AWSTemplateFormatVersion: '2010-09-09'

Parameters:
  Region:
    Type: String
    Default: '*'
  CustomIamPathPrefix:
    Description: Use for setting a Path prefix for IAM Role and Instance-profile resources
    Type: String
    Default: 'parallelcluster'
    AllowedValues:
      - 'parallelcluster'
      - 'path-prefix'
  CustomIamNamePrefix:
    Description: Use for setting a Name prefix for IAM Policy resources
    Type: String
    Default: 'parallelcluster'
    AllowedValues:
      - 'parallelcluster'
      - 'name-prefix-'
  EnableIamAdminAccess:
    Description: WARNING - setting this to true grants IAM admin privileges
    Type: String
    Default: true
    AllowedValues:
      - true
      - false
  EnablePermissionsBoundary:
    Description: Force iam:CreateRole and iam:PutRolePolicy to use PermissionsBoundary
    Type: String
    Default: false
    AllowedValues:
      - true
      - false
  EnableFSxS3Access:
    Description: |
      When set to true the ParallelCluster API can access, write to the S3 buckets specified in the Field FsxS3Bucket,
      it is needed to import/export from/to S3 when creating an FSx filesystem.
      NOTE - setting this to true grants the Lambda function S3 Get*, List* and PutObject privileges on the buckets specified in FsxS3Buckets.
    Type: String
    Default: true
    AllowedValues:
      - true
      - false
  FsxS3Buckets:
    Description: |
      Comma separated list of S3 bucket ARNs, to allow the lambda function to import/export from/to S3 when creating an FSx filesystem.
      NOTE - The setting is used only when EnableFSxS3Access is set to true.
      (example arn:aws:s3:::,arn:aws:s3:::)
    Type: String
    Default: 'arn:*:s3:::integ-tests-*'
    AllowedPattern: ^((arn:[a-z\-\*]*:s3:[a-z0-9\-]*:([0-9]{12})*:[^,\s\/]+)?(,arn:[a-z\-\*]*:s3:[a-z0-9\-]*:([0-9]{12})*:[^,\s\/]+)*)$|^\*$
    ConstraintDescription: |
      The list of S3 buckets is incorrectly formatted. The list should have the format: arn::s3:::[,arn::s3:::,...]
      Example: arn:aws:s3:::test-bucket-1,arn:aws:s3:::test-bucket-2,arn:aws:s3:::test-bucket-3

Conditions:
  EnableIamPolicy: !Equals [!Ref EnableIamAdminAccess, true]
  EnablePermissionsBoundary: !Equals [!Ref EnablePermissionsBoundary, true]
  IsMultiRegion: !Equals [!Ref Region, '*']
  CreateIamResources: !Equals [true, true]  # to keep aligned the resources in the API stack
  EnableFSxS3AccessCondition: !And
    - !Equals [!Ref EnableFSxS3Access, true]
    - !Condition CreateIamResources
  UseAllBucketsForFSxS3: !Equals [!Ref FsxS3Buckets, "*"]

Resources:
  ParallelClusterUserRole:
    Type: AWS::IAM::Role
    Properties:
      Path: /parallelcluster/
      AssumeRolePolicyDocument:
        Statement:
          - Effect: Allow
            Action: sts:AssumeRole
            Principal:
              AWS:
                - !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:root'
      ManagedPolicyArns:
        - !Ref ParallelClusterClusterPolicy
        - !Ref ParallelClusterClusterPolicyBatch
        - !Ref ParallelClusterBuildImageManagedPolicy
        - !Ref ParallelClusterDeleteImageManagedPolicy
        - !Ref ParallelClusterListImagesManagedPolicy
        - !Ref ParallelClusterDescribeImageManagedPolicy
        - !Ref ParallelClusterLogRetrievalPolicy
        - !Ref ParallelClusterLoginNodesStack

