3

我正在遵循 StarCluster配置说明,我想创建一个新用户供 StarCluster 使用。我的问题是 StarCluster 运行所需的最小 IAM 权限集是什么?

是否需要该AmazonEC2FullAccess政策(如此所示)或是否存在较不全面的政策。

4

2 回答 2

0

I have used the following policy to allow an IAM user to start t2.micro instances (only)

 {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ExtraActionsNeededByStarCluster",
            "Effect": "Allow",
            "Action": [
                "ec2:CreateKeyPair",
                "ec2:CreateSecurityGroup",
                "ec2:DeleteSecurityGroup",
                "ec2:AuthorizeSecurityGroup",
                "ec2:CreateTags",
                "ec2:DeleteTags",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:TerminateInstances"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowDescribeForAllResources",
            "Effect": "Allow",
            "Action": [
                "ec2:Describe*"
            ],
            "Resource": "*"
        },
        {
            "Sid": "OnlyAllowCertainInstanceTypesToBeCreated",
            "Effect": "Allow",
            "Action": [
                "ec2:RunInstances"
            ],
            "Resource": [
                "*"
            ],
            "Condition": {
                "StringEquals": {
                    "ec2:InstanceType": [
                        "t2.micro"
                    ]
                }
            }
        },
        {
            "Sid": "AllowUserToStopStartDeleteInstances",
            "Effect": "Allow",
            "Action": [
                "ec2:TerminateInstances",
                "ec2:StopInstances",
                "ec2:StartInstances"
            ],
            "Resource": "arn:aws:ec2:*:account:instance/*"
        }
    ]
}
于 2017-04-12T09:15:11.533 回答
0

上述策略不允许您在实例上挂载 EBS 卷、使用置放群组或进行现场投标。我们似乎已经弄清楚了运行 starcluster vanillaimprovements 的 IAM 用户所需的全部权限,包括现场竞价和负载均衡器 addnodes 和 removenodes:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ExtraActionsNeededByStarCluster",
            "Effect": "Allow",
            "Action": [
                "ec2:CreateKeyPair",
                "ec2:CreateSecurityGroup",
                "ec2:DeleteSecurityGroup",
                "ec2:AuthorizeSecurityGroupEgress",
                "ec2:CreateTags",
                "ec2:DeleteTags",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:TerminateInstances",
                "ec2:CreatePlacementGroup",
                "ec2:DeletePlacementGroup",
                "ec2:RequestSpotInstances",
                "ec2:CancelSpotInstanceRequests"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowDescribeForAllResources",
            "Effect": "Allow",
            "Action": "ec2:Describe*",
            "Resource": "*"
        },
        {
            "Sid": "AllowInstancesToBeCreated",
            "Effect": "Allow",
            "Action": "ec2:RunInstances",
            "Resource": "*"
        },
        {
            "Sid": "AllowUserToStopStartDeleteInstances",
            "Effect": "Allow",
            "Action": [
                "ec2:TerminateInstances",
                "ec2:StopInstances",
                "ec2:StartInstances"
            ],
            "Resource": "arn:aws:ec2:*:account:instance/*"
        }
    ]
}
于 2017-06-30T16:38:26.060 回答