Maximum policy attachments on ClusterLambdaRole
alfred-stokespace opened this issue
Required Info:
- AWS ParallelCluster version: 3.8.0
- Full cluster configuration without any credentials or personal data.: mmm, nope.
- Cluster name: REDACTED
- Output of pcluster describe-cluster command.: Nope.
- [Optional] Arn of the cluster CloudFormation main stack: Nope
Bug description and how to reproduce:
The ClusterLambdaRole has the 10 maximum policy attachments on a standard installation. This makes adding policies in a clean way impossible to easily extend access to, say, an existing S3 bucket that you want to use for Lustre/FSX. I'd prefer not to vendor in the entire CFT tree to change your policy layout. What I'd love is if you left even one spot open for a custom policy that I can retrieve in my own IAC stack (outside of CloudFormationTemplate) and then add attachments to that.
As I'm seeking a solution my choices seem to be ...
after CFT is done ...
- by hand look up the lambda role in question
- add that role name to ci/cd code that will retrieve and change the inline policy
- -or- retrieve one of the existing policies and modify it with preformatted equivalent policy content + the stuff I want.
- run that code
I'd ask as a second related issue that your roles be exposed as outputs on the main CFT; that way my IAC code can just know what the role is without requiring a manual step... as it stands this basically means no one is going to want to do IAC around your CFTs because they require manual intervention.
same issue with ParallelClusterUIUserRole
my attempts to edit the existing roles' policies haven't gotten me what I wanted...
I posted more details here https://repost.aws/questions/QUVaQ71ON6SGiR8OoQp7lm5g/how-to-bring-customer-s3-bucket-to-pcluster3-8-0-fsx-lustre
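The post-deployment workaround listed in this post (look up the role, then attach a policy or change an inline one), written as an added sketch that is not code from the issue author or the ParallelCluster project. It assumes `iam` is a boto3-style IAM client; the function names, the bucket placeholder and the sample policy actions are hypothetical. An ambiguous role match is refused rather than guessed.

```python
import json
# Added example: `iam` is assumed to be a boto3 IAM client, e.g. boto3.client("iam").
MANAGED_POLICY_LIMIT = 10  # per-role managed policy attachment limit reported in this issue

def find_role(iam, name_fragment):
    """Return the single role whose name contains name_fragment (e.g. 'ClusterLambdaRole')."""
    matches, kwargs = [], {}
    while True:
        page = iam.list_roles(**kwargs)
        matches += [r["RoleName"] for r in page["Roles"] if name_fragment in r["RoleName"]]
        if not page.get("IsTruncated"):
            break
        kwargs = {"Marker": page["Marker"]}
    if len(matches) != 1:  # fail closed instead of granting access on the wrong role
        raise LookupError(f"expected one role matching {name_fragment!r}, found {matches}")
    return matches[0]

def count_attached(iam, role_name):
    """Count managed policies attached to role_name, following pagination."""
    total, kwargs = 0, {"RoleName": role_name}
    while True:
        page = iam.list_attached_role_policies(**kwargs)
        total += len(page["AttachedPolicies"])
        if not page.get("IsTruncated"):
            return total
        kwargs["Marker"] = page["Marker"]

def grant(iam, name_fragment, policy_arn, inline_name, inline_doc):
    """Attach policy_arn if a slot is free, otherwise write inline_doc as an inline policy."""
    role = find_role(iam, name_fragment)
    if count_attached(iam, role) < MANAGED_POLICY_LIMIT:
        iam.attach_role_policy(RoleName=role, PolicyArn=policy_arn)
        return role, "attached"
    iam.put_role_policy(RoleName=role, PolicyName=inline_name,
                        PolicyDocument=json.dumps(inline_doc))
    return role, "inline"

# Constructed sample: read-only access scoped to one placeholder bucket.
SAMPLE_DOC = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::EXAMPLE-BUCKET", "arn:aws:s3:::EXAMPLE-BUCKET/*"],
    }],
}
```

The fallback writes a role-scoped inline policy, so the grant stays limited to the one bucket named in the document instead of widening an existing shared policy.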
Hello,
Thank you for reporting the issue. For the issue related to ParallelClusterUIUserRole and ParallelClusterLambdaRole reaching the maximum managed policies of 10, I double-checked and confirmed the problem. We are tracking the issue internally.
For the question posted on repost, we will answer it separately.
Thanks,
Wanyi
Hi @alfred-stokespace, we addressed this issue as part of #6129, where we reduced the number of attached policies from 10 to 8.
In future patches we'll try to reduce again, incorporating some of them; anyway, the merged patch should unblock you and other users that need to attach custom policies.
The patch has already been released as part of ParallelCluster 3.9.0.