  ### IAM POLICIES
  DefaultParallelClusterIamAdminPolicy:
    Type: AWS::IAM::ManagedPolicy
    Condition: EnableIamPolicy
    Properties:
      Roles:
        - !Ref ParallelClusterUserRole
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Action:
              - iam:CreateServiceLinkedRole
              - iam:DeleteRole
              - iam:TagRole
            Resource:
              - !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/${CustomIamPathPrefix}/*
            Effect: Allow
            Sid: IamRole
          - Action:
              - iam:CreateRole
            Resource:
              - !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/${CustomIamPathPrefix}/*
            Effect: Allow
            Condition: !If
              - EnablePermissionsBoundary
              - StringEquals:
                  iam:PermissionsBoundary:
                    - !Ref PermissionsBoundaryPolicy
              - !Ref AWS::NoValue
            Sid: IamCreateRole
          - Action:
              - iam:PutRolePolicy
              - iam:DeleteRolePolicy
            Resource: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/${CustomIamPathPrefix}/*
            Effect: Allow
            Sid: IamInlinePolicy
            Condition: !If
              - EnablePermissionsBoundary
              - StringEquals:
                  iam:PermissionsBoundary:
                    - !Ref PermissionsBoundaryPolicy
              - !Ref AWS::NoValue
          - Action:
              - iam:AttachRolePolicy
              - iam:DetachRolePolicy
            Resource: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/${CustomIamPathPrefix}/*
            Condition:
              ArnLike:
                iam:PolicyARN:
                  - !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:policy/${CustomIamNamePrefix}*
                  - !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:policy/${CustomIamNamePrefix}/*
                  - !Sub arn:${AWS::Partition}:iam::aws:policy/CloudWatchAgentServerPolicy
                  - !Sub arn:${AWS::Partition}:iam::aws:policy/AmazonSSMManagedInstanceCore
                  - !Sub arn:${AWS::Partition}:iam::aws:policy/AWSBatchFullAccess
                  - !Sub arn:${AWS::Partition}:iam::aws:policy/AmazonS3ReadOnlyAccess
                  - !Sub arn:${AWS::Partition}:iam::aws:policy/service-role/AWSBatchServiceRole
                  - !Sub arn:${AWS::Partition}:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role
                  - !Sub arn:${AWS::Partition}:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy
                  - !Sub arn:${AWS::Partition}:iam::aws:policy/service-role/AmazonEC2SpotFleetTaggingRole
                  - !Sub arn:${AWS::Partition}:iam::aws:policy/EC2InstanceProfileForImageBuilder
                  - !Sub arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
              StringEquals: !If
                - EnablePermissionsBoundary
                - iam:PermissionsBoundary:
                    - !Ref PermissionsBoundaryPolicy
                - !Ref AWS::NoValue
            Effect: Allow
            Sid: IamPolicy

  ### CLUSTER ACTIONS POLICIES
  ParallelClusterClusterPolicyBatch:
    Type: AWS::IAM::ManagedPolicy
    Condition: CreateIamResources
    Properties:
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Action:
              - iam:PassRole
            Resource:
              - !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/${CustomIamPathPrefix}/*
            Effect: Allow
            Condition:
              StringEqualsIfExists:
                iam:PassedToService:
                  - ecs-tasks.amazonaws.com
                  - batch.amazonaws.com
                  - codebuild.amazonaws.com
            Sid: IamPassRole
          - Action:
              - iam:CreateServiceLinkedRole
              - iam:DeleteServiceLinkedRole
            Resource:
              # AWS Batch creates a service linked role automatically for the ComputeEnvironment
              - !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/aws-service-role/batch.amazonaws.com/*
            Effect: Allow
            Condition:
              StringEquals:
                iam:AWSServiceName:
                  - batch.amazonaws.com
          - Action:
              - codebuild:*
            Resource: !Sub arn:${AWS::Partition}:codebuild:${Region}:${AWS::AccountId}:project/pcluster-*
            Effect: Allow
          - Action:
              - ecr:*
            Resource: '*'
            Effect: Allow
            Condition: !If
              - IsMultiRegion
              - !Ref AWS::NoValue
              - StringEquals:
                  aws:RequestedRegion:
                    - !Ref Region
            Sid: ECR
          - Action:
              - batch:*
            Resource: '*'
            Effect: Allow
            Condition: !If
              - IsMultiRegion
              - !Ref AWS::NoValue
              - StringEquals:
                  aws:RequestedRegion:
                    - !Ref Region
            Sid: Batch
          - Action:
              - events:*
            Effect: Allow
            Condition: !If
              - IsMultiRegion
              - !Ref AWS::NoValue
              - StringEquals:
                  aws:RequestedRegion:
                    - !Ref Region
            Resource: '*'
            Sid: AmazonCloudWatchEvents
          - Action:
              - ecs:DescribeContainerInstances
              - ecs:ListContainerInstances
            Resource: '*'
            Effect: Allow
            Condition: !If
              - IsMultiRegion
              - !Ref AWS::NoValue
              - StringEquals:
                  aws:RequestedRegion:
                    - !Ref Region
            Sid: ECS

  FSxS3AccessPolicy:
    Type: AWS::IAM::Policy
    Condition: EnableFSxS3AccessCondition
    Properties:
      PolicyName: FSxS3AccessPolicy
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Action:
              - iam:CreateServiceLinkedRole
              - iam:AttachRolePolicy
              - iam:PutRolePolicy
            Resource: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/aws-service-role/s3.data-source.lustre.fsx.amazonaws.com/*
            Effect: Allow
            Sid: FSxS3PoliciesAttach
          - Action:
              - s3:Get*
              - s3:List*
              - s3:PutObject
            Resource: !Split
              - ","
              - !If
                - UseAllBucketsForFSxS3
                - "*"
                - !Sub ["${FsxS3Buckets},${FsxS3BucketsObjects}", FsxS3BucketsObjects: !Join ["/*,", !Split [",", !Sub "${FsxS3Buckets}/*"]]]
            Effect: Allow
            Sid: EnableFSxS3Access
      Roles:
        - !Ref ParallelClusterUserRole

