Closed fabfacts closed 4 years ago
Hello @extremoburo,
You need to provide S3 full access IAM ROLE. https://console.aws.amazon.com/iam/home?region=ap-southeast-2#/roles , CREATE ROLE HERE.
First of all, create your cluster with this command: pcluster create clustername --norollback, then ssh into your master node and send the content of the cfn-init.log file.
Hello @Palak-15
Thanks for replying. Well, it's not due to S3, as it fails before that; no master instance is created. From the stack on CloudFormation I could check that it happens in the nested substack "FSXSubstack" and the error is clear:
Embedded stack arn:aws:cloudformation:us-east-1:123456:stack/parallelcluster-burotest-FSXSubstack-1234/1234 was not successfully created: The following resource(s) failed to create: [FileSystem].
In more detail:
User: arn:aws:iam::1234:user/cfnclustermanager is not authorized to perform: fsx:CreateFileSystem on resource: arn:aws:fsx:us-east-1:1234:file-system/* (Service: AmazonFSx; Status Code: 400; Error Code: AccessDeniedException; Request ID: 1234)
That's why I'm thinking I need to add or update the User policy to my custom role, at least adding "fsx:CreateFileSystem" permissions, but I fear it's not the only one.
If there is a way to check missing permissions without actually creating/deleting a cluster for every change, it would be appreciated; it will save some money and time. For instance, I could create the cluster without a custom role, thus using admin full permissions, and see what policies/roles are auto-created. It will cost some dollars but maybe could help. Let me know what you think, guys. Not in a hurry.
Concerning the S3 ARN, I've given full permissions with a bucket policy to the VPC I'm creating the cluster in. I thought it could be OK but I may be wrong. In any case, I think the main issue is the one above.
Thanks in advance. F.
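An added example, not part of the original thread or of ParallelCluster: a simplified offline check that parses the AccessDenied message quoted above and tests whether a candidate identity policy would allow the denied action. The policy document, the bucket name and the helper names (`parse_denied`, `is_allowed`, `missing_actions`) are constructed for illustration, and the evaluation ignores conditions, `NotAction`, SCPs and permission boundaries.

```python
import re
from fnmatch import fnmatchcase

# Message shape quoted in the post above (account IDs are the post's placeholders).
DENIED_RE = re.compile(r"User: (?P<principal>\S+) is not authorized to perform: "
                       r"(?P<action>[\w-]+:[\w*]+) on resource: (?P<resource>\S+)")

def parse_denied(message):
    """Return (principal, action, resource) from an AccessDenied message, or None."""
    m = DENIED_RE.search(message)
    return (m["principal"], m["action"], m["resource"]) if m else None

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(stmt, action, resource):
    # IAM action names are case-insensitive; resource ARNs are matched case-sensitively.
    act = any(fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt.get("Action", [])))
    res = any(fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource", [])))
    return act and res

def is_allowed(policy, action, resource):
    """Simplified check: explicit Deny wins, then Allow, otherwise implicit deny.
    Ignores Condition, NotAction/NotResource, SCPs and permission boundaries."""
    stmts = _as_list(policy["Statement"])
    if any(s["Effect"] == "Deny" and _matches(s, action, resource) for s in stmts):
        return False
    return any(s["Effect"] == "Allow" and _matches(s, action, resource) for s in stmts)

def missing_actions(policy, required):
    """Return the (action, resource) pairs the policy does not allow."""
    return [(a, r) for a, r in required if not is_allowed(policy, a, r)]

# Error text from the post; the policy below is constructed for this example.
MESSAGE = ("User: arn:aws:iam::1234:user/cfnclustermanager is not authorized to perform: "
           "fsx:CreateFileSystem on resource: arn:aws:fsx:us-east-1:1234:file-system/* "
           "(Service: AmazonFSx; Status Code: 400; Error Code: AccessDeniedException; "
           "Request ID: 1234)")
POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ec2:*", "cloudformation:*"], "Resource": "*"},
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::constructed-bucket/*"},
]}

if __name__ == "__main__":
    _, action, resource = parse_denied(MESSAGE)
    print(missing_actions(POLICY, [(action, resource), ("ec2:RunInstances", "*")]))
```

Feeding every AccessDenied message from the stack events through `parse_denied` gives the list of pairs to pass as `required` when editing the policy.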
Thanks @extremoburo for reporting this, I've marked it as a bug and we'll update this when we update the policy.
Thanks @sean-smith
Environment:
Configuration
Bug description and how to reproduce:
I guess this is actually more like a simple question than a bug.
error:
I'm almost sure FSx Lustre creation needs extra IAM permissions in my custom IAM User policy; could you suggest which policy to add? I haven't found it in the documentation.
to reproduce:
Just create a new cluster with the template above:
pcluster create -t test mytest