aws-samples / pcluster-manager

Manage AWS ParallelCluster through an easy to use web interface
https://pcluster.cloud
Apache License 2.0

Policies needed #380

Open StefanA1309 opened 1 year ago

StefanA1309 commented 1 year ago

Hi, it would be nice to have a list of all needed policies before deploying the CloudFormation stack. I went through the process interactively with my admin (deployed stack -> ran into a policy error -> had admin add the policy (repeat until it works)). Thanks, Stefan

mtfranchetto commented 1 year ago

Hello @StefanA1309, does this document help? https://docs.aws.amazon.com/parallelcluster/latest/ug/iam-roles-in-parallelcluster-v3.html

StefanA1309 commented 1 year ago

Hi @mtfranchetto

Maybe we did something wrong, but we started with a user which could create a PC successfully ("standard" one, no batch or image making tested so far). Using this same user to deploy pcluster-manager, we ran into several policy problems.

Comparing the policies we added with the ones in your link (for example, one was iam:PutRolePolicy, where we added the resource '*'), I do see them listed on the web page, so either:

  1. The user deploying pcluster-manager needs more privileges than simply creating a PC (like the image builder feature, which we haven't used so far)
  2. The deployment of pcluster-manager uses resources not covered by the 'standard' setup, like "arn:aws:iam:::instance-profile/parallelcluster/", "arn:aws:iam:::instance-profile/ParallelClusterImage", "arn:aws:iam:::role/parallelcluster/*"

To be clear: we got it to work (*) and really like it, only something is missing in the docs to make the deployment easier. Thanks

(*) The SSM part needed for the Slurm queue doesn't work. I don't really understand that one yet, as SSM is running on the head node. Guess I need more policies for SSM :(

mtfranchetto commented 1 year ago

Yes, correct. The linked resources are for deploying a new PC cluster, not PCluster Manager itself. Right now we don't have the comprehensive permissions set required to launch PCM (as it's a long list), but we may add it in an upcoming release. Is creating PCM stacks with an Admin role a possibility for the time being?

sean-smith commented 1 year ago

Regarding SSM - all you need is to set SSMManagedInstanceCore in the additional policies section. This is automatically added when you enable "Virtual Console" in the UI. Let me know if you can't get this to work. Happy to help - also apologize for the confusion on policies, we'll work to put together a canonical list.
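
An added example (not part of the thread and not the project's code): one way to shorten the deploy / policy error / add policy loop described in this issue is to collect every access-denied reason from the failed stack's events and turn them into one policy document, scoped to the resources actually named, for the admin to review. The event strings are constructed samples in the usual AWS "is not authorized to perform" wording; the account ID, user name and resource names are placeholders.

```python
import json
import re
from collections import defaultdict

# Constructed sample failure reasons (placeholders, not taken from the issue).
# Real ones are the ResourceStatusReason fields returned by
# `aws cloudformation describe-stack-events`.
SAMPLE_EVENTS = [
    "User: arn:aws:iam::111122223333:user/deployer is not authorized to perform: "
    "iam:PutRolePolicy on resource: arn:aws:iam::111122223333:role/parallelcluster/example-role",
    "Resource creation cancelled",
    "User: arn:aws:iam::111122223333:user/deployer is not authorized to perform: "
    "iam:CreateInstanceProfile on resource: "
    "arn:aws:iam::111122223333:instance-profile/parallelcluster/example-profile "
    "because no identity-based policy allows the iam:CreateInstanceProfile action",
    "User: arn:aws:iam::111122223333:user/deployer is not authorized to perform: "
    "iam:PutRolePolicy on resource: arn:aws:iam::111122223333:role/parallelcluster/other-role",
]

DENIED = re.compile(
    r"is not authorized to perform: (?P<action>[\w-]+:[\w*]+)"
    r"(?: on resource: (?P<resource>\S+))?"
)


def collect_denied(reasons):
    """Map each denied IAM action to the set of resources it was denied on."""
    denied = defaultdict(set)
    for reason in reasons:
        match = DENIED.search(reason)
        if match:
            # Fall back to "*" only when the message names no resource.
            resource = (match.group("resource") or "*").rstrip(".,")
            denied[match.group("action")].add(resource)
    return denied


def to_policy(denied):
    """Build a policy document with one statement per denied action."""
    statements = [
        {"Effect": "Allow", "Action": action, "Resource": sorted(resources)}
        for action, resources in sorted(denied.items())
    ]
    return {"Version": "2012-10-17", "Statement": statements}


if __name__ == "__main__":
    print(json.dumps(to_policy(collect_denied(SAMPLE_EVENTS)), indent=2))
```

Because a stack rollback stops at the first failures, the reasons from each failed attempt can be appended to the same list so the final document covers every round.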