  ParallelClusterClusterPolicy:
    Type: AWS::IAM::ManagedPolicy
    Condition: CreateIamResources
    Properties:
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Action:
              - ec2:Describe*
            Resource: '*'
            Effect: Allow
            Condition: !If
              - IsMultiRegion
              - !Ref AWS::NoValue
              - StringEquals:
                  aws:RequestedRegion:
                    - !Ref Region
            Sid: EC2Read
          - Action:
              - ec2:AllocateAddress
              - ec2:AssociateAddress
              - ec2:AttachNetworkInterface
              - ec2:AuthorizeSecurityGroupEgress
              - ec2:AuthorizeSecurityGroupIngress
              - ec2:CreateLaunchTemplate
              - ec2:CreateLaunchTemplateVersion
              - ec2:CreateNetworkInterface
              - ec2:CreatePlacementGroup
              - ec2:CreateSecurityGroup
              - ec2:CreateSnapshot
              - ec2:CreateTags
              - ec2:CreateVolume
              - ec2:DeleteLaunchTemplate
              - ec2:DeleteNetworkInterface
              - ec2:DeletePlacementGroup
              - ec2:DeleteSecurityGroup
              - ec2:DeleteVolume
              - ec2:DisassociateAddress
              - ec2:ModifyLaunchTemplate
              - ec2:ModifyNetworkInterfaceAttribute
              - ec2:ModifyVolume
              - ec2:ModifyVolumeAttribute
              - ec2:ReleaseAddress
              - ec2:RevokeSecurityGroupEgress
              - ec2:RevokeSecurityGroupIngress
              - ec2:RunInstances
              - ec2:TerminateInstances
            Resource: '*'
            Effect: Allow
            Condition: !If
              - IsMultiRegion
              - !Ref AWS::NoValue
              - StringEquals:
                  aws:RequestedRegion:
                    - !Ref Region
            Sid: EC2Write
          - Action:
              - dynamodb:DescribeTable
              - dynamodb:ListTagsOfResource
              - dynamodb:CreateTable
              - dynamodb:DeleteTable
              - dynamodb:GetItem
              - dynamodb:PutItem
              - dynamodb:UpdateItem
              - dynamodb:Query
              - dynamodb:TagResource
            Resource: !Sub arn:${AWS::Partition}:dynamodb:${Region}:${AWS::AccountId}:table/parallelcluster-*
            Effect: Allow
            Sid: DynamoDB
          - Action:
              - route53:ChangeResourceRecordSets
              - route53:ChangeTagsForResource
              - route53:CreateHostedZone
              - route53:DeleteHostedZone
              - route53:GetChange
              - route53:GetHostedZone
              - route53:ListResourceRecordSets
              - route53:ListQueryLoggingConfigs
            Resource: '*'
            Effect: Allow
            Sid: Route53HostedZones
          - Action:
              - cloudformation:*
            Resource: '*'
            Effect: Allow
            Condition: !If
              - IsMultiRegion
              - !Ref AWS::NoValue
              - StringEquals:
                  aws:RequestedRegion:
                    - !Ref Region
            Sid: CloudFormation
          - Action:
              - cloudwatch:PutDashboard
              - cloudwatch:ListDashboards
              - cloudwatch:DeleteDashboards
              - cloudwatch:GetDashboard
              - cloudwatch:PutMetricAlarm
              - cloudwatch:DeleteAlarms
              - cloudwatch:DescribeAlarms
            Resource: '*'
            Effect: Allow
            Condition: !If
              - IsMultiRegion
              - !Ref AWS::NoValue
              - StringEquals:
                  aws:RequestedRegion:
                    - !Ref Region
            Sid: CloudWatch
          - Action:
              - iam:GetRole
              - iam:GetRolePolicy
              - iam:GetPolicy
              - iam:SimulatePrincipalPolicy
              - iam:GetInstanceProfile
            Resource:
              - !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/*
              - !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:policy/*
              - !Sub arn:${AWS::Partition}:iam::aws:policy/*
              - !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:instance-profile/*
            Effect: Allow
            Sid: IamRead
          - Action:
              - iam:CreateInstanceProfile
              - iam:DeleteInstanceProfile
              - iam:AddRoleToInstanceProfile
              - iam:RemoveRoleFromInstanceProfile
            Resource:
              - !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:instance-profile/${CustomIamPathPrefix}/*
            Effect: Allow
            Sid: IamInstanceProfile
          - Action:
              - iam:PassRole
            Resource:
              - !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/${CustomIamPathPrefix}/*
            Effect: Allow
            Condition:
              StringEqualsIfExists:
                iam:PassedToService:
                  - lambda.amazonaws.com
                  - ec2.amazonaws.com
                  - ec2.amazonaws.com.cn
                  - spotfleet.amazonaws.com
            Sid: IamPassRole
          - Action:
              - iam:CreateServiceLinkedRole
              - iam:DeleteServiceLinkedRole
            Resource: '*'
            Effect: Allow
            Condition:
              StringEquals:
                iam:AWSServiceName:
                  - fsx.amazonaws.com
                  - s3.data-source.lustre.fsx.amazonaws.com
          - Action:
              - lambda:CreateFunction
              - lambda:TagResource
              - lambda:DeleteFunction
              - lambda:GetFunctionConfiguration
              - lambda:GetFunction
              - lambda:InvokeFunction
              - lambda:AddPermission
              - lambda:RemovePermission
              - lambda:UpdateFunctionConfiguration
              - lambda:ListTags
              - lambda:UntagResource
            Resource:
              - !Sub arn:${AWS::Partition}:lambda:${Region}:${AWS::AccountId}:function:parallelcluster-*
              - !Sub arn:${AWS::Partition}:lambda:${Region}:${AWS::AccountId}:function:pcluster-*
            Effect: Allow
            Sid: Lambda
          - Action:
              - s3:*
            Resource:
              - !Sub arn:${AWS::Partition}:s3:::parallelcluster-*
              - !Sub arn:${AWS::Partition}:s3:::aws-parallelcluster-*
            Effect: Allow
            Condition: !If
              - IsMultiRegion
              - !Ref AWS::NoValue
              - StringEquals:
                  aws:RequestedRegion:
                    - !Ref Region
            Sid: S3ResourcesBucket
          - Action:
              - s3:Get*
              - s3:List*
            Resource: !Sub arn:${AWS::Partition}:s3:::${Region}-aws-parallelcluster*
            Effect: Allow
            Condition: !If
              - IsMultiRegion
              - !Ref AWS::NoValue
              - StringEquals:
                  aws:RequestedRegion:
                    - !Ref Region
            Sid: S3ParallelClusterReadOnly
          - Action:
              - fsx:*
            Resource:
              - !Sub arn:${AWS::Partition}:fsx:${Region}:${AWS::AccountId}:*
            Effect: Allow
            Sid: FSx
          - Action:
              - elasticfilesystem:*
            Resource:
              - !Sub arn:${AWS::Partition}:elasticfilesystem:${Region}:${AWS::AccountId}:*
            Effect: Allow
            Sid: EFS
          - Action:
              - logs:DeleteLogGroup
              - logs:PutRetentionPolicy
              - logs:DescribeLogGroups
              - logs:CreateLogGroup
              - logs:TagResource
              - logs:UntagResource
              - logs:DescribeMetricFilters
              - logs:PutMetricFilter
              - logs:deleteMetricFilter
            Resource: '*'
            Effect: Allow
            Condition: !If
              - IsMultiRegion
              - !Ref AWS::NoValue
              - StringEquals:
                  aws:RequestedRegion:
                    - !Ref Region
            Sid: CloudWatchLogs
          - Action:
              - resource-groups:ListGroupResources
              - resource-groups:GetGroupConfiguration
            Resource: '*'
            Effect: Allow
            Sid: ResourceGroupRead
          - Action: "secretsmanager:GetSecretValue"
            Resource: !Sub arn:${AWS::Partition}:secretsmanager:${Region}:${AWS::AccountId}:secret:*
            Effect: Allow
            Sid: DirectoryServicePasswordReadFromSecretsManager
          - Action: "ssm:GetParameter"
            Resource: !Sub arn:${AWS::Partition}:ssm:${Region}:${AWS::AccountId}:parameter/*
            Effect: Allow
            Sid: DirectoryServicePasswordReadFromSsm

