(3.0.0 - 3.1.3) Unable to create cluster or custom image when using API or CLI with documented user policies

Luca Carrogu edited this page May 20, 2022 · 4 revisions

The issue

Cluster creation or custom image creation using the ParallelCluster API or CLI fails, leaving the cluster stack in CREATE_FAILED status with the following reason:

User: arn:aws:sts::xxx:assumed-role/yyy is not authorized to perform: lambda:TagResource on resource: zzz

This happens when creating a cluster or a custom image with the ParallelCluster API from version 3.0.0 to 3.1.3, or with any CLI version when the user has an IAM role with the user policies documented in the official doc (as published before May 17, 2022).

Affected versions

  • ParallelCluster API from 3.0.0 to 3.1.3 inclusive.
  • Any version of the ParallelCluster CLI, when using an IAM role with the user policies documented in the official doc before May 17, 2022.

Mitigation

When using any version of the ParallelCluster CLI with an IAM role that carries the user policies described in the official doc, make sure those policies allow the lambda:TagResource action.

When using the ParallelCluster API from version 3.0.0 to 3.1.3, follow one of the mitigation paths below, depending on whether you already have an API stack deployed or want to create a new API stack from scratch.

(Recommended) Create a new API stack using the latest version

Follow the official doc to create a new API stack using the latest version. Note that version 3.1.4 is affected by an issue in the cluster update process; for more info see here.

Update an existing API stack for versions from 3.0.0 to 3.1.3

Update the IAM user role deployed through the API stack by performing the following manual steps in the AWS console:

  • Identify the IAM role resource with Logical ID ParallelClusterUserRole deployed by the API stack
  • Add the action lambda:TagResource to the policy whose name starts with pcluster-api-ParallelClusterClusterPolicy- and save the changes
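
To confirm the change, the policy JSON can be copied from the console and checked offline. The following Python script is an added example, not part of ParallelCluster or its documentation; the sample policy and all function names are constructed for illustration, and it checks only the Effect, Action and NotAction elements (Resource and Condition are not evaluated).

```python
import json
import re

REQUIRED_ACTION = "lambda:TagResource"

# Constructed sample, NOT the real ParallelCluster policy: it allows some Lambda
# actions but lacks lambda:TagResource, the condition behind the CREATE_FAILED error.
SAMPLE_POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [
   {"Effect": "Allow", "Resource": "*",
    "Action": ["lambda:CreateFunction", "lambda:DeleteFunction"]},
   {"Effect": "Allow", "Resource": "*", "Action": "cloudformation:*"}]}
""")

def _as_list(value):
    """IAM lets Statement/Action be a single item or a list; normalise to a list."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]

def _matches(pattern, action):
    """IAM action patterns are case-insensitive and support * and ? wildcards."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, action, re.IGNORECASE) is not None

def _covers(stmt, action):
    if "NotAction" in stmt:  # statement applies to everything except the listed actions
        return not any(_matches(p, action) for p in _as_list(stmt["NotAction"]))
    return any(_matches(p, action) for p in _as_list(stmt.get("Action")))

def action_status(policy, action=REQUIRED_ACTION):
    """Return 'denied', 'allowed' or 'missing'. Resource/Condition are not evaluated."""
    allowed = False
    for stmt in _as_list(policy.get("Statement")):
        if not _covers(stmt, action):
            continue
        if stmt.get("Effect") == "Deny":
            return "denied"  # an explicit Deny overrides any Allow; review by hand
        allowed = allowed or stmt.get("Effect") == "Allow"
    return "allowed" if allowed else "missing"

def lambda_allow_statements(policy):
    """Indexes of Allow statements that already list Lambda actions."""
    return [i for i, stmt in enumerate(_as_list(policy.get("Statement")))
            if stmt.get("Effect") == "Allow"
            and any(p.lower().startswith("lambda:") for p in _as_list(stmt.get("Action")))]

if __name__ == "__main__":
    print(action_status(SAMPLE_POLICY), lambda_allow_statements(SAMPLE_POLICY))
```

A result of "missing" means the policy still needs the action added; "denied" means an explicit Deny statement names the action and should be reviewed by hand.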