Open cartalla opened 1 year ago
The problem is in the Lambda role:
parallelcluster-ui-3-6-1-ParallelClusterApi-9ALFVY8XOAU9-PclusterPolicies-YXC-DefaultParallelClusterIamAdminPolicy-1M144USWNSB2D
I updated the following statement and added a line that doesn't require the policy to start with parallelcluster and I was able to add my policy.
```json
{
  "Action": [
    "iam:PutRolePolicy",
    "iam:DeleteRolePolicy"
  ],
  "Resource": "arn:aws:iam::415233562408:role/parallelcluster/*",
  "Effect": "Allow",
  "Sid": "IamInlinePolicy"
},
{
  "Condition": {
    "ArnLike": {
      "iam:PolicyARN": [
        "arn:aws:iam::415233562408:policy/*",
        "arn:aws:iam::415233562408:policy/parallelcluster*",
        "arn:aws:iam::415233562408:policy/parallelcluster/*",
        "arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy",
        "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore",
        "arn:aws:iam::aws:policy/AWSBatchFullAccess",
        "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess",
        "arn:aws:iam::aws:policy/service-role/AWSBatchServiceRole",
        "arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role",
        "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy",
        "arn:aws:iam::aws:policy/service-role/AmazonEC2SpotFleetTaggingRole",
        "arn:aws:iam::aws:policy/EC2InstanceProfileForImageBuilder",
        "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
      ]
    }
  },
```
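The condition above is what decides whether the UI's Lambda role may call `iam:AttachRolePolicy` for a given policy ARN: IAM matches the requested `iam:PolicyARN` against each listed pattern with `ArnLike` semantics, and the original list only admits customer-managed policies whose name starts with `parallelcluster` (or that sit under a `parallelcluster/` path) plus a fixed set of AWS-managed policies. The posted workaround adds `policy/*`, which lets the role attach any customer-managed policy in the account, which is the privileged-IAM-access trade-off discussed later in this thread. The script below is an added example, not code from the issue or from ParallelCluster: it reproduces the `ArnLike` matching offline so you can see what each variant of the list admits, and it also shows a narrower option (allow-listing just the one policy you need) that is not in the issue. The account ID `111122223333`, the policy name `SlurmDbSecretRead` and the candidate ARNs are constructed placeholders.

```python
"""Offline check of the iam:PolicyARN ArnLike condition that gates
iam:AttachRolePolicy in the ParallelCluster UI Lambda role.

Added example, not code from the issue or from ParallelCluster. The account
ID, the custom policy names and the candidate ARNs are constructed placeholders.
"""
import re

ACCOUNT = "111122223333"  # constructed placeholder account ID

# Subset of the Condition/ArnLike/iam:PolicyARN list quoted in the issue
# (the AWS-managed entries are copied verbatim from that list).
ORIGINAL_ALLOWED = [
    f"arn:aws:iam::{ACCOUNT}:policy/parallelcluster*",
    f"arn:aws:iam::{ACCOUNT}:policy/parallelcluster/*",
    "arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy",
    "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore",
    "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess",
    "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole",
]

# The workaround posted in the issue: one extra wildcard entry.
WIDENED_ALLOWED = [f"arn:aws:iam::{ACCOUNT}:policy/*"] + ORIGINAL_ALLOWED

# Least-privilege alternative (assumed policy name): allow-list only the
# specific customer-managed policy the cluster actually needs.
NARROW_ALLOWED = ORIGINAL_ALLOWED + [f"arn:aws:iam::{ACCOUNT}:policy/SlurmDbSecretRead"]


def arn_like(pattern: str, arn: str) -> bool:
    """ArnLike as IAM evaluates it: case-sensitive, '*' matches any run of
    characters and '?' exactly one, and each of the six colon-delimited ARN
    components is matched on its own, so a wildcard never spans a colon."""
    pat_parts = pattern.split(":", 5)
    arn_parts = arn.split(":", 5)
    if len(pat_parts) != len(arn_parts):
        return False
    for pat, val in zip(pat_parts, arn_parts):
        regex = "".join(
            ".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pat
        )
        if re.fullmatch(regex, val, flags=re.DOTALL) is None:
            return False
    return True


def attach_allowed(policy_arn: str, allowed_patterns) -> bool:
    """A list of condition values is OR-ed: one matching pattern suffices."""
    return any(arn_like(p, policy_arn) for p in allowed_patterns)


def evaluate(candidates, allowed_patterns) -> dict:
    """Map each candidate policy ARN to whether the condition admits it."""
    return {arn: attach_allowed(arn, allowed_patterns) for arn in candidates}


# Constructed candidate ARNs a cluster update might try to attach.
CANDIDATES = [
    f"arn:aws:iam::{ACCOUNT}:policy/parallelcluster-slurmdb",  # name starts with parallelcluster
    f"arn:aws:iam::{ACCOUNT}:policy/SlurmDbSecretRead",        # the one custom policy we need
    f"arn:aws:iam::{ACCOUNT}:policy/GrantIamAdmin",            # a broad policy in the same account
    "arn:aws:iam::aws:policy/AdministratorAccess",             # AWS-managed, never listed
    "arn:aws:iam::999999999999:policy/SlurmDbSecretRead",      # another account
]

if __name__ == "__main__":
    for name, allowed in (("original", ORIGINAL_ALLOWED),
                          ("widened", WIDENED_ALLOWED),
                          ("narrow", NARROW_ALLOWED)):
        print(f"--- {name} ---")
        for arn, ok in evaluate(CANDIDATES, allowed).items():
            print(f"{'ALLOW' if ok else 'DENY '}  {arn}")
```

Running it shows the three outcomes side by side: the original list denies `SlurmDbSecretRead` (the failure this issue is about), the widened list admits it but also admits `GrantIamAdmin` and every other customer-managed policy in the account, and the narrow list admits exactly the policy you added and nothing else. None of the variants admit an AWS-managed policy that is not listed or a policy from another account, because the account component of the ARN is matched separately.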
Hi @cartalla, this is a known issue with PCluster. Look at https://github.com/aws-samples/pcluster-manager/issues/384#issuecomment-1338008307 for more info. There's also another workaround available in the comment. I'm closing the issue for the moment. Feel free to open a new one if you need help.
Why is this closed? This points to an issue in the old pcluster-manager repo, which is superseded by this one. Also, since this is such a simple bug fix, why hasn't it been fixed in the several releases since it was filed? I just hit this again during testing with a new version of pcluster and all I'm doing is following the instructions to use the slurm db.
I have also just hit this issue, so not sure why it is closed! The workaround is very much a workaround, not a fix.
More fundamentally I'm wondering why there is a list of allowed policies that one can attach/detach via the UI in the first place, especially given there is no such restriction when creating/updating a cluster via the CLI. Is it because of the security implications of users assuming the UI IAM role when they are using the UI? It would be good to know what the rationale for this is.
UPDATE: Found this https://docs.aws.amazon.com/parallelcluster/latest/ug/iam-roles-in-parallelcluster-v3.html#iam-roles-in-parallelcluster-v3-privileged-iam-access
Hi @regoawt, thanks for bringing this to our attention. The rationale behind that limitation was security: disabling the privileged IAM access mode by default. That rationale is still valid, but I agree with you all that we should provide a smoother customer experience to enable it. We will let you know here our plans for it.
Thanks for the reply @gmarciani, I can see why this is the default behaviour, makes sense. But yes, looking forward to having an easier way around it!
Description
I tried to add a new IAM policy to the Head node of an existing cluster. When I do I get the following error in the CFN stack for the cluster and the update fails:
Steps to reproduce the issue
Expected behaviour
Update succeeds and new managed policy added to the head node role.
Actual behaviour
Update fails