我正在按照StarCluster的配置说明进行操作,我想创建一个新用户供StarCluster使用。我的问题是,StarCluster运行所需的最小IAM权限集是多少?
是否需要AmazonEC2FullAccess策略(如本文所示)或是否有不太全面的策略。
我使用以下策略来允许 IAM 用户启动 t2.micro 实例(仅限)
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ExtraActionsNeededByStarCluster",
"Effect": "Allow",
"Action": [
"ec2:CreateKeyPair",
"ec2:CreateSecurityGroup",
"ec2:DeleteSecurityGroup",
"ec2:AuthorizeSecurityGroup",
"ec2:CreateTags",
"ec2:DeleteTags",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:TerminateInstances"
],
"Resource": "*"
},
{
"Sid": "AllowDescribeForAllResources",
"Effect": "Allow",
"Action": [
"ec2:Describe*"
],
"Resource": "*"
},
{
"Sid": "OnlyAllowCertainInstanceTypesToBeCreated",
"Effect": "Allow",
"Action": [
"ec2:RunInstances"
],
"Resource": [
"*"
],
"Condition": {
"StringEquals": {
"ec2:InstanceType": [
"t2.micro"
]
}
}
},
{
"Sid": "AllowUserToStopStartDeleteInstances",
"Effect": "Allow",
"Action": [
"ec2:TerminateInstances",
"ec2:StopInstances",
"ec2:StartInstances"
],
"Resource": "arn:aws:ec2:*:account:instance/*"
}
]
}
上述政策不允许您在实例上挂载 EBS 卷、使用置放群组或进行竞价。 我们似乎已经弄清楚了运行星际集群原版改进的 IAM 用户所需的全套权限,包括竞价和负载均衡器添加节点和删除节点:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ExtraActionsNeededByStarCluster",
"Effect": "Allow",
"Action": [
"ec2:CreateKeyPair",
"ec2:CreateSecurityGroup",
"ec2:DeleteSecurityGroup",
"ec2:AuthorizeSecurityGroupEgress",
"ec2:CreateTags",
"ec2:DeleteTags",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:TerminateInstances",
"ec2:CreatePlacementGroup",
"ec2:DeletePlacementGroup",
"ec2:RequestSpotInstances",
"ec2:CancelSpotInstanceRequests"
],
"Resource": "*"
},
{
"Sid": "AllowDescribeForAllResources",
"Effect": "Allow",
"Action": "ec2:Describe*",
"Resource": "*"
},
{
"Sid": "AllowInstancesToBeCreated",
"Effect": "Allow",
"Action": "ec2:RunInstances",
"Resource": "*"
},
{
"Sid": "AllowUserToStopStartDeleteInstances",
"Effect": "Allow",
"Action": [
"ec2:TerminateInstances",
"ec2:StopInstances",
"ec2:StartInstances"
],
"Resource": "arn:aws:ec2:*:account:instance/*"
}
]
}