in cli/src/pcluster/templates/cdk_builder_utils.py [0:0]
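def _build_policy(self) -> List[iam.PolicyStatement]:
    """Build the IAM policy statements for this node's instance role.

    Statements are assembled in four groups, in this order:

    * baseline statements every cluster gets: EC2 describe/tag/volume calls,
      ``s3:GetObject`` on the regional ``<region>-aws-parallelcluster`` bucket,
      ``s3:*`` on the cluster bucket and its artifact directory, CloudFormation
      describe/signal calls on this stack (and ``<stack>-*`` nested stacks),
      and ``s3:GetObject`` on the regional ``dcv-license.<region>`` bucket;
    * when the scheduler is not ``awsbatch``: ``ec2:TerminateInstances``
      limited by the cluster-name resource tag, ``ec2:RunInstances`` on the
      compute subnets / head-node key pair / configured AMIs plus wildcard
      instance-side resources, and ``iam:PassRole`` on the resources returned
      by ``_generate_head_node_pass_role_resources``;
    * when the scheduler is ``plugin``: ``s3:GetObject`` on every S3-hosted
      ``cluster_shared_artifacts`` entry of the scheduler definition;
    * when a directory service is configured:
      ``secretsmanager:GetSecretValue`` on its password secret ARN.

    Returns:
        The list of ``iam.PolicyStatement`` objects in the order above.
    """
    stack = Stack.of(self)
    bucket = self._cluster_bucket

    policy = [
        iam.PolicyStatement(
            sid="Ec2",
            actions=[
                "ec2:DescribeInstanceAttribute",
                "ec2:DescribeInstances",
                "ec2:DescribeInstanceStatus",
                "ec2:CreateTags",
                "ec2:DescribeVolumes",
                "ec2:AttachVolume",
            ],
            effect=iam.Effect.ALLOW,
            # NOTE(review): the Describe* calls need "*", but ec2:CreateTags and
            # ec2:AttachVolume are granted here without a resource or tag
            # condition — confirm that scoping them (as EC2Terminate below is)
            # is not feasible.
            resources=["*"],
        ),
        iam.PolicyStatement(
            sid="S3GetObj",
            actions=["s3:GetObject"],
            effect=iam.Effect.ALLOW,
            # S3 ARNs carry neither region nor account, hence the empty fields.
            resources=[
                self._format_arn(
                    service="s3",
                    resource=f"{stack.region}-aws-parallelcluster/*",
                    region="",
                    account="",
                )
            ],
        ),
        iam.PolicyStatement(
            sid="ResourcesS3Bucket",
            effect=iam.Effect.ALLOW,
            # NOTE(review): this is every S3 action on the bucket and on the
            # artifact directory prefix, much broader than the GetObject-only
            # grants elsewhere in this policy — confirm which write/delete
            # actions the node actually performs against the cluster bucket.
            actions=["s3:*"],
            resources=[
                self._format_arn(service="s3", resource=bucket.name, region="", account=""),
                self._format_arn(
                    service="s3",
                    resource=f"{bucket.name}/{bucket.artifact_directory}/*",
                    region="",
                    account="",
                ),
            ],
        ),
        iam.PolicyStatement(
            sid="CloudFormation",
            actions=[
                "cloudformation:DescribeStacks",
                "cloudformation:DescribeStackResource",
                "cloudformation:SignalResource",
            ],
            effect=iam.Effect.ALLOW,
            # Both this stack and any "<stack_name>-*" stack (presumably nested
            # stacks — verify) are in scope.
            resources=[
                self._format_arn(service="cloudformation", resource=f"stack/{stack.stack_name}/*"),
                self._format_arn(service="cloudformation", resource=f"stack/{stack.stack_name}-*/*"),
            ],
        ),
        iam.PolicyStatement(
            sid="DcvLicense",
            actions=["s3:GetObject"],
            effect=iam.Effect.ALLOW,
            resources=[
                self._format_arn(
                    service="s3",
                    resource=f"dcv-license.{stack.region}/*",
                    region="",
                    account="",
                )
            ],
        ),
    ]

    if self._config.scheduling.scheduler != "awsbatch":
        # Resources the node may launch into or attach at RunInstances time.
        # Order is kept stable: subnets, then fixed resource types, then AMIs.
        subnet_arns = [
            self._format_arn(service="ec2", resource=f"subnet/{subnet_id}")
            for subnet_id in self._config.compute_subnet_ids
        ]
        fixed_arns = [
            self._format_arn(service="ec2", resource="network-interface/*"),
            self._format_arn(service="ec2", resource="instance/*"),
            self._format_arn(service="ec2", resource="volume/*"),
            self._format_arn(service="ec2", resource=f"key-pair/{self._config.head_node.ssh.key_name}"),
            self._format_arn(service="ec2", resource="security-group/*"),
            self._format_arn(service="ec2", resource="launch-template/*"),
            self._format_arn(service="ec2", resource="placement-group/*"),
        ]
        # Image ARNs have no account component, so it is left empty.
        # image_dict maps a queue to its AMI; only the AMI is needed here.
        image_arns = [
            self._format_arn(service="ec2", resource=f"image/{queue_ami}", account="")
            for queue_ami in self._config.image_dict.values()
        ]
        policy.extend(
            [
                iam.PolicyStatement(
                    sid="EC2Terminate",
                    actions=["ec2:TerminateInstances"],
                    effect=iam.Effect.ALLOW,
                    resources=["*"],
                    # Only instances tagged with this cluster's name may be
                    # terminated; the tag value is the stack name.
                    conditions={
                        "StringEquals": {f"ec2:ResourceTag/{PCLUSTER_CLUSTER_NAME_TAG}": stack.stack_name}
                    },
                ),
                iam.PolicyStatement(
                    sid="EC2RunInstances",
                    actions=["ec2:RunInstances"],
                    effect=iam.Effect.ALLOW,
                    resources=subnet_arns + fixed_arns + image_arns,
                ),
                iam.PolicyStatement(
                    sid="PassRole",
                    actions=["iam:PassRole"],
                    effect=iam.Effect.ALLOW,
                    resources=self._generate_head_node_pass_role_resources(),
                ),
            ]
        )

    if self._config.scheduling.scheduler == "plugin":
        cluster_shared_artifacts = get_attr(
            self._config, "scheduling.settings.scheduler_definition.plugin_resources.cluster_shared_artifacts"
        )
        # get_attr may yield None when the path is absent, so guard before iterating.
        if cluster_shared_artifacts:
            for artifact in cluster_shared_artifacts:
                # Only s3:// sources need an IAM grant; other schemes are skipped.
                if get_url_scheme(artifact.source) != "s3":
                    continue
                bucket_info = parse_bucket_url(artifact.source)
                # NOTE(review): .get() hands a None bucket/key to _format_arn
                # if parse_bucket_url omits either field — confirm it always
                # returns both for an s3:// URL.
                bucket_name = bucket_info.get("bucket_name")
                object_key = bucket_info.get("object_key")
                policy.append(
                    iam.PolicyStatement(
                        actions=["s3:GetObject"],
                        effect=iam.Effect.ALLOW,
                        resources=[
                            self._format_arn(
                                region="",
                                service="s3",
                                account="",
                                resource=bucket_name,
                                resource_name=object_key,
                            )
                        ],
                    )
                )

    if self._config.directory_service:
        # The directory-service password is read from Secrets Manager at
        # runtime; grant read on exactly that secret ARN.
        policy.append(
            iam.PolicyStatement(
                actions=["secretsmanager:GetSecretValue"],
                effect=iam.Effect.ALLOW,
                resources=[self._config.directory_service.password_secret_arn],
            )
        )

    return policy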