This repository has been archived by the owner on Mar 13, 2023. It is now read-only.

Create new cluster fails due to missing iam:AttachRolePolicy permission #384

Open
verdimrc opened this issue Dec 2, 2022 · 3 comments
Labels
bug Something isn't working

Comments

@verdimrc

verdimrc commented Dec 2, 2022

The us-west-2 quick-launch fails to create a new cluster because of missing iam:AttachRolePolicy permission.

The quick fix is to add that permission to the ParallelClusterUserRole from the pcluster-manager-ParallelClusterApi stack.

@mtfranchetto (Contributor)

Hello @verdimrc, can you explain a bit more what you were trying to do? Also, a sample of the YAML config file would help, since a cluster with the "default" configuration should be created without issues.

@sean-smith (Contributor)

sean-smith commented Dec 5, 2022

To elaborate - this is caused by the ParallelCluster API, which limits the IAM policies you can attach to the instances to the following list:

{
    "Condition": {
        "ArnLike": {
            "iam:PolicyARN": [
                "arn:aws:iam::822857487308:policy/parallelcluster*",
                "arn:aws:iam::822857487308:policy/parallelcluster/*",
                "arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy",
                "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore",
                "arn:aws:iam::aws:policy/AWSBatchFullAccess",
                "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess",
                "arn:aws:iam::aws:policy/service-role/AWSBatchServiceRole",
                "arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role",
                "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy",
                "arn:aws:iam::aws:policy/service-role/AmazonEC2SpotFleetTaggingRole",
                "arn:aws:iam::aws:policy/EC2InstanceProfileForImageBuilder",
                "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
            ]
        }
    },
    "Action": [
        "iam:AttachRolePolicy",
        "iam:DetachRolePolicy"
    ],
    "Resource": "arn:aws:iam::822857487308:role/parallelcluster/*",
    "Effect": "Allow",
    "Sid": "IamPolicy"
}

There is a workaround, documented here: https://ml.hpcworkshops.com/01-getting-started/06-iam-permissions.html
Also a Github issue here: aws/aws-parallelcluster#4031 & #268

I'll leave this issue open for tracking until this is resolved.

@sean-smith sean-smith added the bug (Something isn't working) label Dec 5, 2022
@sean-smith sean-smith mentioned this issue Dec 7, 2022

@sean-smith (Contributor)

sean-smith commented Dec 16, 2022

I should add, if you want to scope this down to just iam:AttachRolePolicy and iam:DetachRolePolicy you can add a policy like:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
               "iam:AttachRolePolicy",
               "iam:DetachRolePolicy"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:iam::<account-id>:role/parallelcluster/*"
        }
    ]
}

See https://pcluster.cloud/02-tutorials/07-setup-iam.html for detailed setup instructions.
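Added example (mine, not code from this issue or from pcluster-manager): an offline evaluator that applies the ArnLike Condition from the ParallelCluster API statement quoted in the earlier comment, and the unconditioned scoped-down statement from this one, so you can check which role/policy pairs each statement permits before changing a role. Role and custom policy names below are constructed; the account id 822857487308 is the one that appears in the quoted statement.

```python
import re

# Policy ARN patterns and Resource copied from the IamPolicy statement quoted in the issue.
ALLOWED_POLICY_ARNS = [
    "arn:aws:iam::822857487308:policy/parallelcluster*",
    "arn:aws:iam::822857487308:policy/parallelcluster/*",
    "arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy",
    "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore",
    "arn:aws:iam::aws:policy/AWSBatchFullAccess",
    "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess",
    "arn:aws:iam::aws:policy/service-role/AWSBatchServiceRole",
    "arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role",
    "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy",
    "arn:aws:iam::aws:policy/service-role/AmazonEC2SpotFleetTaggingRole",
    "arn:aws:iam::aws:policy/EC2InstanceProfileForImageBuilder",
    "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole",
]
API_ROLE_RESOURCE = "arn:aws:iam::822857487308:role/parallelcluster/*"

def _component_matches(pattern: str, value: str) -> bool:
    # '*' matches any run of characters, '?' exactly one; everything else is literal.
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None

def arn_like(pattern: str, arn: str) -> bool:
    """IAM ArnLike semantics: each of the six colon-delimited ARN components is
    matched separately and case-sensitively, so '*' never spans a ':' boundary."""
    p_parts, a_parts = pattern.split(":", 5), arn.split(":", 5)
    if len(p_parts) != 6 or len(a_parts) != 6:
        return False
    return all(_component_matches(p, a) for p, a in zip(p_parts, a_parts))

def api_statement_allows(role_arn: str, policy_arn: str) -> bool:
    """Quoted API statement: role must sit under role/parallelcluster/ AND the policy
    must match one of the Condition patterns; any other managed policy is denied."""
    return arn_like(API_ROLE_RESOURCE, role_arn) and any(
        arn_like(p, policy_arn) for p in ALLOWED_POLICY_ARNS
    )

def scoped_statement_allows(role_arn: str, policy_arn: str, account_id: str) -> bool:
    """Scoped-down statement above: no Condition, so any policy ARN may be attached
    as long as the role sits under role/parallelcluster/ in the given account."""
    return arn_like(f"arn:aws:iam::{account_id}:role/parallelcluster/*", role_arn)

if __name__ == "__main__":  # constructed role and policy names, for a quick look
    role = "arn:aws:iam::822857487308:role/parallelcluster/MyClusterRole"
    for policy in ("arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore",
                   "arn:aws:iam::822857487308:policy/MyCustomPolicy"):
        print(policy, api_statement_allows(role, policy), scoped_statement_allows(role, policy, "822857487308"))
```

The second policy in the demo is exactly the case from the issue: a custom managed policy is denied by the API statement but permitted by the scoped-down one.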
