"ec2:CreatePlacementGroup" and "ec2:DeletePlacementGroup" used
when setting the placement group config to be DYNAMIC
"iam:GetRole" and "iam:SimulatePrincipalPolicy" used when setting
a custom instance role
Signed-off-by: Luca Carrogu <[email protected]>
File: docs/source/iam.rst (7 additions & 3 deletions)
@@ -8,7 +8,7 @@ IAM in CfnCluster
8
8
9
9
10
10
CfnCluster utilizes multiple AWS services to deploy and operate a cluster. The services used are listed in the :ref:`AWS Services used in CfnCluster <aws_services>` section of the documentation.
11
-
11
+
12
12
CfnCluster uses EC2 IAM roles to enable instances access to AWS services for the deployment and operation of the cluster. By default the EC2 IAM role is created as part of the cluster creation by CloudFormation. This means that the user creating the cluster must have the appropriate level of permissions
13
13
14
14
Defaults
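Review bot: The change at line 11 removes an empty line and adds an empty line, so it reads as a whitespace-only edit unrelated to the permission additions the commit message describes. Consider dropping it from this commit or naming the cleanup in the message. If the paragraph is being touched anyway, the sentence on line 12 as shown here ends at "appropriate level of permissions" without a full stop.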
@@ -176,7 +176,9 @@ CfnClusterUserPolicy
176
176
"ec2:DeleteSecurityGroup",
177
177
"ec2:DisassociateAddress",
178
178
"ec2:RevokeSecurityGroupIngress",
179
-
"ec2:ReleaseAddress"
179
+
"ec2:ReleaseAddress",
180
+
"ec2:CreatePlacementGroup",
181
+
"ec2:DeletePlacementGroup"
180
182
],
181
183
"Effect": "Allow",
182
184
"Resource": "*"
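Review bot: The two added actions, "ec2:CreatePlacementGroup" and "ec2:DeletePlacementGroup", land in a statement whose "Resource" is "*", and the documentation does not say they are only needed when the placement group config is DYNAMIC, which is stated only in the commit message. Please add a sentence next to the policy saying so, so that users who do not use DYNAMIC placement groups can leave both actions out of the user policy. It is also worth noting in the doc that, as written, the delete permission applies to every placement group in the account, not only the ones the cluster created.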
@@ -308,7 +310,9 @@ CfnClusterUserPolicy
308
310
"Action": [
309
311
"iam:PassRole",
310
312
"iam:CreateRole",
311
-
"iam:DeleteRole"
313
+
"iam:DeleteRole",
314
+
"iam:GetRole",
315
+
"iam:SimulatePrincipalPolicy"
312
316
],
313
317
"Effect": "Allow",
314
318
"Resource": "arn:aws:iam::<AWS ACCOUNT ID>:role/<CFNCLUSTER EC2 ROLE NAME>"
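Review bot: The added "iam:GetRole" and "iam:SimulatePrincipalPolicy" are scoped to role/<CFNCLUSTER EC2 ROLE NAME>, but the commit message says they are used when setting a custom instance role, and the doc does not explain what the placeholder should hold in that case. Please state that the placeholder must be the name of the custom role when one is configured, since otherwise the calls against that role fall outside this statement. As with the placement group actions, a note that these two are only required for the custom-role case would let users keep the policy minimal; this statement already carries "iam:PassRole" and "iam:CreateRole", so readers will want to know exactly why each further IAM action is there.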