  ### IMAGE ACTIONS POLICIES
  ParallelClusterBuildImageManagedPolicy:
    Type: AWS::IAM::ManagedPolicy
    Condition: CreateIamResources
    Properties:
      Description: Managed policy to execute pcluster build-image command without IAM permission
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: EC2
            Effect: Allow
            Action:
              - ec2:DescribeImages
              - ec2:DescribeInstanceTypeOfferings
              - ec2:DescribeInstanceTypes
            Resource: '*'
          - Sid: IAM
            Effect: Allow
            Action:
              - iam:CreateInstanceProfile
              - iam:AddRoleToInstanceProfile
              - iam:GetRole
              - iam:GetRolePolicy
              - iam:GetInstanceProfile
            Resource:
              - !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:instance-profile/${CustomIamPathPrefix}/*'
              - !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:instance-profile/ParallelClusterImage*'
              - !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:role/${CustomIamPathPrefix}/*'
          - Sid: IAMPassRole
            Effect: Allow
            Action:
              - iam:PassRole
            Resource:
              - !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:instance-profile/${CustomIamPathPrefix}/*'
              - !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:role/${CustomIamPathPrefix}/*'
            Condition:
              StringEquals:
                iam:PassedToService:
                  - lambda.amazonaws.com
                  - ec2.amazonaws.com
                  - ec2.amazonaws.com.cn
          - Sid: CloudWatch
            Effect: Allow
            Action:
              - logs:CreateLogGroup
              - logs:TagResource
              - logs:UntagResource
            Resource:
              - !Sub 'arn:${AWS::Partition}:logs:${Region}:${AWS::AccountId}:log-group:/aws/lambda/ParallelClusterImage-*'
          - Sid: CloudFormation
            Effect: Allow
            Action:
              - cloudformation:DescribeStacks
              - cloudformation:CreateStack
            Resource:
              - !Sub 'arn:${AWS::Partition}:cloudformation:${Region}:${AWS::AccountId}:stack/*'
          - Sid: Lambda
            Effect: Allow
            Action:
              - lambda:CreateFunction
              - lambda:TagResource
              - lambda:GetFunction
              - lambda:AddPermission
            Resource:
              - !Sub 'arn:${AWS::Partition}:lambda:${Region}:${AWS::AccountId}:function:ParallelClusterImage-*'
          - Sid: ImageBuilderGet
            Effect: Allow
            Action:
              - imagebuilder:Get*
            Resource: '*'
          - Sid: ImageBuilder
            Effect: Allow
            Action:
              - imagebuilder:CreateImage
              - imagebuilder:TagResource
              - imagebuilder:CreateImageRecipe
              - imagebuilder:CreateComponent
              - imagebuilder:CreateDistributionConfiguration
              - imagebuilder:CreateInfrastructureConfiguration
            Resource:
              - !Sub 'arn:${AWS::Partition}:imagebuilder:${Region}:${AWS::AccountId}:image/parallelclusterimage-*'
              - !Sub 'arn:${AWS::Partition}:imagebuilder:${Region}:${AWS::AccountId}:image-recipe/parallelclusterimage-*'
              - !Sub 'arn:${AWS::Partition}:imagebuilder:${Region}:${AWS::AccountId}:component/parallelclusterimage-*'
              - !Sub 'arn:${AWS::Partition}:imagebuilder:${Region}:${AWS::AccountId}:distribution-configuration/parallelclusterimage-*'
              - !Sub 'arn:${AWS::Partition}:imagebuilder:${Region}:${AWS::AccountId}:infrastructure-configuration/parallelclusterimage-*'
          - Sid: S3Bucket
            Effect: Allow
            Action:
              - s3:CreateBucket
              - s3:ListBucket
            Resource:
              - !Sub 'arn:${AWS::Partition}:s3:::parallelcluster-*'
          - Sid: SNS
            Effect: Allow
            Action:
              - sns:GetTopicAttributes
              - sns:TagResource
              - sns:CreateTopic
              - sns:Subscribe
              - sns:Publish
            Resource:
              - !Sub 'arn:${AWS::Partition}:sns:${Region}:${AWS::AccountId}:ParallelClusterImage-*'
          - Sid: S3Objects
            Effect: Allow
            Action:
              - s3:PutObject
              - s3:GetObject
            Resource:
              - !Sub 'arn:${AWS::Partition}:s3:::parallelcluster-*/*'
          - Action:
              - iam:CreateServiceLinkedRole
            Resource:
              - !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/aws-service-role/imagebuilder.amazonaws.com/AWSServiceRoleForImageBuilder
            Effect: Allow
            Condition:
              StringLike:
                iam:AWSServiceName:
                  - imagebuilder.amazonaws.com

