This repository has been archived by the owner on Mar 13, 2023. It is now read-only.

Polices needed #380

Open
StefanA1309 opened this issue Dec 1, 2022 · 4 comments

@StefanA1309

Hi
It would be nice to have a list of all needed policies before deploying the CloudFormation stack.
I went through the process interactively with my admin (deployed stack -> ran into a policy error -> had admin add the policy (repeat until it works)).
Thanks
Stefan

@mtfranchetto
Contributor

@mtfranchetto mtfranchetto self-assigned this Dec 2, 2022
@StefanA1309
Author

Hi @mtfranchetto

Maybe we did something wrong, but we started with a user who could create a PC successfully ("standard" one, no batch or image making tested so far).
Using this same user to deploy pcluster-manager, we ran into several policy problems.

Comparing the policies we added with the ones in your link (for example, one was iam:PutRolePolicy, where we added the resource '*'), I do see them listed on the web page, so either:

  1. The user deploying pcluster-manager needs more privileges than simply creating a PC (like the image builder feature, which we haven't used so far)
  2. The deployment of pcluster-manager uses resources not covered by the 'standard' setup, like
    "arn:aws:iam:::instance-profile/parallelcluster/",
    "arn:aws:iam:::instance-profile/ParallelClusterImage",
    "arn:aws:iam:::role/parallelcluster/*"

To be clear: we got it to work (*) and really like it; only something is missing in the docs to make the deployment easier.
Thanks

(*) The SSM part needed for the Slurm queue doesn't work; I don't really understand that one yet, as SSM is running on the head node. Guess I need more policies for SSM :(
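
An added example, not part of the original thread or of the pcluster-manager project: one way to turn the deploy, fail, add-policy loop described above into a reviewable policy, by collecting the denied actions from stack event messages and scoping each to a path prefix instead of '*'. The event messages are constructed samples (made-up account ID, user and resource names) in the usual "is not authorized to perform" form, and the function names are hypothetical.

```python
import json
import re
from collections import defaultdict

# Constructed sample: status reasons in the shape CloudFormation stack events
# report for IAM denials. Account ID, user and resource names are made up.
SAMPLE_EVENTS = [
    "User: arn:aws:iam::111122223333:user/deployer is not authorized to perform: "
    "iam:PutRolePolicy on resource: arn:aws:iam::111122223333:role/parallelcluster/example-role",
    "User: arn:aws:iam::111122223333:user/deployer is not authorized to perform: "
    "iam:CreateInstanceProfile on resource: "
    "arn:aws:iam::111122223333:instance-profile/parallelcluster/example-profile",
    "Resource creation cancelled",
    "User: arn:aws:iam::111122223333:user/deployer is not authorized to perform: "
    "iam:PutRolePolicy on resource: arn:aws:iam::111122223333:role/parallelcluster/other-role "
    "because no identity-based policy allows the iam:PutRolePolicy action",
]

DENIED = re.compile(
    r"is not authorized to perform: (?P<action>[\w-]+:\w+)"
    r"(?: on resource: (?P<resource>\S+))?"
)

def scope(arn):
    """Heuristic: widen a denied ARN to its path prefix (.../parallelcluster/*), never to '*'."""
    head, sep, _ = arn.rpartition("/")
    return f"{head}/*" if sep else arn

def collect_denials(messages):
    """Map each scoped resource to the set of actions denied on it."""
    by_resource = defaultdict(set)
    for msg in messages:
        m = DENIED.search(msg)
        if m:
            # A denial that names no resource stays at '*' so it stands out in review.
            by_resource[scope(m["resource"] or "*")].add(m["action"])
    return by_resource

def build_policy(messages):
    """Emit one statement per resource scope, sorted for stable review diffs."""
    statements = [
        {"Effect": "Allow", "Action": sorted(actions), "Resource": resource}
        for resource, actions in sorted(collect_denials(messages).items())
    ]
    return {"Version": "2012-10-17", "Statement": statements}

if __name__ == "__main__":
    print(json.dumps(build_policy(SAMPLE_EVENTS), indent=2))
```

The output is a draft for an administrator to review, since a path-prefix scope may still be broader than the deployment needs.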

@mtfranchetto
Contributor

Yes, correct. The linked resources are for deploying a new PC cluster, not PCluster Manager itself.
Right now we don't have the comprehensive permissions set required to launch PCM (as it's a long list), but we may add it in an upcoming release.
Is creating PCM stacks with an Admin role a possibility for the time being?

@sean-smith
Contributor

Regarding SSM - all you need is to set SSMManagedInstanceCore in the additional policies section. This is automatically added when you enable "Virtual Console" in the UI. Let me know if you can't get this to work. Happy to help - I also apologize for the confusion on policies; we'll work to put together a canonical list.

@sean-smith sean-smith added the documentation Improvements or additions to documentation label Dec 5, 2022