aws / aws-parallelcluster

AWS ParallelCluster is an AWS supported Open Source cluster management tool to deploy and manage HPC clusters in the AWS cloud.

Home Page:https://github.com/aws/aws-parallelcluster


Maximum policy attachments on ClusterLambdaRole

alfred-stokespace opened this issue · comments

Required Info:

  • AWS ParallelCluster version: 3.8.0
  • Full cluster configuration without any credentials or personal data.: mmm, nope.
  • Cluster name: REDACTED
  • Output of pcluster describe-cluster command.: Nope.
  • [Optional] Arn of the cluster CloudFormation main stack: Nope

Bug description and how to reproduce:
The ClusterLambdaRole has the 10 maximum policy attachments on a standard installation. This makes adding policies in a clean way impossible, e.g. to easily extend access to an existing S3 bucket that you want to use for Lustre/FSX. I'd prefer not to vendor in the entire CFT tree to change your policy layout. What I'd love is if you left even one spot open for a custom policy that I can retrieve in my own IAC stack (outside of CloudFormationTemplate) and then add attachments to that.


As I'm seeking a solution my choices seem to be ...
after CFT is done ...

  1. by hand look up the lambda role in question
  2. add that role name to ci/cd code that will retrieve and change the inline policy
  3. -or- retrieve one of the existing policies and modify it with preformatted equivalent policy content + the stuff I want.
  4. run that code

I'd ask, as a second related issue, that your roles be exposed as outputs on the main CFT; that way my IAC code can just know what the role is without requiring a manual step... as it stands this basically means no one is going to want to do IAC around your CFTs because they require manual intervention.

Same issue with ParallelClusterUIUserRole.

My attempts to edit the existing roles' policies haven't gotten me what I wanted...
I posted more details here https://repost.aws/questions/QUVaQ71ON6SGiR8OoQp7lm5g/how-to-bring-customer-s3-bucket-to-pcluster3-8-0-fsx-lustre

Hello,
Thank you for reporting the issue. For the issue related to ParallelClusterUIUserRole and ParallelClusterLambdaRole reaching the maximum of 10 managed policies, I double checked and confirmed the problem. We are tracking the issue internally.
For the question posted on repost, we will answer it separately.

Thanks,
Wanyi

Hi @alfred-stokespace we addressed this issue as part of #6129 where we reduced the number of attached policies from 10 to 8.

In future patches we'll try to reduce it again by incorporating some of them; anyway, the merged change should unblock you and other users who need to attach custom policies.

The patch has been already released as part of ParallelCluster 3.9.0.
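The thread turns on the IAM quota for managed policies attached to one role (10 by default), which the 3.8.0 roles exhausted and the 3.9.0 fix lowered to 8 used. The following is an added example, not code from ParallelCluster or from anyone in this thread: it checks how many attachment slots a role has left from a ListAttachedRolePolicies-style response, decides whether a dedicated customer-managed policy can be attached cleanly (rather than editing a policy the stack owns, which drifts and is lost on stack update), and builds a bucket-scoped S3 policy with a check that no statement uses a wildcard resource. All ARNs, policy names, the bucket name and the S3 action set are constructed placeholders; the exact permissions FSx for Lustre needs for a given data repository setup are not stated on this page and must be taken from the AWS documentation.

```python
import json

# Default IAM service quota for managed policies attached to a single role.
# It can be raised through Service Quotas (to at most 20), but a fresh
# account has 10, which is the number the issue reports as fully used.
DEFAULT_MANAGED_POLICIES_PER_ROLE = 10


def _constructed_attached(count):
    # Constructed sample ARNs shaped like AttachedPolicies[].PolicyArn.
    # The names are placeholders, not the real ParallelCluster policy names.
    return [
        f"arn:aws:iam::123456789012:policy/Placeholder-ClusterLambda-{i}"
        for i in range(1, count + 1)
    ]


ATTACHED_3_8_0 = _constructed_attached(10)  # 10 of 10 used, as reported
ATTACHED_3_9_0 = _constructed_attached(8)   # 8 of 10 used after the fix
CUSTOM_POLICY_ARN = "arn:aws:iam::123456789012:policy/Placeholder-LustreBucketAccess"


def attached_policy_arns(list_attached_response):
    """Extract policy ARNs from a ListAttachedRolePolicies-style response dict."""
    return [p["PolicyArn"] for p in list_attached_response["AttachedPolicies"]]


def free_slots(attached_arns, quota=DEFAULT_MANAGED_POLICIES_PER_ROLE):
    """Number of managed-policy attachments still allowed on the role."""
    return max(quota - len(attached_arns), 0)


def plan_attachment(attached_arns, new_policy_arn,
                    quota=DEFAULT_MANAGED_POLICIES_PER_ROLE):
    """Return 'already-attached', 'quota-full' or 'attach'.

    'quota-full' is the 3.8.0 situation: the grant cannot be kept in its own
    customer-managed policy, so the remaining choices are a quota increase
    or editing a stack-owned policy (drift that a stack update can undo).
    """
    if new_policy_arn in attached_arns:
        return "already-attached"
    if free_slots(attached_arns, quota) == 0:
        return "quota-full"
    return "attach"


def s3_bucket_policy_document(bucket_name):
    """Bucket-scoped S3 policy for a Lustre data repository bucket.

    Assumption: list on the bucket plus get/put/delete on its objects; adjust
    the action set to what your data repository association actually needs.
    """
    bucket_arn = f"arn:aws:s3:::{bucket_name}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ListLustreBucket",
                "Effect": "Allow",
                "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
                "Resource": bucket_arn,
            },
            {
                "Sid": "LustreBucketObjects",
                "Effect": "Allow",
                "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
                "Resource": f"{bucket_arn}/*",
            },
        ],
    }


def has_wildcard_resource(document):
    """True if any statement grants on '*' or a whole-service wildcard."""
    for stmt in document["Statement"]:
        resources = stmt["Resource"]
        if isinstance(resources, str):
            resources = [resources]
        if any(r == "*" or r.endswith(":::*") for r in resources):
            return True
    return False


def live_attached_policy_arns(role_name):
    """Optional live lookup; needs boto3 and AWS credentials, so not run here."""
    import boto3  # imported lazily so the rest of the module works offline
    iam = boto3.client("iam")
    return attached_policy_arns(iam.list_attached_role_policies(RoleName=role_name))


if __name__ == "__main__":
    for label, attached in (("3.8.0", ATTACHED_3_8_0), ("3.9.0", ATTACHED_3_9_0)):
        print(label, "free slots:", free_slots(attached),
              "->", plan_attachment(attached, CUSTOM_POLICY_ARN))
    doc = s3_bucket_policy_document("placeholder-lustre-bucket")
    print("wildcard resource:", has_wildcard_resource(doc))
    print(json.dumps(doc, indent=2))
```

Run against a real role by replacing the constructed lists with `live_attached_policy_arns("<role name>")`; the decision logic is the same, and `has_wildcard_resource` is worth running on any policy document before it is created, since a single `"Resource": "*"` statement silently widens the Lambda role's reach far beyond the one bucket.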