  ParallelClusterDeleteImageManagedPolicy:
    Type: AWS::IAM::ManagedPolicy
    Condition: CreateIamResources
    Properties:
      Description: Managed policy to execute pcluster delete-image command without IAM permission
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: EC2
            Effect: Allow
            Action:
              - ec2:DeregisterImage
              - ec2:DescribeImages
              - ec2:DeleteSnapshot
            Resource: '*'
          - Sid: IAM
            Effect: Allow
            Action:
              - iam:RemoveRoleFromInstanceProfile
            Resource:
              - !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:instance-profile/${CustomIamPathPrefix}/*'
              - !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:role/${CustomIamPathPrefix}/*'
          - Sid: ImageBuilder
            Effect: Allow
            Action:
              - imagebuilder:DeleteImage
              - imagebuilder:GetImage
              - imagebuilder:CancelImageCreation
              - imagebuilder:DeleteComponent
              - imagebuilder:DeleteImageRecipe
              - imagebuilder:DeleteInfrastructureConfiguration
              - imagebuilder:DeleteDistributionConfiguration
            Resource:
              - !Sub 'arn:${AWS::Partition}:imagebuilder:${Region}:${AWS::AccountId}:image/parallelclusterimage-*'
              - !Sub 'arn:${AWS::Partition}:imagebuilder:${Region}:${AWS::AccountId}:image-recipe/parallelclusterimage-*'
              - !Sub 'arn:${AWS::Partition}:imagebuilder:${Region}:${AWS::AccountId}:component/parallelclusterimage-*'
              - !Sub 'arn:${AWS::Partition}:imagebuilder:${Region}:${AWS::AccountId}:distribution-configuration/parallelclusterimage-*'
              - !Sub 'arn:${AWS::Partition}:imagebuilder:${Region}:${AWS::AccountId}:infrastructure-configuration/parallelclusterimage-*'
          - Sid: CloudFormation
            Effect: Allow
            Action:
              - cloudformation:DescribeStacks
              - cloudformation:DeleteStack
            Resource:
              - !Sub 'arn:${AWS::Partition}:cloudformation:${Region}:${AWS::AccountId}:stack/*'
          - Sid: Lambda
            Effect: Allow
            Action:
              - lambda:RemovePermission
              - lambda:DeleteFunction
              - lambda:AddPermission
            Resource:
              - !Sub 'arn:${AWS::Partition}:lambda:${Region}:${AWS::AccountId}:function:ParallelClusterImage-*'
          - Sid: SNS
            Effect: Allow
            Action:
              - SNS:DeleteTopic
              - SNS:Unsubscribe
              - SNS:GetTopicAttributes
            Resource:
              - !Sub 'arn:${AWS::Partition}:sns:${Region}:${AWS::AccountId}:ParallelClusterImage-*'
          - Sid: S3Bucket
            Effect: Allow
            Action:
              - s3:ListBucket
              - s3:ListBucketVersions
            Resource:
              - !Sub 'arn:${AWS::Partition}:s3:::parallelcluster-*'
          - Sid: S3Objects
            Effect: Allow
            Action:
              - s3:PutObject
              - s3:GetObject
              - s3:GetObjectVersion
              - s3:DeleteObject
              - s3:DeleteObjectVersion
            Resource:
              - !Sub 'arn:${AWS::Partition}:s3:::parallelcluster-*/*'
          - Sid: CloudWatch
            Effect: Allow
            Action:
              - logs:DeleteLogGroup
            Resource:
              - !Sub 'arn:${AWS::Partition}:logs:${Region}:${AWS::AccountId}:log-group:/aws/imagebuilder/ParallelClusterImage-*'
              - !Sub 'arn:${AWS::Partition}:logs:${Region}:${AWS::AccountId}:log-group:/aws/lambda/ParallelClusterImage-*'

