


# AWS Identity and Access Management roles in AWS ParallelCluster
<a name="iam"></a>

AWS ParallelCluster uses AWS Identity and Access Management (IAM) roles for Amazon EC2 to enable instances to access AWS services for the deployment and operation of a cluster. By default, the IAM role for Amazon EC2 is created when the cluster is created. This means that the user who creates the cluster must have the appropriate level of permissions, as described in the following sections.

AWS ParallelCluster uses multiple AWS services to deploy and operate a cluster. See the complete list in the [AWS services used in AWS ParallelCluster](aws-services.md) section.

You can track changes to the example policies in the [AWS ParallelCluster documentation on GitHub](https://github.com/awsdocs/aws-parallelcluster-user-guide/blame/main/doc_source/iam.md).

**Topics**
+ [Default settings for cluster creation](#defaults)
+ [Using an existing IAM role for Amazon EC2](#using-an-existing-ec2-iam-role)
+ [AWS ParallelCluster example instance and user policies](#example-parallelcluser-policies)

## Default settings for cluster creation
<a name="defaults"></a>

When you use the default settings for cluster creation, the cluster creates a default IAM role for Amazon EC2. The user who creates the cluster must have the right level of permissions to create all of the resources required to launch the cluster. This includes creating an IAM role for Amazon EC2. Typically, the user must have the permissions of an *AdministratorAccess* managed policy when using the default settings. For information about managed policies, see [AWS managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies) in the *IAM User Guide*.

## Using an existing IAM role for Amazon EC2
<a name="using-an-existing-ec2-iam-role"></a>

Instead of the default settings, you can use an existing [`ec2_iam_role`](cluster-definition.md#ec2-iam-role) to create a cluster, but you must define the IAM policy and role before you attempt to launch the cluster. Typically, you choose an existing IAM role for Amazon EC2 to minimize the permissions that are granted to users when they launch clusters. The [AWS ParallelCluster example instance and user policies](#example-parallelcluser-policies) include the minimum permissions required by AWS ParallelCluster and its features. You must create both the policies and the roles as individual policies in IAM and then attach the roles and policies to the appropriate resources. Some role policies might grow in size and cause quota errors. For more information, see [Troubleshooting IAM policy size issues](troubleshooting.md#troubleshooting-policy-size-issues). In the policies, replace *<REGION>*, *<AWS ACCOUNT ID>*, and similar strings with the appropriate values.

If your intent is to add extra policies to the default settings for cluster nodes, we recommend that you pass the additional custom IAM policies with the [`additional_iam_policies`](cluster-definition.md#additional-iam-policies) setting instead of using the [`ec2_iam_role`](cluster-definition.md#ec2-iam-role) setting.

## AWS ParallelCluster example instance and user policies
<a name="example-parallelcluser-policies"></a>

The following example policies include Amazon Resource Names (ARNs) for the resources. If you're working in the AWS GovCloud (US) or AWS China partitions, these ARNs must be changed. Specifically, they must be changed from "arn:aws" to "arn:aws-us-gov" for the AWS GovCloud (US) partition or "arn:aws-cn" for the AWS China partition. For more information, see [Amazon Resource Names (ARNs) in AWS GovCloud (US) Regions](https://docs.aws.amazon.com/govcloud-us/latest/UserGuide/using-govcloud-arns.html) in the *AWS GovCloud (US) User Guide* and [ARNs for AWS services in China](https://docs.amazonaws.cn/aws/latest/userguide/ARNs.html) in *Getting Started with AWS services in China*.

These policies include the minimum permissions currently required by AWS ParallelCluster, its features, and its resources. Some role policies might grow in size and cause quota errors. For more information, see [Troubleshooting IAM policy size issues](troubleshooting.md#troubleshooting-policy-size-issues).
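
The substitutions described above (partition prefix, Region, account ID, and `<...>` placeholders) can be applied mechanically before a policy is created in IAM. The following Python sketch is an added example, not part of AWS ParallelCluster or its documentation. It assumes that the `us-east-1` and `111122223333` values in the sample policies stand in for the Region and account ID; `localize_policy`, `TEMPLATE`, and the substituted values are hypothetical names and constructed data.

```python
import json
import re

# Assumption: these sample values in the page's policies stand in for the
# <REGION> and <AWS ACCOUNT ID> strings that the text says to replace.
SAMPLE_REGION = "us-east-1"
SAMPLE_ACCOUNT = "111122223333"
PARTITIONS = ("aws", "aws-us-gov", "aws-cn")
PLACEHOLDER = re.compile(r"<[^<>]+>")
MANAGED_POLICY_QUOTA = 6144  # IAM managed policy size quota; whitespace is not counted

# Constructed template: statements excerpted from the Slurm instance policy.
TEMPLATE = """
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "EC2RunInstances", "Effect": "Allow", "Action": "ec2:RunInstances",
     "Resource": [
       "arn:aws:ec2:us-east-1:111122223333:subnet/<COMPUTE SUBNET ID>",
       "arn:aws:ec2:us-east-1::image/<IMAGE ID>"
     ]},
    {"Sid": "S3GetObj", "Effect": "Allow", "Action": ["s3:GetObject"],
     "Resource": ["arn:aws:s3:::us-east-1-aws-parallelcluster/*"]},
    {"Sid": "FSx", "Effect": "Allow", "Action": ["fsx:DescribeFileSystems"],
     "Resource": ["*"]}
  ]
}
"""


def _rewrite(resource, partition, region, account, names):
    """Rewrite one Resource entry; non-ARN entries such as "*" pass through."""
    if not resource.startswith("arn:aws:"):
        return resource
    resource = "arn:" + partition + resource[len("arn:aws"):]
    resource = resource.replace(SAMPLE_REGION, region).replace(SAMPLE_ACCOUNT, account)
    # Known placeholders are filled in; unknown ones are left for the report.
    return PLACEHOLDER.sub(lambda m: names.get(m.group(0), m.group(0)), resource)


def localize_policy(policy_text, partition, region, account, names=None):
    """Return the rewritten policy, leftover placeholders, and its size."""
    if partition not in PARTITIONS:
        raise ValueError("unknown partition: " + partition)
    names = names or {}
    policy = json.loads(policy_text)
    statements = policy["Statement"]
    if isinstance(statements, dict):  # a single statement is also valid
        statements = [statements]
    unresolved = []
    for stmt in statements:
        resources = stmt.get("Resource", [])
        single = isinstance(resources, str)
        rewritten = [_rewrite(r, partition, region, account, names)
                     for r in ([resources] if single else resources)]
        for r in rewritten:
            unresolved.extend(PLACEHOLDER.findall(r))
        stmt["Resource"] = rewritten[0] if single else rewritten
    # Approximate the size IAM measures: serialized policy without whitespace.
    compact = json.dumps(policy, separators=(",", ":"))
    size = len(re.sub(r"\s", "", compact))
    return {
        "policy": policy,
        "unresolved": unresolved,
        "size": size,
        "fits_managed_policy": size <= MANAGED_POLICY_QUOTA,
    }


if __name__ == "__main__":
    # Constructed target values for an AWS GovCloud (US) deployment.
    result = localize_policy(
        TEMPLATE, "aws-us-gov", "us-gov-west-1", "444455556666",
        {"<IMAGE ID>": "ami-0123456789abcdef0"},
    )
    print(json.dumps(result["policy"], indent=2))
    print("unresolved placeholders:", result["unresolved"])
    print("size:", result["size"], "fits:", result["fits_managed_policy"])
```

Only `Resource` entries are rewritten; a non-empty `unresolved` list means the policy still contains template strings and should not be attached yet.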

**Topics**
+ [`ParallelClusterInstancePolicy` using SGE, Slurm, or Torque](#parallelclusterinstancepolicy)
+ [`ParallelClusterInstancePolicy` using `awsbatch`](#parallelclusterinstancepolicy-batch)
+ [`ParallelClusterUserPolicy` using Slurm](#parallelclusteruserpolicy)
+ [`ParallelClusterUserPolicy` using SGE or Torque](#parallelclusteruserpolicy-sge-torque)
+ [`ParallelClusterUserPolicy` using `awsbatch`](#parallelclusteruserpolicy-batch)
+ [`ParallelClusterLambdaPolicy` using SGE, Slurm, or Torque](#parallelcluster-lambda-policy)
+ [`ParallelClusterLambdaPolicy` using `awsbatch`](#parallelcluster-lambda-policy-batch)
+ [`ParallelClusterUserPolicy` for users](#parallelclusteruserpolicy-minimal-user)

### `ParallelClusterInstancePolicy` using SGE, Slurm, or Torque
<a name="parallelclusterinstancepolicy"></a>

**Note**  
Starting with version 2.11.5, AWS ParallelCluster doesn't support the use of SGE or Torque schedulers. You can continue to use them in versions up to and including 2.11.4, but they aren't eligible for future updates or troubleshooting support from the AWS service and AWS Support teams.

**Topics**
+ [`ParallelClusterInstancePolicy` using Slurm](#parallelclusterinstancepolicy-slurm)
+ [`ParallelClusterInstancePolicy` using SGE or Torque](#parallelclusterinstancepolicy-sge-torque)

#### `ParallelClusterInstancePolicy` using Slurm
<a name="parallelclusterinstancepolicy-slurm"></a>

The following example sets the `ParallelClusterInstancePolicy` using Slurm as the scheduler.

------
#### [ JSON ]

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "ec2:DescribeVolumes",
                "ec2:AttachVolume",
                "ec2:DescribeInstanceAttribute",
                "ec2:DescribeInstanceStatus",
                "ec2:DescribeInstanceTypes",
                "ec2:DescribeInstances",
                "ec2:DescribeRegions",
                "ec2:TerminateInstances",
                "ec2:DescribeLaunchTemplates",
                "ec2:CreateTags"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Allow",
            "Sid": "EC2"
        },
        {
            "Action": "ec2:RunInstances",
            "Resource": [
                "arn:aws:ec2:us-east-1:111122223333:subnet/<COMPUTE SUBNET ID>",
                "arn:aws:ec2:us-east-1:111122223333:network-interface/*",
                "arn:aws:ec2:us-east-1:111122223333:instance/*",
                "arn:aws:ec2:us-east-1:111122223333:volume/*",
                "arn:aws:ec2:us-east-1::image/<IMAGE ID>",
                "arn:aws:ec2:us-east-1:111122223333:key-pair/<KEY NAME>",
                "arn:aws:ec2:us-east-1:111122223333:security-group/*",
                "arn:aws:ec2:us-east-1:111122223333:launch-template/*",
                "arn:aws:ec2:us-east-1:111122223333:placement-group/*"
            ],
            "Effect": "Allow",
            "Sid": "EC2RunInstances"
        },
        {
            "Action": [
                "dynamodb:ListTables"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Allow",
            "Sid": "DynamoDBList"
        },
        {
            "Action": [
                "cloudformation:DescribeStacks",
                "cloudformation:DescribeStackResource",
                "cloudformation:SignalResource"
            ],
            "Resource": [
                "arn:aws:cloudformation:us-east-1:111122223333:stack/parallelcluster-*/*"
            ],
            "Effect": "Allow",
            "Sid": "CloudFormation"
        },
        {
            "Action": [
                "dynamodb:PutItem",
                "dynamodb:Query",
                "dynamodb:GetItem",
                "dynamodb:BatchWriteItem",
                "dynamodb:DeleteItem",
                "dynamodb:DescribeTable"
            ],
            "Resource": [
                "arn:aws:dynamodb:us-east-1:111122223333:table/parallelcluster-*"
            ],
            "Effect": "Allow",
            "Sid": "DynamoDBTable"
        },
        {
            "Action": [
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::us-east-1-aws-parallelcluster/*"
            ],
            "Effect": "Allow",
            "Sid": "S3GetObj"
        },
        {
            "Action": [
                "iam:PassRole"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Allow",
            "Sid": "IAMPassRole",
            "Condition": {
                "StringEquals": {
                    "iam:PassedToService": [
                        "ec2.amazonaws.com"
                    ]
                }
            }
        },
        {
            "Action": [
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::dcv-license.us-east-1/*"
            ],
            "Effect": "Allow",
            "Sid": "DcvLicense"
        },
        {
            "Action": [
                "s3:GetObject",
                "s3:GetObjectVersion"
            ],
            "Resource": [
                "arn:aws:s3:::parallelcluster-*/*"
            ],
            "Effect": "Allow",
            "Sid": "GetClusterConfig"
        },
        {
            "Action": [
                "fsx:DescribeFileSystems"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Allow",
            "Sid": "FSx"
        },
        {
            "Action": [
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Allow",
            "Sid": "CWLogs"
        },
        {
            "Action": [
                "route53:ChangeResourceRecordSets"
            ],
            "Resource": [
                "arn:aws:route53:::hostedzone/*"
            ],
            "Effect": "Allow",
            "Sid": "Route53"
        }
    ]
}
```

------

#### `ParallelClusterInstancePolicy` using SGE or Torque
<a name="parallelclusterinstancepolicy-sge-torque"></a>

The following example sets the `ParallelClusterInstancePolicy` using SGE or Torque as the scheduler.

**Note**  
This policy only applies to AWS ParallelCluster versions up to and including version 2.11.4. Starting with version 2.11.5, AWS ParallelCluster doesn't support the use of SGE or Torque schedulers.

------
#### [ JSON ]

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "ec2:DescribeVolumes",
                "ec2:AttachVolume",
                "ec2:DescribeInstanceAttribute",
                "ec2:DescribeInstanceStatus",
                "ec2:DescribeInstanceTypes",
                "ec2:DescribeInstances",
                "ec2:DescribeRegions",
                "ec2:TerminateInstances",
                "ec2:DescribeLaunchTemplates",
                "ec2:CreateTags"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Allow",
            "Sid": "EC2"
        },
        {
            "Action": "ec2:RunInstances",
            "Resource": [
                "arn:aws:ec2:us-east-1:111122223333:subnet/<COMPUTE SUBNET ID>",
                "arn:aws:ec2:us-east-1:111122223333:network-interface/*",
                "arn:aws:ec2:us-east-1:111122223333:instance/*",
                "arn:aws:ec2:us-east-1:111122223333:volume/*",
                "arn:aws:ec2:us-east-1::image/<IMAGE ID>",
                "arn:aws:ec2:us-east-1:111122223333:key-pair/<KEY NAME>",
                "arn:aws:ec2:us-east-1:111122223333:security-group/*",
                "arn:aws:ec2:us-east-1:111122223333:launch-template/*",
                "arn:aws:ec2:us-east-1:111122223333:placement-group/*"
            ],
            "Effect": "Allow",
            "Sid": "EC2RunInstances"
        },
        {
            "Action": [
                "dynamodb:ListTables"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Allow",
            "Sid": "DynamoDBList"
        },
        {
            "Action": [
                "sqs:SendMessage",
                "sqs:ReceiveMessage",
                "sqs:ChangeMessageVisibility",
                "sqs:DeleteMessage",
                "sqs:GetQueueUrl"
            ],
            "Resource": [
                "arn:aws:sqs:us-east-1:111122223333:parallelcluster-*"
            ],
            "Effect": "Allow",
            "Sid": "SQSQueue"
        },
        {
            "Action": [
                "autoscaling:DescribeAutoScalingGroups",
                "autoscaling:TerminateInstanceInAutoScalingGroup",
                "autoscaling:SetDesiredCapacity",
                "autoscaling:UpdateAutoScalingGroup",
                "autoscaling:DescribeTags",
                "autoscaling:SetInstanceHealth"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Allow",
            "Sid": "Autoscaling"
        },
        {
            "Action": [
                "cloudformation:DescribeStacks",
                "cloudformation:DescribeStackResource",
                "cloudformation:SignalResource"
            ],
            "Resource": [
                "arn:aws:cloudformation:us-east-1:111122223333:stack/parallelcluster-*/*"
            ],
            "Effect": "Allow",
            "Sid": "CloudFormation"
        },
        {
            "Action": [
                "dynamodb:PutItem",
                "dynamodb:Query",
                "dynamodb:GetItem",
                "dynamodb:BatchWriteItem",
                "dynamodb:DeleteItem",
                "dynamodb:DescribeTable"
            ],
            "Resource": [
                "arn:aws:dynamodb:us-east-1:111122223333:table/parallelcluster-*"
            ],
            "Effect": "Allow",
            "Sid": "DynamoDBTable"
        },
        {
            "Action": [
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::us-east-1-aws-parallelcluster/*"
            ],
            "Effect": "Allow",
            "Sid": "S3GetObj"
        },
        {
            "Action": [
                "sqs:ListQueues"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Allow",
            "Sid": "SQSList"
        },
        {
            "Action": [
                "iam:PassRole"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Allow",
            "Sid": "IAMPassRole",
            "Condition": {
                "StringEquals": {
                    "iam:PassedToService": [
                        "ec2.amazonaws.com"
                    ]
                }
            }
        },
        {
            "Action": [
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::dcv-license.us-east-1/*"
            ],
            "Effect": "Allow",
            "Sid": "DcvLicense"
        },
        {
            "Action": [
                "s3:GetObject",
                "s3:GetObjectVersion"
            ],
            "Resource": [
                "arn:aws:s3:::parallelcluster-*/*"
            ],
            "Effect": "Allow",
            "Sid": "GetClusterConfig"
        },
        {
            "Action": [
                "fsx:DescribeFileSystems"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Allow",
            "Sid": "FSx"
        },
        {
            "Action": [
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Allow",
            "Sid": "CWLogs"
        },
        {
            "Action": [
                "route53:ChangeResourceRecordSets"
            ],
            "Resource": [
                "arn:aws:route53:::hostedzone/*"
            ],
            "Effect": "Allow",
            "Sid": "Route53"
        }
    ]
}
```

------

### `ParallelClusterInstancePolicy` using `awsbatch`
<a name="parallelclusterinstancepolicy-batch"></a>

The following example sets the `ParallelClusterInstancePolicy` using `awsbatch` as the scheduler. You must include the same policies that are assigned to the `BatchUserRole` that's defined in the AWS Batch CloudFormation nested stack. The `BatchUserRole` ARN is provided as a stack output. In this example, "*<RESOURCES S3 BUCKET>*" is the value of the [`cluster_resource_bucket`](cluster-definition.md#cluster-resource-bucket-section) setting; if [`cluster_resource_bucket`](cluster-definition.md#cluster-resource-bucket-section) isn't specified, then "*<RESOURCES S3 BUCKET>*" is "parallelcluster-\*". The following example is an overview of the required permissions:

------
#### [ JSON ]

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "batch:RegisterJobDefinition",
                "logs:GetLogEvents"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "batch:SubmitJob",
                "cloudformation:DescribeStacks",
                "ecs:ListContainerInstances",
                "ecs:DescribeContainerInstances",
                "logs:FilterLogEvents",
                "s3:PutObject",
                "s3:Get*",
                "s3:DeleteObject",
                "iam:PassRole"
            ],
            "Resource": [
                "arn:aws:batch:us-east-1:111122223333:job-definition/<AWS_BATCH_STACK - JOB_DEFINITION_SERIAL_NAME>:1",
                "arn:aws:batch:us-east-1:111122223333:job-definition/<AWS_BATCH_STACK - JOB_DEFINITION_MNP_NAME>*",
                "arn:aws:batch:us-east-1:111122223333:job-queue/<AWS_BATCH_STACK - JOB_QUEUE_NAME>",
                "arn:aws:cloudformation:us-east-1:111122223333:stack/<STACK NAME>/*",
                "arn:aws:s3:::amzn-s3-demo-bucket/batch/*",
                "arn:aws:iam::111122223333:role/<AWS_BATCH_STACK - JOB_ROLE>",
                "arn:aws:ecs:us-east-1:111122223333:cluster/<ECS COMPUTE ENVIRONMENT>",
                "arn:aws:ecs:us-east-1:111122223333:container-instance/*",
                "arn:aws:logs:us-east-1:111122223333:log-group:/aws/batch/job:log-stream:*"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "s3:List*"
            ],
            "Resource": [
                "arn:aws:s3:::amzn-s3-demo-bucket"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "batch:DescribeJobQueues",
                "batch:TerminateJob",
                "batch:DescribeJobs",
                "batch:CancelJob",
                "batch:DescribeJobDefinitions",
                "batch:ListJobs",
                "batch:DescribeComputeEnvironments"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "ec2:DescribeInstances",
                "ec2:AttachVolume",
                "ec2:DescribeVolumes",
                "ec2:DescribeInstanceAttribute"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "EC2"
        },
        {
            "Action": [
                "cloudformation:DescribeStackResource",
                "cloudformation:SignalResource"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "CloudFormation"
        },
        {
            "Action": [
                "fsx:DescribeFileSystems"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Allow",
            "Sid": "FSx"
        },
        {
            "Action": [
                "logs:CreateLogGroup",
                "logs:TagResource",
                "logs:UntagResource",
                "logs:CreateLogStream"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Allow",
            "Sid": "CWLogs"
        }
    ]
}
```

------

### `ParallelClusterUserPolicy` using Slurm
<a name="parallelclusteruserpolicy"></a>

The following example sets the `ParallelClusterUserPolicy` using Slurm as the scheduler. In this example, "*<RESOURCES S3 BUCKET>*" is the value of the [`cluster_resource_bucket`](cluster-definition.md#cluster-resource-bucket-section) setting; if [`cluster_resource_bucket`](cluster-definition.md#cluster-resource-bucket-section) isn't specified, then "*<RESOURCES S3 BUCKET>*" is "parallelcluster-\*".

**Note**  
If you use a custom role, [`ec2_iam_role`](cluster-definition.md#ec2-iam-role)` = <role_name>`, you must change the IAM resource to include the name of that role from:  
`"Resource": "arn:aws:iam::<AWS ACCOUNT ID>:role/parallelcluster-*"`  
To:  
`"Resource": "arn:aws:iam::<AWS ACCOUNT ID>:role/<role_name>"`

------
#### [ JSON ]

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "ec2:DescribeKeyPairs",
                "ec2:DescribeRegions",
                "ec2:DescribeVpcs",
                "ec2:DescribeSubnets",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribePlacementGroups",
                "ec2:DescribeImages",
                "ec2:DescribeInstances",
                "ec2:DescribeInstanceStatus",
                "ec2:DescribeInstanceTypes",
                "ec2:DescribeInstanceTypeOfferings",
                "ec2:DescribeSnapshots",
                "ec2:DescribeVolumes",
                "ec2:DescribeVpcAttribute",
                "ec2:DescribeAddresses",
                "ec2:CreateTags",
                "ec2:DescribeNetworkInterfaces",
                "ec2:DescribeAvailabilityZones"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "EC2Describe"
        },
        {
            "Action": [
                "ec2:CreateVpc",
                "ec2:ModifyVpcAttribute",
                "ec2:DescribeNatGateways",
                "ec2:CreateNatGateway",
                "ec2:DescribeInternetGateways",
                "ec2:CreateInternetGateway",
                "ec2:AttachInternetGateway",
                "ec2:DescribeRouteTables",
                "ec2:CreateRoute",
                "ec2:CreateRouteTable",
                "ec2:AssociateRouteTable",
                "ec2:CreateSubnet",
                "ec2:ModifySubnetAttribute"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "NetworkingEasyConfig"
        },
        {
            "Action": [
                "ec2:CreateVolume",
                "ec2:RunInstances",
                "ec2:AllocateAddress",
                "ec2:AssociateAddress",
                "ec2:AttachNetworkInterface",
                "ec2:AuthorizeSecurityGroupEgress",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:CreateNetworkInterface",
                "ec2:CreateSecurityGroup",
                "ec2:ModifyVolumeAttribute",
                "ec2:ModifyNetworkInterfaceAttribute",
                "ec2:DeleteNetworkInterface",
                "ec2:DeleteVolume",
                "ec2:TerminateInstances",
                "ec2:DeleteSecurityGroup",
                "ec2:DisassociateAddress",
                "ec2:RevokeSecurityGroupIngress",
                "ec2:RevokeSecurityGroupEgress",
                "ec2:ReleaseAddress",
                "ec2:CreatePlacementGroup",
                "ec2:DeletePlacementGroup"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "EC2Modify"
        },
        {
            "Action": [
                "autoscaling:CreateAutoScalingGroup",
                "ec2:CreateLaunchTemplate",
                "ec2:CreateLaunchTemplateVersion",
                "ec2:ModifyLaunchTemplate",
                "ec2:DeleteLaunchTemplate",
                "ec2:DescribeLaunchTemplates",
                "ec2:DescribeLaunchTemplateVersions"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "ScalingModify"
        },
        {
            "Action": [
                "dynamodb:DescribeTable",
                "dynamodb:ListTagsOfResource"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "DynamoDBDescribe"
        },
        {
            "Action": [
                "dynamodb:CreateTable",
                "dynamodb:DeleteTable",
                "dynamodb:GetItem",
                "dynamodb:PutItem",
                "dynamodb:Query",
                "dynamodb:TagResource"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "DynamoDBModify"
        },
        {
            "Action": [
                "route53:ChangeResourceRecordSets",
                "route53:ChangeTagsForResource",
                "route53:CreateHostedZone",
                "route53:DeleteHostedZone",
                "route53:GetChange",
                "route53:GetHostedZone",
                "route53:ListResourceRecordSets",
                "route53:ListQueryLoggingConfigs"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "Route53HostedZones"
        },
        {
            "Action": [
                "cloudformation:DescribeStackEvents",
                "cloudformation:DescribeStackResource",
                "cloudformation:DescribeStackResources",
                "cloudformation:DescribeStacks",
                "cloudformation:ListStacks",
                "cloudformation:GetTemplate"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "CloudFormationDescribe"
        },
        {
            "Action": [
                "cloudformation:CreateStack",
                "cloudformation:DeleteStack",
                "cloudformation:UpdateStack"
            ],
            "Effect": "Allow",
            "Resource": "*",
            "Sid": "CloudFormationModify"
        },
        {
            "Action": [
                "s3:*"
            ],
            "Resource": [
                "arn:aws:s3:::amzn-s3-demo-bucket"
            ],
            "Effect": "Allow",
            "Sid": "S3ResourcesBucket"
        },
        {
            "Action": [
                "s3:Get*",
                "s3:List*"
            ],
            "Resource": [
                "arn:aws:s3:::us-east-1-aws-parallelcluster*"
            ],
            "Effect": "Allow",
            "Sid": "S3ParallelClusterReadOnly"
        },
        {
            "Action": [
                "s3:DeleteBucket",
                "s3:DeleteObject",
                "s3:DeleteObjectVersion"
            ],
            "Resource": [
                "arn:aws:s3:::amzn-s3-demo-bucket"
            ],
            "Effect": "Allow",
            "Sid": "S3Delete"
        },
        {
            "Action": [
                "iam:PassRole",
                "iam:CreateRole",
                "iam:DeleteRole",
                "iam:GetRole",
                "iam:TagRole",
                "iam:SimulatePrincipalPolicy"
            ],
            "Resource": [
                "arn:aws:iam::111122223333:role/<PARALLELCLUSTER EC2 ROLE NAME>",
                "arn:aws:iam::111122223333:role/parallelcluster-*"
            ],
            "Effect": "Allow",
            "Sid": "IAMModify"
        },
        {
            "Condition": {
                "StringEquals": {
                    "iam:AWSServiceName": [
                        "fsx.amazonaws.com",
                        "s3.data-source.lustre.fsx.amazonaws.com"
                    ]
                }
            },
            "Action": [
                "iam:CreateServiceLinkedRole"
            ],
            "Resource": "arn:aws:iam::111122223333:role/aws-service-role/*",
            "Effect": "Allow",
            "Sid": "IAMServiceLinkedRole"
        },
        {
            "Action": [
                "iam:CreateInstanceProfile",
                "iam:DeleteInstanceProfile"
            ],
            "Resource": "arn:aws:iam::111122223333:instance-profile/*",
            "Effect": "Allow",
            "Sid": "IAMCreateInstanceProfile"
        },
        {
            "Action": [
                "iam:AddRoleToInstanceProfile",
                "iam:RemoveRoleFromInstanceProfile",
                "iam:GetRolePolicy",
                "iam:GetPolicy",
                "iam:AttachRolePolicy",
                "iam:DetachRolePolicy",
                "iam:PutRolePolicy",
                "iam:DeleteRolePolicy"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "IAMInstanceProfile"
        },
        {
            "Action": [
                "elasticfilesystem:DescribeMountTargets",
                "elasticfilesystem:DescribeMountTargetSecurityGroups",
                "ec2:DescribeNetworkInterfaceAttribute"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "EFSDescribe"
        },
        {
            "Action": [
                "ssm:GetParametersByPath"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "SSMDescribe"
        },
        {
            "Action": [
                "fsx:*"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "FSx"
        },
        {
            "Action": [
                "elasticfilesystem:*"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "EFS"
        },
        {
            "Action": [
                "logs:DeleteLogGroup",
                "logs:PutRetentionPolicy",
                "logs:DescribeLogGroups",
                "logs:CreateLogGroup",
                "logs:TagResource",
                "logs:UntagResource"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "CloudWatchLogs"
        },
        {
            "Action": [
                "lambda:CreateFunction",
                "lambda:DeleteFunction",
                "lambda:GetFunctionConfiguration",
                "lambda:GetFunction",
                "lambda:InvokeFunction",
                "lambda:AddPermission",
                "lambda:RemovePermission",
                "lambda:TagResource",
                "lambda:ListTags",
                "lambda:UntagResource"
            ],
            "Resource": [
                "arn:aws:lambda:us-east-1:111122223333:function:parallelcluster-*",
                "arn:aws:lambda:us-east-1:111122223333:function:pcluster-*"
            ],
            "Effect": "Allow",
            "Sid": "Lambda"
        },
        {
            "Sid": "CloudWatch",
            "Effect": "Allow",
            "Action": [
                "cloudwatch:PutDashboard",
                "cloudwatch:ListDashboards",
                "cloudwatch:DeleteDashboards",
                "cloudwatch:GetDashboard"
            ],
            "Resource": "*"
        }
    ]
}
```

------

### `ParallelClusterUserPolicy` using SGE or Torque
<a name="parallelclusteruserpolicy-sge-torque"></a>

**Note**  
This section only applies to AWS ParallelCluster versions up to and including version 2.11.4. Starting with version 2.11.5, AWS ParallelCluster doesn't support the use of SGE or Torque schedulers.

The following example sets the `ParallelClusterUserPolicy`, using SGE or Torque as the scheduler. In this example, "*<RESOURCES S3 BUCKET>*" is the value of the [`cluster_resource_bucket`](cluster-definition.md#cluster-resource-bucket-section) setting; if [`cluster_resource_bucket`](cluster-definition.md#cluster-resource-bucket-section) is not specified, "*<RESOURCES S3 BUCKET>*" is "parallelcluster-*".

**Note**  
If you use a custom role, [`ec2_iam_role`](cluster-definition.md#ec2-iam-role)` = <role_name>`, you must change the IAM resource to include the name of that role from:  
`"Resource": "arn:aws:iam::<AWS ACCOUNT ID>:role/parallelcluster-*"`  
To:  
`"Resource": "arn:aws:iam::<AWS ACCOUNT ID>:role/<role_name>"`

------
#### [ JSON ]

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "ec2:DescribeKeyPairs",
                "ec2:DescribeRegions",
                "ec2:DescribeVpcs",
                "ec2:DescribeSubnets",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribePlacementGroups",
                "ec2:DescribeImages",
                "ec2:DescribeInstances",
                "ec2:DescribeInstanceStatus",
                "ec2:DescribeInstanceTypes",
                "ec2:DescribeInstanceTypeOfferings",
                "ec2:DescribeSnapshots",
                "ec2:DescribeVolumes",
                "ec2:DescribeVpcAttribute",
                "ec2:DescribeAddresses",
                "ec2:CreateTags",
                "ec2:DescribeNetworkInterfaces",
                "ec2:DescribeAvailabilityZones"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "EC2Describe"
        },
        {
            "Action": [
                "ec2:CreateVpc",
                "ec2:ModifyVpcAttribute",
                "ec2:DescribeNatGateways",
                "ec2:CreateNatGateway",
                "ec2:DescribeInternetGateways",
                "ec2:CreateInternetGateway",
                "ec2:AttachInternetGateway",
                "ec2:DescribeRouteTables",
                "ec2:CreateRoute",
                "ec2:CreateRouteTable",
                "ec2:AssociateRouteTable",
                "ec2:CreateSubnet",
                "ec2:ModifySubnetAttribute"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "NetworkingEasyConfig"
        },
        {
            "Action": [
                "ec2:CreateVolume",
                "ec2:RunInstances",
                "ec2:AllocateAddress",
                "ec2:AssociateAddress",
                "ec2:AttachNetworkInterface",
                "ec2:AuthorizeSecurityGroupEgress",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:CreateNetworkInterface",
                "ec2:CreateSecurityGroup",
                "ec2:ModifyVolumeAttribute",
                "ec2:ModifyNetworkInterfaceAttribute",
                "ec2:DeleteNetworkInterface",
                "ec2:DeleteVolume",
                "ec2:TerminateInstances",
                "ec2:DeleteSecurityGroup",
                "ec2:DisassociateAddress",
                "ec2:RevokeSecurityGroupIngress",
                "ec2:RevokeSecurityGroupEgress",
                "ec2:ReleaseAddress",
                "ec2:CreatePlacementGroup",
                "ec2:DeletePlacementGroup"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "EC2Modify"
        },
        {
            "Action": [
                "autoscaling:DescribeAutoScalingGroups",
                "autoscaling:DescribeAutoScalingInstances"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "AutoScalingDescribe"
        },
        {
            "Action": [
                "autoscaling:CreateAutoScalingGroup",
                "ec2:CreateLaunchTemplate",
                "ec2:CreateLaunchTemplateVersion",
                "ec2:ModifyLaunchTemplate",
                "ec2:DeleteLaunchTemplate",
                "ec2:DescribeLaunchTemplates",
                "ec2:DescribeLaunchTemplateVersions",
                "autoscaling:PutNotificationConfiguration",
                "autoscaling:UpdateAutoScalingGroup",
                "autoscaling:PutScalingPolicy",
                "autoscaling:DescribeScalingActivities",
                "autoscaling:DeleteAutoScalingGroup",
                "autoscaling:DeletePolicy",
                "autoscaling:DisableMetricsCollection",
                "autoscaling:EnableMetricsCollection"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "AutoScalingModify"
        },
        {
            "Action": [
                "dynamodb:DescribeTable",
                "dynamodb:ListTagsOfResource"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "DynamoDBDescribe"
        },
        {
            "Action": [
                "dynamodb:CreateTable",
                "dynamodb:DeleteTable",
                "dynamodb:GetItem",
                "dynamodb:PutItem",
                "dynamodb:Query",
                "dynamodb:TagResource"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "DynamoDBModify"
        },
        {
            "Action": [
                "sqs:GetQueueAttributes"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "SQSDescribe"
        },
        {
            "Action": [
                "sqs:CreateQueue",
                "sqs:SetQueueAttributes",
                "sqs:DeleteQueue",
                "sqs:TagQueue"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "SQSModify"
        },
        {
            "Action": [
                "sns:ListTopics",
                "sns:GetTopicAttributes"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "SNSDescribe"
        },
        {
            "Action": [
                "sns:CreateTopic",
                "sns:Subscribe",
                "sns:Unsubscribe",
                "sns:DeleteTopic"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "SNSModify"
        },
        {
            "Action": [
                "cloudformation:DescribeStackEvents",
                "cloudformation:DescribeStackResource",
                "cloudformation:DescribeStackResources",
                "cloudformation:DescribeStacks",
                "cloudformation:ListStacks",
                "cloudformation:GetTemplate"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "CloudFormationDescribe"
        },
        {
            "Action": [
                "cloudformation:CreateStack",
                "cloudformation:DeleteStack",
                "cloudformation:UpdateStack"
            ],
            "Effect": "Allow",
            "Resource": "*",
            "Sid": "CloudFormationModify"
        },
        {
            "Action": [
                "s3:*"
            ],
            "Resource": [
                "arn:aws:s3:::amzn-s3-demo-bucket"
            ],
            "Effect": "Allow",
            "Sid": "S3ResourcesBucket"
        },
        {
            "Action": [
                "s3:Get*",
                "s3:List*"
            ],
            "Resource": [
                "arn:aws:s3:::us-east-1-aws-parallelcluster*"
            ],
            "Effect": "Allow",
            "Sid": "S3ParallelClusterReadOnly"
        },
        {
            "Action": [
                "s3:DeleteBucket",
                "s3:DeleteObject",
                "s3:DeleteObjectVersion"
            ],
            "Resource": [
                "arn:aws:s3:::amzn-s3-demo-bucket"
            ],
            "Effect": "Allow",
            "Sid": "S3Delete"
        },
        {
            "Action": [
                "iam:PassRole",
                "iam:CreateRole",
                "iam:DeleteRole",
                "iam:GetRole",
                "iam:TagRole",
                "iam:SimulatePrincipalPolicy"
            ],
            "Resource": [
                "arn:aws:iam::111122223333:role/<PARALLELCLUSTER EC2 ROLE NAME>",
                "arn:aws:iam::111122223333:role/parallelcluster-*"
            ],
            "Effect": "Allow",
            "Sid": "IAMModify"
        },
        {
            "Condition": {
                "StringEquals": {
                    "iam:AWSServiceName": [
                        "fsx.amazonaws.com",
                        "s3.data-source.lustre.fsx.amazonaws.com"
                    ]
                }
            },
            "Action": [
                "iam:CreateServiceLinkedRole"
            ],
            "Resource": "arn:aws:iam::111122223333:role/aws-service-role/*",
            "Effect": "Allow",
            "Sid": "IAMServiceLinkedRole"
        },
        {
            "Action": [
                "iam:CreateInstanceProfile",
                "iam:DeleteInstanceProfile"
            ],
            "Resource": "arn:aws:iam::111122223333:instance-profile/*",
            "Effect": "Allow",
            "Sid": "IAMCreateInstanceProfile"
        },
        {
            "Action": [
                "iam:AddRoleToInstanceProfile",
                "iam:RemoveRoleFromInstanceProfile",
                "iam:GetRolePolicy",
                "iam:GetPolicy",
                "iam:AttachRolePolicy",
                "iam:DetachRolePolicy",
                "iam:PutRolePolicy",
                "iam:DeleteRolePolicy"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "IAMInstanceProfile"
        },
        {
            "Action": [
                "elasticfilesystem:DescribeMountTargets",
                "elasticfilesystem:DescribeMountTargetSecurityGroups",
                "ec2:DescribeNetworkInterfaceAttribute"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "EFSDescribe"
        },
        {
            "Action": [
                "ssm:GetParametersByPath"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "SSMDescribe"
        },
        {
            "Action": [
                "fsx:*"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "FSx"
        },
        {
            "Action": [
                "elasticfilesystem:*"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "EFS"
        },
        {
            "Action": [
                "logs:DeleteLogGroup",
                "logs:PutRetentionPolicy",
                "logs:DescribeLogGroups",
                "logs:CreateLogGroup",
                "logs:TagResource",
                "logs:UntagResource"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "CloudWatchLogs"
        },
        {
            "Action": [
                "lambda:CreateFunction",
                "lambda:DeleteFunction",
                "lambda:GetFunctionConfiguration",
                "lambda:GetFunction",
                "lambda:InvokeFunction",
                "lambda:AddPermission",
                "lambda:RemovePermission",
                "lambda:TagResource",
                "lambda:ListTags",
                "lambda:UntagResource"
            ],
            "Resource": [
                "arn:aws:lambda:us-east-1:111122223333:function:parallelcluster-*",
                "arn:aws:lambda:us-east-1:111122223333:function:pcluster-*"
            ],
            "Effect": "Allow",
            "Sid": "Lambda"
        },
        {
            "Sid": "CloudWatch",
            "Effect": "Allow",
            "Action": [
                "cloudwatch:PutDashboard",
                "cloudwatch:ListDashboards",
                "cloudwatch:DeleteDashboards",
                "cloudwatch:GetDashboard"
            ],
            "Resource": "*"
        }
    ]
}
```

------
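The role-name substitution described in the note above, shown as an added example that is not part of the AWS documentation: it rewrites the `role/parallelcluster-*` resource to a single custom role and then checks that `iam:PassRole` no longer reaches a wildcard. The function names, the sample role name `hpc-custom-role`, and the choice to also fill the unfilled `<PARALLELCLUSTER EC2 ROLE NAME>` placeholder are assumptions of this example.

```python
import copy
import fnmatch
import json
import re

# Constructed excerpt: two statements taken from the policy above
# (111122223333 is the documentation's placeholder account ID).
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "IAMModify",
            "Effect": "Allow",
            "Action": ["iam:PassRole", "iam:CreateRole", "iam:DeleteRole",
                       "iam:GetRole", "iam:TagRole", "iam:SimulatePrincipalPolicy"],
            "Resource": [
                "arn:aws:iam::111122223333:role/<PARALLELCLUSTER EC2 ROLE NAME>",
                "arn:aws:iam::111122223333:role/parallelcluster-*",
            ],
        },
        {
            "Sid": "IAMInstanceProfile",
            "Effect": "Allow",
            "Action": ["iam:AddRoleToInstanceProfile", "iam:PutRolePolicy"],
            "Resource": "*",
        },
    ],
}

ACCOUNT_ID_RE = re.compile(r"[0-9]{12}")
# Characters IAM accepts in a role name. "*" and "?" are not among them, so a
# validated name cannot reintroduce a wildcard into the ARN.
ROLE_NAME_RE = re.compile(r"[\w+=,.@-]{1,64}", re.ASCII)


def as_list(value):
    """IAM allows a bare string or a list for Action and Resource."""
    return [value] if isinstance(value, str) else list(value)


def scope_to_custom_role(policy, account_id, role_name):
    """Return a copy of the policy with role ARNs narrowed to one custom role.

    Role ARNs named 'parallelcluster-*' (the change the note describes) and,
    as an assumption of this example, unfilled '<...>' placeholders are both
    replaced by the ARN of role_name. Other resources are left untouched.
    """
    if not ACCOUNT_ID_RE.fullmatch(account_id):
        raise ValueError("account_id must be 12 digits")
    if not ROLE_NAME_RE.fullmatch(role_name):
        raise ValueError("role_name contains characters IAM does not allow")
    prefix = f"arn:aws:iam::{account_id}:role/"
    target = prefix + role_name
    scoped = copy.deepcopy(policy)
    for stmt in scoped["Statement"]:
        if "Resource" not in stmt:
            continue
        was_list = isinstance(stmt["Resource"], list)
        rewritten = []
        for res in as_list(stmt["Resource"]):
            name = res[len(prefix):] if res.startswith(prefix) else ""
            placeholder = name.startswith("<") and name.endswith(">")
            if name == "parallelcluster-*" or placeholder:
                res = target
            if res not in rewritten:  # both entries may collapse into one ARN
                rewritten.append(res)
        stmt["Resource"] = rewritten if was_list else rewritten[0]
    return scoped


def passrole_wildcards(policy):
    """Sids of Allow statements granting iam:PassRole on a wildcard resource."""
    flagged = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        # IAM action patterns are case-insensitive and may themselves use '*'.
        grants = any(fnmatch.fnmatchcase("iam:passrole", a.lower())
                     for a in as_list(stmt.get("Action", [])))
        wild = any("*" in r or "?" in r
                   for r in as_list(stmt.get("Resource", [])))
        if grants and wild:
            flagged.append(stmt.get("Sid", "<no Sid>"))
    return flagged


if __name__ == "__main__":
    scoped = scope_to_custom_role(SAMPLE_POLICY, "111122223333", "hpc-custom-role")
    print(json.dumps(scoped, indent=4))
    print("PassRole on wildcard before:", passrole_wildcards(SAMPLE_POLICY))
    print("PassRole on wildcard after: ", passrole_wildcards(scoped))
```
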

### `ParallelClusterUserPolicy` using `awsbatch`
<a name="parallelclusteruserpolicy-batch"></a>

The following example sets the `ParallelClusterUserPolicy` using `awsbatch` as the scheduler. In this example, "*<RESOURCES S3 BUCKET>*" is the value of the [`cluster_resource_bucket`](cluster-definition.md#cluster-resource-bucket-section) setting; if [`cluster_resource_bucket`](cluster-definition.md#cluster-resource-bucket-section) is not specified, "*<RESOURCES S3 BUCKET>*" is "parallelcluster-*".

------
#### [ JSON ]

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "ec2:DescribeKeyPairs",
                "ec2:DescribeRegions",
                "ec2:DescribeVpcs",
                "ec2:DescribeSubnets",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribePlacementGroups",
                "ec2:DescribeImages",
                "ec2:DescribeInstances",
                "ec2:DescribeInstanceStatus",
                "ec2:DescribeInstanceTypes",
                "ec2:DescribeInstanceTypeOfferings",
                "ec2:DescribeSnapshots",
                "ec2:DescribeVolumes",
                "ec2:DescribeVpcAttribute",
                "ec2:DescribeAddresses",
                "ec2:CreateTags",
                "ec2:DescribeNetworkInterfaces",
                "ec2:DescribeAvailabilityZones"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "EC2Describe"
        },
        {
            "Action": [
                "ec2:CreateLaunchTemplate",
                "ec2:CreateLaunchTemplateVersion",
                "ec2:ModifyLaunchTemplate",
                "ec2:DeleteLaunchTemplate",
                "ec2:DescribeLaunchTemplates",
                "ec2:DescribeLaunchTemplateVersions"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "EC2LaunchTemplate"
        },
        {
            "Action": [
                "ec2:CreateVpc",
                "ec2:ModifyVpcAttribute",
                "ec2:DescribeNatGateways",
                "ec2:CreateNatGateway",
                "ec2:DescribeInternetGateways",
                "ec2:CreateInternetGateway",
                "ec2:AttachInternetGateway",
                "ec2:DescribeRouteTables",
                "ec2:CreateRoute",
                "ec2:CreateRouteTable",
                "ec2:AssociateRouteTable",
                "ec2:CreateSubnet",
                "ec2:ModifySubnetAttribute"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "NetworkingEasyConfig"
        },
        {
            "Action": [
                "ec2:CreateVolume",
                "ec2:RunInstances",
                "ec2:AllocateAddress",
                "ec2:AssociateAddress",
                "ec2:AttachNetworkInterface",
                "ec2:AuthorizeSecurityGroupEgress",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:CreateNetworkInterface",
                "ec2:CreateSecurityGroup",
                "ec2:ModifyVolumeAttribute",
                "ec2:ModifyNetworkInterfaceAttribute",
                "ec2:DeleteNetworkInterface",
                "ec2:DeleteVolume",
                "ec2:TerminateInstances",
                "ec2:DeleteSecurityGroup",
                "ec2:DisassociateAddress",
                "ec2:RevokeSecurityGroupIngress",
                "ec2:RevokeSecurityGroupEgress",
                "ec2:ReleaseAddress",
                "ec2:CreatePlacementGroup",
                "ec2:DeletePlacementGroup"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "EC2Modify"
        },
        {
            "Action": [
                "dynamodb:DescribeTable",
                "dynamodb:CreateTable",
                "dynamodb:DeleteTable",
                "dynamodb:GetItem",
                "dynamodb:PutItem",
                "dynamodb:Query",
                "dynamodb:TagResource"
            ],
            "Resource": "arn:aws:dynamodb:us-east-1:111122223333:table/parallelcluster-*",
            "Effect": "Allow",
            "Sid": "DynamoDB"
        },
        {
            "Action": [
                "cloudformation:DescribeStackEvents",
                "cloudformation:DescribeStackResource",
                "cloudformation:DescribeStackResources",
                "cloudformation:DescribeStacks",
                "cloudformation:ListStacks",
                "cloudformation:GetTemplate",
                "cloudformation:CreateStack",
                "cloudformation:DeleteStack",
                "cloudformation:UpdateStack"
            ],
            "Resource": "arn:aws:cloudformation:us-east-1:111122223333:stack/parallelcluster-*",
            "Effect": "Allow",
            "Sid": "CloudFormation"
        },
        {
            "Action": [
                "route53:ChangeResourceRecordSets",
                "route53:ChangeTagsForResource",
                "route53:CreateHostedZone",
                "route53:DeleteHostedZone",
                "route53:GetChange",
                "route53:GetHostedZone",
                "route53:ListResourceRecordSets"
            ],
            "Resource": "arn:aws:route53:::hostedzone/*",
            "Effect": "Allow",
            "Sid": "Route53HostedZones"
        },
        {
            "Action": [
                "sqs:GetQueueAttributes",
                "sqs:CreateQueue",
                "sqs:SetQueueAttributes",
                "sqs:DeleteQueue",
                "sqs:TagQueue"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "SQS"
        },
        {
            "Action": [
                "sqs:SendMessage",
                "sqs:ReceiveMessage",
                "sqs:ChangeMessageVisibility",
                "sqs:DeleteMessage",
                "sqs:GetQueueUrl"
            ],
            "Resource": "arn:aws:sqs:us-east-1:111122223333:parallelcluster-*",
            "Effect": "Allow",
            "Sid": "SQSQueue"
        },
        {
            "Action": [
                "sns:ListTopics",
                "sns:GetTopicAttributes",
                "sns:CreateTopic",
                "sns:Subscribe",
                "sns:Unsubscribe",
                "sns:DeleteTopic"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "SNS"
        },
        {
            "Action": [
                "iam:PassRole",
                "iam:CreateRole",
                "iam:DeleteRole",
                "iam:GetRole",
                "iam:TagRole",
                "iam:SimulatePrincipalPolicy"
            ],
            "Resource": [
                "arn:aws:iam::111122223333:role/parallelcluster-*",
                "arn:aws:iam::111122223333:role/<PARALLELCLUSTER EC2 ROLE NAME>"
            ],
            "Effect": "Allow",
            "Sid": "IAMRole"
        },
        {
            "Action": [
                "iam:CreateInstanceProfile",
                "iam:DeleteInstanceProfile",
                "iam:GetInstanceProfile",
                "iam:PassRole"
            ],
            "Resource": "arn:aws:iam::111122223333:instance-profile/*",
            "Effect": "Allow",
            "Sid": "IAMInstanceProfile"
        },
        {
            "Action": [
                "iam:AddRoleToInstanceProfile",
                "iam:RemoveRoleFromInstanceProfile",
                "iam:GetRolePolicy",
                "iam:PutRolePolicy",
                "iam:DeleteRolePolicy",
                "iam:GetPolicy",
                "iam:AttachRolePolicy",
                "iam:DetachRolePolicy"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "IAM"
        },
        {
            "Action": [
                "s3:*"
            ],
            "Resource": [
                "arn:aws:s3:::amzn-s3-demo-bucket"
            ],
            "Effect": "Allow",
            "Sid": "S3ResourcesBucket"
        },
        {
            "Action": [
                "s3:Get*",
                "s3:List*"
            ],
            "Resource": [
                "arn:aws:s3:::us-east-1-aws-parallelcluster/*"
            ],
            "Effect": "Allow",
            "Sid": "S3ParallelClusterReadOnly"
        },
        {
            "Action": [
                "s3:DeleteBucket",
                "s3:DeleteObject",
                "s3:DeleteObjectVersion"
            ],
            "Resource": [
                "arn:aws:s3:::amzn-s3-demo-bucket"
            ],
            "Effect": "Allow",
            "Sid": "S3Delete"
        },
        {
            "Action": [
                "lambda:CreateFunction",
                "lambda:DeleteFunction",
                "lambda:GetFunction",
                "lambda:GetFunctionConfiguration",
                "lambda:InvokeFunction",
                "lambda:AddPermission",
                "lambda:RemovePermission",
                "lambda:TagResource",
                "lambda:ListTags",
                "lambda:UntagResource"
            ],
            "Resource": [
                "arn:aws:lambda:us-east-1:111122223333:function:parallelcluster-*",
                "arn:aws:lambda:us-east-1:111122223333:function:pcluster-*"
            ],
            "Effect": "Allow",
            "Sid": "Lambda"
        },
        {
            "Action": [
                "logs:*"
            ],
            "Resource": "arn:aws:logs:us-east-1:111122223333:*",
            "Effect": "Allow",
            "Sid": "Logs"
        },
        {
            "Action": [
                "codebuild:*"
            ],
            "Resource": "arn:aws:codebuild:us-east-1:111122223333:project/parallelcluster-*",
            "Effect": "Allow",
            "Sid": "CodeBuild"
        },
        {
            "Action": [
                "ecr:*"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "ECR"
        },
        {
            "Action": [
                "batch:*"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "Batch"
        },
        {
            "Action": [
                "events:*"
            ],
            "Effect": "Allow",
            "Resource": "*",
            "Sid": "AmazonCloudWatchEvents"
        },
        {
            "Action": [
                "ecs:DescribeContainerInstances",
                "ecs:ListContainerInstances"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "ECS"
        },
        {
            "Action": [
                "elasticfilesystem:CreateFileSystem",
                "elasticfilesystem:CreateMountTarget",
                "elasticfilesystem:DeleteFileSystem",
                "elasticfilesystem:DeleteMountTarget",
                "elasticfilesystem:DescribeFileSystems",
                "elasticfilesystem:DescribeMountTargets"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "EFS"
        },
        {
            "Action": [
                "fsx:*"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "FSx"
        },
        {
            "Sid": "CloudWatch",
            "Effect": "Allow",
            "Action": [
                "cloudwatch:PutDashboard",
                "cloudwatch:ListDashboards",
                "cloudwatch:DeleteDashboards",
                "cloudwatch:GetDashboard"
            ],
            "Resource": "*"
        }
    ]
}
```

------

### `ParallelClusterLambdaPolicy` using SGE, Slurm, or Torque
<a name="parallelcluster-lambda-policy"></a>

The following example sets the `ParallelClusterLambdaPolicy`, using SGE, Slurm, or Torque as the scheduler.

**Note**  
Starting with version 2.11.5, AWS ParallelCluster doesn't support the use of SGE or Torque schedulers.

------
#### [ JSON ]

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": "arn:aws:logs:*:*:*",
      "Effect": "Allow",
      "Sid": "CloudWatchLogsPolicy"
    },
    {
      "Action": [
        "s3:DeleteBucket",
        "s3:DeleteObject",
        "s3:DeleteObjectVersion",
        "s3:ListBucket",
        "s3:ListBucketVersions"
      ],
      "Resource": [
        "arn:aws:s3:::*"
      ],
      "Effect": "Allow",
      "Sid": "S3BucketPolicy"
    },
    {
      "Action": [
        "ec2:DescribeInstances"
      ],
      "Resource": "*",
      "Effect": "Allow",
      "Sid": "DescribeInstances"
    },
    {
      "Action": [
        "ec2:TerminateInstances"
      ],
      "Resource": "*",
      "Effect": "Allow",
      "Sid": "FleetTerminatePolicy"
    },
    {
      "Action": [
        "dynamodb:GetItem",
        "dynamodb:PutItem"
      ],
      "Resource": "arn:aws:dynamodb:us-east-1:111122223333:table/parallelcluster-*",
      "Effect": "Allow",
      "Sid": "DynamoDBTable"
    },
    {
      "Action": [
        "route53:ListResourceRecordSets",
        "route53:ChangeResourceRecordSets"
      ],
      "Resource": [
        "arn:aws:route53:::hostedzone/*"
      ],
      "Effect": "Allow",
      "Sid": "Route53DeletePolicy"
    }
  ]
}
```

------

### `ParallelClusterLambdaPolicy` using `awsbatch`
<a name="parallelcluster-lambda-policy-batch"></a>

The following example sets the `ParallelClusterLambdaPolicy` using `awsbatch` as the scheduler.

------
#### [ JSON ]

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:logs:*:*:*",
      "Sid": "CloudWatchLogsPolicy"
    },
    {
      "Action": [
        "ecr:BatchDeleteImage",
        "ecr:ListImages"
      ],
      "Effect": "Allow",
      "Resource": "*",
      "Sid": "ECRPolicy"
    },
    {
      "Action": [
        "codebuild:BatchGetBuilds",
        "codebuild:StartBuild"
      ],
      "Effect": "Allow",
      "Resource": "*",
      "Sid": "CodeBuildPolicy"
    },
    {
      "Action": [
        "s3:DeleteBucket",
        "s3:DeleteObject",
        "s3:DeleteObjectVersion",
        "s3:ListBucket",
        "s3:ListBucketVersions"
      ],
      "Effect": "Allow",
      "Resource": "*",
      "Sid": "S3BucketPolicy"
    }
  ]
}
```

------

### `ParallelClusterUserPolicy` for users
<a name="parallelclusteruserpolicy-minimal-user"></a>

The following example sets the `ParallelClusterUserPolicy` for users that don't need to create or update clusters. The following commands are supported.
+ [`pcluster dcv`](pcluster.dcv.md)
+ [`pcluster instances`](pcluster.instances.md)
+ [`pcluster list`](pcluster.list.md)
+ [`pcluster ssh`](pcluster.ssh.md)
+ [`pcluster start`](pcluster.start.md)
+ [`pcluster status`](pcluster.status.md)
+ [`pcluster stop`](pcluster.stop.md)
+ [`pcluster version`](pcluster.version.md)

------
#### [ JSON ]

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "MinimumModify",
            "Action": [
                "autoscaling:UpdateAutoScalingGroup",
                "batch:UpdateComputeEnvironment",
                "cloudformation:DescribeStackEvents",
                "cloudformation:DescribeStackResources",
                "cloudformation:GetTemplate",
                "dynamodb:GetItem",
                "dynamodb:PutItem"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:autoscaling:us-east-1:111122223333:autoScalingGroup:*:autoScalingGroupName/parallelcluster-*",
                "arn:aws:batch:us-east-1:111122223333:compute-environment/*",
                "arn:aws:cloudformation:us-east-1:111122223333:stack/<CLUSTERNAME>/*",
                "arn:aws:dynamodb:us-east-1:111122223333:table/<CLUSTERNAME>"
            ]
        },
        {
            "Sid": "Describe",
            "Action": [
                "cloudformation:DescribeStacks",
                "ec2:DescribeInstances",
                "ec2:DescribeInstanceStatus"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}
```

------