aws / aws-parallelcluster

AWS ParallelCluster is an AWS supported Open Source cluster management tool to deploy and manage HPC clusters in the AWS cloud.

Home Page: https://github.com/aws/aws-parallelcluster

FSX and HeadNode:Iam:AdditionalIamPolicies result in failed cluster creation due to policy name restrictions

alfred-stokespace opened this issue · comments

Required Info:

  • AWS ParallelCluster version: 3.8.0
  • Full cluster configuration without any credentials or personal data: mmm, nope.
  • Cluster name: REDACTED
  • Output of pcluster describe-cluster command: Nope.
  • [Optional] Arn of the cluster CloudFormation main stack: Nope

Bug description and how to reproduce:
Try creating a cluster with both FSX/Lustre and an additional head node policy whose name does NOT start with the prefix :policy/parallelcluster/.

You will get an error message like this:

User: arn:aws:sts::REDACTED:assumed-role/REDACTEDPREFIXParallelClusterLambdaRole-94770a90/pcluster3-ui-cft-stack-3e3-ParallelClusterFunction-REDACTEDSUFFIX is not authorized to perform: iam:AttachRolePolicy on resource: role fsxaddtlperm-RoleHeadNode-REDACTED because no identity-based policy allows the iam:AttachRolePolicy action

How I hacked around this
Since the role mentioned has no additional spots for customer-generated policies (see #6114), and there are no parameters in the initial CloudFormation template to express what additional policy name patterns the lambda roles should allow activities on, I hijacked one of the existing policies, DefaultParallelClusterIamAdminPolicy-xxxx, and added a line to an ArnLike block:

        {
            "Condition": {
                "ArnLike": {
                    "iam:PolicyARN": [
                        ... HERE!!! ...
                    ]
                }
            },
            "Action": [
                "iam:AttachRolePolicy",
                "iam:DetachRolePolicy"
            ],
            "Resource": "arn:aws-us-gov:iam::REDACTED:role/parallelcluster/*",
            "Effect": "Allow",
            "Sid": "IamPolicy"
        }

My Ask
I'd very much like to know ahead of time what the expectations are for success when I add a policy to the cluster head node config. The unspoken (perhaps?) rule is that the policy needs to start with parallelcluster/.
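As an added example (not code from the issue or from the ParallelCluster project), the following pre-flight check reproduces the IAM ArnLike evaluation that the DefaultParallelClusterIamAdminPolicy statement above performs on `iam:PolicyARN`, so you can tell before running `pcluster create-cluster` which HeadNode AdditionalIamPolicies entries will be refused with the `iam:AttachRolePolicy` error. The allow-list pattern and the sample policy ARNs are constructed from the REDACTED values quoted in the issue and are assumptions, not real identifiers.

```python
import re

# Constructed allow-list modelled on the ArnLike block quoted in the issue:
# the Lambda role may only attach policies whose ARN falls under parallelcluster/.
DEFAULT_ALLOWED_POLICY_ARNS = [
    "arn:aws-us-gov:iam::REDACTED:policy/parallelcluster/*",
]


def _segment_matches(pattern: str, value: str) -> bool:
    """ArnLike wildcard match for one colon-delimited ARN component:
    '*' matches any run of characters (including none), '?' exactly one."""
    regex = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern
    )
    return re.fullmatch(regex, value) is not None


def arn_like(pattern: str, arn: str) -> bool:
    """IAM ArnLike semantics: the six colon-delimited components are compared
    separately and case-sensitively, so a wildcard never spans a ':' boundary
    (a pattern for partition 'aws' does not match an 'aws-us-gov' ARN)."""
    p_parts, a_parts = pattern.split(":", 5), arn.split(":", 5)
    if len(p_parts) != 6 or len(a_parts) != 6:
        return False
    return all(_segment_matches(p, a) for p, a in zip(p_parts, a_parts))


def preflight_additional_policies(policy_arns, allowed_patterns=DEFAULT_ALLOWED_POLICY_ARNS):
    """Return the AdditionalIamPolicies ARNs that no ArnLike pattern allows,
    i.e. the ones for which iam:AttachRolePolicy will be denied at creation."""
    return [
        arn for arn in policy_arns
        if not any(arn_like(pattern, arn) for pattern in allowed_patterns)
    ]


if __name__ == "__main__":
    # Constructed sample HeadNode:Iam:AdditionalIamPolicies entries.
    sample = [
        "arn:aws-us-gov:iam::REDACTED:policy/parallelcluster/fsx-lustre-access",
        "arn:aws-us-gov:iam::REDACTED:policy/fsxaddtlperm",
    ]
    for rejected in preflight_additional_policies(sample):
        print(f"will fail iam:AttachRolePolicy: {rejected}")
```

Entries reported by the check need either a rename under the parallelcluster/ path or an extra entry in the ArnLike list, which is the workaround the issue describes.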

Hi @alfred-stokespace, you found one of the known limitations.

The workaround you are using is the same one that is documented in the official documentation.

This limitation has been added for security reasons; if you want to add another policy you can modify the template or create a new one with parallelcluster as a prefix, as you already found.

Enrico