  ParallelClusterListImagesManagedPolicy:
    Type: AWS::IAM::ManagedPolicy
    Condition: CreateIamResources
    Properties:
      Description: Managed policy to execute pcluster list-images command
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: EC2
            Effect: Allow
            Action:
              - ec2:DescribeImages
            Resource: '*'
          - Sid: CloudFormation
            Effect: Allow
            Action:
              - cloudformation:DescribeStacks
            Resource:
              - '*'

  ParallelClusterDescribeImageManagedPolicy:
    Type: AWS::IAM::ManagedPolicy
    Condition: CreateIamResources
    Properties:
      Description: Managed policy to execute pcluster describe-image command
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: EC2
            Effect: Allow
            Action:
              - ec2:DescribeImages
            Resource: '*'
          - Sid: CloudFormation
            Effect: Allow
            Action:
              - cloudformation:DescribeStacks
            Resource:
              - !Sub 'arn:${AWS::Partition}:cloudformation:${Region}:${AWS::AccountId}:stack/*'

  ### LOG COMMANDS
  ParallelClusterLogRetrievalPolicy:
    Type: AWS::IAM::ManagedPolicy
    Condition: CreateIamResources
    Properties:
      Description: Policies needed to retrieve cluster and images logs
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Action:
              - logs:DescribeLogGroups
              - logs:FilterLogEvents
              - logs:GetLogEvents
              - logs:CreateExportTask
              - logs:DescribeLogStreams
              - logs:DescribeExportTasks
            Resource: '*'
            Effect: Allow
            Condition: !If
              - IsMultiRegion
              - !Ref AWS::NoValue
              - StringEquals:
                  aws:RequestedRegion:
                    - !Ref Region

  ### LOGIN NODES ACTIONS
  ParallelClusterLoginNodesStack:
    Type: AWS::IAM::ManagedPolicy
    Condition: CreateIamResources
    Properties:
      Description: Policies needed to create LoginNodes stack
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Action:
              - autoscaling:CreateAutoScalingGroup
              - autoscaling:DeleteAutoScalingGroup
              - autoscaling:DescribeAutoScalingGroups
              - autoscaling:DescribeLifecycleHooks
              - autoscaling:DescribeScalingActivities
              - autoscaling:PutLifecycleHook
              - autoscaling:UpdateAutoScalingGroup
              - elasticloadbalancing:AddTags
              - elasticloadbalancing:CreateListener
              - elasticloadbalancing:CreateLoadBalancer
              - elasticloadbalancing:CreateTargetGroup
              - elasticloadbalancing:DeleteListener
              - elasticloadbalancing:DeleteLoadBalancer
              - elasticloadbalancing:DeleteTargetGroup
              - elasticloadbalancing:DescribeListeners
              - elasticloadbalancing:DescribeLoadBalancers
              - elasticloadbalancing:DescribeTargetGroups
              - elasticloadbalancing:ModifyLoadBalancerAttributes
            Resource: '*'
            Effect: Allow

