


# AWS Identity and Access Management permissions in AWS ParallelCluster
<a name="iam-roles-in-parallelcluster-v3"></a>

AWS ParallelCluster uses IAM permissions to control access to resources when creating and managing clusters.

**To create and manage clusters in an AWS account, AWS ParallelCluster requires two levels of permissions:**
+ The permissions that the `pcluster` user needs to invoke `pcluster` CLI commands to create and manage clusters.
+ The permissions that the cluster resources need to perform cluster actions.

**AWS ParallelCluster uses** [Amazon EC2 instance profiles and roles](#iam-ec2-instance-role) to provide cluster resource permissions. To manage cluster resource permissions, AWS ParallelCluster also needs permissions on IAM resources. For more information, see [AWS ParallelCluster user example policies for managing IAM resources](#iam-roles-in-parallelcluster-v3-user-policy-manage-iam).

**The `pcluster` user needs** IAM permissions to use the [`pcluster`](pcluster-v3.md) CLI to create and manage clusters and their resources. These permissions are included in IAM policies that can be added to a user or role. For more information about IAM roles, see [Creating a role for an IAM user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user.html) in the *AWS Identity and Access Management User Guide*.

You can also use the [AWS ParallelCluster configuration parameters for managing IAM permissions](#iam-roles-in-parallelcluster-v3-params-for-iam).

The following sections contain the required permissions, with examples.

To use the example policies, replace `<AWS ACCOUNT ID>`, `<REGION>`, and similar strings with the appropriate values.

The following example policies include Amazon Resource Names (ARNs) for the resources. If you work in the AWS GovCloud (US) or AWS China partitions, the ARNs must be changed. Specifically, they must be changed from "arn:aws" to "arn:aws-us-gov" for the AWS GovCloud (US) partition, or to "arn:aws-cn" for the AWS China partition. For more information, see [Amazon Resource Names (ARNs) in AWS GovCloud (US) Regions](https://docs.aws.amazon.com/govcloud-us/latest/UserGuide/using-govcloud-arns.html) in the *AWS GovCloud (US) User Guide* and [ARNs for AWS services in China](https://docs.amazonaws.cn/aws/latest/userguide/ARNs.html) in *Getting Started with AWS services in China*.

You can track changes to the example policies in the [AWS ParallelCluster documentation on GitHub](https://github.com/awsdocs/aws-parallelcluster-user-guide/blame/main/doc_source/iam-roles-in-parallelcluster-v3.md).

**Topics**
+ [AWS ParallelCluster Amazon EC2 instance role](#iam-ec2-instance-role)
+ [AWS ParallelCluster example `pcluster` user policies](#iam-roles-in-parallelcluster-v3-example-user-policies)
+ [AWS ParallelCluster user example policies for managing IAM resources](#iam-roles-in-parallelcluster-v3-user-policy-manage-iam)
+ [AWS ParallelCluster configuration parameters for managing IAM permissions](#iam-roles-in-parallelcluster-v3-params-for-iam)

## AWS ParallelCluster Amazon EC2 instance role
<a name="iam-ec2-instance-role"></a>

When you create a cluster with the default configuration settings, AWS ParallelCluster automatically creates a default cluster Amazon EC2 [instance role](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html), together with an Amazon EC2 [instance profile](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2_instance-profiles.html), that provides the permissions needed to create and manage the cluster and its resources.

### Alternatives to using the default AWS ParallelCluster instance role
<a name="iam-roles-in-parallelcluster-v3-existing-roles"></a>

You can use the `InstanceRole` cluster configuration setting to specify your own existing IAM role for EC2 in place of the default AWS ParallelCluster instance role. For more information, see [AWS ParallelCluster configuration parameters for managing IAM permissions](#iam-roles-in-parallelcluster-v3-params-for-iam). Typically, you specify an existing IAM role to have full control over the permissions granted to EC2.

If your intent is to add extra policies to the default instance role, we recommend that you pass the additional IAM policies through the [`AdditionalIamPolicies`](#iam-roles-in-parallelcluster-v3-cluster-config-additionaliampolicies) configuration setting rather than the [`InstanceProfile` or `InstanceRole`](#iam-roles-in-parallelcluster-v3-cluster-config-headnode-instanceprofile) settings. You can update `AdditionalIamPolicies` when you update a cluster, but you cannot update `InstanceRole` when you update a cluster.

## AWS ParallelCluster example `pcluster` user policies
<a name="iam-roles-in-parallelcluster-v3-example-user-policies"></a>

The following examples show the user policies required to create and manage AWS ParallelCluster and its resources with the `pcluster` CLI. You can attach the policies to a user or a role.

**Topics**
+ [Base AWS ParallelCluster `pcluster` user policy](#iam-roles-in-parallelcluster-v3-base-user-policy)
+ [Additional AWS ParallelCluster `pcluster` user policy when using the AWS Batch scheduler](#iam-roles-in-parallelcluster-v3-user-policy-batch)
+ [Additional AWS ParallelCluster `pcluster` user policy when using Amazon FSx for Lustre](#iam-roles-in-parallelcluster-v3-user-policy-fsxlustre)
+ [AWS ParallelCluster image build `pcluster` user policy](#iam-roles-in-parallelcluster-v3-user-policy-build-image)

### Base AWS ParallelCluster `pcluster` user policy
<a name="iam-roles-in-parallelcluster-v3-base-user-policy"></a>

The following policy shows the permissions required to run AWS ParallelCluster `pcluster` commands.

The last action listed in the policy is included to validate any secrets specified in the cluster configuration, for example when an AWS Secrets Manager secret is used to configure [`DirectoryService`](DirectoryService-v3.md) integration. In that case, the cluster is created only if a valid secret exists at [`PasswordSecretArn`](DirectoryService-v3.md#yaml-DirectoryService-PasswordSecretArn). If this action is omitted, secret validation is skipped. To improve your security posture, we recommend that you narrow the scope of this policy statement to only the secrets specified in the cluster configuration.

**Note**  
If an existing Amazon EFS file system is the only file system used in the cluster, you can narrow the example Amazon EFS policy statement to the specific file system referenced in the [`SharedStorage` section](SharedStorage-v3.md) of the cluster configuration file.

------
#### [ JSON ]

****  

```
{
    "Version":"2012-10-17",
    "Statement": [
        {
            "Action": [
                "ec2:Describe*"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "EC2Read"
        },
        {
            "Action": [
                "ec2:AllocateAddress",
                "ec2:AssociateAddress",
                "ec2:AttachNetworkInterface",
                "ec2:AuthorizeSecurityGroupEgress",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:CreateFleet",
                "ec2:CreateLaunchTemplate",
                "ec2:CreateLaunchTemplateVersion",
                "ec2:CreateNetworkInterface",
                "ec2:CreatePlacementGroup",
                "ec2:CreateSecurityGroup",
                "ec2:CreateSnapshot",
                "ec2:CreateTags",
                "ec2:DeleteTags",
                "ec2:CreateVolume",
                "ec2:DeleteLaunchTemplate",
                "ec2:DeleteNetworkInterface",
                "ec2:DeletePlacementGroup",
                "ec2:DeleteSecurityGroup",
                "ec2:DeleteVolume",
                "ec2:DisassociateAddress",
                "ec2:ModifyLaunchTemplate",
                "ec2:ModifyNetworkInterfaceAttribute",
                "ec2:ModifyVolume",
                "ec2:ModifyVolumeAttribute",
                "ec2:ReleaseAddress",
                "ec2:RevokeSecurityGroupEgress",
                "ec2:RevokeSecurityGroupIngress",
                "ec2:RunInstances",
                "ec2:TerminateInstances"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "EC2Write"
        },
        {
            "Action": [
                "dynamodb:DescribeTable",
                "dynamodb:ListTagsOfResource",
                "dynamodb:CreateTable",
                "dynamodb:DeleteTable",
                "dynamodb:GetItem",
                "dynamodb:PutItem",
                "dynamodb:UpdateItem",
                "dynamodb:Query",
                "dynamodb:TagResource",
                "dynamodb:UntagResource"
            ],
            "Resource": "arn:aws:dynamodb:*:111122223333:table/parallelcluster-*",
            "Effect": "Allow",
            "Sid": "DynamoDB"
        },
        {
            "Action": [
                "route53:ChangeResourceRecordSets",
                "route53:ChangeTagsForResource",
                "route53:CreateHostedZone",
                "route53:DeleteHostedZone",
                "route53:GetChange",
                "route53:GetHostedZone",
                "route53:ListResourceRecordSets",
                "route53:ListQueryLoggingConfigs"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "Route53HostedZones"
        },
        {
            "Action": [
                "cloudformation:*"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "CloudFormation"
        },
        {
            "Action": [
                "cloudwatch:PutDashboard",
                "cloudwatch:ListDashboards",
                "cloudwatch:DeleteDashboards",
                "cloudwatch:GetDashboard",
                "cloudwatch:PutMetricAlarm",
                "cloudwatch:DeleteAlarms",
                "cloudwatch:DescribeAlarms",
                "cloudwatch:PutCompositeAlarm",
                "cloudwatch:TagResource",
                "cloudwatch:UntagResource"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "CloudWatch"
        },
        {
            "Action": [
                "iam:GetRole",
                "iam:GetRolePolicy",
                "iam:GetPolicy",
                "iam:SimulatePrincipalPolicy",
                "iam:GetInstanceProfile"
            ],
            "Resource": [
                "arn:aws:iam::111122223333:role/*",
                "arn:aws:iam::111122223333:policy/*",
                "arn:aws:iam::aws:policy/*",
                "arn:aws:iam::111122223333:instance-profile/*"
            ],
            "Effect": "Allow",
            "Sid": "IamRead"
        },
        {
            "Action": [
                "iam:CreateInstanceProfile",
                "iam:DeleteInstanceProfile",
                "iam:AddRoleToInstanceProfile",
                "iam:RemoveRoleFromInstanceProfile"
            ],
            "Resource": [
                "arn:aws:iam::111122223333:instance-profile/parallelcluster/*"
            ],
            "Effect": "Allow",
            "Sid": "IamInstanceProfile"
        },
        {
            "Condition": {
                "StringEqualsIfExists": {
                    "iam:PassedToService": [
                        "lambda.amazonaws.com",
                        "ec2.amazonaws.com",
                        "spotfleet.amazonaws.com"
                    ]
                }
            },
            "Action": [
                "iam:PassRole"
            ],
            "Resource": [
                "arn:aws:iam::111122223333:role/parallelcluster/*"
            ],
            "Effect": "Allow",
            "Sid": "IamPassRole"
        },
        {
            "Action": [
                "lambda:CreateFunction",
                "lambda:DeleteFunction",
                "lambda:GetFunctionConfiguration",
                "lambda:GetFunction",
                "lambda:InvokeFunction",
                "lambda:AddPermission",
                "lambda:RemovePermission",
                "lambda:UpdateFunctionConfiguration",
                "lambda:TagResource",
                "lambda:ListTags",
                "lambda:UntagResource"
            ],
            "Resource": [
                "arn:aws:lambda:*:111122223333:function:parallelcluster-*",
                "arn:aws:lambda:*:111122223333:function:pcluster-*"
            ],
            "Effect": "Allow",
            "Sid": "Lambda"
        },
        {
            "Action": [
                "s3:*"
            ],
            "Resource": [
                "arn:aws:s3:::parallelcluster-*",
                "arn:aws:s3:::aws-parallelcluster-*"
            ],
            "Effect": "Allow",
            "Sid": "S3ResourcesBucket"
        },
        {
            "Action": [
                "s3:Get*",
                "s3:List*"
            ],
            "Resource": "arn:aws:s3:::*-aws-parallelcluster*",
            "Effect": "Allow",
            "Sid": "S3ParallelClusterReadOnly"
        },
        {
            "Action": [
                "elasticfilesystem:*"
            ],
            "Resource": [
                "arn:aws:elasticfilesystem:*:111122223333:*"
            ],
            "Effect": "Allow",
            "Sid": "EFS"
        },
        {
            "Action": [
                "logs:DeleteLogGroup",
                "logs:PutRetentionPolicy",
                "logs:DescribeLogGroups",
                "logs:CreateLogGroup",
                "logs:TagResource",
                "logs:UntagResource",
                "logs:FilterLogEvents",
                "logs:GetLogEvents",
                "logs:CreateExportTask",
                "logs:DescribeLogStreams",
                "logs:DescribeExportTasks",
                "logs:DescribeMetricFilters",
                "logs:PutMetricFilter",
                "logs:DeleteMetricFilter",
                "logs:ListTagsForResource"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "CloudWatchLogs"
        },
        {
            "Action": [
                "resource-groups:ListGroupResources"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "ResourceGroupRead"
        },
        {
            "Sid": "AllowDescribingFileCache",
            "Effect": "Allow",
            "Action": [
                "fsx:DescribeFileCaches"
            ],
            "Resource": "*"
        },
        {
            "Action": "secretsmanager:DescribeSecret",
            "Resource": "arn:aws:secretsmanager:us-east-1:111122223333:secret:<SECRET NAME>",
            "Effect": "Allow"
        }
    ]
}
```

------

### Additional AWS ParallelCluster `pcluster` user policy when using the AWS Batch scheduler
<a name="iam-roles-in-parallelcluster-v3-user-policy-batch"></a>

If you need to create and manage clusters with the AWS Batch scheduler, the following additional policy is required.

------
#### [ JSON ]

****  

```
{
    "Version":"2012-10-17",
    "Statement": [
        {
            "Condition": {
                "StringEqualsIfExists": {
                    "iam:PassedToService": [
                        "ecs-tasks.amazonaws.com",
                        "batch.amazonaws.com",
                        "codebuild.amazonaws.com"
                    ]
                }
            },
            "Action": [
                "iam:PassRole"
            ],
            "Resource": [
                "arn:aws:iam::111122223333:role/parallelcluster/*"
            ],
            "Effect": "Allow",
            "Sid": "IamPassRole"
        },
        {
            "Condition": {
                "StringEquals": {
                    "iam:AWSServiceName": [
                        "batch.amazonaws.com"
                    ]
                }
            },
            "Action": [
                "iam:CreateServiceLinkedRole",
                "iam:DeleteServiceLinkedRole"
            ],
            "Resource": [
                "arn:aws:iam::111122223333:role/aws-service-role/batch.amazonaws.com/*"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "codebuild:*"
            ],
            "Resource": "arn:aws:codebuild:*:111122223333:project/pcluster-*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "ecr:*"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "ECR"
        },
        {
            "Action": [
                "batch:*"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "Batch"
        },
        {
            "Action": [
                "events:*"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "AmazonCloudWatchEvents"
        },
        {
            "Action": [
                "ecs:DescribeContainerInstances",
                "ecs:ListContainerInstances"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "ECS"
        }
    ]
}
```

------

### Additional AWS ParallelCluster `pcluster` user policy when using Amazon FSx for Lustre
<a name="iam-roles-in-parallelcluster-v3-user-policy-fsxlustre"></a>

If you need to create and manage clusters with Amazon FSx for Lustre, the following additional policy is required.

**Note**  
If an existing Amazon FSx file system is the only file system used in the cluster, you can narrow the example Amazon FSx policy statement to the specific file system referenced in the [`SharedStorage` section](SharedStorage-v3.md) of the cluster configuration file.

------
#### [ JSON ]

****  

```
{
    "Version":"2012-10-17",
    "Statement": [
        {
            "Condition": {
                "StringEquals": {
                    "iam:AWSServiceName": [
                        "fsx.amazonaws.com",
                        "s3.data-source.lustre.fsx.amazonaws.com"
                    ]
                }
            },
            "Action": [
                "iam:CreateServiceLinkedRole",
                "iam:DeleteServiceLinkedRole"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "fsx:*"
            ],
            "Resource": [
                "arn:aws:fsx:*:111122223333:*"
            ],
            "Effect": "Allow",
            "Sid": "FSx"
        },
        {
            "Action": [
                "iam:CreateServiceLinkedRole",
                "iam:AttachRolePolicy",
                "iam:PutRolePolicy"
            ],
            "Resource": "arn:aws:iam::111122223333:role/aws-service-role/s3.data-source.lustre.fsx.amazonaws.com/*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "s3:Get*",
                "s3:List*",
                "s3:PutObject"
            ],
            "Resource": "arn:aws:s3:::amzn-s3-demo-bucket",
            "Effect": "Allow"
        }
    ]
}
```

------
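The notes on the EFS statement (base policy) and the FSx statement (above), and the advice to narrow the `secretsmanager:DescribeSecret` statement, all describe the same scoping step. As an added example (not part of the AWS ParallelCluster documentation or code base), the following Python reads the `SharedStorage` and `DirectoryService` sections of a cluster configuration and rewrites those three statements to the specific file-system and secret ARNs. It generalizes the notes slightly: a storage statement is narrowed whenever every `SharedStorage` entry of that type references an existing `FileSystemId`, and keeps the wildcard resource when `pcluster` would create the file system. The configuration values, account ID and the `STORAGE_STATEMENTS` table are constructed for the example; the configuration keys follow the ParallelCluster v3 schema.

```python
"""Narrow the example pcluster user policy to the resources a cluster
configuration actually references. Added illustration, not ParallelCluster code."""
import copy

# Constructed cluster configuration fragment (keys follow the ParallelCluster v3
# schema: SharedStorage / StorageType / EfsSettings / FsxLustreSettings and
# DirectoryService / PasswordSecretArn). IDs, ARNs and account are placeholders.
CLUSTER_CONFIG = {
    "SharedStorage": [
        {"Name": "home", "StorageType": "Efs",
         "EfsSettings": {"FileSystemId": "fs-0123456789abcdef0"}},
        {"Name": "scratch", "StorageType": "FsxLustre",
         "FsxLustreSettings": {"FileSystemId": "fs-0fedcba9876543210"}},
        {"Name": "data", "StorageType": "Ebs", "EbsSettings": {"Size": 100}},
    ],
    "DirectoryService": {
        "PasswordSecretArn":
            "arn:aws:secretsmanager:us-east-1:111122223333:secret:ad-password-AbCdEf",
    },
}

# The three statements from the page's example policies that can be narrowed,
# copied here so the example is self-contained.
BASE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "EFS", "Effect": "Allow", "Action": ["elasticfilesystem:*"],
         "Resource": ["arn:aws:elasticfilesystem:*:111122223333:*"]},
        {"Sid": "FSx", "Effect": "Allow", "Action": ["fsx:*"],
         "Resource": ["arn:aws:fsx:*:111122223333:*"]},
        {"Effect": "Allow", "Action": "secretsmanager:DescribeSecret",
         "Resource": "arn:aws:secretsmanager:us-east-1:111122223333:secret:<SECRET NAME>"},
    ],
}

# Statement Sid -> (StorageType, settings key, file-system ARN template).
STORAGE_STATEMENTS = {
    "EFS": ("Efs", "EfsSettings",
            "arn:aws:elasticfilesystem:{region}:{account}:file-system/{fs}"),
    "FSx": ("FsxLustre", "FsxLustreSettings",
            "arn:aws:fsx:{region}:{account}:file-system/{fs}"),
}


def existing_file_system_ids(config, storage_type, settings_key):
    """FileSystemIds of every SharedStorage entry of one type, or None if any
    entry of that type lacks a FileSystemId (pcluster would create it, so the
    statement has to keep its wildcard resource)."""
    ids = []
    for entry in config.get("SharedStorage", []):
        if entry.get("StorageType") != storage_type:
            continue
        fs_id = entry.get(settings_key, {}).get("FileSystemId")
        if not fs_id:
            return None
        ids.append(fs_id)
    return ids


def scope_down_policy(policy, config, region, account):
    """Copy of `policy` whose EFS/FSx statements name only the existing file
    systems in `config`, and whose DescribeSecret statement names only the
    configured PasswordSecretArn (dropped when no secret is configured)."""
    scoped = copy.deepcopy(policy)
    statements = []
    for stmt in scoped["Statement"]:
        sid = stmt.get("Sid")
        if sid in STORAGE_STATEMENTS:
            storage_type, settings_key, template = STORAGE_STATEMENTS[sid]
            ids = existing_file_system_ids(config, storage_type, settings_key)
            if ids:  # non-empty list: every entry of this type already exists
                stmt["Resource"] = [template.format(region=region, account=account, fs=i)
                                    for i in ids]
        elif stmt.get("Action") == "secretsmanager:DescribeSecret":
            secret = config.get("DirectoryService", {}).get("PasswordSecretArn")
            if not secret:
                continue  # omitting the action simply skips secret validation
            stmt["Resource"] = secret
        statements.append(stmt)
    scoped["Statement"] = statements
    return scoped


def resource_for_sid(policy, sid):
    """Resource of the statement with the given Sid, or None if absent."""
    for stmt in policy["Statement"]:
        if stmt.get("Sid") == sid:
            return stmt["Resource"]
    return None


if __name__ == "__main__":
    import json
    print(json.dumps(scope_down_policy(BASE_POLICY, CLUSTER_CONFIG,
                                       "us-east-1", "111122223333"), indent=4))
```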

### AWS ParallelCluster image build `pcluster` user policy
<a name="iam-roles-in-parallelcluster-v3-user-policy-build-image"></a>

Users who want to build custom Amazon EC2 images with AWS ParallelCluster must have the following set of permissions.

------
#### [ JSON ]

****  

```
{
    "Version":"2012-10-17",
    "Statement": [
        {
            "Action": [
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeImages",
                "ec2:DescribeInstanceTypeOfferings",
                "ec2:DescribeInstanceTypes",
                "ec2:DeregisterImage",
                "ec2:DeleteSnapshot"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "EC2"
        },
        {
            "Action": [
                "iam:CreateInstanceProfile",
                "iam:AddRoleToInstanceProfile",
                "iam:CreateRole",
                "iam:TagRole",
                "iam:GetRole",
                "iam:PutRolePolicy",
                "iam:GetRolePolicy",
                "iam:GetInstanceProfile",
                "iam:RemoveRoleFromInstanceProfile"
            ],
            "Resource": [
                "arn:aws:iam::111122223333:instance-profile/parallelcluster/*",
                "arn:aws:iam::111122223333:instance-profile/ParallelClusterImage*",
                "arn:aws:iam::111122223333:role/parallelcluster/*"
            ],
            "Effect": "Allow",
            "Sid": "IAM"
        },
        {
            "Condition": {
                "StringEquals": {
                    "iam:PassedToService": [
                        "lambda.amazonaws.com",
                        "ec2.amazonaws.com"
                    ]
                }
            },
            "Action": [
                "iam:PassRole"
            ],
            "Resource": [
                "arn:aws:iam::111122223333:instance-profile/parallelcluster/*",
                "arn:aws:iam::111122223333:role/parallelcluster/*"
            ],
            "Effect": "Allow",
            "Sid": "IAMPassRole"
        },
        {
            "Action": [
                "logs:GetLogEvents",
                "logs:CreateLogGroup",
                "logs:TagResource",
                "logs:UntagResource",
                "logs:DeleteLogGroup"
            ],
            "Resource": [
                "arn:aws:logs:*:111122223333:log-group:/aws/imagebuilder/ParallelClusterImage-*",
                "arn:aws:logs:*:111122223333:log-group:/aws/lambda/ParallelClusterImage-*"
            ],
            "Effect": "Allow",
            "Sid": "CloudWatch"
        },
        {
            "Action": [
                "cloudformation:DescribeStacks",
                "cloudformation:CreateStack",
                "cloudformation:DeleteStack"
            ],
            "Resource": [
                "arn:aws:cloudformation:*:111122223333:stack/*"
            ],
            "Effect": "Allow",
            "Sid": "CloudFormation"
        },
        {
            "Action": [
                "lambda:CreateFunction",
                "lambda:GetFunction",
                "lambda:AddPermission",
                "lambda:RemovePermission",
                "lambda:DeleteFunction",
                "lambda:TagResource",
                "lambda:ListTags",
                "lambda:UntagResource"
            ],
            "Resource": [
                "arn:aws:lambda:*:111122223333:function:ParallelClusterImage-*"
            ],
            "Effect": "Allow",
            "Sid": "Lambda"
        },
        {
            "Action": [
                "imagebuilder:Get*"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "ImageBuilderGet"
        },
        {
            "Action": [
                "imagebuilder:CreateImage",
                "imagebuilder:TagResource",
                "imagebuilder:CreateImageRecipe",
                "imagebuilder:CreateComponent",
                "imagebuilder:CreateDistributionConfiguration",
                "imagebuilder:CreateInfrastructureConfiguration",
                "imagebuilder:DeleteImage",
                "imagebuilder:DeleteComponent",
                "imagebuilder:DeleteImageRecipe",
                "imagebuilder:DeleteInfrastructureConfiguration",
                "imagebuilder:DeleteDistributionConfiguration"
            ],
            "Resource": [
                "arn:aws:imagebuilder:*:111122223333:image/parallelclusterimage-*",
                "arn:aws:imagebuilder:*:111122223333:image-recipe/parallelclusterimage-*",
                "arn:aws:imagebuilder:*:111122223333:component/parallelclusterimage-*",
                "arn:aws:imagebuilder:*:111122223333:distribution-configuration/parallelclusterimage-*",
                "arn:aws:imagebuilder:*:111122223333:infrastructure-configuration/parallelclusterimage-*"
            ],
            "Effect": "Allow",
            "Sid": "ImageBuilder"
        },
        {
            "Action": [
                "s3:CreateBucket",
                "s3:ListBucket",
                "s3:ListBucketVersions"
            ],
            "Resource": [
                "arn:aws:s3:::parallelcluster-*"
            ],
            "Effect": "Allow",
            "Sid": "S3Bucket"
        },
        {
            "Action": [
                "sns:GetTopicAttributes",
                "sns:TagResource",
                "sns:CreateTopic",
                "sns:Subscribe",
                "sns:Publish",
                "SNS:DeleteTopic",
                "SNS:Unsubscribe"
            ],
            "Resource": [
                "arn:aws:sns:*:111122223333:ParallelClusterImage-*"
            ],
            "Effect": "Allow",
            "Sid": "SNS"
        },
        {
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:GetObjectVersion",
                "s3:DeleteObject",
                "s3:DeleteObjectVersion"
            ],
            "Resource": [
                "arn:aws:s3:::parallelcluster-*/*"
            ],
            "Effect": "Allow",
            "Sid": "S3Objects"
        },
        {
            "Action": "iam:CreateServiceLinkedRole",
            "Effect": "Allow",
            "Resource": "arn:aws:iam::*:role/aws-service-role/imagebuilder.amazonaws.com/AWSServiceRoleForImageBuilder",
            "Condition": {
                "StringLike": {
                    "iam:AWSServiceName": "imagebuilder.amazonaws.com"
                }
            }
        }
    ]
}
```

------

## AWS ParallelCluster user example policies for managing IAM resources
<a name="iam-roles-in-parallelcluster-v3-user-policy-manage-iam"></a>

When you use AWS ParallelCluster to create clusters or custom AMIs, you must provide an IAM policy with the permissions needed to grant the required set of permissions to the AWS ParallelCluster components. These IAM resources can be created automatically by AWS ParallelCluster, or provided as input when you create the cluster or custom image.

You can use the following modes to give the AWS ParallelCluster user the permissions needed to access IAM resources, by using additional IAM policies in the configuration.

**Topics**
+ [Privileged IAM access mode](#iam-roles-in-parallelcluster-v3-privileged-iam-access)
+ [Restricted IAM access mode](#iam-roles-in-parallelcluster-v3-restricted-iam-access)
+ [`PermissionsBoundary` mode](#iam-roles-in-parallelcluster-v3-permissionsboundary-mode)

### Privileged IAM access mode
<a name="iam-roles-in-parallelcluster-v3-privileged-iam-access"></a>

In this mode, AWS ParallelCluster automatically creates all the necessary IAM resources. These IAM policies are scoped down so that they can access only the cluster resources.

To enable privileged IAM access mode, add the following policy to the user role.

**Note**  
If you set the [`HeadNode`](HeadNode-v3.md) / [`Iam`](HeadNode-v3.md#HeadNode-v3-Iam) / [`AdditionalIamPolicies`](HeadNode-v3.md#yaml-HeadNode-Iam-AdditionalIamPolicies) or [`Scheduling`](Scheduling-v3.md) / [`SlurmQueues`](Scheduling-v3.md#Scheduling-v3-SlurmQueues) / [`Iam`](Scheduling-v3.md#Scheduling-v3-SlurmQueues-Iam) / [`AdditionalIamPolicies`](Scheduling-v3.md#yaml-Scheduling-SlurmQueues-Iam-AdditionalIamPolicies) parameter, you must give the AWS ParallelCluster user permission to attach and detach role policies for each additional policy, as shown in the following policy. Add the additional policy ARNs to the condition of the statement that attaches and detaches role policies.

**Warning**  
This mode gives the user IAM administrator privileges in the AWS account.

------
#### [ JSON ]

****  

```
{
    "Version":"2012-10-17",
    "Statement": [
        {
            "Action": [
                "iam:CreateServiceLinkedRole",
                "iam:DeleteRole",
                "iam:TagRole",
                "iam:UntagRole"
            ],
            "Resource": [
                "arn:aws:iam::111122223333:role/parallelcluster/*"
            ],
            "Effect": "Allow",
            "Sid": "IamRole"
        },
        {
            "Action": [
                "iam:CreateRole"
            ],
            "Resource": [
                "arn:aws:iam::111122223333:role/parallelcluster/*"
            ],
            "Effect": "Allow",
            "Sid": "IamCreateRole"
        },
        {
            "Action": [
                "iam:PutRolePolicy",
                "iam:DeleteRolePolicy"
            ],
            "Resource": "arn:aws:iam::111122223333:role/parallelcluster/*",
            "Effect": "Allow",
            "Sid": "IamInlinePolicy"
        },
        {
            "Condition": {
                "ArnLike": {
                    "iam:PolicyARN": [
                        "arn:aws:iam::111122223333:policy/parallelcluster*",
                        "arn:aws:iam::111122223333:policy/parallelcluster/*",
                        "arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy",
                        "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore",
                        "arn:aws:iam::aws:policy/AWSBatchFullAccess",
                        "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess",
                        "arn:aws:iam::aws:policy/service-role/AWSBatchServiceRole",
                        "arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role",
                        "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy",
                        "arn:aws:iam::aws:policy/service-role/AmazonEC2SpotFleetTaggingRole",
                        "arn:aws:iam::aws:policy/EC2InstanceProfileForImageBuilder",
                        "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
                    ]
                }
            },
            "Action": [
                "iam:AttachRolePolicy",
                "iam:DetachRolePolicy"
            ],
            "Resource": "arn:aws:iam::111122223333:role/parallelcluster/*",
            "Effect": "Allow",
            "Sid": "IamPolicy"
        }
    ]
}
```

------

### Restricted IAM access mode
<a name="iam-roles-in-parallelcluster-v3-restricted-iam-access"></a>

When no additional IAM policies are granted to the user, the IAM roles required by the cluster or by a custom image build must be created manually by an administrator and passed in the cluster configuration.

When creating a cluster, the following parameters are required:
+  [`Iam`](Iam-v3.md) / [`Roles`](Iam-v3.md#yaml-Iam-Roles) / [`LambdaFunctionsRole`](Iam-v3.md#yaml-Iam-Roles-LambdaFunctionsRole)
+  [`HeadNode`](HeadNode-v3.md) / [`Iam`](HeadNode-v3.md#HeadNode-v3-Iam) / [`InstanceRole`](HeadNode-v3.md#yaml-HeadNode-Iam-InstanceRole) or [`InstanceProfile`](HeadNode-v3.md#yaml-HeadNode-Iam-InstanceProfile)
+  [`Scheduling`](Scheduling-v3.md) / [`SlurmQueues`](Scheduling-v3.md#Scheduling-v3-SlurmQueues) / [`Iam`](Scheduling-v3.md#Scheduling-v3-SlurmQueues-Iam) / [`InstanceRole`](Scheduling-v3.md#yaml-Scheduling-SlurmQueues-Iam-InstanceRole) or [`InstanceProfile`](Scheduling-v3.md#yaml-Scheduling-SlurmQueues-Iam-InstanceProfile)

When building a custom image, the following parameters are required:
+ [`Build`](Build-v3.md) / [`Iam`](Build-v3.md#Build-v3-Iam) / [`InstanceRole`](Build-v3.md#yaml-build-image-Build-Iam-InstanceRole) or [`InstanceProfile`](Build-v3.md#yaml-build-image-Build-Iam-InstanceProfile)
+ [`Build`](Build-v3.md) / [`Iam`](Build-v3.md#Build-v3-Iam) / [`CleanupLambdaRole`](Build-v3.md#yaml-build-image-Build-Iam-CleanupLambdaRole)

The IAM roles passed through the parameters listed above must be created with the `/parallelcluster/` path prefix. If that isn't possible, the user policy must be updated to grant `iam:PassRole` permission on the specific custom roles, as in the following example.

```
{
   "Condition": {
       "StringEqualsIfExists": {
           "iam:PassedToService": [
               "ecs-tasks.amazonaws.com",
               "lambda.amazonaws.com",
               "ec2.amazonaws.com",
               "spotfleet.amazonaws.com",
               "batch.amazonaws.com",
               "codebuild.amazonaws.com"
           ]
       }
   },
   "Action": [
       "iam:PassRole"
   ],
   "Resource": [
       <list all custom IAM roles>
   ],
   "Effect": "Allow",
   "Sid": "IamPassRole"
}
```

**Warning**  
Currently, this mode does not allow managing AWS Batch clusters, because not all IAM roles can be passed in the cluster configuration.
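As an added example (not AWS ParallelCluster's own code), the following Python derives the extra `iam:PassRole` statement shown above from a cluster configuration: it collects the role ARNs passed through `Iam` / `Roles` / `LambdaFunctionsRole`, `HeadNode` / `Iam` / `InstanceRole` and `Scheduling` / `SlurmQueues` / `Iam` / `InstanceRole`, keeps only the roles created outside the `/parallelcluster/` path, and emits the statement for them (or nothing, when the base policy's `role/parallelcluster/*` resource already covers every role). The configuration, role names and account ID are constructed; `InstanceProfile` settings name a profile rather than a role, so the role behind a profile is not visible in the configuration and has to be added by hand.

```python
"""Build the extra iam:PassRole statement that restricted IAM access mode needs
for custom roles created outside the /parallelcluster/ path.
Added illustration, not ParallelCluster code."""
import json

# Services the page's example statement lists under iam:PassedToService.
PASSED_TO_SERVICES = [
    "ecs-tasks.amazonaws.com", "lambda.amazonaws.com", "ec2.amazonaws.com",
    "spotfleet.amazonaws.com", "batch.amazonaws.com", "codebuild.amazonaws.com",
]

# Constructed cluster configuration: one role under /parallelcluster/ and two
# custom roles under a different path (account ID is a placeholder).
CLUSTER_CONFIG = {
    "Iam": {"Roles": {
        "LambdaFunctionsRole": "arn:aws:iam::111122223333:role/parallelcluster/pc-lambda-role"}},
    "HeadNode": {"Iam": {
        "InstanceRole": "arn:aws:iam::111122223333:role/hpc/custom-head-role"}},
    "Scheduling": {"Scheduler": "slurm", "SlurmQueues": [
        {"Name": "q1", "Iam": {"InstanceRole": "arn:aws:iam::111122223333:role/hpc/custom-compute-role"}},
        {"Name": "q2", "Iam": {"InstanceRole": "arn:aws:iam::111122223333:role/hpc/custom-compute-role"}},
    ]},
}


def role_resource(arn):
    """Return the 'role/<path><name>' part of an IAM role ARN; reject anything
    else (instance-profile ARNs, malformed strings) so they cannot slip into
    the Resource list unnoticed."""
    parts = arn.split(":", 5)  # arn:partition:service:region:account:resource
    if len(parts) != 6 or parts[2] != "iam" or not parts[5].startswith("role/"):
        raise ValueError(f"not an IAM role ARN: {arn}")
    return parts[5]


def is_under_parallelcluster_path(arn):
    """True when the role was created with the /parallelcluster/ path prefix."""
    return role_resource(arn).startswith("role/parallelcluster/")


def role_arns_from_config(config):
    """Collect the role ARNs passed through the parameters listed on the page.
    InstanceProfile settings are skipped: they name a profile, not a role."""
    arns = []
    lambda_role = config.get("Iam", {}).get("Roles", {}).get("LambdaFunctionsRole")
    if lambda_role:
        arns.append(lambda_role)
    head_role = config.get("HeadNode", {}).get("Iam", {}).get("InstanceRole")
    if head_role:
        arns.append(head_role)
    for queue in config.get("Scheduling", {}).get("SlurmQueues", []):
        queue_role = queue.get("Iam", {}).get("InstanceRole")
        if queue_role:
            arns.append(queue_role)
    return arns


def custom_role_arns(config):
    """Sorted, de-duplicated role ARNs that are NOT under /parallelcluster/."""
    return sorted({a for a in role_arns_from_config(config)
                   if not is_under_parallelcluster_path(a)})


def extra_pass_role_statement(config):
    """The statement to add to the user policy, or None when the base policy's
    arn:aws:iam::<account>:role/parallelcluster/* resource already covers
    every role in the configuration."""
    custom = custom_role_arns(config)
    if not custom:
        return None
    return {
        # Sids must be unique within one policy document; the base policy
        # already uses "IamPassRole", so this statement gets its own Sid.
        "Sid": "IamPassRoleCustom",
        "Effect": "Allow",
        "Action": ["iam:PassRole"],
        "Resource": custom,
        "Condition": {"StringEqualsIfExists": {"iam:PassedToService": PASSED_TO_SERVICES}},
    }


if __name__ == "__main__":
    print(json.dumps(extra_pass_role_statement(CLUSTER_CONFIG), indent=4))
```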

### `PermissionsBoundary` mode
<a name="iam-roles-in-parallelcluster-v3-permissionsboundary-mode"></a>

This mode delegates to AWS ParallelCluster the creation of IAM roles that are bound to the configured IAM permissions boundary. For more information about IAM permissions boundaries, see [Permissions boundaries for IAM entities](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html) in the *IAM User Guide*.

The following policy needs to be added to the user role.

In the policy, replace *<permissions-boundary-arn>* with the ARN of the IAM policy to enforce as the permissions boundary.

**Warning**  
If you set the [`HeadNode`](HeadNode-v3.md) / [`Iam`](HeadNode-v3.md#HeadNode-v3-Iam) / [`AdditionalIamPolicies`](HeadNode-v3.md#yaml-HeadNode-Iam-AdditionalIamPolicies) or [`Scheduling`](Scheduling-v3.md) / [`SlurmQueues`](Scheduling-v3.md#Scheduling-v3-SlurmQueues) / [`Iam`](Scheduling-v3.md#Scheduling-v3-SlurmQueues-Iam) / [`AdditionalIamPolicies`](Scheduling-v3.md#yaml-Scheduling-SlurmQueues-Iam-AdditionalIamPolicies) parameter, you must give the user permission to attach and detach role policies for each additional policy, as shown in the following policy. Add the additional policy ARNs to the condition of the statement that attaches and detaches role policies.

------
#### [ JSON ]

****  

```
{
    "Version":"2012-10-17",
    "Statement": [
        {
            "Action": [
                "iam:CreateServiceLinkedRole",
                "iam:DeleteRole",
                "iam:TagRole"
            ],
            "Resource": [
                "arn:aws:iam::111122223333:role/parallelcluster/*"
            ],
            "Effect": "Allow",
            "Sid": "IamRole"
        },
        {
            "Condition": {
                "StringEquals": {
                    "iam:PermissionsBoundary": [
                        "<permissions-boundary-arn>"
                    ]
                }
            },
            "Action": [
                "iam:CreateRole"
            ],
            "Resource": [
                "arn:aws:iam::111122223333:role/parallelcluster/*"
            ],
            "Effect": "Allow",
            "Sid": "IamCreateRole"
        },
        {
            "Condition": {
                "StringEquals": {
                    "iam:PermissionsBoundary": [
                        "<permissions-boundary-arn>"
                    ]
                }
            },
            "Action": [
                "iam:PutRolePolicy",
                "iam:DeleteRolePolicy"
            ],
            "Resource": "arn:aws:iam::111122223333:role/parallelcluster/*",
            "Effect": "Allow",
            "Sid": "IamInlinePolicy"
        },
        {
            "Condition": {
                "StringEquals": {
                    "iam:PermissionsBoundary": [
                        "<permissions-boundary-arn>"
                    ]
                },
                "ArnLike": {
                    "iam:PolicyARN": [
                        "arn:aws:iam::111122223333:policy/parallelcluster*",
                        "arn:aws:iam::111122223333:policy/parallelcluster/*",
                        "arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy",
                        "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore",
                        "arn:aws:iam::aws:policy/AWSBatchFullAccess",
                        "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess",
                        "arn:aws:iam::aws:policy/service-role/AWSBatchServiceRole",
                        "arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role",
                        "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy",
                        "arn:aws:iam::aws:policy/service-role/AmazonEC2SpotFleetTaggingRole",
                        "arn:aws:iam::aws:policy/EC2InstanceProfileForImageBuilder",
                        "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
                    ]
                }
            },
            "Action": [
                "iam:AttachRolePolicy",
                "iam:DetachRolePolicy"
            ],
            "Resource": "arn:aws:iam::111122223333:role/parallelcluster/*",
            "Effect": "Allow",
            "Sid": "IamPolicy"
        }
    ]
}
```

------

When this mode is enabled, you must specify the permissions boundary ARN in the [`Iam`](Iam-v3.md) / [`PermissionsBoundary`](Iam-v3.md#yaml-Iam-PermissionsBoundary) configuration parameter when creating or updating a cluster, and in the [`Build`](Build-v3.md) / [`Iam`](Build-v3.md#Build-v3-Iam) / [`PermissionsBoundary`](Build-v3.md#yaml-build-image-Build-Iam-PermissionsBoundary) parameter when building a custom image.

## AWS ParallelCluster configuration parameters for managing IAM permissions
<a name="iam-roles-in-parallelcluster-v3-params-for-iam"></a>

AWS ParallelCluster exposes a set of configuration options to customize and manage the IAM permissions and roles used during the cluster or custom AMI creation process.

**Topics**
+ [Cluster configuration](#iam-roles-in-parallelcluster-v3-cluster-config)
+ [Custom image configuration](#iam-roles-in-parallelcluster-v3-custom-image-configuration)

### Cluster configuration
<a name="iam-roles-in-parallelcluster-v3-cluster-config"></a>

**Topics**
+ [Head node IAM role](#iam-roles-in-parallelcluster-v3-cluster-config-headnode-instanceprofile)
+ [Amazon S3 access](#iam-roles-in-parallelcluster-v3-cluster-config-headnode-s3access)
+ [Additional IAM policies](#iam-roles-in-parallelcluster-v3-cluster-config-additionaliampolicies)
+ [AWS Lambda functions role](#iam-roles-in-parallelcluster-v3-cluster-config-lambdafunctionsrole)
+ [Compute node IAM role](#iam-roles-in-parallelcluster-v3-cluster-config-slurmqueues-instanceprofile)
+ [Permissions boundary](#iam-roles-in-parallelcluster-v3-cluster-config-permissionsboundary)

#### Head node IAM role
<a name="iam-roles-in-parallelcluster-v3-cluster-config-headnode-instanceprofile"></a>

[`HeadNode`](HeadNode-v3.md) / [`Iam`](HeadNode-v3.md#HeadNode-v3-Iam) / [`InstanceRole`](HeadNode-v3.md#yaml-HeadNode-Iam-InstanceRole) | [`InstanceProfile`](HeadNode-v3.md#yaml-HeadNode-Iam-InstanceProfile)

With this option you can override the default IAM role assigned to the head node of the cluster. For additional details, see the [`InstanceProfile`](HeadNode-v3.md#yaml-HeadNode-Iam-InstanceProfile) reference.

The following is the minimal set of policies to be used as part of this role when the scheduler is Slurm:
+ `arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy` managed IAM policy. For more information, see [Create IAM roles and users for use with the CloudWatch agent](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/create-iam-roles-for-cloudwatch-agent.html) in the *Amazon CloudWatch User Guide*.
+ `arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore` managed IAM policy. For more information, see [AWS managed policies for AWS Systems Manager](https://docs.aws.amazon.com/systems-manager/latest/userguide/security_iam_service-with-iam.html#managed-policies) in the *AWS Systems Manager User Guide*.
+ Additional IAM policies:

------
#### [ JSON ]

****  

  ```
  {
      "Version": "2012-10-17",
      "Statement": [
          {
              "Action": [
                  "s3:GetObject",
                  "s3:GetObjectVersion"
              ],
              "Resource": [
                  "arn:aws:s3:::us-east-1-aws-parallelcluster/*",
                  "arn:aws:s3:::dcv-license.us-east-1/*",
                  "arn:aws:s3:::parallelcluster-*-v1-do-not-delete/*"
              ],
              "Effect": "Allow"
          },
          {
              "Action": [
                  "dynamodb:GetItem",
                  "dynamodb:PutItem",
                  "dynamodb:UpdateItem",
                  "dynamodb:BatchWriteItem",
                  "dynamodb:BatchGetItem"
              ],
              "Resource": "arn:aws:dynamodb:us-east-1:111122223333:table/parallelcluster-*",
              "Effect": "Allow"
          },
          {
              "Condition": {
                  "StringEquals": {
                      "ec2:ResourceTag/parallelcluster:node-type": "Compute"
                  }
              },
              "Action": "ec2:TerminateInstances",
              "Resource": "*",
              "Effect": "Allow"
          },
          {
              "Action": [
                  "ec2:RunInstances",
                  "ec2:CreateFleet"
              ],
              "Resource": "*",
              "Effect": "Allow"
          },
          {
              "Condition": {
                  "StringEquals": {
                      "iam:PassedToService": [
                          "ec2.amazonaws.com"
                      ]
                  }
              },
              "Action": [
                  "iam:PassRole"
              ],
              "Resource": [
                  "arn:aws:iam::111122223333:role/parallelcluster/*",
                  "arn:aws:iam::111122223333:instance-profile/parallelcluster/*"
              ],
              "Effect": "Allow"
          },
          {
              "Action": [
                  "ec2:DescribeInstances",
                  "ec2:DescribeInstanceStatus",
                  "ec2:DescribeVolumes",
                  "ec2:DescribeInstanceAttribute",
                  "ec2:DescribeCapacityReservations"
              ],
              "Resource": "*",
              "Effect": "Allow"
          },
          {
              "Action": [
                  "ec2:CreateTags",
                  "ec2:AttachVolume"
              ],
              "Resource": [
                  "arn:aws:ec2:us-east-1:111122223333:instance/*",
                  "arn:aws:ec2:us-east-1:111122223333:volume/*"
              ],
              "Effect": "Allow"
          },
          {
              "Action": [
                  "cloudformation:DescribeStacks",
                  "cloudformation:DescribeStackResource",
                  "cloudformation:SignalResource"
              ],
              "Resource": "*",
              "Effect": "Allow"
          },
          {
              "Action": [
                  "route53:ChangeResourceRecordSets"
              ],
              "Resource": "*",
              "Effect": "Allow"
          },
          {
              "Action": "secretsmanager:GetSecretValue",
              "Resource": "arn:aws:secretsmanager:us-east-1:111122223333:secret:<SECRET_ID>",
              "Effect": "Allow"
          }
      ]
  }
  ```

------

Note that if [`Scheduling`](Scheduling-v3.md) / [`SlurmQueues`](Scheduling-v3.md#Scheduling-v3-SlurmQueues) / [`Iam`](Scheduling-v3.md#Scheduling-v3-SlurmQueues-Iam) / [`InstanceRole`](Scheduling-v3.md#yaml-Scheduling-SlurmQueues-Iam-InstanceRole) is used to override the compute IAM role, the head node policy reported above needs to include that role in the `Resource` section of the `iam:PassRole` permission.
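As an added example (not code from the AWS ParallelCluster project), the following Python check parses a head node policy and reports which compute role ARNs its `iam:PassRole` statement does not cover, which is exactly what breaks when a custom compute role lives outside the `parallelcluster/` path. The policy excerpt and the role ARNs are constructed placeholders, and IAM wildcard matching is implemented locally rather than by calling IAM.

```python
"""Check that a head node policy lets it pass a custom compute node role to EC2.
Added example, not part of AWS ParallelCluster; policy and ARNs are constructed."""
import json
import re

# Constructed sample: the iam:PassRole statement of the Slurm head node policy.
HEAD_NODE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Condition": {"StringEquals": {"iam:PassedToService": ["ec2.amazonaws.com"]}},
      "Action": ["iam:PassRole"],
      "Resource": [
        "arn:aws:iam::111122223333:role/parallelcluster/*",
        "arn:aws:iam::111122223333:instance-profile/parallelcluster/*"
      ],
      "Effect": "Allow"
    }
  ]
}
""")


def _as_list(value):
    """Action, Resource and condition values may be a single string or a list."""
    return value if isinstance(value, list) else [value]


def _iam_match(pattern, value):
    """IAM wildcard matching: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def _statement_covers(stmt, action, resource, service):
    """True if one Allow statement grants `action` on `resource` for `service`."""
    if stmt.get("Effect") != "Allow":
        return False
    # Action names are case-insensitive; resource ARNs are matched as written.
    if not any(_iam_match(a.lower(), action.lower()) for a in _as_list(stmt.get("Action", []))):
        return False
    if not any(_iam_match(r, resource) for r in _as_list(stmt.get("Resource", []))):
        return False
    # Only the StringEquals / iam:PassedToService condition used by these policies
    # is evaluated; any other condition is treated as not satisfied (conservative).
    for operator, keys in stmt.get("Condition", {}).items():
        for key, expected in keys.items():
            if operator != "StringEquals" or key.lower() != "iam:passedtoservice":
                return False
            if service not in _as_list(expected):
                return False
    return True


def passrole_covered(policy, role_arn, service="ec2.amazonaws.com"):
    """True if the policy allows iam:PassRole on role_arn when passed to `service`.
    Explicit Deny statements, permissions boundaries and SCPs are not evaluated, so
    True means "not blocked by this policy", not a complete authorization answer."""
    return any(_statement_covers(s, "iam:PassRole", role_arn, service)
               for s in policy["Statement"])


def missing_passrole(policy, role_arns, service="ec2.amazonaws.com"):
    """Role ARNs the head node could not pass; a non-empty result means the
    Resource list of the iam:PassRole statement must be extended with them."""
    return [arn for arn in role_arns if not passrole_covered(policy, arn, service)]


if __name__ == "__main__":
    # Placeholder ARNs: one under the parallelcluster/ path, one custom role outside it.
    candidates = [
        "arn:aws:iam::111122223333:role/parallelcluster/ClusterComputeRole",
        "arn:aws:iam::111122223333:role/hpc-team/CustomComputeRole",
    ]
    for arn in missing_passrole(HEAD_NODE_POLICY, candidates):
        print("iam:PassRole Resource does not cover:", arn)
```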

The following is the minimal set of policies to be used as part of this role when the scheduler is AWS Batch:
+ `arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy` managed IAM policy. For more information, see [Create IAM roles and users for use with the CloudWatch agent](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/create-iam-roles-for-cloudwatch-agent.html) in the *Amazon CloudWatch User Guide*.
+ `arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore` managed IAM policy. For more information, see [AWS managed policies for AWS Systems Manager](https://docs.aws.amazon.com/systems-manager/latest/userguide/security_iam_service-with-iam.html#managed-policies) in the *AWS Systems Manager User Guide*.
+ Additional IAM policies:

------
#### [ JSON ]

****  

  ```
  {
      "Version": "2012-10-17",
      "Statement": [
          {
              "Action": [
                  "s3:GetObject",
                  "s3:PutObject",
                  "s3:GetObjectVersion"
              ],
              "Resource": [
                  "arn:aws:s3:::parallelcluster-*-v1-do-not-delete/*"
              ],
              "Effect": "Allow"
          },
          {
              "Action": "s3:GetObject",
              "Resource": [
                  "arn:aws:s3:::dcv-license.us-east-1/*",
                  "arn:aws:s3:::us-east-1-aws-parallelcluster/*"
              ],
              "Effect": "Allow"
          },
          {
              "Condition": {
                  "StringEquals": {
                      "iam:PassedToService": [
                          "batch.amazonaws.com"
                      ]
                  }
              },
              "Action": [
                  "iam:PassRole"
              ],
              "Resource": [
                  "arn:aws:iam::111122223333:role/parallelcluster/*",
                  "arn:aws:iam::111122223333:instance-profile/parallelcluster/*"
              ],
              "Effect": "Allow"
          },
          {
              "Action": [
                  "batch:DescribeJobQueues",
                  "batch:DescribeJobs",
                  "batch:ListJobs",
                  "batch:DescribeComputeEnvironments"
              ],
              "Resource": "*",
              "Effect": "Allow"
          },
          {
              "Action": [
                  "batch:SubmitJob",
                  "batch:TerminateJob",
                  "logs:GetLogEvents",
                  "ecs:ListContainerInstances",
                  "ecs:DescribeContainerInstances"
              ],
              "Resource": [
                  "arn:aws:logs:us-east-1:111122223333:log-group:/aws/batch/job:log-stream:PclusterJobDefinition*",
                  "arn:aws:ecs:us-east-1:111122223333:container-instance/AWSBatch-PclusterComputeEnviron*",
                  "arn:aws:ecs:us-east-1:111122223333:cluster/AWSBatch-Pcluster*",
                  "arn:aws:batch:us-east-1:111122223333:job-queue/PclusterJobQueue*",
                  "arn:aws:batch:us-east-1:111122223333:job-definition/PclusterJobDefinition*:*",
                  "arn:aws:batch:us-east-1:111122223333:job/*"
              ],
              "Effect": "Allow"
          },
          {
              "Action": [
                  "ec2:DescribeInstances",
                  "ec2:DescribeInstanceStatus",
                  "ec2:DescribeVolumes",
                  "ec2:DescribeInstanceAttribute"
              ],
              "Resource": "*",
              "Effect": "Allow"
          },
          {
              "Action": [
                  "ec2:CreateTags",
                  "ec2:AttachVolume"
              ],
              "Resource": [
                  "arn:aws:ec2:us-east-1:111122223333:instance/*",
                  "arn:aws:ec2:us-east-1:111122223333:volume/*"
              ],
              "Effect": "Allow"
          },
          {
              "Action": [
                  "cloudformation:DescribeStackResource",
                  "cloudformation:DescribeStacks",
                  "cloudformation:SignalResource"
              ],
              "Resource": "*",
              "Effect": "Allow"
          },
          {
              "Action": "secretsmanager:GetSecretValue",
              "Resource": "arn:aws:secretsmanager:us-east-1:111122223333:secret:<SECRET_ID>",
              "Effect": "Allow"
          }
      ]
  }
  ```

------

#### Amazon S3 access
<a name="iam-roles-in-parallelcluster-v3-cluster-config-headnode-s3access"></a>

[`HeadNode`](HeadNode-v3.md) / [`Iam`](HeadNode-v3.md#HeadNode-v3-Iam) / [`S3Access`](HeadNode-v3.md#yaml-HeadNode-Iam-S3Access) or [`Scheduling`](Scheduling-v3.md) / [`SlurmQueues`](Scheduling-v3.md#Scheduling-v3-SlurmQueues) / [`S3Access`](HeadNode-v3.md#yaml-HeadNode-Iam-S3Access)

In these configuration sections you can customize Amazon S3 access by granting additional Amazon S3 policies to the IAM roles associated with the head node or the compute nodes of the cluster, when such roles are created by AWS ParallelCluster. For more information, see the reference documentation of each configuration parameter.

This parameter can be used only when the user is set up with [privileged IAM access mode](#iam-roles-in-parallelcluster-v3-privileged-iam-access) or [`PermissionsBoundary` mode](#iam-roles-in-parallelcluster-v3-permissionsboundary-mode).

#### Additional IAM policies
<a name="iam-roles-in-parallelcluster-v3-cluster-config-additionaliampolicies"></a>

[`HeadNode`](HeadNode-v3.md) / [`Iam`](HeadNode-v3.md#HeadNode-v3-Iam) / [`AdditionalIamPolicies`](HeadNode-v3.md#yaml-HeadNode-Iam-AdditionalIamPolicies) or [`Scheduling`](Scheduling-v3.md) / [`SlurmQueues`](Scheduling-v3.md#Scheduling-v3-SlurmQueues) / [`Iam`](Scheduling-v3.md#Scheduling-v3-SlurmQueues-Iam) / [`AdditionalIamPolicies`](Scheduling-v3.md#yaml-Scheduling-SlurmQueues-Iam-AdditionalIamPolicies)

Use this option to attach additional managed IAM policies to the IAM roles associated with the head node or the compute nodes of the cluster when such roles are created by AWS ParallelCluster.

**Warning**  
To use this option, make sure the [AWS ParallelCluster user](#iam-roles-in-parallelcluster-v3-user-policy-manage-iam) has been granted `iam:AttachRolePolicy` and `iam:DetachRolePolicy` permissions for the IAM policies that need to be attached.

#### AWS Lambda functions role
<a name="iam-roles-in-parallelcluster-v3-cluster-config-lambdafunctionsrole"></a>

[`Iam`](Iam-v3.md#yaml-Iam-Roles) / [`Roles`](Iam-v3.md#yaml-Iam-Roles) / [`LambdaFunctionsRole`](Iam-v3.md#yaml-Iam-Roles-LambdaFunctionsRole)

This option overrides the role attached to all AWS Lambda functions used during the cluster creation process. AWS Lambda needs to be configured as a principal allowed to assume that role.

**Note**  
If [`DeploymentSettings`](DeploymentSettings-cluster-v3.md) / [`LambdaFunctionsVpcConfig`](DeploymentSettings-cluster-v3.md#DeploymentSettings-cluster-v3-LambdaFunctionsVpcConfig) is set, `LambdaFunctionsRole` must include the [AWS Lambda role permissions](https://docs.aws.amazon.com/lambda/latest/dg/configuration-vpc.html#vpc-permissions) needed to set up the VPC configuration.

The following is the minimal set of policies to be used as part of this role:

------
#### [ JSON ]

****  

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "route53:ListResourceRecordSets",
                "route53:ChangeResourceRecordSets"
            ],
            "Resource": "arn:aws:route53:::hostedzone/*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:logs:us-east-1:111122223333:log-group:/aws/lambda/pcluster-*"
        },
        {
            "Action": "ec2:DescribeInstances",
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": "ec2:TerminateInstances",
            "Condition": {
                "StringEquals": {
                    "ec2:ResourceTag/parallelcluster:node-type": "Compute"
                }
            },
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "s3:DeleteObject",
                "s3:DeleteObjectVersion",
                "s3:ListBucket",
                "s3:ListBucketVersions"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::parallelcluster-*-v1-do-not-delete",
                "arn:aws:s3:::parallelcluster-*-v1-do-not-delete/*"
            ]
        }
    ]
}
```

------

#### Compute node IAM role
<a name="iam-roles-in-parallelcluster-v3-cluster-config-slurmqueues-instanceprofile"></a>

[`Scheduling`](Scheduling-v3.md) / [`SlurmQueues`](Scheduling-v3.md#Scheduling-v3-SlurmQueues) / [`Iam`](Scheduling-v3.md#Scheduling-v3-SlurmQueues-Iam) / [`InstanceRole`](Scheduling-v3.md#yaml-Scheduling-SlurmQueues-Iam-InstanceRole) | [`InstanceProfile`](Scheduling-v3.md#yaml-Scheduling-SlurmQueues-Iam-InstanceProfile)

This option allows you to override the IAM role assigned to the compute nodes of the cluster. For more information, see [`InstanceProfile`](Scheduling-v3.md#yaml-Scheduling-SlurmQueues-Iam-InstanceProfile).

The following is the minimal set of policies to be used as part of this role:
+ `arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy` managed IAM policy. For more information, see [Create IAM roles and users for use with the CloudWatch agent](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/create-iam-roles-for-cloudwatch-agent.html) in the *Amazon CloudWatch User Guide*.
+ `arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore` managed IAM policy. For more information, see [AWS managed policies for AWS Systems Manager](https://docs.aws.amazon.com/systems-manager/latest/userguide/security_iam_service-with-iam.html#managed-policies) in the *AWS Systems Manager User Guide*.
+ Additional IAM policies:

------
#### [ JSON ]

****  

  ```
  {
      "Version": "2012-10-17",
      "Statement": [
          {
              "Action": [
                  "dynamodb:Query",
                  "dynamodb:UpdateItem",
                  "dynamodb:PutItem",
                  "dynamodb:GetItem"
              ],
              "Resource": "arn:aws:dynamodb:us-east-1:111122223333:table/parallelcluster-*",
              "Effect": "Allow"
          },
          {
              "Action": "s3:GetObject",
              "Resource": [
                  "arn:aws:s3:::us-east-1-aws-parallelcluster/*"
              ],
              "Effect": "Allow"
          },
          {
              "Action": "ec2:DescribeInstanceAttribute",
              "Resource": "*",
              "Effect": "Allow"
          },
          {
              "Action": "cloudformation:DescribeStackResource",
              "Resource": [
                  "arn:aws:cloudformation:us-east-1:111122223333:stack/*/*"
              ],
              "Effect": "Allow"
          }
      ]
  }
  ```

------

#### Permissions boundary
<a name="iam-roles-in-parallelcluster-v3-cluster-config-permissionsboundary"></a>

[`Iam`](Iam-v3.md) / [`PermissionsBoundary`](Iam-v3.md#yaml-Iam-PermissionsBoundary)

With this parameter, AWS ParallelCluster enforces that the specified IAM policy is attached as a `PermissionsBoundary` to all IAM roles created as part of the cluster deployment.

For the list of policies required by the user when this setting is defined, see [`PermissionsBoundary` mode](#iam-roles-in-parallelcluster-v3-permissionsboundary-mode).

### Custom image configuration
<a name="iam-roles-in-parallelcluster-v3-custom-image-configuration"></a>

**Topics**
+ [Instance role for EC2 Image Builder](#iam-roles-in-parallelcluster-v3-custom-image-configuration-instancerole)
+ [AWS Lambda cleanup role](#iam-roles-in-parallelcluster-v3-custom-image-configuration-cleanuplambdarole)
+ [Additional IAM policies](#iam-roles-in-parallelcluster-v3-custom-image-configuration-additionaliampolicies)
+ [Permissions boundary](#iam-roles-in-parallelcluster-v3-custom-image-configuration-permissionsboundary)

#### Instance role for EC2 Image Builder
<a name="iam-roles-in-parallelcluster-v3-custom-image-configuration-instancerole"></a>

[`Build`](Build-v3.md) / [`Iam`](Build-v3.md#Build-v3-Iam) / [`InstanceRole`](Build-v3.md#yaml-build-image-Build-Iam-InstanceRole) | [`InstanceProfile`](Build-v3.md#yaml-build-image-Build-Iam-InstanceProfile)

With this option you can override the IAM role assigned to the Amazon EC2 instance that builds the custom AMI.

The following is the minimal set of policies to be used as part of this role:
+ `arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore` managed IAM policy. For more information, see [AWS managed policies for AWS Systems Manager](https://docs.aws.amazon.com/systems-manager/latest/userguide/security_iam_service-with-iam.html#managed-policies) in the *AWS Systems Manager User Guide*.
+ `arn:aws:iam::aws:policy/EC2InstanceProfileForImageBuilder` managed IAM policy. For more information, see [`EC2InstanceProfileForImageBuilder` policy](https://docs.aws.amazon.com/imagebuilder/latest/userguide/security-iam-awsmanpol.html#sec-iam-manpol-EC2InstanceProfileForImageBuilder) in the *Image Builder User Guide*.
+ Additional IAM policies:

------
#### [ JSON ]

****  

  ```
  {
      "Version": "2012-10-17",
      "Statement": [
          {
              "Action": [
                  "ec2:CreateTags",
                  "ec2:ModifyImageAttribute"
              ],
              "Resource": "arn:aws:ec2:us-east-1::image/*",
              "Effect": "Allow"
          }
      ]
  }
  ```

------

#### AWS Lambda cleanup role
<a name="iam-roles-in-parallelcluster-v3-custom-image-configuration-cleanuplambdarole"></a>

[`Build`](Build-v3.md) / [`Iam`](Build-v3.md#Build-v3-Iam) / [`CleanupLambdaRole`](Build-v3.md#yaml-build-image-Build-Iam-CleanupLambdaRole)

This option overrides the role attached to all AWS Lambda functions used during the custom image build process. AWS Lambda needs to be configured as a principal allowed to assume that role.

**Note**  
If [`DeploymentSettings`](DeploymentSettings-build-image-v3.md) / [`LambdaFunctionsVpcConfig`](DeploymentSettings-build-image-v3.md#DeploymentSettings-build-image-v3-LambdaFunctionsVpcConfig) is set, `CleanupLambdaRole` must include the [AWS Lambda role permissions](https://docs.aws.amazon.com/lambda/latest/dg/configuration-vpc.html#vpc-permissions) needed to set up the VPC configuration.

The following is the minimal set of policies to be used as part of this role:
+ `arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole` managed IAM policy. For more information, see [AWS managed policies for Lambda features](https://docs.aws.amazon.com/lambda/latest/dg/lambda-intro-execution-role.html#permissions-executionrole-features) in the *AWS Lambda Developer Guide*.
+ Additional IAM policies:

------
#### [ JSON ]

****  

  ```
  {
      "Version": "2012-10-17",
      "Statement": [
          {
              "Action": [
                  "iam:DetachRolePolicy",
                  "iam:DeleteRole",
                  "iam:DeleteRolePolicy"
              ],
              "Resource": "arn:aws:iam::111122223333:role/parallelcluster/*",
              "Effect": "Allow"
          },
          {
              "Action": [
                  "iam:DeleteInstanceProfile",
                  "iam:RemoveRoleFromInstanceProfile"
              ],
              "Resource": "arn:aws:iam::111122223333:instance-profile/parallelcluster/*",
              "Effect": "Allow"
          },
          {
              "Action": "imagebuilder:DeleteInfrastructureConfiguration",
              "Resource": "arn:aws:imagebuilder:us-east-1:111122223333:infrastructure-configuration/parallelclusterimage-*",
              "Effect": "Allow"
          },
          {
              "Action": [
                  "imagebuilder:DeleteComponent"
              ],
              "Resource": [
                  "arn:aws:imagebuilder:us-east-1:111122223333:component/parallelclusterimage-*/*"
              ],
              "Effect": "Allow"
          },
          {
              "Action": "imagebuilder:DeleteImageRecipe",
              "Resource": "arn:aws:imagebuilder:us-east-1:111122223333:image-recipe/parallelclusterimage-*/*",
              "Effect": "Allow"
          },
          {
              "Action": "imagebuilder:DeleteDistributionConfiguration",
              "Resource": "arn:aws:imagebuilder:us-east-1:111122223333:distribution-configuration/parallelclusterimage-*",
              "Effect": "Allow"
          },
          {
              "Action": [
                  "imagebuilder:DeleteImage",
                  "imagebuilder:GetImage",
                  "imagebuilder:CancelImageCreation"
              ],
              "Resource": "arn:aws:imagebuilder:us-east-1:111122223333:image/parallelclusterimage-*/*",
              "Effect": "Allow"
          },
          {
              "Action": "cloudformation:DeleteStack",
              "Resource": "arn:aws:cloudformation:us-east-1:111122223333:stack/*/*",
              "Effect": "Allow"
          },
          {
              "Action": "ec2:CreateTags",
              "Resource": "arn:aws:ec2:us-east-1::image/*",
              "Effect": "Allow"
          },
          {
              "Action": "tag:TagResources",
              "Resource": "*",
              "Effect": "Allow"
          },
          {
              "Action": [
                  "lambda:DeleteFunction",
                  "lambda:RemovePermission"
              ],
              "Resource": "arn:aws:lambda:us-east-1:111122223333:function:ParallelClusterImage-*",
              "Effect": "Allow"
          },
          {
              "Action": "logs:DeleteLogGroup",
              "Resource": "arn:aws:logs:us-east-1:111122223333:log-group:/aws/lambda/ParallelClusterImage-*:*",
              "Effect": "Allow"
          },
          {
              "Action": [
                  "SNS:GetTopicAttributes",
                  "SNS:DeleteTopic",
                  "SNS:GetSubscriptionAttributes",
                  "SNS:Unsubscribe"
              ],
              "Resource": "arn:aws:sns:us-east-1:111122223333:ParallelClusterImage-*",
              "Effect": "Allow"
          }
      ]
  }
  ```

------

#### Additional IAM policies
<a name="iam-roles-in-parallelcluster-v3-custom-image-configuration-additionaliampolicies"></a>

[`Build`](Build-v3.md) / [`Iam`](Build-v3.md#Build-v3-Iam) / [`AdditionalIamPolicies`](Build-v3.md#yaml-build-image-Build-Iam-AdditionalIamPolicies)

You can use this option to attach additional managed IAM policies to the role associated with the Amazon EC2 instance that builds the custom AMI.

**Warning**  
To use this option, make sure the [AWS ParallelCluster user](#iam-roles-in-parallelcluster-v3-user-policy-manage-iam) has been granted `iam:AttachRolePolicy` and `iam:DetachRolePolicy` permissions for the IAM policies that need to be attached.

#### Permissions boundary
<a name="iam-roles-in-parallelcluster-v3-custom-image-configuration-permissionsboundary"></a>

[`Build`](Build-v3.md) / [`Iam`](Build-v3.md#Build-v3-Iam) / [`PermissionsBoundary`](Build-v3.md#yaml-build-image-Build-Iam-PermissionsBoundary)

With this parameter, AWS ParallelCluster enforces that the specified IAM policy is attached as a `PermissionsBoundary` to all IAM roles created as part of the custom AMI build.

For the list of policies required to use this functionality, see [`PermissionsBoundary` mode](#iam-roles-in-parallelcluster-v3-permissionsboundary-mode).