本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。
# AWS PCS 的最低許可
本節說明 IAM 身分 (使用者、群組或角色) 使用服務所需的最低 IAM 許可。
**Contents**
+ [使用 API 動作的最低許可](#security-min-permissions_api)
+ [使用標籤的最低許可](#security-min-permissions_tagging)
+ [支援日誌的最低許可](#security-min-permissions_logging)
+ [使用容量區塊的最小許可](#security-min-permissions_capacity-blocks)
+ [服務管理員的最低許可](#security-min-permissions_admin-policy)
## 使用 API 動作的最低許可
| API 動作 | 最低許可 | 主控台的其他許可 |
| --- | --- | --- |
| CreateCluster | ec2:CreateNetworkInterface,
ec2:DescribeVpcs,
ec2:DescribeSubnets,
ec2:DescribeSecurityGroups,
ec2:GetSecurityGroupsForVpc,
iam:CreateServiceLinkedRole,
secretsmanager:CreateSecret,
secretsmanager:TagResource,
secretsmanager:RotateSecret,
pcs:CreateCluster
| |
| ListClusters | pcs:ListClusters
| |
| GetCluster | pcs:GetCluster
| ec2:DescribeSubnets
|
| DeleteCluster | pcs:DeleteCluster
| |
| CreateComputeNodeGroup | ec2:DescribeVpcs,
ec2:DescribeSubnets,
ec2:DescribeSecurityGroups,
ec2:DescribeLaunchTemplates,
ec2:DescribeLaunchTemplateVersions,
ec2:DescribeInstanceTypes,
ec2:DescribeInstanceTypeOfferings,
ec2:RunInstances,
ec2:CreateFleet,
ec2:CreateTags,
iam:PassRole,
iam:GetInstanceProfile,
pcs:CreateComputeNodeGroup
| iam:ListInstanceProfiles,
ec2:DescribeImages,
pcs:GetCluster
|
| ListComputerNodeGroups | pcs:ListComputeNodeGroups
| pcs:GetCluster
|
| GetComputeNodeGroup | pcs:GetComputeNodeGroup
| ec2:DescribeSubnets
|
| UpdateComputeNodeGroup | ec2:DescribeVpcs,
ec2:DescribeSubnets,
ec2:DescribeSecurityGroups,
ec2:DescribeLaunchTemplates,
ec2:DescribeLaunchTemplateVersions,
ec2:DescribeInstanceTypes,
ec2:DescribeInstanceTypeOfferings,
ec2:RunInstances,
ec2:CreateFleet,
ec2:CreateTags,
iam:PassRole,
iam:GetInstanceProfile,
pcs:UpdateComputeNodeGroup
| pcs:GetComputeNodeGroup,
iam:ListInstanceProfiles,
ec2:DescribeImages,
pcs:GetCluster
|
| DeleteComputeNodeGroup | pcs:DeleteComputeNodeGroup
| |
| CreateQueue | pcs:CreateQueue
| pcs:ListComputeNodeGroups,
pcs:GetCluster
|
| ListQueues | pcs:ListQueues
| pcs:GetCluster
|
| GetQueue | pcs:GetQueue
| |
| UpdateQueue | pcs:UpdateQueue
| pcs:ListComputeNodeGroups,
pcs:GetQueue
|
| DeleteQueue | pcs:DeleteQueue
| |
## 使用標籤的最低許可
在 AWS PCS 中將標籤與資源搭配使用需要下列許可。
```
pcs:ListTagsForResource,
pcs:TagResource,
pcs:UntagResource
```
## 支援日誌的最低許可
AWS PCS 會將日誌資料傳送至 Amazon CloudWatch Logs (CloudWatch Logs)。您必須確定您的身分具有使用 CloudWatch Logs 的最低許可。如需詳細資訊,請參閱《Amazon [ CloudWatch Logs 使用者指南》中的管理 CloudWatch Logs 資源存取許可的概觀](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/iam-access-control-overview-cwl.html)。 *Amazon CloudWatch *
