Cluster Policies, Users, and Roles
Policies are difficult, but they are important, and for uploads to S3 they are necessary. Here is what I had set up so that I could use the aws-pmix-scale-testing scripts:
Find the "IAM" service through the search bar or the Services drop-down tab and open it. On the left side of the page click "Users", then "Add user" (look up a tutorial, or the defaults are fine) and create a user. If you are prompted to create a group, create an "admin" group and attach the "AdministratorAccess" policy to it. Then add your user to the group.
Go to "Groups" on the left side of the page. If there is no group already, create an "admin" group and add "AdministratorAccess" to it. If you have not already done so, add your user to the group (go to Users, click on your user, find the Groups tab and choose "Add users to groups").
Click the "Policies" tab on the left-hand side of the page. Here you will create one policy for each of the bolded code blocks below. The general process is: click "Create policy"; under the JSON tab, delete the default code and paste in the code below; fill in the sections that need your own information (they should be obvious, e.g. `<bucketName>`); then give the policy the name shown above its block and click "Create policy".
**cfnClusterS3ReadWritePolicy**

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "s3:*"
            ],
            "Resource": [
                "arn:aws:s3:::<bucketName>"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "s3:*"
            ],
            "Resource": [
                "arn:aws:s3:::<bucketName>"
            ],
            "Effect": "Allow"
        }
    ]
}
```
**AWSCloudFormationDeleteStack**

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "cloudformation:DeleteStack"
            ],
            "Resource": "*"
        }
    ]
}
```
**cfnClusterPolicy** (I had to indent every line by hand, but I don't believe I made a mistake)

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "ec2:AttachVolume",
                "ec2:DescribeInstanceAttribute",
                "ec2:DescribeInstanceStatus",
                "ec2:DescribeInstances"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Allow",
            "Sid": "EC2"
        },
        {
            "Action": [
                "dynamodb:ListTables"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Allow",
            "Sid": "DynamoDBList"
        },
        {
            "Action": [
                "sqs:SendMessage",
                "sqs:ReceiveMessage",
                "sqs:ChangeMessageVisibility",
                "sqs:DeleteMessage",
                "sqs:GetQueueUrl"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Allow",
            "Sid": "SQSQueue"
        },
        {
            "Action": [
                "autoscaling:DescribeAutoScalingGroups",
                "autoscaling:TerminateInstanceInAutoScalingGroup",
                "autoscaling:SetDesiredCapacity"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Allow",
            "Sid": "Autoscaling"
        },
        {
            "Action": [
                "cloudwatch:PutMetricData"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Allow",
            "Sid": "CloudWatch"
        },
        {
            "Action": [
                "dynamodb:PutItem",
                "dynamodb:Query",
                "dynamodb:GetItem",
                "dynamodb:DeleteItem",
                "dynamodb:DescribeTable"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Allow",
            "Sid": "DynamoDBTable"
        },
        {
            "Action": [
                "sqs:ListQueues"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Allow",
            "Sid": "SQSList"
        },
        {
            "Action": [
                "logs:*"
            ],
            "Resource": [
                "arn:aws:logs:*:*:*"
            ],
            "Effect": "Allow",
            "Sid": "CloudWatchLogs"
        }
    ]
}
```
Next, on the left side, click the "Roles" option, then "Create role". The service you will choose for the role is "EC2". Click next and go to permissions. You will now attach six policies using the search bar. The first three are AWS managed policies:

- AmazonSQSFullAccess
- AmazonS3FullAccess
- AmazonDynamoDBFullAccess

You will also need to add the three policies you just created:

- cfnClusterS3ReadWritePolicy
- AWSCloudFormationDeleteStack
- cfnClusterPolicy

Once finished, give the role the name: cfnClusterRole
The most important part: in the aws-pmix-scale-testing directory from which you intend to launch the cluster, edit the "config" file and, under the "[cluster default]" section, you NEED to make sure the line "ec2_iam_role=cfnClusterRole" is included. The cluster creation references this role and uses the policies attached to it. (This step will be completed later, since there is a chance you have not cloned the repo yet and so there may be no config file.)
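An offline review of the policy documents above, added here as an example (it is not part of the aws-pmix-scale-testing repo and needs no AWS credentials). It flags destructive or service-wide actions granted on `Resource: "*"`, and checks whether an S3 policy names both the bucket ARN and the object ARN (`<bucketName>/*`), since object-level actions such as `s3:PutObject` are matched against the object ARN. The embedded policies are the page's cfnClusterS3ReadWritePolicy and AWSCloudFormationDeleteStack with a constructed bucket name; the `DESTRUCTIVE` action list is an assumption chosen for this example.

```python
import json

# Actions that change or destroy resources. Granting any of these on
# Resource "*" deserves a second look. (Assumed list for this example.)
DESTRUCTIVE = {
    "cloudformation:DeleteStack",
    "autoscaling:TerminateInstanceInAutoScalingGroup",
    "ec2:TerminateInstances",
}

# Constructed sample documents: the page's two policies, with <bucketName>
# replaced by a made-up bucket name so the script runs stand-alone.
S3_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Action": ["s3:*"], "Resource": ["arn:aws:s3:::example-pmix-bucket"], "Effect": "Allow"},
        {"Action": ["s3:*"], "Resource": ["arn:aws:s3:::example-pmix-bucket"], "Effect": "Allow"},
    ],
})
DELETE_STACK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["cloudformation:DeleteStack"], "Resource": "*"}],
})


def _as_list(value):
    """IAM allows a single string or a list for Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def review_policy(policy_json):
    """Return human-readable findings for broad grants in one policy document."""
    findings = []
    for i, stmt in enumerate(json.loads(policy_json)["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        resources = _as_list(stmt["Resource"])
        for action in _as_list(stmt["Action"]):
            if "*" in resources and action.endswith(":*"):
                findings.append(f"statement {i}: service-wide {action} on Resource *")
            if "*" in resources and action in DESTRUCTIVE:
                findings.append(f"statement {i}: destructive {action} on Resource *")
    return findings


def s3_arn_coverage(policy_json, bucket):
    """Report whether the policy names the bucket ARN and the object ARN (bucket/*)."""
    resources = set()
    for stmt in json.loads(policy_json)["Statement"]:
        resources.update(_as_list(stmt["Resource"]))
    return {"bucket": f"arn:aws:s3:::{bucket}" in resources,
            "objects": f"arn:aws:s3:::{bucket}/*" in resources}
```

Run against the page's S3 policy, `s3_arn_coverage` reports the object ARN as missing, which is the first thing to check if uploads from the cluster are denied.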
When using AWS and CfnCluster, you will need security credentials. In the IAM console, select "Users" on the right side and then select the user you would like to use. Select the "Security Credentials" tab. Under the "Access Keys" section, select "Create access key". It will give you the option to download a CSV file. Download it and keep it safe; you will need it later.
Select Services and find the "EC2" console. Under "Network and Security" on the left side you will find the "Key Pairs" tab; go there. Under this tab, select "Create Key Pair", name it, create it, then download it and keep it safe. You will need it later.
Updated 6-29-2018