AWS PCS 的最低許可 - AWS PCS
使用 API 動作的最小許可使用標籤的最低許可支援日誌的最低許可使用容量區塊的最小許可服務管理員的最低許可

本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。

AWS PCS 的最低許可

本節說明 IAM 身分 (使用者、群組或角色) 使用服務所需的最低 IAM 許可。

使用 API 動作的最小許可

API 動作 最低許可 主控台的其他許可

CreateCluster

 
ec2:CreateNetworkInterface,
ec2:DescribeVpcs,
ec2:DescribeSubnets,
ec2:DescribeSecurityGroups, 
ec2:GetSecurityGroupsForVpc, 
iam:CreateServiceLinkedRole,
secretsmanager:CreateSecret,
secretsmanager:TagResource,
secretsmanager:RotateSecret,
pcs:CreateCluster

ListClusters

 
pcs:ListClusters

GetCluster

 
pcs:GetCluster
 
ec2:DescribeSubnets

DeleteCluster

 
pcs:DeleteCluster

CreateComputeNodeGroup

 
ec2:DescribeVpcs,
ec2:DescribeSubnets,
ec2:DescribeSecurityGroups,
ec2:DescribeLaunchTemplates,
ec2:DescribeLaunchTemplateVersions,
ec2:DescribeInstanceTypes,
ec2:DescribeInstanceTypeOfferings,
ec2:RunInstances,
ec2:CreateFleet,
ec2:CreateTags,
iam:PassRole,
iam:GetInstanceProfile,
pcs:CreateComputeNodeGroup
 
iam:ListInstanceProfiles,
ec2:DescribeImages,
pcs:GetCluster

ListComputerNodeGroups

 
pcs:ListComputeNodeGroups
 
pcs:GetCluster

GetComputeNodeGroup

 
pcs:GetComputeNodeGroup
 
ec2:DescribeSubnets

UpdateComputeNodeGroup

 
ec2:DescribeVpcs,
ec2:DescribeSubnets,
ec2:DescribeSecurityGroups,
ec2:DescribeLaunchTemplates,
ec2:DescribeLaunchTemplateVersions,
ec2:DescribeInstanceTypes,
ec2:DescribeInstanceTypeOfferings,
ec2:RunInstances,
ec2:CreateFleet,
ec2:CreateTags,
iam:PassRole,
iam:GetInstanceProfile,
pcs:UpdateComputeNodeGroup
 
pcs:GetComputeNodeGroup,
iam:ListInstanceProfiles,
ec2:DescribeImages,
pcs:GetCluster

DeleteComputeNodeGroup

 
pcs:DeleteComputeNodeGroup

CreateQueue

 
pcs:CreateQueue
 
pcs:ListComputeNodeGroups,
pcs:GetCluster

ListQueues

 
pcs:ListQueues
 
pcs:GetCluster

GetQueue

 
pcs:GetQueue

UpdateQueue

 
pcs:UpdateQueue
 
pcs:ListComputeNodeGroups,
pcs:GetQueue

DeleteQueue

 
pcs:DeleteQueue

使用標籤的最低許可

在 AWS PCS 中將標籤與資源搭配使用需要下列許可。

pcs:ListTagsForResource,
pcs:TagResource,
pcs:UntagResource

支援日誌的最低許可

AWS PCS 會將日誌資料傳送至 Amazon CloudWatch Logs (CloudWatch Logs)。您必須確定您的身分具有使用 CloudWatch Logs 的最低許可。如需詳細資訊,請參閱《Amazon CloudWatch Logs 使用者指南》中的管理 CloudWatch Logs 資源存取許可的概觀Amazon CloudWatch

如需有關服務將日誌傳送至 CloudWatch Logs 所需的許可資訊,請參閱《Amazon CloudWatch Logs 使用者指南》中的啟用來自 AWS 服務的日誌記錄