  ### INTEG-TESTS POLICIES
  IntegTestsPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      Roles:
        - !Ref ParallelClusterUserRole
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          # Required to test AdditionalIamPolicies
          - Action:
              - iam:AttachRolePolicy
              - iam:DetachRolePolicy
            Resource:
              - !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/${CustomIamPathPrefix}/*
              # Needed to enable capacity reservation access without creating a custom policy in tests
              - !Sub arn:${AWS::Partition}:iam::aws:policy/AmazonEC2FullAccess
            Effect: Allow
          # Required to use KMS encryption key in tests
          - Action:
              - kms:DescribeKey
              - kms:Decrypt
              - kms:GenerateDataKeyWithoutPlainText
              - kms:ReEncrypt
            Resource: '*'
            Effect: Allow
          - Action:
              - kms:CreateGrant
            Resource: '*'
            Effect: Allow
            Condition:
              Bool:
                kms:GrantIsForAWSResource: true
          # Required to use test bucket (e.g. to test pre/post_install scripts)
          - Action:
              - s3:*
            Resource:
              - !Sub arn:${AWS::Partition}:s3:::integ-tests-*
            Effect: Allow
          - Action:
              - cloudwatch:GetMetricData
            Resource: '*'
            Effect: Allow

  ### PERMISSIONS BOUNDARY
  PermissionsBoundaryPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Action:
              - route53:ListResourceRecordSets
              - route53:ChangeResourceRecordSets
            Effect: Allow
            Resource: !Sub arn:${AWS::Partition}:route53:::hostedzone/*
          - Action:
              - logs:CreateLogStream
              - logs:PutLogEvents
            Effect: Allow
            Resource: !Sub arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:*
          - Action:
              - dynamodb:DescribeTable
              - dynamodb:Query
              - dynamodb:GetItem
              - dynamodb:PutItem
              - dynamodb:UpdateItem
              - dynamodb:BatchWriteItem
            Resource: !Sub arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/parallelcluster-*
            Effect: Allow
          - Action: ec2:DescribeInstances
            Effect: Allow
            Resource: '*'
          - Action: ec2:TerminateInstances
            Condition:
              StringEquals:
                ec2:ResourceTag/parallelcluster:node-type: ComputeNode
            Effect: Allow
            Resource: '*'
          - Action:
              - s3:GetObject
            Effect: Allow
            Resource:
              - !Sub arn:${AWS::Partition}:s3:::${AWS::Region}-aws-parallelcluster/*
              - !Sub arn:${AWS::Partition}:s3:::dcv-license.${AWS::Region}/*
          - Action: ec2:RunInstances
            Resource: '*'
            Effect: Allow
          - Action:
              - iam:PassRole
            Resource:
              - !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/${CustomIamPathPrefix}/*
            Effect: Allow
            Condition:
              StringEquals:
                iam:PassedToService:
                  - ec2.amazonaws.com
                  - ec2.amazonaws.com.cn
                  - batch.amazonaws.com
          - Action:
              - ec2:DescribeInstances
              - ec2:DescribeInstanceStatus
              - ec2:CreateTags
              - ec2:DescribeVolumes
              - ec2:AttachVolume
              - ec2:DescribeInstanceAttribute
            Effect: Allow
            Resource: '*'
          - Action:
              - cloudformation:DescribeStackResource
              - cloudformation:SignalResource
              - cloudformation:DescribeStacks
            Effect: Allow
            Resource: '*'
          - Action:
              - s3:DeleteObject
              - s3:DeleteObjectVersion
              - s3:ListBucket
              - s3:ListBucketVersions
              - s3:GetObject
              - s3:PutObject
              - s3:GetObjectVersion
            Effect: Allow
            Resource:
              - !Sub arn:${AWS::Partition}:s3:::parallelcluster-*-v1-do-not-delete
              - !Sub arn:${AWS::Partition}:s3:::parallelcluster-*-v1-do-not-delete/*
          - Action:
              - ecr:BatchDeleteImage
              - ecr:ListImages
            Effect: Allow
            Resource: !Sub arn:${AWS::Partition}:ecr:${AWS::Region}:${AWS::AccountId}:repository/*parallelcluster*
          - Action:
              - codebuild:BatchGetBuilds
              - codebuild:StartBuild
            Effect: Allow
            Resource: !Sub arn:${AWS::Partition}:codebuild:${AWS::Region}:${AWS::AccountId}:project/pcluster-*
          # Image Build
          - Action:
              - iam:DetachRolePolicy
              - iam:DeleteRole
              - iam:DeleteRolePolicy
            Resource: !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:role/${CustomIamPathPrefix}/*'
            Effect: Allow
          - Action:
              - iam:DeleteInstanceProfile
              - iam:RemoveRoleFromInstanceProfile
            Resource: !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:instance-profile/${CustomIamPathPrefix}/*'
            Effect: Allow
          - Action: imagebuilder:DeleteInfrastructureConfiguration
