From 55bf2decf8b276dd0adb1bc8b120e4bdcc4b8377 Mon Sep 17 00:00:00 2001
From: Giacomo Marciani
Date: Tue, 25 Feb 2025 14:23:53 -0500
Subject: [PATCH] [Permissions] Add new parameter 'ParallelClusterFunctionAdditionalPolicies' to the ParallelCluster API stack to add custom permissions for the API Lambda role, on top of the default ones.

---
 CHANGELOG.md | 1 +
 api/infrastructure/deploy-api.sh | 11 +++++++++--
 api/infrastructure/parallelcluster-api.yaml | 9 +++++++++
 .../policies/parallelcluster-policies.yaml | 13 +++++++++++++
 4 files changed, 32 insertions(+), 2 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 62f239e952..99c063e0b3 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -20,6 +20,7 @@ CHANGELOG
 - Add new build image configuration section `Build/Installation` to turn on/off Nvidia software and Lustre client installations. By default, Nvidia software, although included in official ParallelCluster AMIs, is not installed by `build-image`. By default, Lustre client is installed.
 - The CLI commands `export-cluster-logs` and `export-image-logs` can now by default export the logs to the default ParallelCluster bucket or to the CustomS3Bucket if specified in the config.
 - Extend Amazon DCV support to Ubuntu2204 on ARM instances.
+- Add new parameter 'ParallelClusterFunctionAdditionalPolicies' to the ParallelCluster API stack to add custom permissions for the API Lambda role, on top of the default ones.
 
 **CHANGES**
 - Upgrade NVIDIA driver to version 550.127.08 (from 550.90.07). This addresses [a known issue from Nivdia](https://docs.nvidia.com/datacenter/tesla/tesla-release-notes-550-90-07/index.html#known-issues).
diff --git a/api/infrastructure/deploy-api.sh b/api/infrastructure/deploy-api.sh
index bfc4f0c9f0..c0eec60241 100755
--- a/api/infrastructure/deploy-api.sh
+++ b/api/infrastructure/deploy-api.sh
@@ -7,7 +7,7 @@
 # OR CONDITIONS OF ANY KIND, express or implied. See the License for the specific language governing permissions and
 # limitations under the License.
 
-usage="$(basename "$0") [-h] --s3-bucket bucket-name --region aws-region [--stack-name name] [--enable-iam-admin true|false] [--create-api-user true|false] [--lambda-layer abs_path]"
+usage="$(basename "$0") [-h] --s3-bucket bucket-name --region aws-region [--stack-name name] [--enable-iam-admin true|false] [--create-api-user true|false] [--lambda-layer abs_path] [--additional-iam-policies policy_arn]"
 
 SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )"
 
@@ -16,6 +16,7 @@ STACK_NAME="ParallelClusterApi"
 ENABLE_IAM_ADMIN="true"
 CREATE_API_USER="false"
 LAMBDA_LAYER=
+PC_FUNCTION_ADDITIONAL_IAM_POLICIES=
 while [[ $# -gt 0 ]]
 do
 key="$1"
@@ -65,6 +66,11 @@ case $key in
 shift # past argument
 shift # past value
 ;;
+ --additional-iam-policies)
+ export PC_FUNCTION_ADDITIONAL_IAM_POLICIES=$2
+ shift # past argument
+ shift # past value
+ ;;
 *) # unknown option
 echo "$usage" >&2
 exit 1
@@ -104,5 +110,6 @@ aws cloudformation deploy \
 --parameter-overrides ApiDefinitionS3Uri="${S3_UPLOAD_URI}" \
 PoliciesTemplateUri="${POLICIES_TEMPLATE_URI}" \
 EnableIamAdminAccess="${ENABLE_IAM_ADMIN}" CreateApiUserRole="${CREATE_API_USER}" \
+ ParallelClusterFunctionAdditionalPolicies="${PC_FUNCTION_ADDITIONAL_IAM_POLICIES}" \
 "$([[ -n "${LAMBDA_LAYER}" ]] && echo "CustomBucket=${S3_BUCKET}" || echo " ")" \
- --capabilities CAPABILITY_NAMED_IAM
+ --capabilities CAPABILITY_NAMED_IAM
\ No newline at end of file
diff --git a/api/infrastructure/parallelcluster-api.yaml b/api/infrastructure/parallelcluster-api.yaml
index bec9c41d80..58514293fc 100644
--- a/api/infrastructure/parallelcluster-api.yaml
+++ b/api/infrastructure/parallelcluster-api.yaml
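Review bot: In the new `--additional-iam-policies)` case, `export PC_FUNCTION_ADDITIONAL_IAM_POLICIES=$2` leaves `$2` unquoted and exports a variable that, as far as this patch shows, is only read by the `aws cloudformation deploy` call later in the same script; unless the sibling cases outside the hunk also export, `PC_FUNCTION_ADDITIONAL_IAM_POLICIES="$2"` matches the quoted style of the `usage` assignment. The flag and variable names are plural while the usage string advertises a single `policy_arn` and the template's `AllowedPattern` accepts exactly one ARN, so a user who passes a comma-separated list only learns of the mistake when CloudFormation rejects the stack; a singular name such as `--additional-iam-policy`, or a one-line check here that the value contains no comma, would surface it before the deploy call. The enclosing `case $key in` statement starts and ends outside the hunk.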
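Review bot: The final `--capabilities CAPABILITY_NAMED_IAM` line is removed and re-added unchanged, and the `\ No newline at end of file` marker shows the only difference is the trailing newline the new version drops, so the hunk records a spurious change; restoring the newline reduces the hunk to the one added override `ParallelClusterFunctionAdditionalPolicies="${PC_FUNCTION_ADDITIONAL_IAM_POLICIES}" \`. Passing that override unconditionally works only because the template declares `Default: ''` and an `AllowedPattern` that admits the empty string, which is worth a comment on the new line, e.g. `# empty unless --additional-iam-policies was given; the template treats '' as "no extra policy"`. The `aws cloudformation deploy` command starts before this hunk.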
@@ -14,6 +14,14 @@ Parameters:
 Type: String
 Default: ''
 
+ ParallelClusterFunctionAdditionalPolicies:
+ Description: |
+ (OPTIONAL) ARN of the additional IAM policy to be attached to the default execution role for the ParallelCluster Lambda function.
+ Only one policy can be specified.
+ Type: String
+ Default: ''
+ AllowedPattern: "^(arn:.*:iam::.*:policy\\/([a-zA-Z0-9_-]+))|()$"
+
 ApiDefinitionS3Uri:
 Description: S3 URI of the ParallelCluster API spec
 Type: String
@@ -186,6 +194,7 @@ Resources:
 PermissionsBoundaryPolicy: !Ref PermissionsBoundaryPolicy
 IAMRoleAndPolicyPrefix: !Ref IAMRoleAndPolicyPrefix
 EnableBatchAccess: true
+ AdditionalPolicies: !Ref ParallelClusterFunctionAdditionalPolicies
 
 PclusterLayer:
 Type: AWS::Lambda::LayerVersion
diff --git a/cloudformation/policies/parallelcluster-policies.yaml b/cloudformation/policies/parallelcluster-policies.yaml
index 1153c3b5b5..90f44fd335 100644
--- a/cloudformation/policies/parallelcluster-policies.yaml
+++ b/cloudformation/policies/parallelcluster-policies.yaml
@@ -62,6 +62,14 @@ Parameters:
 Default: ''
 MaxLength: 10
 
+ AdditionalPolicies:
+ Description: |
+ (OPTIONAL) ARN of the additional IAM policy to be attached to the default execution role for the ParallelCluster Lambda function.
+ Only one policy can be specified.
+ Type: String
+ Default: ''
+ AllowedPattern: "^(arn:.*:iam::.*:policy\\/([a-zA-Z0-9_-]+))|()$"
+
 Outputs:
 ParallelClusterLogRetrievalPolicy:
 Value: !Ref ParallelClusterLogRetrievalPolicy
@@ -97,6 +105,7 @@ Conditions:
 EnableFSxS3AccessCondition: !Equals [!Ref EnableFSxS3Access, true]
 EnableBatchAccessCondition: !Equals [!Ref EnableBatchAccess, true]
 EnablePermissionsBoundary: !Not [!Equals [!Ref PermissionsBoundaryPolicy, '']]
+ UseAdditionalPolicies: !Not [!Equals [!Ref AdditionalPolicies, '']]
 UseAllBucketsForFSxS3: !Equals [!Ref FsxS3Buckets, "*"]
 EnableIamPolicy: !Or
 - !Equals [!Ref EnableIamAdminAccess, true]
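Review bot: The `AllowedPattern` on `ParallelClusterFunctionAdditionalPolicies` rejects ARNs that IAM itself issues: `policy\/([a-zA-Z0-9_-]+)` excludes policies created under a path (`policy/some/path/Name`) and names containing `+=,.@`, while `.*` for the partition and account fields accepts anything; the identical pattern is duplicated on `AdditionalPolicies` in `cloudformation/policies/parallelcluster-policies.yaml` in this same patch, so both copies need the same fix. The `|()$` alternation also only works because CloudFormation matches the pattern against the entire value; an optional group states that intent directly, e.g. `AllowedPattern: "^(arn:[^:]+:iam::([0-9]{12}|aws):policy\\/[\\w+=,.@\\/-]+)?$"` (constructed; confirm the partition and account forms you need to support). The parameter name is plural while its description says only one policy can be specified, so the description should state that a comma-separated list is rejected at stack validation, and, since this policy widens the API Lambda role's permissions with whatever the operator supplies, that the role's permissions boundary still applies when one is configured (inferred from the `EnablePermissionsBoundary` condition visible in the policies template, not from this role's definition).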
@@ -202,6 +211,10 @@ Resources:
 - !Ref AWS::NoValue
 - !Ref ParallelClusterImageManagedPolicy
 - !Ref ParallelClusterLogRetrievalPolicy
+ - !If
+ - UseAdditionalPolicies
+ - !Ref AdditionalPolicies
+ - !Ref AWS::NoValue
 
 ### CLUSTER ACTIONS POLICIES
 
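Review bot: The new `!If` entry appends the operator-supplied ARN to what appears to be the role's managed-policy list (the resource header is outside the hunk), and nothing in the template constrains what that policy grants: the only guard is the ARN-shape `AllowedPattern`, and because a customer managed policy from another account cannot be attached, a foreign-account ARN that passes the pattern fails only at stack deploy time. A comment above the new entry would make the trust decision explicit for the next reader, e.g. `# Operator-supplied managed policy (AdditionalPolicies); attached as-is, scoped only by the role's permissions boundary when one is configured`. If this is the role that receives `PermissionsBoundaryPolicy` under the `EnablePermissionsBoundary` condition, that fact belongs in the `AdditionalPolicies` parameter description as well.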