FSX and HeadNode:Iam:AdditionalIamPolicies result in failed cluster creation due to policy name restrictions
alfred-stokespace opened this issue
Required Info:
- AWS ParallelCluster version: 3.8.0
- Full cluster configuration without any credentials or personal data: mmm, nope.
- Cluster name: REDACTED
- Output of `pcluster describe-cluster` command: Nope.
- [Optional] Arn of the cluster CloudFormation main stack: Nope
Bug description and how to reproduce:
Try creating a cluster with both FSX/Lustre and an additional head node policy whose name does NOT start with the prefix :policy/parallelcluster/. You will get something like this error message:

```text
User: arn:aws:sts::REDACTED:assumed-role/REDACTEDPREFIXParallelClusterLambdaRole-94770a90/pcluster3-ui-cft-stack-3e3-ParallelClusterFunction-REDACTEDSUFFIX is not authorized to perform: iam:AttachRolePolicy on resource: role fsxaddtlperm-RoleHeadNode-REDACTED because no identity-based policy allows the iam:AttachRolePolicy action
```
How I hacked around this
Since the role mentioned has no additional spots for customer generated policies (see #6114) and no parameters in the initial CloudFormation template to express what additional policy name patterns the lambda roles should allow activities on, I hijacked one of the existing policies, DefaultParallelClusterIamAdminPolicy-xxxx, and added a line to an ArnLike block:

```json
{
    "Condition": {
        "ArnLike": {
            "iam:PolicyARN": [
                ... HERE!!! ...
            ]
        }
    },
    "Action": [
        "iam:AttachRolePolicy",
        "iam:DetachRolePolicy"
    ],
    "Resource": "arn:aws-us-gov:iam::REDACTED:role/parallelcluster/*",
    "Effect": "Allow",
    "Sid": "IamPolicy"
}
```
My Ask
I'd very much like to know ahead of time what the expectations are for success when I add a policy to the cluster head node config. The unspoken (perhaps?) rule is that the policy needs to start with parallelcluster/.
Hi @alfred-stokespace, you found one of the known limitations.
The workaround you are using is the same that is documented in the official documentation.
This limitation has been added for security reasons. If you want to add another policy, you can modify the template or create a new one with parallelcluster as prefix, as you already found.
Enrico
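As an added pre-flight check (example code written for this thread, not part of ParallelCluster or either post), the script below validates every HeadNode.Iam.AdditionalIamPolicies ARN in a parsed cluster config against the parallelcluster/ policy-name prefix rule discussed above, using IAM's ArnLike per-component matching so a rejected ARN is caught before cluster creation fails. The wildcarded partition/account pattern and the sample config are assumptions constructed for the example.

```python
"""Pre-flight check (example, not ParallelCluster code): flag every
HeadNode.Iam.AdditionalIamPolicies ARN that would not match the
'policy/parallelcluster/' prefix allowed by the IAM admin policy's
ArnLike condition described in the issue."""
import fnmatch

# Assumed pattern mirroring the issue: only policies whose name starts with
# parallelcluster/ may be attached. Partition and account are wildcarded
# here so the check works in aws and aws-us-gov alike (assumption).
ALLOWED_POLICY_ARN_PATTERN = "arn:*:iam::*:policy/parallelcluster/*"

def arn_like(pattern: str, arn: str) -> bool:
    """IAM ArnLike semantics: the six colon-separated ARN components are
    matched one by one, so a '*' never crosses a component boundary."""
    pat_parts = pattern.split(":", 5)
    arn_parts = arn.split(":", 5)
    if len(pat_parts) != 6 or len(arn_parts) != 6:
        return False
    return all(fnmatch.fnmatchcase(a, p) for a, p in zip(arn_parts, pat_parts))

def additional_policy_arns(config: dict) -> list:
    """Pull the Policy ARNs from HeadNode.Iam.AdditionalIamPolicies."""
    entries = config.get("HeadNode", {}).get("Iam", {}).get("AdditionalIamPolicies", [])
    return [e["Policy"] for e in entries if "Policy" in e]

def rejected_policies(config: dict, pattern: str = ALLOWED_POLICY_ARN_PATTERN) -> list:
    """ARNs that iam:AttachRolePolicy would refuse under the ArnLike condition."""
    return [arn for arn in additional_policy_arns(config) if not arn_like(pattern, arn)]

# Constructed sample config (YAML already parsed into a dict) mirroring the
# report: FSx Lustre plus one compliant policy and one lacking the prefix.
SAMPLE_CONFIG = {
    "HeadNode": {
        "Iam": {
            "AdditionalIamPolicies": [
                {"Policy": "arn:aws-us-gov:iam::123456789012:policy/parallelcluster/fsx-extra"},
                {"Policy": "arn:aws-us-gov:iam::123456789012:policy/fsx-extra"},
            ]
        }
    },
    "SharedStorage": [{"StorageType": "FsxLustre", "Name": "fsx"}],
}

if __name__ == "__main__":
    for arn in rejected_policies(SAMPLE_CONFIG):
        print(f"will be refused by the ArnLike condition: {arn}")
```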