本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。
# AWS PCS 的最低权限
本节介绍了 IAM 身份(用户、群组或角色)使用该服务所需的最低 IAM 权限。
**Contents**
+ [使用 API 操作的最低权限](#security-min-permissions_api)
+ [使用标签的最低权限](#security-min-permissions_tagging)
+ [支持日志的最低权限](#security-min-permissions_logging)
+ [使用容量块的最低权限](#security-min-permissions_capacity-blocks)
+ [服务管理员的最低权限](#security-min-permissions_admin-policy)
## 使用 API 操作的最低权限
| API 操作 | 最小权限 | 控制台的其他权限 |
| --- | --- | --- |
| CreateCluster | ec2:CreateNetworkInterface,
ec2:DescribeVpcs,
ec2:DescribeSubnets,
ec2:DescribeSecurityGroups,
ec2:GetSecurityGroupsForVpc,
iam:CreateServiceLinkedRole,
secretsmanager:CreateSecret,
secretsmanager:TagResource,
secretsmanager:RotateSecret,
pcs:CreateCluster
| |
| ListClusters | pcs:ListClusters
| |
| GetCluster | pcs:GetCluster
| ec2:DescribeSubnets
|
| DeleteCluster | pcs:DeleteCluster
| |
| CreateComputeNodeGroup | ec2:DescribeVpcs,
ec2:DescribeSubnets,
ec2:DescribeSecurityGroups,
ec2:DescribeLaunchTemplates,
ec2:DescribeLaunchTemplateVersions,
ec2:DescribeInstanceTypes,
ec2:DescribeInstanceTypeOfferings,
ec2:RunInstances,
ec2:CreateFleet,
ec2:CreateTags,
iam:PassRole,
iam:GetInstanceProfile,
pcs:CreateComputeNodeGroup
| iam:ListInstanceProfiles,
ec2:DescribeImages,
pcs:GetCluster
|
| ListComputerNodeGroups | pcs:ListComputeNodeGroups
| pcs:GetCluster
|
| GetComputeNodeGroup | pcs:GetComputeNodeGroup
| ec2:DescribeSubnets
|
| UpdateComputeNodeGroup | ec2:DescribeVpcs,
ec2:DescribeSubnets,
ec2:DescribeSecurityGroups,
ec2:DescribeLaunchTemplates,
ec2:DescribeLaunchTemplateVersions,
ec2:DescribeInstanceTypes,
ec2:DescribeInstanceTypeOfferings,
ec2:RunInstances,
ec2:CreateFleet,
ec2:CreateTags,
iam:PassRole,
iam:GetInstanceProfile,
pcs:UpdateComputeNodeGroup
| pcs:GetComputeNodeGroup,
iam:ListInstanceProfiles,
ec2:DescribeImages,
pcs:GetCluster
|
| DeleteComputeNodeGroup | pcs:DeleteComputeNodeGroup
| |
| CreateQueue | pcs:CreateQueue
| pcs:ListComputeNodeGroups,
pcs:GetCluster
|
| ListQueues | pcs:ListQueues
| pcs:GetCluster
|
| GetQueue | pcs:GetQueue
| |
| UpdateQueue | pcs:UpdateQueue
| pcs:ListComputeNodeGroups,
pcs:GetQueue
|
| DeleteQueue | pcs:DeleteQueue
| |
## 使用标签的最低权限
在 AWS PCS 中对资源使用标签需要以下权限。
```
pcs:ListTagsForResource,
pcs:TagResource,
pcs:UntagResource
```
## 支持日志的最低权限
AWS PCS 将日志数据发送到 Amazon CloudWatch 日志(CloudWatch 日志)。您必须确保您的身份具有使用 CloudWatch 日志的最低权限。有关更多信息,请参阅 *Amazon Logs 用户指南中的管理 CloudWatch CloudWatch 日志*[资源访问权限概述](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/iam-access-control-overview-cwl.html)。
