Clever Geek Handbook

IAM Permissions Required by StarCluster

I am following the instructions for setting up StarCluster and I would like to create a new user to use StarCluster. My question is, what is the minimum set of IAM permissions that StarCluster requires to run?

Whether a policy is required AmazonEC2FullAccess

(as indicated by this ) or is there a less comprehensive policy.

+3


source to share


2 answers


I used the following policy to allow the IAM user to run t2.micro instances (only)



 {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ExtraActionsNeededByStarCluster",
            "Effect": "Allow",
            "Action": [
                "ec2:CreateKeyPair",
                "ec2:CreateSecurityGroup",
                "ec2:DeleteSecurityGroup",
                "ec2:AuthorizeSecurityGroup",
                "ec2:CreateTags",
                "ec2:DeleteTags",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:TerminateInstances"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowDescribeForAllResources",
            "Effect": "Allow",
            "Action": [
                "ec2:Describe*"
            ],
            "Resource": "*"
        },
        {
            "Sid": "OnlyAllowCertainInstanceTypesToBeCreated",
            "Effect": "Allow",
            "Action": [
                "ec2:RunInstances"
            ],
            "Resource": [
                "*"
            ],
            "Condition": {
                "StringEquals": {
                    "ec2:InstanceType": [
                        "t2.micro"
                    ]
                }
            }
        },
        {
            "Sid": "AllowUserToStopStartDeleteInstances",
            "Effect": "Allow",
            "Action": [
                "ec2:TerminateInstances",
                "ec2:StopInstances",
                "ec2:StartInstances"
            ],
            "Resource": "arn:aws:ec2:*:account:instance/*"
        }
    ]
}
0


source


The above policy will not allow you to mount EBS volumes in instances or use placement groups or place bids. We seem to have figured out the full set of permissions required for the IAM user running the vanillaim starcluster functionality, including spot trading and load balancing and deletion addons:



{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ExtraActionsNeededByStarCluster",
            "Effect": "Allow",
            "Action": [
                "ec2:CreateKeyPair",
                "ec2:CreateSecurityGroup",
                "ec2:DeleteSecurityGroup",
                "ec2:AuthorizeSecurityGroupEgress",
                "ec2:CreateTags",
                "ec2:DeleteTags",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:TerminateInstances",
                "ec2:CreatePlacementGroup",
                "ec2:DeletePlacementGroup",
                "ec2:RequestSpotInstances",
                "ec2:CancelSpotInstanceRequests"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowDescribeForAllResources",
            "Effect": "Allow",
            "Action": "ec2:Describe*",
            "Resource": "*"
        },
        {
            "Sid": "AllowInstancesToBeCreated",
            "Effect": "Allow",
            "Action": "ec2:RunInstances",
            "Resource": "*"
        },
        {
            "Sid": "AllowUserToStopStartDeleteInstances",
            "Effect": "Allow",
            "Action": [
                "ec2:TerminateInstances",
                "ec2:StopInstances",
                "ec2:StartInstances"
            ],
            "Resource": "arn:aws:ec2:*:account:instance/*"
        }
    ]
}
0


source






More articles:


All Articles