Full cluster configuration without any credentials or personal data.: mmm, nope.
Cluster name: REDACTED
Output of pcluster describe-cluster command.: Nope.
[Optional] Arn of the cluster CloudFormation main stack: Nope
Bug description and how to reproduce:
Try creating a cluster with both FSX/Lustre and an additional head node policy named NOT with a prefix of :policy/parallelcluster/
You will get something like this error message:
User: arn:aws:sts::REDACTED:assumed-role/REDACTEDPREFIXParallelClusterLambdaRole-94770a90/pcluster3-ui-cft-stack-3e3-ParallelClusterFunction-REDACTEDSUFFIX is not authorized to perform: iam:AttachRolePolicy on resource: role fsxaddtlperm-RoleHeadNode-REDACTED because no identity-based policy allows the iam:AttachRolePolicy action
How I hacked around this
Since the role mentioned has no additional spots for customer-generated policies (see #6114) and no parameters in the initial CloudFormation template to express what additional policy name patterns the Lambda roles should allow activities on, I hijacked one of the existing policies, DefaultParallelClusterIamAdminPolicy-xxxx, and added a line to an ArnLike block.
My Ask
I'd very much like to know ahead of time what the expectations are for success when I add a policy to the cluster head node config. The unspoken (perhaps?) rule is that the policy needs to start with parallelcluster/.
This limitation has been added for security reasons. If you want to add another policy, you can modify the template or create a new one with parallelcluster as prefix, as you already found.
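A pre-flight check for the restriction discussed in this thread, as an added example that is not part of the issue and is not ParallelCluster code: it reads the `ArnLike` patterns on `iam:PolicyARN` from a policy document and reports which requested head node policies could not be attached. The sample policy, the account ID, the pattern and the function names are constructed for illustration.

```python
import json
import re

# Constructed sample of a Lambda-role policy statement; the account ID and the
# ArnLike pattern are placeholders, not copied from the ParallelCluster template.
SAMPLE_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [{
  "Effect": "Allow",
  "Action": ["iam:AttachRolePolicy", "iam:DetachRolePolicy"],
  "Resource": "arn:aws:iam::111122223333:role/*",
  "Condition": {"ArnLike": {"iam:PolicyARN": [
    "arn:aws:iam::111122223333:policy/parallelcluster/*"]}}}]}
""")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def attach_patterns(policy_doc):
    """Collect ArnLike iam:PolicyARN patterns from Allow statements that list
    iam:AttachRolePolicy literally (wildcard actions are not expanded here)."""
    patterns = []
    for stmt in _as_list(policy_doc.get("Statement", [])):
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if stmt.get("Effect") != "Allow" or "iam:attachrolepolicy" not in actions:
            continue
        for key, value in stmt.get("Condition", {}).get("ArnLike", {}).items():
            if key.lower() == "iam:policyarn":  # condition keys are case-insensitive
                patterns.extend(_as_list(value))
    return patterns

def arn_like(pattern, arn):
    """IAM ArnLike: compare the six colon-delimited ARN parts one by one;
    '*' matches any run of characters and '?' exactly one."""
    p_parts, a_parts = pattern.split(":", 5), arn.split(":", 5)
    if len(p_parts) != 6 or len(a_parts) != 6:
        return False
    def part_ok(pat, val):
        rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pat)
        return re.fullmatch(rx, val, flags=re.DOTALL) is not None
    return all(part_ok(p, a) for p, a in zip(p_parts, a_parts))

def rejected_policies(requested_arns, policy_doc):
    """Return the requested policy ARNs that no pattern allows attaching."""
    patterns = attach_patterns(policy_doc)
    return [arn for arn in requested_arns if not any(arn_like(p, arn) for p in patterns)]

if __name__ == "__main__":
    requested = ["arn:aws:iam::111122223333:policy/parallelcluster/fsx-extra",
                 "arn:aws:iam::111122223333:policy/fsx-extra"]  # constructed ARNs
    print(rejected_policies(requested, SAMPLE_POLICY))
```

Run it against the policy document actually attached to the Lambda role before creating the cluster; an empty result means every requested policy ARN falls inside the allowed patterns.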