
Commit a7bcb2a

[Policies] Refactor ParallelCluster policies defined in CloudFormation template
'parallelcluster-policies.yaml', to prevent deployment failures caused by IAM limits being exceeded. Signed-off-by: Giacomo Marciani <mgiacomo@amazon.com>
1 parent e3521b9 commit a7bcb2a


4 files changed

+56
-92
lines changed


CHANGELOG.md

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -25,6 +25,10 @@ CHANGELOG
2525
instead of looping over `MaximumNetworkCards` range.
2626
- Fail cluster creation when using instance types P3, G3, P2 and G2 because their GPU architecture is not compatible with Open Source Nvidia Drivers (OpenRM) introduced as part of 3.8.0 release.
2727

28+
**BUG FIXES**
29+
- Refactor IAM policies defined in CloudFormation template `parallelclutser-policies.yaml` to prevent ParallelCluster API deployment failure
30+
caused by policies exceeding IAM limits.
31+
2832
3.8.0
2933
------
3034
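Review bot: the added changelog line spells the template name `parallelclutser-policies.yaml`; the file this commit touches is `cloudformation/policies/parallelcluster-policies.yaml`, so correct the typo or the entry will not match a search for the real file name. It would also help readers to say which limit was hit (presumably the 6,144 non-whitespace character cap on a managed policy document) and to mention that several stack outputs of the policies template are renamed or removed, since that is the part of this change users of the template will notice.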

cloudformation/custom_resource/cluster.yaml

Lines changed: 3 additions & 2 deletions
@@ -115,9 +115,10 @@ Resources:
115115
ManagedPolicyArns: !Split
116116
- ","
117117
- !Sub
118-
- ${LambdaExecutionPolicy},${ClusterPolicy},${DefaultAdminPolicy},${EventsPolicy},${S3Policy}${AdditionalIamPolicies}
118+
- ${LambdaExecutionPolicy},${ClusterPolicy1},${ClusterPolicy2},${DefaultAdminPolicy},${EventsPolicy},${S3Policy}${AdditionalIamPolicies}
119119
- { LambdaExecutionPolicy: !Sub "arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole",
120-
ClusterPolicy: !GetAtt [ PclusterPolicies, Outputs.ParallelClusterClusterPolicy ],
120+
ClusterPolicy1: !GetAtt [ PclusterPolicies, Outputs.ParallelClusterClusterPolicy1 ],
121+
ClusterPolicy2: !GetAtt [ PclusterPolicies, Outputs.ParallelClusterClusterPolicy2 ],
121122
DefaultAdminPolicy: !GetAtt [ PclusterPolicies, Outputs.DefaultParallelClusterIamAdminPolicy ],
122123
EventsPolicy: !Ref EventsPolicy,
123124
S3Policy: !Ref S3Policy,
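Review bot: the role's ManagedPolicyArns list now carries six fixed entries before `${AdditionalIamPolicies}` is appended, one more than before. IAM allows 10 managed policies per role by default (adjustable to 20), so operators supplying additional policies have one slot fewer; a sentence in the AdditionalIamPolicies parameter description saying how many slots are already taken would explain the LimitExceeded error they would otherwise hit.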

cloudformation/policies/parallelcluster-policies.yaml

Lines changed: 48 additions & 89 deletions
@@ -66,20 +66,14 @@ Outputs:
6666
ParallelClusterLogRetrievalPolicy:
6767
Value: !Ref ParallelClusterLogRetrievalPolicy
6868

69-
ParallelClusterDescribeImageManagedPolicy:
70-
Value: !Ref ParallelClusterDescribeImageManagedPolicy
69+
ParallelClusterImageManagedPolicy:
70+
Value: !Ref ParallelClusterImageManagedPolicy
7171

72-
ParallelClusterListImagesManagedPolicy:
73-
Value: !Ref ParallelClusterListImagesManagedPolicy
72+
ParallelClusterClusterPolicy1:
73+
Value: !Ref ParallelClusterClusterPolicy1
7474

75-
ParallelClusterDeleteImageManagedPolicy:
76-
Value: !Ref ParallelClusterDeleteImageManagedPolicy
77-
78-
ParallelClusterBuildImageManagedPolicy:
79-
Value: !Ref ParallelClusterBuildImageManagedPolicy
80-
81-
ParallelClusterClusterPolicy:
82-
Value: !Ref ParallelClusterClusterPolicy
75+
ParallelClusterClusterPolicy2:
76+
Value: !Ref ParallelClusterClusterPolicy2
8377

8478
FSxS3AccessPolicy:
8579
Condition: EnableFSxS3AccessCondition
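Review bot: five outputs disappear here (ParallelClusterDescribeImageManagedPolicy, ParallelClusterListImagesManagedPolicy, ParallelClusterDeleteImageManagedPolicy, ParallelClusterBuildImageManagedPolicy, ParallelClusterClusterPolicy), so any stack or script that reads them by name breaks on update; this deserves a breaking-change note in the changelog. Collapsing the four image outputs into ParallelClusterImageManagedPolicy also removes the ability to hand a principal read-only image access from this template: whoever previously attached only the list-images or describe-image policy now gets the delete and build statements as well. The new ParallelClusterClusterPolicy1 and ParallelClusterClusterPolicy2 outputs give no hint which actions live in which half; a short comment next to each would help.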
@@ -210,15 +204,13 @@ Resources:
210204
- !Sub arn:${AWS::Partition}:iam::aws:policy/AWSXRayDaemonWriteAccess
211205
- !Sub arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
212206
# Required to run ParallelCluster functionalities
213-
- !Ref ParallelClusterClusterPolicy
207+
- !Ref ParallelClusterClusterPolicy1
208+
- !Ref ParallelClusterClusterPolicy2
214209
- !If
215210
- EnableBatchAccessCondition
216211
- !Ref ParallelClusterClusterPolicyBatch
217212
- !Ref AWS::NoValue
218-
- !Ref ParallelClusterBuildImageManagedPolicy
219-
- !Ref ParallelClusterDeleteImageManagedPolicy
220-
- !Ref ParallelClusterListImagesManagedPolicy
221-
- !Ref ParallelClusterDescribeImageManagedPolicy
213+
- !Ref ParallelClusterImageManagedPolicy
222214
- !Ref ParallelClusterLogRetrievalPolicy
223215

224216
### CLUSTER ACTIONS POLICIES
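Review bot: with EnableBatchAccessCondition true the Lambda role now attaches seven managed policies (AWSXRayDaemonWriteAccess, AWSLambdaBasicExecutionRole, ClusterPolicy1, ClusterPolicy2, ClusterPolicyBatch, ImageManagedPolicy, LogRetrievalPolicy), still under the default quota of 10 but with less headroom than before; the next split of the cluster policy will need either a quota increase or a merge elsewhere. The comment `# Required to run ParallelCluster functionalities` could state that policies 1 and 2 are two halves of one logical policy split for size, so nobody later attaches only one of them.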
@@ -336,11 +328,11 @@ Resources:
336328
Roles:
337329
- !Ref ParallelClusterLambdaRole
338330

339-
ParallelClusterClusterPolicy:
331+
ParallelClusterClusterPolicy1:
340332
Type: AWS::IAM::ManagedPolicy
341333
Properties:
342334
ManagedPolicyName: !Sub
343-
- ${IAMRoleAndPolicyPrefix}ParallelClusterClusterPolicy-${StackIdSuffix}
335+
- ${IAMRoleAndPolicyPrefix}ParallelClusterClusterPolicy1-${StackIdSuffix}
344336
- { StackIdSuffix: !Select [ 0, !Split [ '-', !Select [ 2, !Split [ '/', !Ref 'AWS::StackId' ] ] ] ] }
345337
PolicyDocument:
346338
Version: '2012-10-17'
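Review bot: ManagedPolicyName is an update-requires-replacement property of AWS::IAM::ManagedPolicy, so updating an existing policies stack creates `ParallelClusterClusterPolicy1-<suffix>` and deletes `ParallelClusterClusterPolicy-<suffix>`; any principal outside the stack that had the old policy attached by ARN silently loses those permissions. Either keep the old name for the first half or call the rename out explicitly in the changelog entry.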
@@ -470,6 +462,16 @@ Resources:
470462
aws:RequestedRegion:
471463
- !Ref Region
472464
Sid: CloudWatch
465+
466+
ParallelClusterClusterPolicy2:
467+
Type: AWS::IAM::ManagedPolicy
468+
Properties:
469+
ManagedPolicyName: !Sub
470+
- ${IAMRoleAndPolicyPrefix}ParallelClusterClusterPolicy2-${StackIdSuffix}
471+
- { StackIdSuffix: !Select [ 0, !Split [ '-', !Select [ 2, !Split [ '/', !Ref 'AWS::StackId' ] ] ] ] }
472+
PolicyDocument:
473+
Version: '2012-10-17'
474+
Statement:
473475
- Action:
474476
- iam:GetRole
475477
- iam:GetRolePolicy
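Review bot: ParallelClusterClusterPolicy2 has no Description, unlike the image policy later in this same file; add one that says it is the second half of the cluster policy and which Sids it holds, so the two halves are distinguishable in the console. Since the split point is chosen only to get under the size limit, a test that renders each policy document and asserts it is comfortably below the 6,144 non-whitespace character cap would stop the next added statement from reintroducing the deployment failure this commit fixes.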
@@ -624,24 +626,24 @@ Resources:
624626

625627
# ### IMAGE ACTIONS POLICIES
626628

627-
ParallelClusterBuildImageManagedPolicy:
629+
ParallelClusterImageManagedPolicy:
628630
Type: AWS::IAM::ManagedPolicy
629631
Properties:
630632
ManagedPolicyName: !Sub
631-
- ${IAMRoleAndPolicyPrefix}ParallelClusterBuildImageManagedPolicy-${StackIdSuffix}
633+
- ${IAMRoleAndPolicyPrefix}ParallelClusterImageManagedPolicy-${StackIdSuffix}
632634
- { StackIdSuffix: !Select [ 0, !Split [ '-', !Select [ 2, !Split [ '/', !Ref 'AWS::StackId' ] ] ] ] }
633-
Description: Managed policy to execute pcluster build-image command without IAM permission
635+
Description: Managed policy to execute pcluster build-image, delete-image, list-images and describe-image commands
634636
PolicyDocument:
635637
Version: '2012-10-17'
636638
Statement:
637-
- Sid: EC2
639+
- Sid: EC2BuildImage
638640
Effect: Allow
639641
Action:
640642
- ec2:DescribeImages
641643
- ec2:DescribeInstanceTypeOfferings
642644
- ec2:DescribeInstanceTypes
643645
Resource: '*'
644-
- Sid: IAM
646+
- Sid: IAMBuildImage
645647
Effect: Allow
646648
Action:
647649
- iam:CreateInstanceProfile
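Review bot: now that the build, delete, list and describe statements share one document, every Sid must be unique within it (IAM rejects duplicates), which is why the `BuildImage` suffixes are needed; a unit test asserting Sid uniqueness across the merged policy is cheap and would catch a future copy-paste. The Description no longer mentions that the policy includes IAM actions (`iam:CreateInstanceProfile` and the rest of IAMBuildImage); keeping that wording is useful, because attaching this policy grants IAM write permissions and not only image-building ones.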
@@ -653,7 +655,7 @@ Resources:
653655
- !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:instance-profile/parallelcluster/*'
654656
- !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:instance-profile/ParallelClusterImage*'
655657
- !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:role/parallelcluster/*'
656-
- Sid: IAMPassRole
658+
- Sid: IAMPassRoleBuildImage
657659
Effect: Allow
658660
Action:
659661
- iam:PassRole
@@ -666,22 +668,22 @@ Resources:
666668
- lambda.amazonaws.com
667669
- ec2.amazonaws.com
668670
- ec2.amazonaws.com.cn
669-
- Sid: CloudWatch
671+
- Sid: CloudWatchBuildImage
670672
Effect: Allow
671673
Action:
672674
- logs:CreateLogGroup
673675
- logs:TagResource
674676
- logs:UntagResource
675677
Resource:
676678
- !Sub 'arn:${AWS::Partition}:logs:${Region}:${AWS::AccountId}:log-group:/aws/lambda/ParallelClusterImage-*'
677-
- Sid: CloudFormation
679+
- Sid: CloudFormationBuildImage
678680
Effect: Allow
679681
Action:
680682
- cloudformation:DescribeStacks
681683
- cloudformation:CreateStack
682684
Resource:
683685
- !Sub 'arn:${AWS::Partition}:cloudformation:${Region}:${AWS::AccountId}:stack/*'
684-
- Sid: Lambda
686+
- Sid: LambdaBuildImage
685687
Effect: Allow
686688
Action:
687689
- lambda:CreateFunction
@@ -690,12 +692,12 @@ Resources:
690692
- lambda:AddPermission
691693
Resource:
692694
- !Sub 'arn:${AWS::Partition}:lambda:${Region}:${AWS::AccountId}:function:ParallelClusterImage-*'
693-
- Sid: ImageBuilderGet
695+
- Sid: ImageBuilderGetBuildImage
694696
Effect: Allow
695697
Action:
696698
- imagebuilder:Get*
697699
Resource: '*'
698-
- Sid: ImageBuilder
700+
- Sid: ImageBuilderBuildImage
699701
Effect: Allow
700702
Action:
701703
- imagebuilder:CreateImage
@@ -710,14 +712,14 @@ Resources:
710712
- !Sub 'arn:${AWS::Partition}:imagebuilder:${Region}:${AWS::AccountId}:component/parallelclusterimage-*'
711713
- !Sub 'arn:${AWS::Partition}:imagebuilder:${Region}:${AWS::AccountId}:distribution-configuration/parallelclusterimage-*'
712714
- !Sub 'arn:${AWS::Partition}:imagebuilder:${Region}:${AWS::AccountId}:infrastructure-configuration/parallelclusterimage-*'
713-
- Sid: S3Bucket
715+
- Sid: S3BucketBuildImage
714716
Effect: Allow
715717
Action:
716718
- s3:CreateBucket
717719
- s3:ListBucket
718720
Resource:
719721
- !Sub 'arn:${AWS::Partition}:s3:::parallelcluster-*'
720-
- Sid: SNS
722+
- Sid: SNSBuildImage
721723
Effect: Allow
722724
Action:
723725
- sns:GetTopicAttributes
@@ -727,14 +729,15 @@ Resources:
727729
- sns:Publish
728730
Resource:
729731
- !Sub 'arn:${AWS::Partition}:sns:${Region}:${AWS::AccountId}:ParallelClusterImage-*'
730-
- Sid: S3Objects
732+
- Sid: S3ObjectsBuildImage
731733
Effect: Allow
732734
Action:
733735
- s3:PutObject
734736
- s3:GetObject
735737
Resource:
736738
- !Sub 'arn:${AWS::Partition}:s3:::parallelcluster-*/*'
737-
- Action:
739+
- Sid: IAMSLRBuildImage
740+
Action:
738741
- iam:CreateServiceLinkedRole
739742
Resource:
740743
- !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/aws-service-role/imagebuilder.amazonaws.com/AWSServiceRoleForImageBuilder
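Review bot: the IAMSLRBuildImage statement lists Action before Resource and no Effect is visible in the hunk (the statement had none in the visible lines before either); confirm Effect: Allow is present below, since IAM rejects a statement without it, and order the keys as Sid, Effect, Action, Resource like the other statements so the merged document reads uniformly.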
@@ -743,32 +746,21 @@ Resources:
743746
StringLike:
744747
iam:AWSServiceName:
745748
- imagebuilder.amazonaws.com
746-
747-
ParallelClusterDeleteImageManagedPolicy:
748-
Type: AWS::IAM::ManagedPolicy
749-
Properties:
750-
ManagedPolicyName: !Sub
751-
- ${IAMRoleAndPolicyPrefix}ParallelClusterDeleteImageManagedPolicy-${StackIdSuffix}
752-
- { StackIdSuffix: !Select [ 0, !Split [ '-', !Select [ 2, !Split [ '/', !Ref 'AWS::StackId' ] ] ] ] }
753-
Description: Managed policy to execute pcluster delete-image command without IAM permission
754-
PolicyDocument:
755-
Version: '2012-10-17'
756-
Statement:
757-
- Sid: EC2
749+
- Sid: EC2DeleteImage
758750
Effect: Allow
759751
Action:
760752
- ec2:DeregisterImage
761753
- ec2:DescribeImages
762754
- ec2:DeleteSnapshot
763755
Resource: '*'
764-
- Sid: IAM
756+
- Sid: IAMDeleteImage
765757
Effect: Allow
766758
Action:
767759
- iam:RemoveRoleFromInstanceProfile
768760
Resource:
769761
- !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:instance-profile/parallelcluster/*'
770762
- !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:role/parallelcluster/*'
771-
- Sid: ImageBuilder
763+
- Sid: ImageBuilderDeleteImage
772764
Effect: Allow
773765
Action:
774766
- imagebuilder:DeleteImage
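Review bot: the EC2DeleteImage statement grants `ec2:DeregisterImage` and `ec2:DeleteSnapshot` on Resource `'*'`, and it is now bundled into the same policy as the build and list statements; anyone who needs only `pcluster list-images` receives the right to deregister any AMI and delete any snapshot in the account. If the size limit allows it, keeping destructive image actions in a separate managed policy preserves the least-privilege split the four-policy layout had.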
@@ -784,37 +776,37 @@ Resources:
784776
- !Sub 'arn:${AWS::Partition}:imagebuilder:${Region}:${AWS::AccountId}:component/parallelclusterimage-*'
785777
- !Sub 'arn:${AWS::Partition}:imagebuilder:${Region}:${AWS::AccountId}:distribution-configuration/parallelclusterimage-*'
786778
- !Sub 'arn:${AWS::Partition}:imagebuilder:${Region}:${AWS::AccountId}:infrastructure-configuration/parallelclusterimage-*'
787-
- Sid: CloudFormation
779+
- Sid: CloudFormationDeleteImage
788780
Effect: Allow
789781
Action:
790782
- cloudformation:DescribeStacks
791783
- cloudformation:DeleteStack
792784
Resource:
793785
- !Sub 'arn:${AWS::Partition}:cloudformation:${Region}:${AWS::AccountId}:stack/*'
794-
- Sid: Lambda
786+
- Sid: LambdaDeleteImage
795787
Effect: Allow
796788
Action:
797789
- lambda:RemovePermission
798790
- lambda:DeleteFunction
799791
- lambda:AddPermission
800792
Resource:
801793
- !Sub 'arn:${AWS::Partition}:lambda:${Region}:${AWS::AccountId}:function:ParallelClusterImage-*'
802-
- Sid: SNS
794+
- Sid: SNSDeleteImage
803795
Effect: Allow
804796
Action:
805797
- SNS:DeleteTopic
806798
- SNS:Unsubscribe
807799
- SNS:GetTopicAttributes
808800
Resource:
809801
- !Sub 'arn:${AWS::Partition}:sns:${Region}:${AWS::AccountId}:ParallelClusterImage-*'
810-
- Sid: S3Bucket
802+
- Sid: S3BucketDeleteImage
811803
Effect: Allow
812804
Action:
813805
- s3:ListBucket
814806
- s3:ListBucketVersions
815807
Resource:
816808
- !Sub 'arn:${AWS::Partition}:s3:::parallelcluster-*'
817-
- Sid: S3Objects
809+
- Sid: S3ObjectsDeleteImage
818810
Effect: Allow
819811
Action:
820812
- s3:PutObject
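Review bot: the SNSDeleteImage statement spells its actions `SNS:DeleteTopic`, `SNS:Unsubscribe`, `SNS:GetTopicAttributes` while the build statements use lower-case `sns:`; IAM action names are case-insensitive so this is harmless, but normalizing to `sns:` while the statements are being renamed avoids a grep missing half of them.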
@@ -824,58 +816,25 @@ Resources:
824816
- s3:DeleteObjectVersion
825817
Resource:
826818
- !Sub 'arn:${AWS::Partition}:s3:::parallelcluster-*/*'
827-
- Sid: CloudWatch
819+
- Sid: CloudWatchDeleteImage
828820
Effect: Allow
829821
Action:
830822
- logs:DeleteLogGroup
831823
Resource:
832824
- !Sub 'arn:${AWS::Partition}:logs:${Region}:${AWS::AccountId}:log-group:/aws/imagebuilder/ParallelClusterImage-*'
833825
- !Sub 'arn:${AWS::Partition}:logs:${Region}:${AWS::AccountId}:log-group:/aws/lambda/ParallelClusterImage-*'
834-
835-
ParallelClusterListImagesManagedPolicy:
836-
Type: AWS::IAM::ManagedPolicy
837-
Properties:
838-
ManagedPolicyName: !Sub
839-
- ${IAMRoleAndPolicyPrefix}ParallelClusterListImagesManagedPolicy-${StackIdSuffix}
840-
- { StackIdSuffix: !Select [ 0, !Split [ '-', !Select [ 2, !Split [ '/', !Ref 'AWS::StackId' ] ] ] ] }
841-
Description: Managed policy to execute pcluster list-images command
842-
PolicyDocument:
843-
Version: '2012-10-17'
844-
Statement:
845-
- Sid: EC2
826+
- Sid: EC2ListImages
846827
Effect: Allow
847828
Action:
848829
- ec2:DescribeImages
849830
Resource: '*'
850-
- Sid: CloudFormation
831+
- Sid: CloudFormationListImages
851832
Effect: Allow
852833
Action:
853834
- cloudformation:DescribeStacks
854835
Resource:
855836
- '*'
856837

857-
ParallelClusterDescribeImageManagedPolicy:
858-
Type: AWS::IAM::ManagedPolicy
859-
Properties:
860-
ManagedPolicyName: !Sub
861-
- ${IAMRoleAndPolicyPrefix}ParallelClusterDescribeImageManagedPolicy-${StackIdSuffix}
862-
- { StackIdSuffix: !Select [ 0, !Split [ '-', !Select [ 2, !Split [ '/', !Ref 'AWS::StackId' ] ] ] ] }
863-
Description: Managed policy to execute pcluster describe-image command
864-
PolicyDocument:
865-
Version: '2012-10-17'
866-
Statement:
867-
- Sid: EC2
868-
Effect: Allow
869-
Action:
870-
- ec2:DescribeImages
871-
Resource: '*'
872-
- Sid: CloudFormation
873-
Effect: Allow
874-
Action:
875-
- cloudformation:DescribeStacks
876-
Resource:
877-
- !Sub 'arn:${AWS::Partition}:cloudformation:${Region}:${AWS::AccountId}:stack/*'
878-
879838
### LOG COMMANDS
880839

881840
ParallelClusterLogRetrievalPolicy:
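Review bot: the describe-image policy's two statements are dropped rather than merged, which is correct only because they are covered by EC2ListImages (`ec2:DescribeImages` on `'*'`) and CloudFormationListImages (`cloudformation:DescribeStacks` on `'*'`); note that the dropped describe-image statement scoped DescribeStacks to `stack/*` while the surviving list-images statement uses `'*'`, so the merged policy keeps the broader of the two. A comment above EC2ListImages stating that it also serves describe-image would stop someone from "restoring" the missing statements later.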

tests/integration-tests/tests/pcluster_api/test_api.py

Lines changed: 1 addition & 1 deletion
@@ -145,7 +145,7 @@ def policies_template_with_custom_actions_bucket_access_fixture(policies_templat
145145
with open(policies_template_path, "r", encoding="utf-8") as f:
146146
policies_template = TemplateGenerator(cfn_tools.load_yaml(f.read()))
147147

148-
policy_document = policies_template.resources.get("ParallelClusterClusterPolicy").properties["PolicyDocument"]
148+
policy_document = policies_template.resources.get("ParallelClusterClusterPolicy2").properties["PolicyDocument"]
149149
statement = policy_document.get("Statement")
150150
statement.append(
151151
{
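Review bot: the fixture now appends its custom-actions statement to ParallelClusterClusterPolicy2, chosen arbitrarily; that works because both halves are attached to the same role, but a comment saying so would save the next person from wondering why policy 2 and not 1. This test would also be the natural home for a check that each rendered policy document stays under the managed-policy size limit, which is the regression this commit fixes and which nothing in the diff guards against.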
