g. Setup IAM Permissions 🔑
Be default AWS ParallelCluster API limits the policies you’re allowed to attach with AdditionalIAMPolicies to the following managed policies:
- arn:aws:iam::1234567890:policy/parallelcluster*
- arn:aws:iam::1234567890:policy/parallelcluster/*
- arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy
- arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore
- arn:aws:iam::aws:policy/AWSBatchFullAccess
- arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess
- arn:aws:iam::aws:policy/service-role/AWSBatchServiceRole
- arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role
- arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy
- arn:aws:iam::aws:policy/service-role/AmazonEC2SpotFleetTaggingRole
- arn:aws:iam::aws:policy/EC2InstanceProfileForImageBuilder
- arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
If you try and attach a policy outside of this list, you’ll get an error like:
API: iam:AttachRolePolicy User: ... is not authorized to perform: iam:AttachRolePolicy on resource: role api-cluster-2022-05-09-17-46-53-RoleHeadNode-EXNM6B7GER1S because no identity-based policy allows the iam:AttachRolePolicy action
To fix this, you can add additional IAM permissions to PCM like so:
- Go to the Lambda Console (deeplink) and search for
ParallelClusterFunction - Select the function then
Configuration>Permissions> Click on the role underRole name.
- Select the
AWSXRayDaemonWriteAccesspolicy and remove it - Select
Add permissions>Create inline Policy
- Click on the JSON tab and paste in the following policy. Make sure to change
<account-id>to your aws account id.
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"iam:AttachRolePolicy",
"iam:DetachRolePolicy"
],
"Effect": "Allow",
"Resource": "arn:aws:iam::<account-id>:role/parallelcluster/*"
}
]
}
- Click Review Policy, give it a name like
pcluster-attach-detach-policiesand click Save.