使用容量區塊的最小許可

Amazon EC2 Capacity Blocks for ML 是一種 Amazon EC2 購買選項,可讓您預先付費,在特定日期和時間範圍內保留 GPU 加速運算執行個體,以支援短期工作負載。如需詳細資訊,請參閱搭配 AWS PCS 使用適用於 ML 的 Amazon EC2 容量區塊

當您建立或更新運算節點群組時,您可以選擇使用容量區塊。您用來建立或更新運算節點群組的 IAM 身分必須具有下列許可:

ec2:DescribeCapacityReservations

服務管理員的最低許可

下列 IAM 政策指定 IAM 身分 (使用者、群組或角色) 設定和管理 AWS PCS 服務所需的最低許可。

注意

不設定和管理服務的使用者不需要這些許可。僅執行任務的使用者會使用安全殼層 (SSH) 連線到叢集。 AWS Identity and Access Management (IAM) 不會處理 SSH 的身分驗證或授權。

{
  "Version": "2012-10-17",		 	 	 
  "Statement": [
    {
      "Sid": "PCSAccess",
      "Effect": "Allow",
      "Action": [
        "pcs:*"
      ],
      "Resource": "*"
    },
    {
      "Sid": "EC2Access",
      "Effect": "Allow",
      "Action": [
        "ec2:CreateNetworkInterface",
        "ec2:DescribeImages",
        "ec2:GetSecurityGroupsForVpc",
        "ec2:DescribeSubnets",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeVpcs",
        "ec2:DescribeLaunchTemplates",
        "ec2:DescribeLaunchTemplateVersions",
        "ec2:DescribeInstanceTypes",
        "ec2:DescribeInstanceTypeOfferings",
        "ec2:RunInstances",
        "ec2:CreateFleet",
        "ec2:CreateTags",
        "ec2:DescribeCapacityReservations"
      ],
      "Resource": "*"
    },
    {
      "Sid": "IamInstanceProfile",
      "Effect": "Allow",
      "Action": [
        "iam:GetInstanceProfile"
      ],
      "Resource": "*"
    },
    {
      "Sid": "IamPassRole",
      "Effect": "Allow",
      "Action": [
        "iam:PassRole"
      ],
      "Resource": [
        "arn:aws:iam::*:role/*/AWSPCS*",
        "arn:aws:iam::*:role/AWSPCS*",
        "arn:aws:iam::*:role/aws-pcs/*",
        "arn:aws:iam::*:role/*/aws-pcs/*"
      ],
      "Condition": {
        "StringEquals": {
           "iam:PassedToService": [
             "ec2.amazonaws.com"
           ]
        }
      }
    },
    {
      "Sid": "SLRAccess",
      "Effect": "Allow",
      "Action": [
        "iam:CreateServiceLinkedRole"
      ],
      "Resource": [
        "arn:aws:iam::*:role/aws-service-role/pcs.amazonaws.com/AWSServiceRoleFor*",
        "arn:aws:iam::*:role/aws-service-role/spot.amazonaws.com/AWSServiceRoleFor*"
      ],
      "Condition": {
        "StringLike": {
          "iam:AWSServiceName": [
            "pcs.amazonaws.com",
            "spot.amazonaws.com"
          ]
        }
      }
    },
    {
      "Sid": "AccessKMSKey",
      "Effect": "Allow",
      "Action": [
        "kms:Decrypt",
        "kms:Encrypt",
        "kms:GenerateDataKey",
        "kms:CreateGrant",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    },
    {
      "Sid": "SecretManagementAccess",
      "Effect": "Allow",
      "Action": [
        "secretsmanager:CreateSecret",
        "secretsmanager:TagResource",
        "secretsmanager:UpdateSecret",
        "secretsmanager:RotateSecret"
      ],
      "Resource": "*"
    },
    { 
       "Sid": "ServiceLogsDelivery",
       "Effect": "Allow",
       "Action": [
         "pcs:AllowVendedLogDeliveryForResource",
         "logs:PutDeliverySource",
         "logs:PutDeliveryDestination",
         "logs:CreateDelivery"
       ],
       "Resource": "*"
    }
  ]
}