I am following the StarCluster configuration instructions and I would like to create a new user for StarCluster to use. My question is what are the minimal set of IAM permissions that StarCluster requires to operate?

Is the AmazonEC2FullAccess policy required (as indicated by this), or is there a less comprehensive policy?

Alex Rothberg

2 Answers

I have used the following policy to allow an IAM user to start t2.micro instances (only):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ExtraActionsNeededByStarCluster",
            "Effect": "Allow",
            "Action": [
                "ec2:CreateKeyPair",
                "ec2:CreateSecurityGroup",
                "ec2:DeleteSecurityGroup",
                "ec2:AuthorizeSecurityGroup",
                "ec2:CreateTags",
                "ec2:DeleteTags",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:TerminateInstances"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowDescribeForAllResources",
            "Effect": "Allow",
            "Action": [
                "ec2:Describe*"
            ],
            "Resource": "*"
        },
        {
            "Sid": "OnlyAllowCertainInstanceTypesToBeCreated",
            "Effect": "Allow",
            "Action": [
                "ec2:RunInstances"
            ],
            "Resource": [
                "*"
            ],
            "Condition": {
                "StringEquals": {
                    "ec2:InstanceType": [
                        "t2.micro"
                    ]
                }
            }
        },
        {
            "Sid": "AllowUserToStopStartDeleteInstances",
            "Effect": "Allow",
            "Action": [
                "ec2:TerminateInstances",
                "ec2:StopInstances",
                "ec2:StartInstances"
            ],
            "Resource": "arn:aws:ec2:*:account:instance/*"
        }
    ]
}
gmatht
The policy above won't let you mount EBS volumes on instances, or use placement groups, or make spot bids. We seem to have figured out the full set of permissions needed for an IAM user running starcluster vanillaimprovements, including spot bidding and load balancer addnodes and removenodes:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ExtraActionsNeededByStarCluster",
            "Effect": "Allow",
            "Action": [
                "ec2:CreateKeyPair",
                "ec2:CreateSecurityGroup",
                "ec2:DeleteSecurityGroup",
                "ec2:AuthorizeSecurityGroupEgress",
                "ec2:CreateTags",
                "ec2:DeleteTags",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:TerminateInstances",
                "ec2:CreatePlacementGroup",
                "ec2:DeletePlacementGroup",
                "ec2:RequestSpotInstances",
                "ec2:CancelSpotInstanceRequests"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowDescribeForAllResources",
            "Effect": "Allow",
            "Action": "ec2:Describe*",
            "Resource": "*"
        },
        {
            "Sid": "AllowInstancesToBeCreated",
            "Effect": "Allow",
            "Action": "ec2:RunInstances",
            "Resource": "*"
        },
        {
            "Sid": "AllowUserToStopStartDeleteInstances",
            "Effect": "Allow",
            "Action": [
                "ec2:TerminateInstances",
                "ec2:StopInstances",
                "ec2:StartInstances"
            ],
            "Resource": "arn:aws:ec2:*:account:instance/*"
        }
    ]
}
pocky
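Before handing either of these policies to a StarCluster user it is worth checking, offline, what they actually permit. The script below is an added example (not code from StarCluster or from either answer): a small evaluator that reproduces the parts of IAM policy evaluation these documents use (Allow/Deny, `*`/`?` wildcards, case-insensitive action matching, `StringEquals` conditions) and runs a few requests against the second answer's policy and the instance-type condition from the first. The instance ARN and the request context are constructed; everything else is copied from the thread. It shows two things the JSON alone does not: `"arn:aws:ec2:*:account:instance/*"` only matches once the literal `account` is replaced with a real account ID (until then Stop/Start never match, while Terminate still succeeds through the `"Resource": "*"` statement), and `ec2:AttachVolume` is not granted by either document.

```python
"""Offline evaluator for the Allow-only EC2 policies posted in this thread.

Added example; not code from StarCluster or from the answers' authors. It
implements only the IAM evaluation features these policies use: explicit Deny
beats Allow, '*' and '?' wildcards, case-insensitive actions, StringEquals.
"""
import fnmatch


def _listify(value):
    # IAM accepts a bare string or a list for Action, Resource and condition values.
    return [value] if isinstance(value, str) else list(value)


def _matches(pattern, value, case_insensitive):
    if case_insensitive:
        pattern, value = pattern.lower(), value.lower()
    # IAM '*' spans ':' and '/' just like fnmatch's does.
    return fnmatch.fnmatchcase(value, pattern)


def _condition_holds(condition, context):
    # Only StringEquals is implemented: every key must be present in the
    # request context and equal one of the listed values (case-sensitive).
    for operator, clauses in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(operator)
        for key, allowed in clauses.items():
            if context.get(key) not in _listify(allowed):
                return False
    return True


def evaluate(policy, action, resource, context=None):
    """Return ('Allow' | 'Deny' | 'ImplicitDeny', [Sids of matching statements])."""
    context = context or {}
    matched, decision = [], "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not any(_matches(p, action, True) for p in _listify(stmt["Action"])):
            continue
        if not any(_matches(p, resource, False) for p in _listify(stmt["Resource"])):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        matched.append(stmt.get("Sid", "<no Sid>"))
        if stmt["Effect"] == "Deny":
            decision = "Deny"  # an explicit deny always wins
        elif decision != "Deny":
            decision = "Allow"
    return decision, matched


def actions_listed(policy):
    """Set of action patterns a policy names; handy for diffing two candidates."""
    return {a for s in policy["Statement"] for a in _listify(s["Action"])}


# Second answer's policy, copied from the page. The literal "account" is kept
# exactly as posted so the example can show what that placeholder does.
SPOT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ExtraActionsNeededByStarCluster", "Effect": "Allow",
         "Action": ["ec2:CreateKeyPair", "ec2:CreateSecurityGroup",
                    "ec2:DeleteSecurityGroup", "ec2:AuthorizeSecurityGroupEgress",
                    "ec2:CreateTags", "ec2:DeleteTags",
                    "ec2:AuthorizeSecurityGroupIngress", "ec2:TerminateInstances",
                    "ec2:CreatePlacementGroup", "ec2:DeletePlacementGroup",
                    "ec2:RequestSpotInstances", "ec2:CancelSpotInstanceRequests"],
         "Resource": "*"},
        {"Sid": "AllowDescribeForAllResources", "Effect": "Allow",
         "Action": "ec2:Describe*", "Resource": "*"},
        {"Sid": "AllowInstancesToBeCreated", "Effect": "Allow",
         "Action": "ec2:RunInstances", "Resource": "*"},
        {"Sid": "AllowUserToStopStartDeleteInstances", "Effect": "Allow",
         "Action": ["ec2:TerminateInstances", "ec2:StopInstances",
                    "ec2:StartInstances"],
         "Resource": "arn:aws:ec2:*:account:instance/*"},
    ],
}

# The instance-type restriction from the first answer, as a one-statement policy.
T2_MICRO_ONLY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "OnlyAllowCertainInstanceTypesToBeCreated", "Effect": "Allow",
        "Action": ["ec2:RunInstances"], "Resource": ["*"],
        "Condition": {"StringEquals": {"ec2:InstanceType": ["t2.micro"]}},
    }],
}

# Constructed request resource: a made-up account ID and instance ID.
INSTANCE_ARN = "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef0"

if __name__ == "__main__":
    for act, res in [("ec2:RequestSpotInstances", "*"),
                     ("ec2:DescribeVolumes", "*"),
                     ("ec2:AttachVolume", "*"),            # named by neither answer
                     ("ec2:StopInstances", INSTANCE_ARN),  # 'account' never matches
                     ("ec2:TerminateInstances", INSTANCE_ARN)]:
        print(f"{act:28} {res:60} {evaluate(SPOT_POLICY, act, res)}")
    for itype in ("t2.micro", "m4.large"):
        ctx = {"ec2:InstanceType": itype}
        print(itype, evaluate(T2_MICRO_ONLY, "ec2:RunInstances", "*", ctx))
    print(sorted(actions_listed(SPOT_POLICY)))
```

Run it as-is to see the decisions; to vet a candidate policy of your own, load it with `json.load` in place of `SPOT_POLICY` and add the actions StarCluster logs when it fails. The evaluator deliberately supports nothing beyond what these two documents use, so it raises `NotImplementedError` on any other condition operator rather than silently returning a wrong answer.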