@@ -128,6 +128,8 @@ ParallelClusterInstancePolicy
128128ParallelClusterUserPolicy
129129-------------------------
130130
131+ In case you are using sge, slurm or torque as a scheduler:
132+
131133::
132134
133135 {
@@ -335,3 +337,217 @@ ParallelClusterUserPolicy
335337 }
336338 ]
337339 }
340+
341+ In case you are using awsbatch as a scheduler:
342+
343+ ::
344+
345+ {
346+ "Version": "2012-10-17",
347+ "Statement": [
348+ {
349+ "Sid": "EC2Describe",
350+ "Action": [
351+ "ec2:DescribeKeyPairs",
352+ "ec2:DescribeVpcs",
353+ "ec2:DescribeSubnets",
354+ "ec2:DescribeSecurityGroups",
355+ "ec2:DescribePlacementGroups",
356+ "ec2:DescribeImages",
357+ "ec2:DescribeInstances",
358+ "ec2:DescribeInstanceStatus",
359+ "ec2:DescribeSnapshots",
360+ "ec2:DescribeVolumes",
361+ "ec2:DescribeVpcAttribute",
362+ "ec2:DescribeAddresses",
363+ "ec2:CreateTags",
364+ "ec2:DescribeNetworkInterfaces",
365+ "ec2:DescribeAvailabilityZones"
366+ ],
367+ "Effect": "Allow",
368+ "Resource": "*"
369+ },
370+ {
371+ "Sid": "EC2Modify",
372+ "Action": [
373+ "ec2:CreateVolume",
374+ "ec2:RunInstances",
375+ "ec2:AllocateAddress",
376+ "ec2:AssociateAddress",
377+ "ec2:AttachNetworkInterface",
378+ "ec2:AuthorizeSecurityGroupEgress",
379+ "ec2:AuthorizeSecurityGroupIngress",
380+ "ec2:CreateNetworkInterface",
381+ "ec2:CreateSecurityGroup",
382+ "ec2:ModifyVolumeAttribute",
383+ "ec2:ModifyNetworkInterfaceAttribute",
384+ "ec2:DeleteNetworkInterface",
385+ "ec2:DeleteVolume",
386+ "ec2:TerminateInstances",
387+ "ec2:DeleteSecurityGroup",
388+ "ec2:DisassociateAddress",
389+ "ec2:RevokeSecurityGroupIngress",
390+ "ec2:ReleaseAddress",
391+ "ec2:CreatePlacementGroup",
392+ "ec2:DeletePlacementGroup"
393+ ],
394+ "Effect": "Allow",
395+ "Resource": "*"
396+ },
397+ {
398+ "Sid": "DynamoDB",
399+ "Action": [
400+ "dynamodb:DescribeTable",
401+ "dynamodb:CreateTable",
402+ "dynamodb:DeleteTable"
403+ ],
404+ "Effect": "Allow",
405+ "Resource": "arn:aws:dynamodb:<REGION>:<AWS ACCOUNT ID>:table/parallelcluster-*"
406+ },
407+ {
408+ "Sid": "CloudFormation",
409+ "Action": [
410+ "cloudformation:DescribeStackEvents",
411+ "cloudformation:DescribeStackResource",
412+ "cloudformation:DescribeStackResources",
413+ "cloudformation:DescribeStacks",
414+ "cloudformation:ListStacks",
415+ "cloudformation:GetTemplate",
416+ "cloudformation:CreateStack",
417+ "cloudformation:DeleteStack",
418+ "cloudformation:UpdateStack"
419+ ],
420+ "Effect": "Allow",
421+ "Resource": "arn:aws:cloudformation:<REGION>:<AWS ACCOUNT ID>:stack/parallelcluster-*"
422+ },
423+ {
424+ "Sid": "SQS",
425+ "Action": [
426+ "sqs:GetQueueAttributes",
427+ "sqs:CreateQueue",
428+ "sqs:SetQueueAttributes",
429+ "sqs:DeleteQueue"
430+ ],
431+ "Effect": "Allow",
432+ "Resource": "*"
433+ },
434+ {
435+ "Sid": "SQSQueue",
436+ "Action": [
437+ "sqs:SendMessage",
438+ "sqs:ReceiveMessage",
439+ "sqs:ChangeMessageVisibility",
440+ "sqs:DeleteMessage",
441+ "sqs:GetQueueUrl"
442+ ],
443+ "Effect": "Allow",
444+ "Resource": "arn:aws:sqs:<REGION>:<AWS ACCOUNT ID>:parallelcluster-*"
445+ },
446+ {
447+ "Sid": "SNS",
448+ "Action": [
449+ "sns:ListTopics",
450+ "sns:GetTopicAttributes",
451+ "sns:CreateTopic",
452+ "sns:Subscribe",
453+ "sns:DeleteTopic"],
454+ "Effect": "Allow",
455+ "Resource": "*"
456+ },
457+ {
458+ "Sid": "IAMRole",
459+ "Action": [
460+ "iam:PassRole",
461+ "iam:CreateRole",
462+ "iam:DeleteRole",
463+ "iam:GetRole",
464+ "iam:SimulatePrincipalPolicy"
465+ ],
466+ "Effect": "Allow",
467+ "Resource": "arn:aws:iam::<AWS ACCOUNT ID>:role/parallelcluster-*"
468+ },
469+ {
470+ "Sid": "IAMInstanceProfile",
471+ "Action": [
472+ "iam:CreateInstanceProfile",
473+ "iam:DeleteInstanceProfile",
474+ "iam:GetInstanceProfile",
475+ "iam:PassRole"
476+ ],
477+ "Effect": "Allow",
478+ "Resource": "arn:aws:iam::<AWS ACCOUNT ID>:instance-profile/*"
479+ },
480+ {
481+ "Sid": "IAM",
482+ "Action": [
483+ "iam:AddRoleToInstanceProfile",
484+ "iam:RemoveRoleFromInstanceProfile",
485+ "iam:PutRolePolicy",
486+ "iam:DeleteRolePolicy",
487+ "iam:AttachRolePolicy",
488+ "iam:DetachRolePolicy"
489+ ],
490+ "Effect": "Allow",
491+ "Resource": "*"
492+ },
493+ {
494+ "Sid": "S3ResourcesBucket",
495+ "Action": ["s3:*"],
496+ "Effect": "Allow",
497+ "Resource": ["arn:aws:s3:::parallelcluster-*"]
498+ },
499+ {
500+ "Sid": "S3ParallelClusterReadOnly",
501+ "Action": [
502+ "s3:Get*",
503+ "s3:List*"
504+ ],
505+ "Effect": "Allow",
506+ "Resource": ["arn:aws:s3:::<REGION>-aws-parallelcluster/*"]
507+ },
508+ {
509+ "Sid": "Lambda",
510+ "Action": [
511+ "lambda:CreateFunction",
512+ "lambda:DeleteFunction",
513+ "lambda:GetFunctionConfiguration",
514+ "lambda:InvokeFunction",
515+ "lambda:AddPermission",
516+ "lambda:RemovePermission"
517+ ],
518+ "Effect": "Allow",
519+ "Resource": "arn:aws:lambda:<REGION>:<AWS ACCOUNT ID>:function:parallelcluster-*"
520+ },
521+ {
522+ "Sid": "Logs",
523+ "Effect": "Allow",
524+ "Action": ["logs:*"],
525+ "Resource": "arn:aws:logs:<REGION>:<AWS ACCOUNT ID>:*"
526+ },
527+ {
528+ "Sid": "CodeBuild",
529+ "Effect": "Allow",
530+ "Action": ["codebuild:*"],
531+ "Resource": "arn:aws:codebuild:<REGION>:<AWS ACCOUNT ID>:project/parallelcluster-*"
532+ },
533+ {
534+ "Sid": "ECR",
535+ "Effect": "Allow",
536+ "Action": ["ecr:*"],
537+ "Resource": "*"
538+ },
539+ {
540+ "Sid": "Batch",
541+ "Effect": "Allow",
542+ "Action": ["batch:*"],
543+ "Resource": "*"
544+ },
545+ {
546+ "Sid": "AmazonCloudWatchEvents",
547+ "Effect": "Allow",
548+ "Action": ["events:*"],
549+ "Resource": "*"
550+ }
551+ ]
552+ }
553+
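Review bot: The `IAM` statement (new lines 481-491) allows `iam:PutRolePolicy`, `iam:AttachRolePolicy`, `iam:DeleteRolePolicy` and `iam:DetachRolePolicy` on `"Resource": "*"`, so a user holding this policy can change the permissions of every role in the account, not only the cluster's roles. The `IAMRole` statement above it is already limited to `role/parallelcluster-*`; the four role-policy actions should get the same scope, `"Resource": "arn:aws:iam::<AWS ACCOUNT ID>:role/parallelcluster-*"`, with the two instance-profile actions kept in a statement of their own. This assumes the awsbatch stack names all of its roles with that prefix, which is not visible in this hunk. The `ecr:*`, `batch:*` and `events:*` statements on `*` are likewise account-wide, and the sentence introducing the policy should say so, so that readers narrow them before attaching the policy to a real user.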