如需有關服務將日誌傳送至 CloudWatch Logs 所需的許可資訊,請參閱《*Amazon CloudWatch Logs 使用者指南*》中的[啟用來自 AWS 服務的日誌記錄](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/AWS-logs-and-resource-policy.html#AWS-vended-logs-permissions-V2)。
## 使用容量區塊的最小許可
Amazon EC2 Capacity Blocks for ML 是一種 Amazon EC2 購買選項,可讓您預先付費,在特定日期和時間範圍內保留 GPU 加速運算執行個體,以支援短期工作負載。如需詳細資訊,請參閱[搭配 AWS PCS 使用適用於 ML 的 Amazon EC2 容量區塊](capacity-blocks.md)。
當您建立或更新運算節點群組時,您可以選擇使用容量區塊。您用來建立或更新運算節點群組的 IAM 身分必須具有下列許可:
```
ec2:DescribeCapacityReservations
```
## 服務管理員的最低許可
下列 IAM 政策指定 IAM 身分 (使用者、群組或角色) 設定和管理 AWS PCS 服務所需的最低許可。
**注意**
不設定和管理服務的使用者不需要這些許可。僅執行任務的使用者會使用安全殼層 (SSH) 連線到叢集。 AWS Identity and Access Management (IAM) 不會處理 SSH 的身分驗證或授權。
```
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "PCSAccess",
"Effect": "Allow",
"Action": [
"pcs:*"
],
"Resource": "*"
},
{
"Sid": "EC2Access",
"Effect": "Allow",
"Action": [
"ec2:CreateNetworkInterface",
"ec2:DescribeImages",
"ec2:GetSecurityGroupsForVpc",
"ec2:DescribeSubnets",
"ec2:DescribeSecurityGroups",
"ec2:DescribeVpcs",
"ec2:DescribeLaunchTemplates",
"ec2:DescribeLaunchTemplateVersions",
"ec2:DescribeInstanceTypes",
"ec2:DescribeInstanceTypeOfferings",
"ec2:RunInstances",
"ec2:CreateFleet",
"ec2:CreateTags",
"ec2:DescribeCapacityReservations"
],
"Resource": "*"
},
{
"Sid": "IamInstanceProfile",
"Effect": "Allow",
"Action": [
"iam:GetInstanceProfile"
],
"Resource": "*"
},
{
"Sid": "IamPassRole",
"Effect": "Allow",
"Action": [
"iam:PassRole"
],
"Resource": [
"arn:aws:iam::*:role/*/AWSPCS*",
"arn:aws:iam::*:role/AWSPCS*",
"arn:aws:iam::*:role/aws-pcs/*",
"arn:aws:iam::*:role/*/aws-pcs/*"
],
"Condition": {
"StringEquals": {
"iam:PassedToService": [
"ec2.amazonaws.com"
]
}
}
},
{
"Sid": "SLRAccess",
"Effect": "Allow",
"Action": [
"iam:CreateServiceLinkedRole"
],
"Resource": [
"arn:aws:iam::*:role/aws-service-role/pcs.amazonaws.com/AWSServiceRoleFor*",
"arn:aws:iam::*:role/aws-service-role/spot.amazonaws.com/AWSServiceRoleFor*"
],
"Condition": {
"StringLike": {
"iam:AWSServiceName": [
"pcs.amazonaws.com",
"spot.amazonaws.com"
]
}
}
},
{
"Sid": "AccessKMSKey",
"Effect": "Allow",
"Action": [
"kms:Decrypt",
"kms:Encrypt",
"kms:GenerateDataKey",
"kms:CreateGrant",
"kms:DescribeKey"
],
"Resource": "*"
},
{
"Sid": "SecretManagementAccess",
"Effect": "Allow",
"Action": [
"secretsmanager:CreateSecret",
"secretsmanager:TagResource",
"secretsmanager:UpdateSecret",
"secretsmanager:RotateSecret"
],
"Resource": "*"
},
{
"Sid": "ServiceLogsDelivery",
"Effect": "Allow",
"Action": [
"pcs:AllowVendedLogDeliveryForResource",
"logs:PutDeliverySource",
"logs:PutDeliveryDestination",
"logs:CreateDelivery"
],
"Resource": "*"
}
]
}
```