:DeleteRolePolicy"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "IAMInstanceProfile"
        },
        {
            "Action": [
                "elasticfilesystem:DescribeMountTargets",
                "elasticfilesystem:DescribeMountTargetSecurityGroups",
                "ec2:DescribeNetworkInterfaceAttribute"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "EFSDescribe"
        },
        {
            "Action": [
                "ssm:GetParametersByPath"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "SSMDescribe"
        },
        {
            "Action": [
                "fsx:*"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "FSx"
        },
        {
            "Action": [
                "elasticfilesystem:*"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "EFS"
        },
        {
            "Action": [
                "logs:DeleteLogGroup",
                "logs:PutRetentionPolicy",
                "logs:DescribeLogGroups",
                "logs:CreateLogGroup",
                "logs:TagResource",
                "logs:UntagResource"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "CloudWatchLogs"
        },
        {
            "Action": [
                "lambda:CreateFunction",
                "lambda:DeleteFunction",
                "lambda:GetFunctionConfiguration",
                "lambda:GetFunction",
                "lambda:InvokeFunction",
                "lambda:AddPermission",
                "lambda:RemovePermission",
                "lambda:TagResource",
                "lambda:ListTags",
                "lambda:UntagResource"
            ],
            "Resource": [
                "arn:aws:lambda:{{us-east-1}}:{{111122223333}}:function:parallelcluster-*",
                "arn:aws:lambda:{{us-east-1}}:{{111122223333}}:function:pcluster-*"
            ],
            "Effect": "Allow",
            "Sid": "Lambda"
        },
        {
            "Sid": "CloudWatch",
            "Effect": "Allow",
            "Action": [
                "cloudwatch:PutDashboard",
                "cloudwatch:ListDashboards",
                "cloudwatch:DeleteDashboards",
                "cloudwatch:GetDashboard"
            ],
            "Resource": "*"
        }
    ]
}
```

------
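To apply the substitutions this section asks for without editing the JSON by hand, here is an added Python example (not code from the AWS ParallelCluster documentation or project). It fills the `{{...}}` placeholders used on this page, switches the ARN partition prefix (`arn:aws:` to `arn:aws-us-gov:` or `arn:aws-cn:`) when a non-standard partition is requested, and, when a custom `ec2_iam_role` is given, narrows every `role/parallelcluster-*` resource in the IAM statements to that role name as the note above describes. `TEMPLATE` is a constructed, trimmed-down policy in the same shape as the one above; `render_policy` and the account, region and role values in the usage block are this example's own assumptions.

```python
"""Render a ParallelClusterUserPolicy template for one account/region/partition.

Added example; not code from the AWS ParallelCluster documentation or project.
Assumes the {{...}} placeholder syntax used on the documentation page and that
ec2_iam_role names an existing custom role.
"""
import json
import re

PLACEHOLDER = re.compile(r"\{\{(.*?)\}\}")

# Constructed, trimmed-down template in the shape of the page's policies.
TEMPLATE = """{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": ["iam:PassRole", "iam:GetRole"],
            "Resource": [
                "arn:aws:iam::{{111122223333}}:role/parallelcluster-*"
            ],
            "Effect": "Allow",
            "Sid": "IAMModify"
        },
        {
            "Action": ["lambda:GetFunction"],
            "Resource": "arn:aws:lambda:{{us-east-1}}:{{111122223333}}:function:parallelcluster-*",
            "Effect": "Allow",
            "Sid": "Lambda"
        }
    ]
}"""


def render_policy(template, *, account_id, region, partition="aws", ec2_iam_role=None):
    """Return the rendered policy as a dict; raise on any unfilled placeholder."""
    if not re.fullmatch(r"\d{12}", account_id):
        raise ValueError("account_id must be a 12-digit AWS account ID")
    values = {
        "111122223333": account_id,   # sample account ID used on the page
        "<AWS ACCOUNT ID>": account_id,
        "us-east-1": region,          # sample region used on the page
        "<REGION>": region,
    }

    def fill(match):
        key = match.group(1)
        if key not in values:
            raise ValueError(f"no value for placeholder {{{{{key}}}}}")
        return values[key]

    text = PLACEHOLDER.sub(fill, template)
    # The page's ARNs are written for the standard partition; GovCloud (US)
    # and China partitions use a different prefix (aws-us-gov, aws-cn).
    if partition != "aws":
        text = text.replace("arn:aws:", f"arn:{partition}:")
    policy = json.loads(text)

    if ec2_iam_role:
        # Narrow the role wildcard to the custom role name, per the note.
        for stmt in policy["Statement"]:
            actions = stmt.get("Action", [])
            actions = actions if isinstance(actions, list) else [actions]
            if not any(a.startswith("iam:") for a in actions):
                continue
            resources = stmt["Resource"]
            as_list = resources if isinstance(resources, list) else [resources]
            as_list = [
                r[: -len("parallelcluster-*")] + ec2_iam_role
                if r.endswith(":role/parallelcluster-*") else r
                for r in as_list
            ]
            stmt["Resource"] = as_list if isinstance(resources, list) else as_list[0]
    return policy


if __name__ == "__main__":
    # Assumed account, region, partition and role name; not values from the page.
    rendered = render_policy(
        TEMPLATE, account_id="123456789012", region="us-gov-west-1",
        partition="aws-us-gov", ec2_iam_role="my-pcluster-ec2-role",
    )
    print(json.dumps(rendered, indent=2))
```

Because the function raises on any placeholder it does not know, a template that still contains `{{<RESOURCES S3 BUCKET>}}` or `{{<CLUSTERNAME>}}` fails loudly instead of producing a policy with a literal `{{...}}` in a resource ARN, which IAM would accept as a string that never matches anything.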

### `ParallelClusterUserPolicy` using `awsbatch`
<a name="parallelclusteruserpolicy-batch"></a>

The following example sets `ParallelClusterUserPolicy` using `awsbatch` as the scheduler. In this example, "{{<RESOURCES S3 BUCKET>}}" is the value of the [`cluster_resource_bucket`](cluster-definition.md#cluster-resource-bucket-section) setting; if [`cluster_resource_bucket`](cluster-definition.md#cluster-resource-bucket-section) is not specified, "{{<RESOURCES S3 BUCKET>}}" is "parallelcluster-\*".

------
#### [ JSON ]


```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "ec2:DescribeKeyPairs",
                "ec2:DescribeRegions",
                "ec2:DescribeVpcs",
                "ec2:DescribeSubnets",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribePlacementGroups",
                "ec2:DescribeImages",
                "ec2:DescribeInstances",
                "ec2:DescribeInstanceStatus",
                "ec2:DescribeInstanceTypes",
                "ec2:DescribeInstanceTypeOfferings",
                "ec2:DescribeSnapshots",
                "ec2:DescribeVolumes",
                "ec2:DescribeVpcAttribute",
                "ec2:DescribeAddresses",
                "ec2:CreateTags",
                "ec2:DescribeNetworkInterfaces",
                "ec2:DescribeAvailabilityZones"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "EC2Describe"
        },
        {
            "Action": [
                "ec2:CreateLaunchTemplate",
                "ec2:CreateLaunchTemplateVersion",
                "ec2:ModifyLaunchTemplate",
                "ec2:DeleteLaunchTemplate",
                "ec2:DescribeLaunchTemplates",
                "ec2:DescribeLaunchTemplateVersions"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "EC2LaunchTemplate"
        },
        {
            "Action": [
                "ec2:CreateVpc",
                "ec2:ModifyVpcAttribute",
                "ec2:DescribeNatGateways",
                "ec2:CreateNatGateway",
                "ec2:DescribeInternetGateways",
                "ec2:CreateInternetGateway",
                "ec2:AttachInternetGateway",
                "ec2:DescribeRouteTables",
                "ec2:CreateRoute",
                "ec2:CreateRouteTable",
                "ec2:AssociateRouteTable",
                "ec2:CreateSubnet",
                "ec2:ModifySubnetAttribute"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "NetworkingEasyConfig"
        },
        {
            "Action": [
                "ec2:CreateVolume",
                "ec2:RunInstances",
                "ec2:AllocateAddress",
                "ec2:AssociateAddress",
                "ec2:AttachNetworkInterface",
                "ec2:AuthorizeSecurityGroupEgress",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:CreateNetworkInterface",
                "ec2:CreateSecurityGroup",
                "ec2:ModifyVolumeAttribute",
                "ec2:ModifyNetworkInterfaceAttribute",
                "ec2:DeleteNetworkInterface",
                "ec2:DeleteVolume",
                "ec2:TerminateInstances",
                "ec2:DeleteSecurityGroup",
                "ec2:DisassociateAddress",
                "ec2:RevokeSecurityGroupIngress",
                "ec2:RevokeSecurityGroupEgress",
                "ec2:ReleaseAddress",
                "ec2:CreatePlacementGroup",
                "ec2:DeletePlacementGroup"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "EC2Modify"
        },
        {
            "Action": [
                "dynamodb:DescribeTable",
                "dynamodb:CreateTable",
                "dynamodb:DeleteTable",
                "dynamodb:GetItem",
                "dynamodb:PutItem",
                "dynamodb:Query",
                "dynamodb:TagResource"
            ],
            "Resource": "arn:aws:dynamodb:{{us-east-1}}:{{111122223333}}:table/parallelcluster-*",
            "Effect": "Allow",
            "Sid": "DynamoDB"
        },
        {
            "Action": [
                "cloudformation:DescribeStackEvents",
                "cloudformation:DescribeStackResource",
                "cloudformation:DescribeStackResources",
                "cloudformation:DescribeStacks",
                "cloudformation:ListStacks",
                "cloudformation:GetTemplate",
                "cloudformation:CreateStack",
                "cloudformation:DeleteStack",
                "cloudformation:UpdateStack"
            ],
            "Resource": "arn:aws:cloudformation:{{us-east-1}}:{{111122223333}}:stack/parallelcluster-*",
            "Effect": "Allow",
            "Sid": "CloudFormation"
        },
        {
            "Action": [
                "route53:ChangeResourceRecordSets",
                "route53:ChangeTagsForResource",
                "route53:CreateHostedZone",
                "route53:DeleteHostedZone",
                "route53:GetChange",
                "route53:GetHostedZone",
                "route53:ListResourceRecordSets"
            ],
            "Resource": "arn:aws:route53:::hostedzone/*",
            "Effect": "Allow",
            "Sid": "Route53HostedZones"
        },
        {
            "Action": [
                "sqs:GetQueueAttributes",
                "sqs:CreateQueue",
                "sqs:SetQueueAttributes",
                "sqs:DeleteQueue",
                "sqs:TagQueue"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "SQS"
        },
        {
            "Action": [
                "sqs:SendMessage",
                "sqs:ReceiveMessage",
                "sqs:ChangeMessageVisibility",
                "sqs:DeleteMessage",
                "sqs:GetQueueUrl"
            ],
            "Resource": "arn:aws:sqs:{{us-east-1}}:{{111122223333}}:parallelcluster-*",
            "Effect": "Allow",
            "Sid": "SQSQueue"
        },
        {
            "Action": [
                "sns:ListTopics",
                "sns:GetTopicAttributes",
                "sns:CreateTopic",
                "sns:Subscribe",
                "sns:Unsubscribe",
                "sns:DeleteTopic"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "SNS"
        },
        {
            "Action": [
                "iam:PassRole",
                "iam:CreateRole",
                "iam:DeleteRole",
                "iam:GetRole",
                "iam:TagRole",
                "iam:SimulatePrincipalPolicy"
            ],
            "Resource": [
                "arn:aws:iam::{{111122223333}}:role/parallelcluster-*",
                "arn:aws:iam::{{111122223333}}:role/{{<PARALLELCLUSTER EC2 ROLE NAME>}}"
            ],
            "Effect": "Allow",
            "Sid": "IAMRole"
        },
        {
            "Action": [
                "iam:CreateInstanceProfile",
                "iam:DeleteInstanceProfile",
                "iam:GetInstanceProfile",
                "iam:PassRole"
            ],
            "Resource": "arn:aws:iam::{{111122223333}}:instance-profile/*",
            "Effect": "Allow",
            "Sid": "IAMInstanceProfile"
        },
        {
            "Action": [
                "iam:AddRoleToInstanceProfile",
                "iam:RemoveRoleFromInstanceProfile",
                "iam:GetRolePolicy",
                "iam:PutRolePolicy",
                "iam:DeleteRolePolicy",
                "iam:GetPolicy",
                "iam:AttachRolePolicy",
                "iam:DetachRolePolicy"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "IAM"
        },
        {
            "Action": [
                "s3:*"
            ],
            "Resource": [
                "arn:aws:s3:::{{amzn-s3-demo-bucket}}"
            ],
            "Effect": "Allow",
            "Sid": "S3ResourcesBucket"
        },
        {
            "Action": [
                "s3:Get*",
                "s3:List*"
            ],
            "Resource": [
                "arn:aws:s3:::{{us-east-1}}-aws-parallelcluster/*"
            ],
            "Effect": "Allow",
            "Sid": "S3ParallelClusterReadOnly"
        },
        {
            "Action": [
                "s3:DeleteBucket",
                "s3:DeleteObject",
                "s3:DeleteObjectVersion"
            ],
            "Resource": [
                "arn:aws:s3:::{{amzn-s3-demo-bucket}}"
            ],
            "Effect": "Allow",
            "Sid": "S3Delete"
        },
        {
            "Action": [
                "lambda:CreateFunction",
                "lambda:DeleteFunction",
                "lambda:GetFunction",
                "lambda:GetFunctionConfiguration",
                "lambda:InvokeFunction",
                "lambda:AddPermission",
                "lambda:RemovePermission",
                "lambda:TagResource",
                "lambda:ListTags",
                "lambda:UntagResource"
            ],
            "Resource": [
                "arn:aws:lambda:{{us-east-1}}:{{111122223333}}:function:parallelcluster-*",
                "arn:aws:lambda:{{us-east-1}}:{{111122223333}}:function:pcluster-*"
            ],
            "Effect": "Allow",
            "Sid": "Lambda"
        },
        {
            "Action": [
                "logs:*"
            ],
            "Resource": "arn:aws:logs:{{us-east-1}}:{{111122223333}}:*",
            "Effect": "Allow",
            "Sid": "Logs"
        },
        {
            "Action": [
                "codebuild:*"
            ],
            "Resource": "arn:aws:codebuild:{{us-east-1}}:{{111122223333}}:project/parallelcluster-*",
            "Effect": "Allow",
            "Sid": "CodeBuild"
        },
        {
            "Action": [
                "ecr:*"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "ECR"
        },
        {
            "Action": [
                "batch:*"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "Batch"
        },
        {
            "Action": [
                "events:*"
            ],
            "Effect": "Allow",
            "Resource": "*",
            "Sid": "AmazonCloudWatchEvents"
        },
        {
            "Action": [
                "ecs:DescribeContainerInstances",
                "ecs:ListContainerInstances"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "ECS"
        },
        {
            "Action": [
                "elasticfilesystem:CreateFileSystem",
                "elasticfilesystem:CreateMountTarget",
                "elasticfilesystem:DeleteFileSystem",
                "elasticfilesystem:DeleteMountTarget",
                "elasticfilesystem:DescribeFileSystems",
                "elasticfilesystem:DescribeMountTargets"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "EFS"
        },
        {
            "Action": [
                "fsx:*"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "FSx"
        },
        {
            "Sid": "CloudWatch",
            "Effect": "Allow",
            "Action": [
                "cloudwatch:PutDashboard",
                "cloudwatch:ListDashboards",
                "cloudwatch:DeleteDashboards",
                "cloudwatch:GetDashboard"
            ],
            "Resource": "*"
        }
    ]
}
```

------

### `ParallelClusterLambdaPolicy` using SGE, Slurm, or Torque
<a name="parallelcluster-lambda-policy"></a>

The following example sets `ParallelClusterLambdaPolicy` using SGE, Slurm, or Torque as the scheduler.

**Note**  
Starting with version 2.11.5, AWS ParallelCluster doesn't support the use of the SGE or Torque schedulers.

------
#### [ JSON ]


```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": "arn:aws:logs:*:*:*",
      "Effect": "Allow",
      "Sid": "CloudWatchLogsPolicy"
    },
    {
      "Action": [
        "s3:DeleteBucket",
        "s3:DeleteObject",
        "s3:DeleteObjectVersion",
        "s3:ListBucket",
        "s3:ListBucketVersions"
      ],
      "Resource": [
        "arn:aws:s3:::*"
      ],
      "Effect": "Allow",
      "Sid": "S3BucketPolicy"
    },
    {
      "Action": [
        "ec2:DescribeInstances"
      ],
      "Resource": "*",
      "Effect": "Allow",
      "Sid": "DescribeInstances"
    },
    {
      "Action": [
        "ec2:TerminateInstances"
      ],
      "Resource": "*",
      "Effect": "Allow",
      "Sid": "FleetTerminatePolicy"
    },
    {
      "Action": [
        "dynamodb:GetItem",
        "dynamodb:PutItem"
      ],
      "Resource": "arn:aws:dynamodb:{{us-east-1}}:{{111122223333}}:table/parallelcluster-*",
      "Effect": "Allow",
      "Sid": "DynamoDBTable"
    },
    {
      "Action": [
        "route53:ListResourceRecordSets",
        "route53:ChangeResourceRecordSets"
      ],
      "Resource": [
        "arn:aws:route53:::hostedzone/*"
      ],
      "Effect": "Allow",
      "Sid": "Route53DeletePolicy"
    }
  ]
}
```

------

### `ParallelClusterLambdaPolicy` using `awsbatch`
<a name="parallelcluster-lambda-policy-batch"></a>

The following example sets `ParallelClusterLambdaPolicy` using `awsbatch` as the scheduler.

------
#### [ JSON ]


```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:logs:*:*:*",
      "Sid": "CloudWatchLogsPolicy"
    },
    {
      "Action": [
        "ecr:BatchDeleteImage",
        "ecr:ListImages"
      ],
      "Effect": "Allow",
      "Resource": "*",
      "Sid": "ECRPolicy"
    },
    {
      "Action": [
        "codebuild:BatchGetBuilds",
        "codebuild:StartBuild"
      ],
      "Effect": "Allow",
      "Resource": "*",
      "Sid": "CodeBuildPolicy"
    },
    {
      "Action": [
        "s3:DeleteBucket",
        "s3:DeleteObject",
        "s3:DeleteObjectVersion",
        "s3:ListBucket",
        "s3:ListBucketVersions"
      ],
      "Effect": "Allow",
      "Resource": "*",
      "Sid": "S3BucketPolicy"
    }
  ]
}
```

------

### `ParallelClusterUserPolicy` for users
<a name="parallelclusteruserpolicy-minimal-user"></a>

The following example sets `ParallelClusterUserPolicy` for users that don't need to create or update clusters. The following commands are supported.
+ [`pcluster dcv`](pcluster.dcv.md)
+ [`pcluster instances`](pcluster.instances.md)
+ [`pcluster list`](pcluster.list.md)
+ [`pcluster ssh`](pcluster.ssh.md)
+ [`pcluster start`](pcluster.start.md)
+ [`pcluster status`](pcluster.status.md)
+ [`pcluster stop`](pcluster.stop.md)
+ [`pcluster version`](pcluster.version.md)

------
#### [ JSON ]


```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "MinimumModify",
            "Action": [
                "autoscaling:UpdateAutoScalingGroup",
                "batch:UpdateComputeEnvironment",
                "cloudformation:DescribeStackEvents",
                "cloudformation:DescribeStackResources",
                "cloudformation:GetTemplate",
                "dynamodb:GetItem",
                "dynamodb:PutItem"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:autoscaling:{{us-east-1}}:{{111122223333}}:autoScalingGroup:*:autoScalingGroupName/parallelcluster-*",
                "arn:aws:batch:{{us-east-1}}:{{111122223333}}:compute-environment/*",
                "arn:aws:cloudformation:{{us-east-1}}:{{111122223333}}:stack/{{<CLUSTERNAME>}}/*",
                "arn:aws:dynamodb:{{us-east-1}}:{{111122223333}}:table/{{<CLUSTERNAME>}}"
            ]
        },
        {
            "Sid": "Describe",
            "Action": [
                "cloudformation:DescribeStacks",
                "ec2:DescribeInstances",
                "ec2:DescribeInstanceStatus"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}
```

------
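The policy above is the narrowest one in this section: its only write actions are scoped to the cluster's own stack, table and Auto Scaling group, and `Resource: "*"` appears only on Describe calls. The following added Python example (not code from the AWS ParallelCluster documentation or project) turns that property into a check you can run before attaching any of the policies on this page: it flags Allow statements that grant a `service:*` wildcard action, or that pair a non-read-only action with `"Resource": "*"`, both of which several of the fuller policies above do (for instance `fsx:*` and `ecr:*` on `*`). `MINIMAL_USER_POLICY` is a constructed sample with the same shape as the policy above, and the read-only prefix list and `find_broad_grants` helper are this example's own assumptions, not an AWS rule.

```python
"""Flag over-broad statements in an IAM policy document.

Added example; not code from the AWS ParallelCluster documentation or project.
Rule of thumb encoded here (an assumption, not an AWS definition): actions
whose name starts with Describe/Get/List/BatchGet/Simulate are read-only and
acceptable on "Resource": "*"; anything else on "*" and any "service:*"
wildcard deserves review.
"""
import json

READ_ONLY_PREFIXES = ("Describe", "Get", "List", "BatchGet", "Simulate")

# Constructed sample with the same shape as the minimal-user policy above;
# the account ID, region and cluster name are placeholders, not real values.
MINIMAL_USER_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "MinimumModify",
      "Action": ["autoscaling:UpdateAutoScalingGroup", "dynamodb:PutItem"],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:autoscaling:us-east-1:123456789012:autoScalingGroup:*:autoScalingGroupName/parallelcluster-*",
        "arn:aws:dynamodb:us-east-1:123456789012:table/my-cluster"
      ]
    },
    {
      "Sid": "Describe",
      "Action": ["cloudformation:DescribeStacks", "ec2:DescribeInstances"],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}""")


def _as_list(value):
    """IAM allows a single string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]


def is_read_only(action):
    """True for actions like ec2:DescribeInstances or s3:Get* (trailing * stripped)."""
    name = action.partition(":")[2].rstrip("*")
    return name.startswith(READ_ONLY_PREFIXES)


def find_broad_grants(policy):
    """Return [(Sid, reason)] for Allow statements that warrant review."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append((sid, "NotAction/NotResource grants cannot be bounded by inspection"))
            continue
        resources = _as_list(stmt.get("Resource", []))
        for action in _as_list(stmt.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                findings.append((sid, f"wildcard action {action}"))
            elif "*" in resources and not is_read_only(action):
                findings.append((sid, f"{action} allowed on every resource"))
    return findings


if __name__ == "__main__":
    for sid, reason in find_broad_grants(MINIMAL_USER_POLICY) or [("-", "no findings")]:
        print(f"{sid}: {reason}")
```

Running the check over the minimal-user policy returns no findings, which is what you want from a policy handed to operators who only start, stop and inspect clusters. Running it over one of the cluster-creating policies in this section lists the statements to scope down with a resource ARN or a condition key before attaching it, which is the kind of tightening the `ec2_iam_role` and `additional_iam_policies` settings exist to support.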