
Create new cluster fails due to missing iam:AttachRolePolicy permission

Open verdimrc opened this issue 3 years ago • 3 comments

The us-west-2 quick-launch fails to create a new cluster because of missing iam:AttachRolePolicy permission.

The quick fix is to add that permission to the ParallelClusterUserRole from the pcluster-manager-ParallelClusterApi stack.

verdimrc, Dec 02 '22 10:12

Hello @verdimrc, can you explain a bit more what you were trying to do? Also, a sample of the YAML config file would help, since a cluster with the "default" configuration should be created without issues.

mtfranchetto, Dec 05 '22 08:12

To elaborate - this is caused by the ParallelCluster API: it limits the IAM policies you can attach to the instances to the following list:

{
    "Condition": {
        "ArnLike": {
            "iam:PolicyARN": [
                "arn:aws:iam::822857487308:policy/parallelcluster*",
                "arn:aws:iam::822857487308:policy/parallelcluster/*",
                "arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy",
                "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore",
                "arn:aws:iam::aws:policy/AWSBatchFullAccess",
                "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess",
                "arn:aws:iam::aws:policy/service-role/AWSBatchServiceRole",
                "arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role",
                "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy",
                "arn:aws:iam::aws:policy/service-role/AmazonEC2SpotFleetTaggingRole",
                "arn:aws:iam::aws:policy/EC2InstanceProfileForImageBuilder",
                "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
            ]
        }
    },
    "Action": [
        "iam:AttachRolePolicy",
        "iam:DetachRolePolicy"
    ],
    "Resource": "arn:aws:iam::822857487308:role/parallelcluster/*",
    "Effect": "Allow",
    "Sid": "IamPolicy"
}

There is a workaround, documented here: https://ml.hpcworkshops.com/01-getting-started/06-iam-permissions.html. There are also GitHub issues here: https://github.com/aws/aws-parallelcluster/issues/4031 and https://github.com/aws-samples/pcluster-manager/issues/268

I'll leave this issue open for tracking until this is resolved.

sean-smith, Dec 05 '22 19:12

I should add, if you want to scope this down to just iam:AttachRolePolicy and iam:DetachRolePolicy you can add a policy like:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
               "iam:AttachRolePolicy",
               "iam:DetachRolePolicy"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:iam::<account-id>:role/parallelcluster/*"
        }
    ]
}

See https://pcluster.cloud/02-tutorials/07-setup-iam.html for detailed setup instructions.

sean-smith, Dec 16 '22 20:12
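The two statements in this thread differ only in the ArnLike condition on iam:PolicyARN, and that condition is what makes the quick-launch fail when a cluster needs a policy outside the allow-list. The following evaluator is an added example (not code from pcluster-manager or ParallelCluster) that models how IAM matches that condition, so you can check offline which policy ARNs a parallelcluster role can receive under each statement; the account id and policy names are constructed, and only the ArnLike condition on iam:PolicyARN is modelled.

```python
import re

ACCOUNT = "111122223333"  # constructed sample account id, not a real one

# Restricted statement from the ParallelCluster API role (allow-list shortened).
RESTRICTED = {
    "Action": ["iam:AttachRolePolicy", "iam:DetachRolePolicy"],
    "Resource": f"arn:aws:iam::{ACCOUNT}:role/parallelcluster/*",
    "Condition": {"ArnLike": {"iam:PolicyARN": [
        f"arn:aws:iam::{ACCOUNT}:policy/parallelcluster*",
        "arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy",
        "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore",
    ]}},
}
# Scoped-down workaround from the last comment: same actions, no Condition,
# so any policy may be attached, but only to roles under parallelcluster/.
WORKAROUND = {
    "Action": ["iam:AttachRolePolicy", "iam:DetachRolePolicy"],
    "Resource": f"arn:aws:iam::{ACCOUNT}:role/parallelcluster/*",
}


def arn_like(pattern, arn):
    """IAM ArnLike semantics: each of the six colon-separated ARN components is
    matched on its own; '*' matches any run of characters, '?' a single one."""
    p_parts, a_parts = pattern.split(":", 5), arn.split(":", 5)
    if len(p_parts) != 6 or len(a_parts) != 6:
        return False
    for p, a in zip(p_parts, a_parts):
        regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in p)
        if not re.fullmatch(regex, a):
            return False
    return True


def allows(stmt, action, role_arn, policy_arn):
    """True if this Allow statement permits `action` on `role_arn` when the
    request carries `policy_arn` as iam:PolicyARN. No Condition means any policy."""
    if action not in stmt["Action"] or not arn_like(stmt["Resource"], role_arn):
        return False
    patterns = stmt.get("Condition", {}).get("ArnLike", {}).get("iam:PolicyARN", [])
    return not patterns or any(arn_like(p, policy_arn) for p in patterns)
```

Run `allows(RESTRICTED, "iam:AttachRolePolicy", role_arn, policy_arn)` with the policy your cluster config attaches; a False result for a non-allow-listed policy is the failure this issue describes, and the same call against WORKAROUND shows what the scoped-down statement opens up.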