AWS Identity and Access Management roles in AWS ParallelCluster
AWS ParallelCluster uses AWS Identity and Access Management (IAM) roles for Amazon EC2 so that instances can access the AWS services needed to deploy and operate the cluster. By default, the IAM role for Amazon EC2 is created when the cluster is created. This means that the user who creates the cluster must have the appropriate level of permissions, as described in the following sections.
AWS ParallelCluster uses multiple AWS services to deploy and operate clusters. See the full list in Services used in AWS ParallelCluster.
You can follow the documentation on the AWS ParallelCluster GitHub
Default settings for cluster creation
When you create a cluster with the default settings, the cluster creates a default IAM role for Amazon EC2. The user who creates the cluster must have the appropriate level of permissions to create all of the resources required to launch the cluster. This includes creating an IAM role for Amazon EC2. Typically, a user who relies on the default settings must have the permissions of the AdministratorAccess managed policy. For information about managed policies, see AWS managed policies in the IAM User Guide.
Using an existing IAM role for Amazon EC2
Instead of the default settings, you can use an existing ec2_iam_role when creating the cluster, but you must define the IAM policies and roles before you attempt to launch the cluster. Typically, you choose an existing IAM role for Amazon EC2 to minimize the permissions that are granted to users when they launch clusters. AWS ParallelCluster example instance and user policies contain the minimum permissions required by AWS ParallelCluster and its features. You must create the policies and roles in IAM as individual policies, and then attach the roles and policies to the appropriate resources. Some role policies can become large and cause quota errors. For more information, see Troubleshooting IAM policy size issues. In the policies, replace <REGION>, <AWS ACCOUNT ID>, and similar strings with the appropriate values.
If your intent is to add extra policies to the default settings for the cluster nodes, we recommend that you pass the extra custom IAM policies with the additional_iam_policies setting instead of using the ec2_iam_role setting.
AWS ParallelCluster example instance and user policies
The following example policies include Amazon Resource Names (ARNs) for the resources. If you work in the AWS GovCloud (US) or AWS China partitions, the ARNs must be changed. Specifically, they must be changed from "arn:aws" to "arn:aws-us-gov" for the AWS GovCloud (US) partition, or to "arn:aws-cn" for the AWS China partition. For more information, see Amazon Resource Names (ARNs) in AWS GovCloud (US) Regions in the AWS GovCloud (US) User Guide and ARNs for AWS services in China in Getting Started with AWS services in China.
These policies include the minimum permissions currently required by AWS ParallelCluster, its features, and its resources. Some role policies can become large and cause quota errors. For more information, see Troubleshooting IAM policy size issues.
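As an added example (not code from the AWS ParallelCluster project or this guide), the following Python helper applies the substitutions this page asks for to one of the example policy documents: the partition prefix for AWS GovCloud (US) or AWS China, the region and account ID that the example ARNs carry, the <PLACEHOLDER> tokens, and the role-resource rename that the ParallelClusterUserPolicy notes on this page describe for a custom ec2_iam_role. It also measures the policy's size without whitespace, which is how the IAM quota counts it, and lists the Allow statements that grant non-read actions on Resource "*", which is where a least-privilege review of these policies starts. The embedded SAMPLE_POLICY is a shortened, constructed excerpt of the Slurm instance policy rather than the full document; the 6,144-character managed-policy quota and the Describe/List/Get read-only heuristic are assumptions to check against your account's quotas and review rules.

```python
import json
import re

# Partition prefixes named on this page.
PARTITIONS = {"aws", "aws-us-gov", "aws-cn"}

# Example values the page's policies use in place of <REGION> and <AWS ACCOUNT ID>.
EXAMPLE_REGION = "us-east-1"
EXAMPLE_ACCOUNT = "111122223333"

# Assumed IAM quota for a managed policy, in characters with whitespace excluded.
# Verify against the IAM service quotas for your account.
MANAGED_POLICY_MAX_CHARS = 6144

# Triage heuristic (assumption): actions with these prefixes only read state.
READ_ONLY_PREFIXES = ("Describe", "List", "Get")

# Constructed, shortened excerpt of the Slurm ParallelClusterInstancePolicy on this page.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Action": ["ec2:DescribeInstances", "ec2:TerminateInstances"],
         "Resource": ["*"], "Effect": "Allow", "Sid": "EC2"},
        {"Action": "ec2:RunInstances",
         "Resource": ["arn:aws:ec2:us-east-1:111122223333:subnet/<COMPUTE SUBNET ID>",
                      "arn:aws:ec2:us-east-1::image/<IMAGE ID>"],
         "Effect": "Allow", "Sid": "EC2RunInstances"},
        {"Action": ["dynamodb:ListTables"], "Resource": ["*"],
         "Effect": "Allow", "Sid": "DynamoDBList"},
        {"Action": ["iam:PassRole"],
         "Resource": ["arn:aws:iam::111122223333:role/parallelcluster-*"],
         "Effect": "Allow", "Sid": "IAMModify"},
        {"Action": ["s3:GetObject"],
         "Resource": ["arn:aws:s3:::us-east-1-aws-parallelcluster/*"],
         "Effect": "Allow", "Sid": "S3GetObj"},
    ],
}


def adapt_policy(policy, *, partition="aws", region=EXAMPLE_REGION,
                 account_id=EXAMPLE_ACCOUNT, placeholders=None, ec2_role_name=None):
    """Return a copy of `policy` with partition, region, account ID, <PLACEHOLDER>
    values and (optionally) a custom ec2_iam_role name substituted."""
    if partition not in PARTITIONS:
        raise ValueError(f"unknown partition {partition!r}")
    if not re.fullmatch(r"\d{12}", account_id):
        raise ValueError("account_id must be a 12-digit string")
    text = json.dumps(policy)
    # Partition: the page says arn:aws must become arn:aws-us-gov or arn:aws-cn.
    text = text.replace("arn:aws:", f"arn:{partition}:")
    # Region and account: both the <PLACEHOLDER> form and the example literal are
    # replaced, so region-specific bucket names like us-east-1-aws-parallelcluster follow too.
    for old, new in ((EXAMPLE_REGION, region), ("<REGION>", region),
                     (EXAMPLE_ACCOUNT, account_id), ("<AWS ACCOUNT ID>", account_id)):
        text = text.replace(old, new)
    # Custom ec2_iam_role: the page's note changes role/parallelcluster-* to role/<role_name>.
    if ec2_role_name:
        text = text.replace(":role/parallelcluster-*", f":role/{ec2_role_name}")
    for name, value in (placeholders or {}).items():
        text = text.replace(f"<{name}>", value)
    return json.loads(text)


def unresolved_placeholders(policy):
    """Sorted list of <PLACEHOLDER> tokens still present in the policy."""
    return sorted(set(re.findall(r"<[^<>]+>", json.dumps(policy))))


def policy_size(policy):
    """Character count with structural whitespace removed (IAM does not count whitespace)."""
    return len(json.dumps(policy, separators=(",", ":")))


def fits_managed_policy_quota(policy):
    return policy_size(policy) <= MANAGED_POLICY_MAX_CHARS


def wildcard_write_statements(policy):
    """(Sid, non-read actions) for Allow statements whose Resource is "*"."""
    flagged = []
    for st in policy["Statement"]:
        resources = st.get("Resource", [])
        actions = st.get("Action", [])
        resources = [resources] if isinstance(resources, str) else resources
        actions = [actions] if isinstance(actions, str) else actions
        if st.get("Effect") != "Allow" or "*" not in resources:
            continue
        writes = [a for a in actions
                  if not a.split(":", 1)[-1].startswith(READ_ONLY_PREFIXES)]
        if writes:
            flagged.append((st.get("Sid", "<no Sid>"), writes))
    return flagged


if __name__ == "__main__":
    adapted = adapt_policy(SAMPLE_POLICY, partition="aws-us-gov", region="us-gov-west-1",
                           account_id="123456789012",
                           placeholders={"COMPUTE SUBNET ID": "subnet-0123456789abcdef0",
                                         "IMAGE ID": "ami-0123456789abcdef0"},
                           ec2_role_name="my-cluster-role")
    print(json.dumps(adapted, indent=2))
    print("unresolved:", unresolved_placeholders(adapted))
    print("size:", policy_size(adapted), "fits:", fits_managed_policy_quota(adapted))
    print("review:", wildcard_write_statements(adapted))
```

Run the script after pasting a full policy from this page into SAMPLE_POLICY (or loading it from a file with json.load); an empty unresolved list confirms that every placeholder was supplied, and the review list is the set of statements to scope down first if your environment allows it.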
Topics
ParallelClusterInstancePolicy using SGE, Slurm, or Torque
Note
Starting with version 2.11.5, AWS ParallelCluster doesn't support the use of the SGE or Torque schedulers. You can continue to use them in versions up to and including 2.11.4, but they aren't eligible for future updates or for troubleshooting support from the AWS service and AWS Support teams.
ParallelClusterInstancePolicy using Slurm
The following example ParallelClusterInstancePolicy uses Slurm as the scheduler.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ec2:DescribeVolumes",
        "ec2:AttachVolume",
        "ec2:DescribeInstanceAttribute",
        "ec2:DescribeInstanceStatus",
        "ec2:DescribeInstanceTypes",
        "ec2:DescribeInstances",
        "ec2:DescribeRegions",
        "ec2:TerminateInstances",
        "ec2:DescribeLaunchTemplates",
        "ec2:CreateTags"
      ],
      "Resource": ["*"],
      "Effect": "Allow",
      "Sid": "EC2"
    },
    {
      "Action": "ec2:RunInstances",
      "Resource": [
        "arn:aws:ec2:us-east-1:111122223333:subnet/<COMPUTE SUBNET ID>",
        "arn:aws:ec2:us-east-1:111122223333:network-interface/*",
        "arn:aws:ec2:us-east-1:111122223333:instance/*",
        "arn:aws:ec2:us-east-1:111122223333:volume/*",
        "arn:aws:ec2:us-east-1::image/<IMAGE ID>",
        "arn:aws:ec2:us-east-1:111122223333:key-pair/<KEY NAME>",
        "arn:aws:ec2:us-east-1:111122223333:security-group/*",
        "arn:aws:ec2:us-east-1:111122223333:launch-template/*",
        "arn:aws:ec2:us-east-1:111122223333:placement-group/*"
      ],
      "Effect": "Allow",
      "Sid": "EC2RunInstances"
    },
    {
      "Action": ["dynamodb:ListTables"],
      "Resource": ["*"],
      "Effect": "Allow",
      "Sid": "DynamoDBList"
    },
    {
      "Action": [
        "cloudformation:DescribeStacks",
        "cloudformation:DescribeStackResource",
        "cloudformation:SignalResource"
      ],
      "Resource": ["arn:aws:cloudformation:us-east-1:111122223333:stack/parallelcluster-*/*"],
      "Effect": "Allow",
      "Sid": "CloudFormation"
    },
    {
      "Action": [
        "dynamodb:PutItem",
        "dynamodb:Query",
        "dynamodb:GetItem",
        "dynamodb:BatchWriteItem",
        "dynamodb:DeleteItem",
        "dynamodb:DescribeTable"
      ],
      "Resource": ["arn:aws:dynamodb:us-east-1:111122223333:table/parallelcluster-*"],
      "Effect": "Allow",
      "Sid": "DynamoDBTable"
    },
    {
      "Action": ["s3:GetObject"],
      "Resource": ["arn:aws:s3:::us-east-1-aws-parallelcluster/*"],
      "Effect": "Allow",
      "Sid": "S3GetObj"
    },
    {
      "Action": ["iam:PassRole"],
      "Resource": ["*"],
      "Effect": "Allow",
      "Sid": "IAMPassRole",
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": ["ec2.amazonaws.com"]
        }
      }
    },
    {
      "Action": ["s3:GetObject"],
      "Resource": ["arn:aws:s3:::dcv-license.us-east-1/*"],
      "Effect": "Allow",
      "Sid": "DcvLicense"
    },
    {
      "Action": ["s3:GetObject", "s3:GetObjectVersion"],
      "Resource": ["arn:aws:s3:::parallelcluster-*/*"],
      "Effect": "Allow",
      "Sid": "GetClusterConfig"
    },
    {
      "Action": ["fsx:DescribeFileSystems"],
      "Resource": ["*"],
      "Effect": "Allow",
      "Sid": "FSx"
    },
    {
      "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
      "Resource": ["*"],
      "Effect": "Allow",
      "Sid": "CWLogs"
    },
    {
      "Action": ["route53:ChangeResourceRecordSets"],
      "Resource": ["arn:aws:route53:::hostedzone/*"],
      "Effect": "Allow",
      "Sid": "Route53"
    }
  ]
}
ParallelClusterInstancePolicy using SGE or Torque
The following example configures ParallelClusterInstancePolicy using SGE or Torque as the scheduler.
Note
This policy applies only to AWS ParallelCluster version 2.11.4 and earlier. Starting with version 2.11.5, AWS ParallelCluster doesn't support the use of the SGE or Torque schedulers.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ec2:DescribeVolumes",
        "ec2:AttachVolume",
        "ec2:DescribeInstanceAttribute",
        "ec2:DescribeInstanceStatus",
        "ec2:DescribeInstanceTypes",
        "ec2:DescribeInstances",
        "ec2:DescribeRegions",
        "ec2:TerminateInstances",
        "ec2:DescribeLaunchTemplates",
        "ec2:CreateTags"
      ],
      "Resource": ["*"],
      "Effect": "Allow",
      "Sid": "EC2"
    },
    {
      "Action": "ec2:RunInstances",
      "Resource": [
        "arn:aws:ec2:us-east-1:111122223333:subnet/<COMPUTE SUBNET ID>",
        "arn:aws:ec2:us-east-1:111122223333:network-interface/*",
        "arn:aws:ec2:us-east-1:111122223333:instance/*",
        "arn:aws:ec2:us-east-1:111122223333:volume/*",
        "arn:aws:ec2:us-east-1::image/<IMAGE ID>",
        "arn:aws:ec2:us-east-1:111122223333:key-pair/<KEY NAME>",
        "arn:aws:ec2:us-east-1:111122223333:security-group/*",
        "arn:aws:ec2:us-east-1:111122223333:launch-template/*",
        "arn:aws:ec2:us-east-1:111122223333:placement-group/*"
      ],
      "Effect": "Allow",
      "Sid": "EC2RunInstances"
    },
    {
      "Action": ["dynamodb:ListTables"],
      "Resource": ["*"],
      "Effect": "Allow",
      "Sid": "DynamoDBList"
    },
    {
      "Action": [
        "sqs:SendMessage",
        "sqs:ReceiveMessage",
        "sqs:ChangeMessageVisibility",
        "sqs:DeleteMessage",
        "sqs:GetQueueUrl"
      ],
      "Resource": ["arn:aws:sqs:us-east-1:111122223333:parallelcluster-*"],
      "Effect": "Allow",
      "Sid": "SQSQueue"
    },
    {
      "Action": [
        "autoscaling:DescribeAutoScalingGroups",
        "autoscaling:TerminateInstanceInAutoScalingGroup",
        "autoscaling:SetDesiredCapacity",
        "autoscaling:UpdateAutoScalingGroup",
        "autoscaling:DescribeTags",
        "autoscaling:SetInstanceHealth"
      ],
      "Resource": ["*"],
      "Effect": "Allow",
      "Sid": "Autoscaling"
    },
    {
      "Action": [
        "cloudformation:DescribeStacks",
        "cloudformation:DescribeStackResource",
        "cloudformation:SignalResource"
      ],
      "Resource": ["arn:aws:cloudformation:us-east-1:111122223333:stack/parallelcluster-*/*"],
      "Effect": "Allow",
      "Sid": "CloudFormation"
    },
    {
      "Action": [
        "dynamodb:PutItem",
        "dynamodb:Query",
        "dynamodb:GetItem",
        "dynamodb:BatchWriteItem",
        "dynamodb:DeleteItem",
        "dynamodb:DescribeTable"
      ],
      "Resource": ["arn:aws:dynamodb:us-east-1:111122223333:table/parallelcluster-*"],
      "Effect": "Allow",
      "Sid": "DynamoDBTable"
    },
    {
      "Action": ["s3:GetObject"],
      "Resource": ["arn:aws:s3:::us-east-1-aws-parallelcluster/*"],
      "Effect": "Allow",
      "Sid": "S3GetObj"
    },
    {
      "Action": ["sqs:ListQueues"],
      "Resource": ["*"],
      "Effect": "Allow",
      "Sid": "SQSList"
    },
    {
      "Action": ["iam:PassRole"],
      "Resource": ["*"],
      "Effect": "Allow",
      "Sid": "IAMPassRole",
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": ["ec2.amazonaws.com"]
        }
      }
    },
    {
      "Action": ["s3:GetObject"],
      "Resource": ["arn:aws:s3:::dcv-license.us-east-1/*"],
      "Effect": "Allow",
      "Sid": "DcvLicense"
    },
    {
      "Action": ["s3:GetObject", "s3:GetObjectVersion"],
      "Resource": ["arn:aws:s3:::parallelcluster-*/*"],
      "Effect": "Allow",
      "Sid": "GetClusterConfig"
    },
    {
      "Action": ["fsx:DescribeFileSystems"],
      "Resource": ["*"],
      "Effect": "Allow",
      "Sid": "FSx"
    },
    {
      "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
      "Resource": ["*"],
      "Effect": "Allow",
      "Sid": "CWLogs"
    },
    {
      "Action": ["route53:ChangeResourceRecordSets"],
      "Resource": ["arn:aws:route53:::hostedzone/*"],
      "Effect": "Allow",
      "Sid": "Route53"
    }
  ]
}
ParallelClusterInstancePolicy using awsbatch
The following example ParallelClusterInstancePolicy uses awsbatch as the scheduler. You must include the same policies that are assigned to the BatchUserRole defined in the AWS Batch AWS CloudFormation nested stack. The BatchUserRole ARN is provided as a stack output. In this example, "<RESOURCES S3 BUCKET>" is the value of the cluster_resource_bucket setting; if cluster_resource_bucket is not specified, "<RESOURCES S3 BUCKET>" is "parallelcluster-*". The following example is an overview of the required permissions:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": ["batch:RegisterJobDefinition", "logs:GetLogEvents"],
      "Resource": ["*"],
      "Effect": "Allow"
    },
    {
      "Action": [
        "batch:SubmitJob",
        "cloudformation:DescribeStacks",
        "ecs:ListContainerInstances",
        "ecs:DescribeContainerInstances",
        "logs:FilterLogEvents",
        "s3:PutObject",
        "s3:Get*",
        "s3:DeleteObject",
        "iam:PassRole"
      ],
      "Resource": [
        "arn:aws:batch:us-east-1:111122223333:job-definition/<AWS_BATCH_STACK - JOB_DEFINITION_SERIAL_NAME>:1",
        "arn:aws:batch:us-east-1:111122223333:job-definition/<AWS_BATCH_STACK - JOB_DEFINITION_MNP_NAME>*",
        "arn:aws:batch:us-east-1:111122223333:job-queue/<AWS_BATCH_STACK - JOB_QUEUE_NAME>",
        "arn:aws:cloudformation:us-east-1:111122223333:stack/<STACK NAME>/*",
        "arn:aws:s3:::amzn-s3-demo-bucket/batch/*",
        "arn:aws:iam::111122223333:role/<AWS_BATCH_STACK - JOB_ROLE>",
        "arn:aws:ecs:us-east-1:111122223333:cluster/<ECS COMPUTE ENVIRONMENT>",
        "arn:aws:ecs:us-east-1:111122223333:container-instance/*",
        "arn:aws:logs:us-east-1:111122223333:log-group:/aws/batch/job:log-stream:*"
      ],
      "Effect": "Allow"
    },
    {
      "Action": ["s3:List*"],
      "Resource": ["arn:aws:s3:::amzn-s3-demo-bucket"],
      "Effect": "Allow"
    },
    {
      "Action": [
        "batch:DescribeJobQueues",
        "batch:TerminateJob",
        "batch:DescribeJobs",
        "batch:CancelJob",
        "batch:DescribeJobDefinitions",
        "batch:ListJobs",
        "batch:DescribeComputeEnvironments"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "ec2:DescribeInstances",
        "ec2:AttachVolume",
        "ec2:DescribeVolumes",
        "ec2:DescribeInstanceAttribute"
      ],
      "Resource": "*",
      "Effect": "Allow",
      "Sid": "EC2"
    },
    {
      "Action": ["cloudformation:DescribeStackResource", "cloudformation:SignalResource"],
      "Resource": "*",
      "Effect": "Allow",
      "Sid": "CloudFormation"
    },
    {
      "Action": ["fsx:DescribeFileSystems"],
      "Resource": ["*"],
      "Effect": "Allow",
      "Sid": "FSx"
    },
    {
      "Action": [
        "logs:CreateLogGroup",
        "logs:TagResource",
        "logs:UntagResource",
        "logs:CreateLogStream"
      ],
      "Resource": ["*"],
      "Effect": "Allow",
      "Sid": "CWLogs"
    }
  ]
}
ParallelClusterUserPolicy using Slurm
The following example configures ParallelClusterUserPolicy using Slurm as the scheduler. In this example, "<RESOURCES S3 BUCKET>" is the value of the cluster_resource_bucket setting; if cluster_resource_bucket is not specified, "<RESOURCES S3 BUCKET>" is "parallelcluster-*".
Note
If you use a custom role, ec2_iam_role = <role_name>, you must change the IAM resource to include the name of that role, from:
"Resource": "arn:aws:iam::<AWS ACCOUNT ID>:role/parallelcluster-*"
to:
"Resource": "arn:aws:iam::<AWS ACCOUNT ID>:role/<role_name>"
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ec2:DescribeKeyPairs",
        "ec2:DescribeRegions",
        "ec2:DescribeVpcs",
        "ec2:DescribeSubnets",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribePlacementGroups",
        "ec2:DescribeImages",
        "ec2:DescribeInstances",
        "ec2:DescribeInstanceStatus",
        "ec2:DescribeInstanceTypes",
        "ec2:DescribeInstanceTypeOfferings",
        "ec2:DescribeSnapshots",
        "ec2:DescribeVolumes",
        "ec2:DescribeVpcAttribute",
        "ec2:DescribeAddresses",
        "ec2:CreateTags",
        "ec2:DescribeNetworkInterfaces",
        "ec2:DescribeAvailabilityZones"
      ],
      "Resource": "*",
      "Effect": "Allow",
      "Sid": "EC2Describe"
    },
    {
      "Action": [
        "ec2:CreateVpc",
        "ec2:ModifyVpcAttribute",
        "ec2:DescribeNatGateways",
        "ec2:CreateNatGateway",
        "ec2:DescribeInternetGateways",
        "ec2:CreateInternetGateway",
        "ec2:AttachInternetGateway",
        "ec2:DescribeRouteTables",
        "ec2:CreateRoute",
        "ec2:CreateRouteTable",
        "ec2:AssociateRouteTable",
        "ec2:CreateSubnet",
        "ec2:ModifySubnetAttribute"
      ],
      "Resource": "*",
      "Effect": "Allow",
      "Sid": "NetworkingEasyConfig"
    },
    {
      "Action": [
        "ec2:CreateVolume",
        "ec2:RunInstances",
        "ec2:AllocateAddress",
        "ec2:AssociateAddress",
        "ec2:AttachNetworkInterface",
        "ec2:AuthorizeSecurityGroupEgress",
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:CreateNetworkInterface",
        "ec2:CreateSecurityGroup",
        "ec2:ModifyVolumeAttribute",
        "ec2:ModifyNetworkInterfaceAttribute",
        "ec2:DeleteNetworkInterface",
        "ec2:DeleteVolume",
        "ec2:TerminateInstances",
        "ec2:DeleteSecurityGroup",
        "ec2:DisassociateAddress",
        "ec2:RevokeSecurityGroupIngress",
        "ec2:RevokeSecurityGroupEgress",
        "ec2:ReleaseAddress",
        "ec2:CreatePlacementGroup",
        "ec2:DeletePlacementGroup"
      ],
      "Resource": "*",
      "Effect": "Allow",
      "Sid": "EC2Modify"
    },
    {
      "Action": [
        "autoscaling:CreateAutoScalingGroup",
        "ec2:CreateLaunchTemplate",
        "ec2:CreateLaunchTemplateVersion",
        "ec2:ModifyLaunchTemplate",
        "ec2:DeleteLaunchTemplate",
        "ec2:DescribeLaunchTemplates",
        "ec2:DescribeLaunchTemplateVersions"
      ],
      "Resource": "*",
      "Effect": "Allow",
      "Sid": "ScalingModify"
    },
    {
      "Action": ["dynamodb:DescribeTable", "dynamodb:ListTagsOfResource"],
      "Resource": "*",
      "Effect": "Allow",
      "Sid": "DynamoDBDescribe"
    },
    {
      "Action": [
        "dynamodb:CreateTable",
        "dynamodb:DeleteTable",
        "dynamodb:GetItem",
        "dynamodb:PutItem",
        "dynamodb:Query",
        "dynamodb:TagResource"
      ],
      "Resource": "*",
      "Effect": "Allow",
      "Sid": "DynamoDBModify"
    },
    {
      "Action": [
        "route53:ChangeResourceRecordSets",
        "route53:ChangeTagsForResource",
        "route53:CreateHostedZone",
        "route53:DeleteHostedZone",
        "route53:GetChange",
        "route53:GetHostedZone",
        "route53:ListResourceRecordSets",
        "route53:ListQueryLoggingConfigs"
      ],
      "Resource": "*",
      "Effect": "Allow",
      "Sid": "Route53HostedZones"
    },
    {
      "Action": [
        "cloudformation:DescribeStackEvents",
        "cloudformation:DescribeStackResource",
        "cloudformation:DescribeStackResources",
        "cloudformation:DescribeStacks",
        "cloudformation:ListStacks",
        "cloudformation:GetTemplate"
      ],
      "Resource": "*",
      "Effect": "Allow",
      "Sid": "CloudFormationDescribe"
    },
    {
      "Action": [
        "cloudformation:CreateStack",
        "cloudformation:DeleteStack",
        "cloudformation:UpdateStack"
      ],
      "Effect": "Allow",
      "Resource": "*",
      "Sid": "CloudFormationModify"
    },
    {
      "Action": ["s3:*"],
      "Resource": ["arn:aws:s3:::amzn-s3-demo-bucket"],
      "Effect": "Allow",
      "Sid": "S3ResourcesBucket"
    },
    {
      "Action": ["s3:Get*", "s3:List*"],
      "Resource": ["arn:aws:s3:::us-east-1-aws-parallelcluster*"],
      "Effect": "Allow",
      "Sid": "S3ParallelClusterReadOnly"
    },
    {
      "Action": ["s3:DeleteBucket", "s3:DeleteObject", "s3:DeleteObjectVersion"],
      "Resource": ["arn:aws:s3:::amzn-s3-demo-bucket"],
      "Effect": "Allow",
      "Sid": "S3Delete"
    },
    {
      "Action": [
        "iam:PassRole",
        "iam:CreateRole",
        "iam:DeleteRole",
        "iam:GetRole",
        "iam:TagRole",
        "iam:SimulatePrincipalPolicy"
      ],
      "Resource": [
        "arn:aws:iam::111122223333:role/<PARALLELCLUSTER EC2 ROLE NAME>",
        "arn:aws:iam::111122223333:role/parallelcluster-*"
      ],
      "Effect": "Allow",
      "Sid": "IAMModify"
    },
    {
      "Condition": {
        "StringEquals": {
          "iam:AWSServiceName": [
            "fsx.amazonaws.com",
            "s3.data-source.lustre.fsx.amazonaws.com"
          ]
        }
      },
      "Action": ["iam:CreateServiceLinkedRole"],
      "Resource": "arn:aws:iam::111122223333:role/aws-service-role/*",
      "Effect": "Allow",
      "Sid": "IAMServiceLinkedRole"
    },
    {
      "Action": ["iam:CreateInstanceProfile", "iam:DeleteInstanceProfile"],
      "Resource": "arn:aws:iam::111122223333:instance-profile/*",
      "Effect": "Allow",
      "Sid": "IAMCreateInstanceProfile"
    },
    {
      "Action": [
        "iam:AddRoleToInstanceProfile",
        "iam:RemoveRoleFromInstanceProfile",
        "iam:GetRolePolicy",
        "iam:GetPolicy",
        "iam:AttachRolePolicy",
        "iam:DetachRolePolicy",
        "iam:PutRolePolicy",
        "iam:DeleteRolePolicy"
      ],
      "Resource": "*",
      "Effect": "Allow",
      "Sid": "IAMInstanceProfile"
    },
    {
      "Action": [
        "elasticfilesystem:DescribeMountTargets",
        "elasticfilesystem:DescribeMountTargetSecurityGroups",
        "ec2:DescribeNetworkInterfaceAttribute"
      ],
      "Resource": "*",
      "Effect": "Allow",
      "Sid": "EFSDescribe"
    },
    {
      "Action": ["ssm:GetParametersByPath"],
      "Resource": "*",
      "Effect": "Allow",
      "Sid": "SSMDescribe"
    },
    {
      "Action": ["fsx:*"],
      "Resource": "*",
      "Effect": "Allow",
      "Sid": "FSx"
    },
    {
      "Action": ["elasticfilesystem:*"],
      "Resource": "*",
      "Effect": "Allow",
      "Sid": "EFS"
    },
    {
      "Action": [
        "logs:DeleteLogGroup",
        "logs:PutRetentionPolicy",
        "logs:DescribeLogGroups",
        "logs:CreateLogGroup",
        "logs:TagResource",
        "logs:UntagResource"
      ],
      "Resource": "*",
      "Effect": "Allow",
      "Sid": "CloudWatchLogs"
    },
    {
      "Action": [
        "lambda:CreateFunction",
        "lambda:DeleteFunction",
        "lambda:GetFunctionConfiguration",
        "lambda:GetFunction",
        "lambda:InvokeFunction",
        "lambda:AddPermission",
        "lambda:RemovePermission",
        "lambda:TagResource",
        "lambda:ListTags",
        "lambda:UntagResource"
      ],
      "Resource": [
        "arn:aws:lambda:us-east-1:111122223333:function:parallelcluster-*",
        "arn:aws:lambda:us-east-1:111122223333:function:pcluster-*"
      ],
      "Effect": "Allow",
      "Sid": "Lambda"
    },
    {
      "Sid": "CloudWatch",
      "Effect": "Allow",
      "Action": [
        "cloudwatch:PutDashboard",
        "cloudwatch:ListDashboards",
        "cloudwatch:DeleteDashboards",
        "cloudwatch:GetDashboard"
      ],
      "Resource": "*"
    }
  ]
}
ParallelClusterUserPolicy using SGE or Torque
Note
This section applies only to AWS ParallelCluster version 2.11.4 and earlier. Starting with version 2.11.5, AWS ParallelCluster doesn't support the use of the SGE or Torque schedulers.
The following example configures ParallelClusterUserPolicy using SGE or Torque as the scheduler. In this example, "<RESOURCES S3 BUCKET>" is the value of the cluster_resource_bucket setting; if cluster_resource_bucket is not specified, "<RESOURCES S3 BUCKET>" is "parallelcluster-*".
Note
If you use a custom role, ec2_iam_role = <role_name>, you must change the IAM resource to include the name of that role, from:
"Resource": "arn:aws:iam::<AWS ACCOUNT ID>:role/parallelcluster-*"
to:
"Resource": "arn:aws:iam::<AWS ACCOUNT ID>:role/<role_name>"
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ec2:DescribeKeyPairs",
        "ec2:DescribeRegions",
        "ec2:DescribeVpcs",
        "ec2:DescribeSubnets",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribePlacementGroups",
        "ec2:DescribeImages",
        "ec2:DescribeInstances",
        "ec2:DescribeInstanceStatus",
        "ec2:DescribeInstanceTypes",
        "ec2:DescribeInstanceTypeOfferings",
        "ec2:DescribeSnapshots",
        "ec2:DescribeVolumes",
        "ec2:DescribeVpcAttribute",
        "ec2:DescribeAddresses",
        "ec2:CreateTags",
        "ec2:DescribeNetworkInterfaces",
        "ec2:DescribeAvailabilityZones"
      ],
      "Resource": "*",
      "Effect": "Allow",
      "Sid": "EC2Describe"
    },
    {
      "Action": [
        "ec2:CreateVpc",
        "ec2:ModifyVpcAttribute",
        "ec2:DescribeNatGateways",
        "ec2:CreateNatGateway",
        "ec2:DescribeInternetGateways",
        "ec2:CreateInternetGateway",
        "ec2:AttachInternetGateway",
        "ec2:DescribeRouteTables",
        "ec2:CreateRoute",
        "ec2:CreateRouteTable",
        "ec2:AssociateRouteTable",
        "ec2:CreateSubnet",
        "ec2:ModifySubnetAttribute"
      ],
      "Resource": "*",
      "Effect": "Allow",
      "Sid": "NetworkingEasyConfig"
    },
    {
      "Action": [
        "ec2:CreateVolume",
        "ec2:RunInstances",
        "ec2:AllocateAddress",
        "ec2:AssociateAddress",
        "ec2:AttachNetworkInterface",
        "ec2:AuthorizeSecurityGroupEgress",
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:CreateNetworkInterface",
        "ec2:CreateSecurityGroup",
        "ec2:ModifyVolumeAttribute",
        "ec2:ModifyNetworkInterfaceAttribute",
        "ec2:DeleteNetworkInterface",
        "ec2:DeleteVolume",
        "ec2:TerminateInstances",
        "ec2:DeleteSecurityGroup",
        "ec2:DisassociateAddress",
        "ec2:RevokeSecurityGroupIngress",
        "ec2:RevokeSecurityGroupEgress",
        "ec2:ReleaseAddress",
        "ec2:CreatePlacementGroup",
        "ec2:DeletePlacementGroup"
      ],
      "Resource": "*",
      "Effect": "Allow",
      "Sid": "EC2Modify"
    },
    {
      "Action": [
        "autoscaling:DescribeAutoScalingGroups",
        "autoscaling:DescribeAutoScalingInstances"
      ],
      "Resource": "*",
      "Effect": "Allow",
      "Sid": "AutoScalingDescribe"
    },
    {
      "Action": [
        "autoscaling:CreateAutoScalingGroup",
        "ec2:CreateLaunchTemplate",
        "ec2:CreateLaunchTemplateVersion",
        "ec2:ModifyLaunchTemplate",
        "ec2:DeleteLaunchTemplate",
        "ec2:DescribeLaunchTemplates",
        "ec2:DescribeLaunchTemplateVersions",
        "autoscaling:PutNotificationConfiguration",
        "autoscaling:UpdateAutoScalingGroup",
        "autoscaling:PutScalingPolicy",
        "autoscaling:DescribeScalingActivities",
        "autoscaling:DeleteAutoScalingGroup",
        "autoscaling:DeletePolicy",
        "autoscaling:DisableMetricsCollection",
        "autoscaling:EnableMetricsCollection"
      ],
      "Resource": "*",
      "Effect": "Allow",
      "Sid": "AutoScalingModify"
    },
    {
      "Action": ["dynamodb:DescribeTable", "dynamodb:ListTagsOfResource"],
      "Resource": "*",
      "Effect": "Allow",
      "Sid": "DynamoDBDescribe"
    },
    {
      "Action": [
        "dynamodb:CreateTable",
        "dynamodb:DeleteTable",
        "dynamodb:GetItem",
        "dynamodb:PutItem",
        "dynamodb:Query",
        "dynamodb:TagResource"
      ],
      "Resource": "*",
      "Effect": "Allow",
      "Sid": "DynamoDBModify"
    },
    {
      "Action": ["sqs:GetQueueAttributes"],
      "Resource": "*",
      "Effect": "Allow",
      "Sid": "SQSDescribe"
    },
    {
      "Action": [
        "sqs:CreateQueue",
        "sqs:SetQueueAttributes",
        "sqs:DeleteQueue",
        "sqs:TagQueue"
      ],
      "Resource": "*",
      "Effect": "Allow",
      "Sid": "SQSModify"
    },
    {
      "Action": ["sns:ListTopics", "sns:GetTopicAttributes"],
      "Resource": "*",
      "Effect": "Allow",
      "Sid": "SNSDescribe"
    },
    {
      "Action": [
        "sns:CreateTopic",
        "sns:Subscribe",
        "sns:Unsubscribe",
        "sns:DeleteTopic"
      ],
      "Resource": "*",
      "Effect": "Allow",
      "Sid": "SNSModify"
    },
    {
      "Action": [
        "cloudformation:DescribeStackEvents",
        "cloudformation:DescribeStackResource",
        "cloudformation:DescribeStackResources",
        "cloudformation:DescribeStacks",
        "cloudformation:ListStacks",
        "cloudformation:GetTemplate"
      ],
      "Resource": "*",
      "Effect": "Allow",
      "Sid": "CloudFormationDescribe"
    },
    {
      "Action": [
        "cloudformation:CreateStack",
        "cloudformation:DeleteStack",
        "cloudformation:UpdateStack"
      ],
      "Effect": "Allow",
      "Resource": "*",
      "Sid": "CloudFormationModify"
    },
    {
      "Action": ["s3:*"],
      "Resource": ["arn:aws:s3:::amzn-s3-demo-bucket"],
      "Effect": "Allow",
      "Sid": "S3ResourcesBucket"
    },
    {
      "Action": ["s3:Get*", "s3:List*"],
      "Resource": ["arn:aws:s3:::us-east-1-aws-parallelcluster*"],
      "Effect": "Allow",
      "Sid": "S3ParallelClusterReadOnly"
    },
    {
      "Action": ["s3:DeleteBucket", "s3:DeleteObject", "s3:DeleteObjectVersion"],
      "Resource": ["arn:aws:s3:::amzn-s3-demo-bucket"],
      "Effect": "Allow",
      "Sid": "S3Delete"
    },
    {
      "Action": [
        "iam:PassRole",
        "iam:CreateRole",
        "iam:DeleteRole",
        "iam:GetRole",
        "iam:TagRole",
        "iam:SimulatePrincipalPolicy"
      ],
      "Resource": [
        "arn:aws:iam::111122223333:role/<PARALLELCLUSTER EC2 ROLE NAME>",
        "arn:aws:iam::111122223333:role/parallelcluster-*"
      ],
      "Effect": "Allow",
      "Sid": "IAMModify"
    },
    {
      "Condition": {
        "StringEquals": {
          "iam:AWSServiceName": [
            "fsx.amazonaws.com",
            "s3.data-source.lustre.fsx.amazonaws.com"
          ]
        }
      },
      "Action": ["iam:CreateServiceLinkedRole"],
      "Resource": "arn:aws:iam::111122223333:role/aws-service-role/*",
      "Effect": "Allow",
      "Sid": "IAMServiceLinkedRole"
    },
    {
      "Action": ["iam:CreateInstanceProfile", "iam:DeleteInstanceProfile"],
      "Resource": "arn:aws:iam::111122223333:instance-profile/*",
      "Effect": "Allow",
      "Sid": "IAMCreateInstanceProfile"
    },
    {
      "Action": [
        "iam:AddRoleToInstanceProfile",
        "iam:RemoveRoleFromInstanceProfile",
        "iam:GetRolePolicy",
        "iam:GetPolicy",
        "iam:AttachRolePolicy",
        "iam:DetachRolePolicy",
        "iam:PutRolePolicy",
        "iam:DeleteRolePolicy"
      ],
      "Resource": "*",
      "Effect": "Allow",
      "Sid": "IAMInstanceProfile"
    },
    {
      "Action": [
        "elasticfilesystem:DescribeMountTargets",
        "elasticfilesystem:DescribeMountTargetSecurityGroups",
        "ec2:DescribeNetworkInterfaceAttribute"
      ],
      "Resource": "*",
      "Effect": "Allow",
      "Sid": "EFSDescribe"
    },
    {
      "Action": ["ssm:GetParametersByPath"],
      "Resource": "*",
      "Effect": "Allow",
      "Sid": "SSMDescribe"
    },
    {
      "Action": ["fsx:*"],
      "Resource": "*",
      "Effect": "Allow",
      "Sid": "FSx"
    },
    {
      "Action": ["elasticfilesystem:*"],
      "Resource": "*",
      "Effect": "Allow",
      "Sid": "EFS"
    },
    {
      "Action": [
        "logs:DeleteLogGroup",
        "logs:PutRetentionPolicy",
        "logs:DescribeLogGroups",
        "logs:CreateLogGroup",
        "logs:TagResource",
        "logs:UntagResource"
      ],
      "Resource": "*",
      "Effect": "Allow",
      "Sid": "CloudWatchLogs"
    },
    {
      "Action": [
        "lambda:CreateFunction",
        "lambda:DeleteFunction",
        "lambda:GetFunctionConfiguration",
        "lambda:GetFunction",
        "lambda:InvokeFunction",
        "lambda:AddPermission",
        "lambda:RemovePermission",
        "lambda:TagResource",
        "lambda:ListTags",
        "lambda:UntagResource"
      ],
      "Resource": [
        "arn:aws:lambda:us-east-1:111122223333:function:parallelcluster-*",
        "arn:aws:lambda:us-east-1:111122223333:function:pcluster-*"
      ],
      "Effect": "Allow",
      "Sid": "Lambda"
    },
    {
      "Sid": "CloudWatch",
      "Effect": "Allow",
      "Action": [
        "cloudwatch:PutDashboard",
        "cloudwatch:ListDashboards",
        "cloudwatch:DeleteDashboards",
        "cloudwatch:GetDashboard"
      ],
      "Resource": "*"
    }
  ]
}
ParallelClusterUserPolicy using awsbatch
The following example ParallelClusterUserPolicy uses awsbatch as the scheduler. In this example, "<RESOURCES S3 BUCKET>" is the value of the cluster_resource_bucket setting; if cluster_resource_bucket is not specified, "<RESOURCES S3 BUCKET>" is "parallelcluster-*".
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ec2:DescribeKeyPairs",
        "ec2:DescribeRegions",
        "ec2:DescribeVpcs",
        "ec2:DescribeSubnets",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribePlacementGroups",
        "ec2:DescribeImages",
        "ec2:DescribeInstances",
        "ec2:DescribeInstanceStatus",
        "ec2:DescribeInstanceTypes",
        "ec2:DescribeInstanceTypeOfferings",
        "ec2:DescribeSnapshots",
        "ec2:DescribeVolumes",
        "ec2:DescribeVpcAttribute",
        "ec2:DescribeAddresses",
        "ec2:CreateTags",
        "ec2:DescribeNetworkInterfaces",
        "ec2:DescribeAvailabilityZones"
      ],
      "Resource": "*",
      "Effect": "Allow",
      "Sid": "EC2Describe"
    },
    {
      "Action": [
        "ec2:CreateLaunchTemplate",
        "ec2:CreateLaunchTemplateVersion",
        "ec2:ModifyLaunchTemplate",
        "ec2:DeleteLaunchTemplate",
        "ec2:DescribeLaunchTemplates",
        "ec2:DescribeLaunchTemplateVersions"
      ],
      "Resource": "*",
      "Effect": "Allow",
      "Sid": "EC2LaunchTemplate"
    },
    {
      "Action": [
        "ec2:CreateVpc",
        "ec2:ModifyVpcAttribute",
        "ec2:DescribeNatGateways",
        "ec2:CreateNatGateway",
        "ec2:DescribeInternetGateways",
        "ec2:CreateInternetGateway",
        "ec2:AttachInternetGateway",
        "ec2:DescribeRouteTables",
        "ec2:CreateRoute",
        "ec2:CreateRouteTable",
        "ec2:AssociateRouteTable",
        "ec2:CreateSubnet",
        "ec2:ModifySubnetAttribute"
      ],
      "Resource": "*",
      "Effect": "Allow",
      "Sid": "NetworkingEasyConfig"
    },
    {
      "Action": [
        "ec2:CreateVolume",
        "ec2:RunInstances",
        "ec2:AllocateAddress",
        "ec2:AssociateAddress",
        "ec2:AttachNetworkInterface",
        "ec2:AuthorizeSecurityGroupEgress",
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:CreateNetworkInterface",
        "ec2:CreateSecurityGroup",
        "ec2:ModifyVolumeAttribute",
        "ec2:ModifyNetworkInterfaceAttribute",
        "ec2:DeleteNetworkInterface",
        "ec2:DeleteVolume",
        "ec2:TerminateInstances",
        "ec2:DeleteSecurityGroup",
        "ec2:DisassociateAddress",
        "ec2:RevokeSecurityGroupIngress",
        "ec2:RevokeSecurityGroupEgress",
        "ec2:ReleaseAddress",
        "ec2:CreatePlacementGroup",
        "ec2:DeletePlacementGroup"
      ],
      "Resource": "*",
      "Effect": "Allow",
      "Sid": "EC2Modify"
    },
    {
      "Action": [
        "dynamodb:DescribeTable",
        "dynamodb:CreateTable",
        "dynamodb:DeleteTable",
        "dynamodb:GetItem",
        "dynamodb:PutItem",
        "dynamodb:Query",
        "dynamodb:TagResource"
      ],
      "Resource": "arn:aws:dynamodb:us-east-1:111122223333:table/parallelcluster-*",
      "Effect": "Allow",
      "Sid": "DynamoDB"
    },
    {
      "Action": [
        "cloudformation:DescribeStackEvents",
        "cloudformation:DescribeStackResource",
        "cloudformation:DescribeStackResources",
        "cloudformation:DescribeStacks",
        "cloudformation:ListStacks",
        "cloudformation:GetTemplate",
        "cloudformation:CreateStack",
        "cloudformation:DeleteStack",
        "cloudformation:UpdateStack"
      ],
      "Resource": "arn:aws:cloudformation:us-east-1:111122223333:stack/parallelcluster-*",
      "Effect": "Allow",
      "Sid": "CloudFormation"
    },
    {
      "Action": [
        "route53:ChangeResourceRecordSets",
        "route53:ChangeTagsForResource",
        "route53:CreateHostedZone",
        "route53:DeleteHostedZone",
        "route53:GetChange",
        "route53:GetHostedZone",
        "route53:ListResourceRecordSets"
      ],
      "Resource": "arn:aws:route53:::hostedzone/*",
      "Effect": "Allow",
      "Sid": "Route53HostedZones"
    },
    {
      "Action": [
        "sqs:GetQueueAttributes",
        "sqs:CreateQueue",
        "sqs:SetQueueAttributes",
        "sqs:DeleteQueue",
        "sqs:TagQueue"
      ],
      "Resource": "*",
      "Effect": "Allow",
      "Sid": "SQS"
    },
    {
      "Action": [
        "sqs:SendMessage",
        "sqs:ReceiveMessage",
        "sqs:ChangeMessageVisibility",
        "sqs:DeleteMessage",
        "sqs:GetQueueUrl"
      ],
      "Resource": "arn:aws:sqs:us-east-1:111122223333:parallelcluster-*",
      "Effect": "Allow",
      "Sid": "SQSQueue"
    },
    {
      "Action": [
        "sns:ListTopics",
        "sns:GetTopicAttributes",
        "sns:CreateTopic",
        "sns:Subscribe",
        "sns:Unsubscribe",
        "sns:DeleteTopic"
      ],
      "Resource": "*",
      "Effect": "Allow",
      "Sid": "SNS"
    },
    {
      "Action": [
        "iam:PassRole",
        "iam:CreateRole",
        "iam:DeleteRole",
        "iam:GetRole",
        "iam:TagRole",
        "iam:SimulatePrincipalPolicy"
      ],
      "Resource": [
        "arn:aws:iam::111122223333:role/parallelcluster-*",
        "arn:aws:iam::111122223333:role/<PARALLELCLUSTER EC2 ROLE NAME>"
      ],
      "Effect": "Allow",
      "Sid": "IAMRole"
    },
    {
      "Action": [
        "iam:CreateInstanceProfile",
        "iam:DeleteInstanceProfile",
        "iam:GetInstanceProfile",
        "iam:PassRole"
      ],
      "Resource": "arn:aws:iam::111122223333:instance-profile/*",
      "Effect": "Allow",
      "Sid": "IAMInstanceProfile"
    },
    {
      "Action": [
        "iam:AddRoleToInstanceProfile",
        "iam:RemoveRoleFromInstanceProfile",
        "iam:GetRolePolicy",
        "iam:PutRolePolicy",
        "iam:DeleteRolePolicy",
        "iam:GetPolicy",
        "iam:AttachRolePolicy",
        "iam:DetachRolePolicy"
      ],
      "Resource": "*",
      "Effect": "Allow",
      "Sid": "IAM"
    },
    {
      "Action": ["s3:*"],
      "Resource": ["arn:aws:s3:::amzn-s3-demo-bucket"],
      "Effect": "Allow",
      "Sid": "S3ResourcesBucket"
    },
    {
      "Action": ["s3:Get*", "s3:List*"],
      "Resource": ["arn:aws:s3:::us-east-1-aws-parallelcluster/*"],
      "Effect": "Allow",
      "Sid": "S3ParallelClusterReadOnly"
    },
    {
      "Action": ["s3:DeleteBucket", "s3:DeleteObject", "s3:DeleteObjectVersion"],
      "Resource": ["arn:aws:s3:::amzn-s3-demo-bucket"],
      "Effect": "Allow",
      "Sid": "S3Delete"
    },
    {
      "Action": [
        "lambda:CreateFunction",
        "lambda:DeleteFunction",
        "lambda:GetFunction",
        "lambda:GetFunctionConfiguration",
        "lambda:InvokeFunction",
        "lambda:AddPermission",
        "lambda:RemovePermission",
        "lambda:TagResource",
        "lambda:ListTags",
        "lambda:UntagResource"
      ],
      "Resource": [
        "arn:aws:lambda:us-east-1:111122223333:function:parallelcluster-*",
        "arn:aws:lambda:us-east-1:111122223333:function:pcluster-*"
      ],
      "Effect": "Allow",
      "Sid": "Lambda"
    },
    {
      "Action": ["logs:*"],
      "Resource": "arn:aws:logs:us-east-1:111122223333:*",
      "Effect": "Allow",
      "Sid": "Logs"
    },
    {
      "Action": ["codebuild:*"],
      "Resource": "arn:aws:codebuild:us-east-1:111122223333:project/parallelcluster-*",
      "Effect": "Allow",
      "Sid": "CodeBuild"
    },
    {
      "Action": ["ecr:*"],
      "Resource": "*",
      "Effect": "Allow",
      "Sid": "ECR"
    },
    {
      "Action": ["batch:*"],
      "Resource": "*",
      "Effect": "Allow",
      "Sid": "Batch"
    },
    {
      "Action": ["events:*"],
      "Effect": "Allow",
      "Resource": "*",
      "Sid": "AmazonCloudWatchEvents"
    },
    {
      "Action": ["ecs:DescribeContainerInstances", "ecs:ListContainerInstances"],
      "Resource": "*",
      "Effect": "Allow",
      "Sid": "ECS"
    },
    {
      "Action": [
        "elasticfilesystem:CreateFileSystem",
        "elasticfilesystem:CreateMountTarget",
        "elasticfilesystem:DeleteFileSystem",
        "elasticfilesystem:DeleteMountTarget",
        "elasticfilesystem:DescribeFileSystems",
        "elasticfilesystem:DescribeMountTargets"
      ],
      "Resource": "*",
      "Effect": "Allow",
      "Sid": "EFS"
    },
    {
      "Action": ["fsx:*"],
      "Resource": "*",
      "Effect": "Allow",
      "Sid": "FSx"
    },
    {
      "Sid": "CloudWatch",
      "Effect": "Allow",
      "Action": [
        "cloudwatch:PutDashboard",
        "cloudwatch:ListDashboards",
        "cloudwatch:DeleteDashboards",
        "cloudwatch:GetDashboard"
      ],
      "Resource": "*"
    }
  ]
}
ParallelClusterLambdaPolicy using SGE, Slurm, or Torque
The following example configures ParallelClusterLambdaPolicy using SGE, Slurm, or Torque as the scheduler.
Note
Starting with version 2.11.5, AWS ParallelCluster doesn't support the use of the SGE or Torque schedulers.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
      "Resource": "arn:aws:logs:*:*:*",
      "Effect": "Allow",
      "Sid": "CloudWatchLogsPolicy"
    },
    {
      "Action": [
        "s3:DeleteBucket",
        "s3:DeleteObject",
        "s3:DeleteObjectVersion",
        "s3:ListBucket",
        "s3:ListBucketVersions"
      ],
      "Resource": ["arn:aws:s3:::*"],
      "Effect": "Allow",
      "Sid": "S3BucketPolicy"
    },
    {
      "Action": ["ec2:DescribeInstances"],
      "Resource": "*",
      "Effect": "Allow",
      "Sid": "DescribeInstances"
    },
    {
      "Action": ["ec2:TerminateInstances"],
      "Resource": "*",
      "Effect": "Allow",
      "Sid": "FleetTerminatePolicy"
    },
    {
      "Action": ["dynamodb:GetItem", "dynamodb:PutItem"],
      "Resource": "arn:aws:dynamodb:us-east-1:111122223333:table/parallelcluster-*",
      "Effect": "Allow",
      "Sid": "DynamoDBTable"
    },
    {
      "Action": ["route53:ListResourceRecordSets", "route53:ChangeResourceRecordSets"],
      "Resource": ["arn:aws:route53:::hostedzone/*"],
      "Effect": "Allow",
      "Sid": "Route53DeletePolicy"
    }
  ]
}
ParallelClusterLambdaPolicy using awsbatch
The following example ParallelClusterLambdaPolicy uses awsbatch as the scheduler.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
      "Effect": "Allow",
      "Resource": "arn:aws:logs:*:*:*",
      "Sid": "CloudWatchLogsPolicy"
    },
    {
      "Action": ["ecr:BatchDeleteImage", "ecr:ListImages"],
      "Effect": "Allow",
      "Resource": "*",
      "Sid": "ECRPolicy"
    },
    {
      "Action": ["codebuild:BatchGetBuilds", "codebuild:StartBuild"],
      "Effect": "Allow",
      "Resource": "*",
      "Sid": "CodeBuildPolicy"
    },
    {
      "Action": [
        "s3:DeleteBucket",
        "s3:DeleteObject",
        "s3:DeleteObjectVersion",
        "s3:ListBucket",
        "s3:ListBucketVersions"
      ],
      "Effect": "Allow",
      "Resource": "*",
      "Sid": "S3BucketPolicy"
    }
  ]
}
ParallelClusterUserPolicy for users
The following example configures ParallelClusterUserPolicy for users that don't need to create or update clusters. The following commands are supported.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "MinimumModify",
      "Action": [
        "autoscaling:UpdateAutoScalingGroup",
        "batch:UpdateComputeEnvironment",
        "cloudformation:DescribeStackEvents",
        "cloudformation:DescribeStackResources",
        "cloudformation:GetTemplate",
        "dynamodb:GetItem",
        "dynamodb:PutItem"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:autoscaling:us-east-1:111122223333:autoScalingGroup:*:autoScalingGroupName/parallelcluster-*",
        "arn:aws:batch:us-east-1:111122223333:compute-environment/*",
        "arn:aws:cloudformation:us-east-1:111122223333:stack/<CLUSTERNAME>/*",
        "arn:aws:dynamodb:us-east-1:111122223333:table/<CLUSTERNAME>"
      ]
    },
    {
      "Sid": "Describe",
      "Action": [
        "cloudformation:DescribeStacks",
        "ec2:DescribeInstances",
        "ec2:DescribeInstanceStatus"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}