有关服务向日志发送日志所需的权限的信息,请参阅 *Amazon CloudWatch Lo [g CloudWatch s 用户指南中的启用 AWS 服务](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/AWS-logs-and-resource-policy.html#AWS-vended-logs-permissions-V2)日志*记录。
## 使用容量块的最低权限
适用于 ML 的 Amazon EC2 容量块是一种 Amazon EC2 购买选项,允许您提前付费在特定日期和时间范围内预留基于 GPU 的加速计算实例,以支持短期工作负载。有关更多信息,请参阅 [将 Amazon EC2 容量块用于带有 AWS PCS 的机器学习](capacity-blocks.md)。
创建或更新计算节点组时,您可以选择使用容量块。您用于创建或更新计算节点组的 IAM 身份必须具有以下权限:
```
ec2:DescribeCapacityReservations
```
## 服务管理员的最低权限
以下 IAM 策略指定了 IAM 身份(用户、群组或角色)配置和管理 AWS PCS 服务所需的最低权限。
**注意**
不配置和管理服务的用户不需要这些权限。仅运行作业的用户使用安全外壳 (SSH) 连接到集群。 AWS Identity and Access Management (IAM) 不处理 SSH 的身份验证或授权。
```
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "PCSAccess",
"Effect": "Allow",
"Action": [
"pcs:*"
],
"Resource": "*"
},
{
"Sid": "EC2Access",
"Effect": "Allow",
"Action": [
"ec2:CreateNetworkInterface",
"ec2:DescribeImages",
"ec2:GetSecurityGroupsForVpc",
"ec2:DescribeSubnets",
"ec2:DescribeSecurityGroups",
"ec2:DescribeVpcs",
"ec2:DescribeLaunchTemplates",
"ec2:DescribeLaunchTemplateVersions",
"ec2:DescribeInstanceTypes",
"ec2:DescribeInstanceTypeOfferings",
"ec2:RunInstances",
"ec2:CreateFleet",
"ec2:CreateTags",
"ec2:DescribeCapacityReservations"
],
"Resource": "*"
},
{
"Sid": "IamInstanceProfile",
"Effect": "Allow",
"Action": [
"iam:GetInstanceProfile"
],
"Resource": "*"
},
{
"Sid": "IamPassRole",
"Effect": "Allow",
"Action": [
"iam:PassRole"
],
"Resource": [
"arn:aws:iam::*:role/*/AWSPCS*",
"arn:aws:iam::*:role/AWSPCS*",
"arn:aws:iam::*:role/aws-pcs/*",
"arn:aws:iam::*:role/*/aws-pcs/*"
],
"Condition": {
"StringEquals": {
"iam:PassedToService": [
"ec2.amazonaws.com"
]
}
}
},
{
"Sid": "SLRAccess",
"Effect": "Allow",
"Action": [
"iam:CreateServiceLinkedRole"
],
"Resource": [
"arn:aws:iam::*:role/aws-service-role/pcs.amazonaws.com/AWSServiceRoleFor*",
"arn:aws:iam::*:role/aws-service-role/spot.amazonaws.com/AWSServiceRoleFor*"
],
"Condition": {
"StringLike": {
"iam:AWSServiceName": [
"pcs.amazonaws.com",
"spot.amazonaws.com"
]
}
}
},
{
"Sid": "AccessKMSKey",
"Effect": "Allow",
"Action": [
"kms:Decrypt",
"kms:Encrypt",
"kms:GenerateDataKey",
"kms:CreateGrant",
"kms:DescribeKey"
],
"Resource": "*"
},
{
"Sid": "SecretManagementAccess",
"Effect": "Allow",
"Action": [
"secretsmanager:CreateSecret",
"secretsmanager:TagResource",
"secretsmanager:UpdateSecret",
"secretsmanager:RotateSecret"
],
"Resource": "*"
},
{
"Sid": "ServiceLogsDelivery",
"Effect": "Allow",
"Action": [
"pcs:AllowVendedLogDeliveryForResource",
"logs:PutDeliverySource",
"logs:PutDeliveryDestination",
"logs:CreateDelivery"
],
"Resource": "*"
}
]
}
```