aws / aws-parallelcluster

AWS ParallelCluster is an AWS supported Open Source cluster management tool to deploy and manage HPC clusters in the AWS cloud.
https://github.com/aws/aws-parallelcluster
Apache License 2.0

Full set of IAM permissions required to deploy the ParallelCluster 3 API #3992

Open cailinw opened 2 years ago

cailinw commented 2 years ago

Hello, I'm trying to deploy the ParallelCluster 3 API (using the CloudFormation template and the instructions here) from an IAM user that has restricted permissions. Could you please provide the full set of IAM permissions that are required to deploy the ParallelCluster 3 API using the CloudFormation template? This would be much easier than having to repeatedly attempt deployment and note the missing policy each time.

Particularly, I want to create the stack from an AWS Lambda, and the Lambda function needs to have the right permissions to create this stack.

Thank you.

demartinofra commented 2 years ago

Hello,

When deploying the API stack, a series of IAM roles are created and attached to API resources. Because of this, as reported in https://docs.aws.amazon.com/parallelcluster/latest/ug/api-reference-v3.html, we advise using an Administrator role for the deployment. Scoping down that role would still require the powerful iam:PutRolePolicy and iam:CreateRole permissions, which would result in giving the user IAM admin privileges.

cailinw commented 2 years ago

Thank you for the quick response.

Since the Lambda is temporarily assuming a cross-account role to deploy the API in another AWS account, I would not like to use an Administrator role directly, even though I understand that is the recommendation.

Can I specify iam:PutRolePolicy and iam:CreateRole with some prefix when specifying the Resource, or with some Condition, so that this permission can be limited in some way?

Thank you.
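The two points raised above (the maintainer's note that iam:CreateRole and iam:PutRolePolicy are effectively IAM-admin powers, and the follow-up question about limiting them with a Resource prefix or a Condition) can be illustrated with the standard scoping pattern: restrict the role ARNs to a name prefix, and require every created role to carry a permissions boundary via the iam:PermissionsBoundary condition key, while explicitly denying changes to the boundary itself. The policy below and the tiny evaluator that exercises it are an added example, not ParallelCluster code and not an official AWS recommendation; the account id, role prefix and boundary policy name are constructed placeholders, and the evaluator implements only the subset of IAM evaluation logic needed here (explicit Deny, Allow, implicit Deny, `*` wildcards, StringEquals conditions).

```python
import fnmatch

# Constructed placeholders (hypothetical values, not from the issue):
ACCOUNT_ID = "111122223333"
ROLE_PREFIX = "ParallelClusterApi-"          # assumed naming prefix for stack-created roles
ROLE_ARN_PATTERN = f"arn:aws:iam::{ACCOUNT_ID}:role/{ROLE_PREFIX}*"
BOUNDARY_ARN = f"arn:aws:iam::{ACCOUNT_ID}:policy/PclusterDeployBoundary"  # hypothetical boundary

# A scoped-down deployment policy: roles may only be created under the prefix AND
# only with the boundary attached; the boundary and its attachment are protected.
SCOPED_DEPLOY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CreateRolesOnlyWithBoundary",
            "Effect": "Allow",
            "Action": ["iam:CreateRole"],
            "Resource": ROLE_ARN_PATTERN,
            "Condition": {"StringEquals": {"iam:PermissionsBoundary": BOUNDARY_ARN}},
        },
        {
            "Sid": "ManagePrefixedRolesOnly",
            "Effect": "Allow",
            "Action": ["iam:PutRolePolicy", "iam:DeleteRolePolicy", "iam:AttachRolePolicy",
                       "iam:DetachRolePolicy", "iam:DeleteRole", "iam:PassRole",
                       "iam:GetRole", "iam:TagRole"],
            "Resource": ROLE_ARN_PATTERN,
        },
        {
            "Sid": "DenyRemovingBoundaryFromRoles",
            "Effect": "Deny",
            "Action": ["iam:DeleteRolePermissionsBoundary"],
            "Resource": ROLE_ARN_PATTERN,
        },
        {
            "Sid": "DenyEditingTheBoundaryPolicy",
            "Effect": "Deny",
            "Action": ["iam:DeletePolicy", "iam:CreatePolicyVersion",
                       "iam:DeletePolicyVersion", "iam:SetDefaultPolicyVersion"],
            "Resource": BOUNDARY_ARN,
        },
    ],
}


def _matches(patterns, value):
    """IAM-style glob match: '*' spans any characters, including ':' and '/'."""
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _condition_holds(condition, context):
    """Only StringEquals is modelled; every key listed must match the request context."""
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(f"condition operator not modelled: {operator}")
        for key, expected in pairs.items():
            if context.get(key) != expected:
                return False
    return True


def evaluate(policy, action, resource, context=None):
    """Simplified IAM decision: explicit Deny wins, then any Allow, else implicit Deny."""
    context = context or {}
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not _matches(stmt["Action"], action):
            continue
        if not _matches(stmt["Resource"], resource):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"
        decision = "Allow"
    return decision


def run_checks():
    """Exercise the policy with the requests a scoped deployer would and would not make."""
    api_role = f"arn:aws:iam::{ACCOUNT_ID}:role/{ROLE_PREFIX}Lambda"
    other_role = f"arn:aws:iam::{ACCOUNT_ID}:role/OrgAdmin"
    with_boundary = {"iam:PermissionsBoundary": BOUNDARY_ARN}
    return {
        "create_prefixed_with_boundary": evaluate(SCOPED_DEPLOY_POLICY, "iam:CreateRole", api_role, with_boundary),
        "create_prefixed_no_boundary": evaluate(SCOPED_DEPLOY_POLICY, "iam:CreateRole", api_role),
        "create_unprefixed_with_boundary": evaluate(SCOPED_DEPLOY_POLICY, "iam:CreateRole", other_role, with_boundary),
        "put_policy_prefixed": evaluate(SCOPED_DEPLOY_POLICY, "iam:PutRolePolicy", api_role),
        "put_policy_unprefixed": evaluate(SCOPED_DEPLOY_POLICY, "iam:PutRolePolicy", other_role),
        "strip_boundary": evaluate(SCOPED_DEPLOY_POLICY, "iam:DeleteRolePermissionsBoundary", api_role),
        "edit_boundary_policy": evaluate(SCOPED_DEPLOY_POLICY, "iam:CreatePolicyVersion", BOUNDARY_ARN),
    }


if __name__ == "__main__":
    for name, decision in run_checks().items():
        print(f"{name:32s} {decision}")
```

The boundary policy itself (not shown) is what caps the effective permissions of every role the stack creates, so it has to be written to cover what the API's roles legitimately need; the name-prefix Resource only limits which role ARNs the deployer can touch. This is a mitigation of the concern in the reply above rather than a removal of it: the deployer still holds role-creation rights, which is why the Deny statements that protect the boundary matter as much as the Allow statements.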