            Resource: !Sub 'arn:${AWS::Partition}:imagebuilder:${AWS::Region}:${AWS::AccountId}:infrastructure-configuration/parallelclusterimage-*'
            Effect: Allow
          - Action:
              - imagebuilder:DeleteComponent
            Resource:
              - !Sub 'arn:${AWS::Partition}:imagebuilder:${AWS::Region}:${AWS::AccountId}:component/parallelclusterimage-*/*'
            Effect: Allow
          - Action: imagebuilder:DeleteImageRecipe
            Resource: !Sub 'arn:${AWS::Partition}:imagebuilder:${AWS::Region}:${AWS::AccountId}:image-recipe/parallelclusterimage-*/*'
            Effect: Allow
          - Action: imagebuilder:DeleteDistributionConfiguration
            Resource: !Sub 'arn:${AWS::Partition}:imagebuilder:${AWS::Region}:${AWS::AccountId}:distribution-configuration/parallelclusterimage-*'
            Effect: Allow
          - Action:
              - imagebuilder:DeleteImage
              - imagebuilder:GetImage
              - imagebuilder:CancelImageCreation
            Resource: !Sub 'arn:${AWS::Partition}:imagebuilder:${AWS::Region}:${AWS::AccountId}:image/parallelclusterimage-*/*'
            Effect: Allow
          - Action: cloudformation:DeleteStack
            Resource: !Sub 'arn:${AWS::Partition}:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/*/*'
            Effect: Allow
          - Action: ec2:CreateTags
            Resource: !Sub 'arn:${AWS::Partition}:ec2:${AWS::Region}::image/*'
            Effect: Allow
          - Action: tag:TagResources
            Resource: '*'
            Effect: Allow
          - Action:
              - lambda:DeleteFunction
              - lambda:RemovePermission
            Resource: !Sub 'arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}:function:ParallelClusterImage-*'
            Effect: Allow
          - Action: logs:DeleteLogGroup
            Resource: !Sub 'arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/ParallelClusterImage-*:*'
            Effect: Allow
          - Action:
              - SNS:GetTopicAttributes
              - SNS:DeleteTopic
              - SNS:GetSubscriptionAttributes
              - SNS:Unsubscribe
            Resource: !Sub 'arn:${AWS::Partition}:sns:${AWS::Region}:${AWS::AccountId}:ParallelClusterImage-*'
            Effect: Allow
          - Action:
              - ec2:CreateTags
              - ec2:ModifyImageAttribute
            Resource: !Sub 'arn:${AWS::Partition}:ec2:${AWS::Region}::image/*'
            Effect: Allow
          # From arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore
          - Effect: Allow
            Action:
              - ssm:DescribeAssociation
              - ssm:GetDeployablePatchSnapshotForInstance
              - ssm:GetDocument
              - ssm:DescribeDocument
              - ssm:GetManifest
              - ssm:GetParameter
              - ssm:GetParameters
              - ssm:ListAssociations
              - ssm:ListInstanceAssociations
              - ssm:PutInventory
              - ssm:PutComplianceItems
              - ssm:PutConfigurePackageResult
              - ssm:UpdateAssociationStatus
              - ssm:UpdateInstanceAssociationStatus
              - ssm:UpdateInstanceInformation
            Resource: "*"
          - Effect: Allow
            Action:
              - ssmmessages:CreateControlChannel
              - ssmmessages:CreateDataChannel
              - ssmmessages:OpenControlChannel
              - ssmmessages:OpenDataChannel
            Resource: "*"
          - Effect: Allow
            Action:
              - ec2messages:AcknowledgeMessage
              - ec2messages:DeleteMessage
              - ec2messages:FailMessage
              - ec2messages:GetEndpoint
              - ec2messages:GetMessages
              - ec2messages:SendReply
            Resource: "*"
          # From arn:aws:iam::aws:policy/EC2InstanceProfileForImageBuilder
          - Effect: Allow
            Action:
              - imagebuilder:GetComponent
            Resource: "*"
          - Effect: Allow
            Action:
              - kms:Decrypt
            Resource: "*"
            Condition:
              ForAnyValue:StringEquals:
                kms:EncryptionContextKeys: aws:imagebuilder:arn
                aws:CalledVia:
                  - imagebuilder.amazonaws.com
          - Effect: Allow
            Action:
              - s3:GetObject
            Resource: !Sub arn:${AWS::Partition}:s3:::ec2imagebuilder*
          - Effect: Allow
            Action:
              - logs:CreateLogStream
              - logs:CreateLogGroup
              - logs:PutLogEvents
              - logs:TagResource
              - logs:UntagResource
            Resource: !Sub arn:${AWS::Partition}:logs:*:*:log-group:/aws/imagebuilder/*
          - Effect: Allow
            Action:
              - cloudwatch:PutDashboard
              - cloudwatch:ListDashboards
              - cloudwatch:DeleteDashboards
              - cloudwatch:GetDashboard
              - cloudwatch:PutMetricAlarm
              - cloudwatch:DeleteAlarms
              - cloudwatch:DescribeAlarms
            Resource: "*"
          # TODO: Refactor it, commented out now to work around the "exceeds quota for PolicySize: 6144" limit
          # - Effect: Allow
          #   Action:
          #     - logs:DescribeMetricFilters
          #     - logs:PutMetricFilter
          #     - logs:deleteMetricFilter
          #   Resource: "*"

Outputs:
  ParallelClusterUserRole:
    Value: !GetAtt ParallelClusterUserRole.Arn