
Policies needed

Open StefanA1309 opened this issue 2 years ago • 4 comments

Hi, it would be nice to have a list of all needed policies before deploying the CloudFormation stack. I went through the process interactively with my admin (deployed stack -> ran into a policy error -> had admin add the policy (repeat until it works)). Thanks, Stefan

StefanA1309 avatar Dec 01 '22 10:12 StefanA1309

Hello @StefanA1309, does this document help? https://docs.aws.amazon.com/parallelcluster/latest/ug/iam-roles-in-parallelcluster-v3.html

mtfranchetto avatar Dec 02 '22 08:12 mtfranchetto

Hi @mtfranchetto

Maybe we did something wrong, but we started with a user which could create a PC successfully ("standard" one, no batch or image making tested so far). Using this same user to deploy pcluster-manager ran into several policy problems.

Comparing the policies we added with the ones in your link (for example, one was iam:PutRolePolicy, where we added the resource '*') I do see them listed in the web page, so either:

  1. The user deploying pcluster-manager needs more privileges than simply creating a PC (like the image builder feature, which we haven't used so far)
  2. The deployment of pcluster-manager uses resources not covered by the 'standard' setup, like "arn:aws:iam::<AWS ACCOUNT ID>:instance-profile/parallelcluster/", "arn:aws:iam::<AWS ACCOUNT ID>:instance-profile/ParallelClusterImage", "arn:aws:iam::<AWS ACCOUNT ID>:role/parallelcluster/*"

To be clear: we got it to work (*) and really like it, only something is missing in the docu to make the deployment easier. Thanks

(*) The SSM part needed for the Slurm queue doesn't work; I don't really understand that one yet, as SSM is running on the head node. Guess I need more policies for SSM :(

StefanA1309 avatar Dec 02 '22 09:12 StefanA1309
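The deploy, fail, add-policy loop described above can at least produce a scoped policy instead of one with the resource '*'. The following is an added example, not code from pcluster-manager or from anyone in this thread: it parses access-denied messages and groups the denied actions under the resource patterns quoted in the comment above. The sample messages, account ID, role names and the trailing `*` on the instance-profile pattern are constructed assumptions.

```python
import json
import re
from collections import defaultdict

def _denied(action, resource):
    """Build one constructed access-denied line (placeholder account and user)."""
    return (f"User: arn:aws:iam::111122223333:user/deployer is not authorized to perform: "
            f"{action} on resource: arn:aws:iam::111122223333:{resource} "
            f"because no identity-based policy allows the {action} action")

# Constructed sample input, standing in for errors collected across failed deployments.
SAMPLE_ERRORS = [
    _denied("iam:PutRolePolicy", "role/parallelcluster/demo-role-a"),
    _denied("iam:CreateRole", "role/parallelcluster/demo-role-b"),
    _denied("iam:PutRolePolicy", "role/parallelcluster/demo-role-a"),  # duplicate on purpose
    _denied("iam:AddRoleToInstanceProfile", "instance-profile/parallelcluster/demo-profile"),
    _denied("iam:PassRole", "role/other-demo-role"),
]

DENIED = re.compile(r"not authorized to perform: (?P<action>[\w-]+:\w+) on resource: (?P<arn>arn:\S+)")

# Resource patterns taken from the thread; {account} stands for <AWS ACCOUNT ID>.
# The trailing "*" on the instance-profile pattern is an assumption.
SCOPES = [
    "arn:aws:iam::{account}:role/parallelcluster/*",
    "arn:aws:iam::{account}:instance-profile/parallelcluster/*",
]

def scope_for(arn):
    """Return the thread-listed pattern covering arn, else the exact ARN (never '*')."""
    account = arn.split(":")[4]
    for pattern in SCOPES:
        candidate = pattern.format(account=account)
        if arn.startswith(candidate.rstrip("*")):
            return candidate
    return arn

def build_policy(errors):
    """Group denied actions by scoped resource and emit an IAM policy document."""
    grouped = defaultdict(set)
    for line in errors:
        match = DENIED.search(line)
        if match:
            grouped[scope_for(match["arn"])].add(match["action"])
    statements = [{"Effect": "Allow", "Action": sorted(actions), "Resource": resource}
                  for resource, actions in sorted(grouped.items())]
    return {"Version": "2012-10-17", "Statement": statements}

if __name__ == "__main__":
    print(json.dumps(build_policy(SAMPLE_ERRORS), indent=2))
```

An ARN that matches none of the listed patterns is kept as an exact resource, so the generated policy never widens to '*' on its own.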

Yes, correct. The linked resources are for deploying a new PC cluster, not PCluster Manager itself. Right now we don't have the comprehensive permissions set required to launch PCM (as it's a long list), but we may add it in an upcoming release. Is creating PCM stacks with an Admin role a possibility for the time being?

mtfranchetto avatar Dec 05 '22 08:12 mtfranchetto

Regarding SSM - all you need is to set SSMManagedInstanceCore in the additional policies section. This is automatically added when you enable "Virtual Console" in the UI. Let me know if you can't get this to work. Happy to help - also apologize for the confusion on policies, we'll work to put together a canonical list.

sean-smith avatar Dec 05 '22 19:12 sean-smith