in cli/src/pcluster/templates/awsbatch_builder.py [0:0]
def _add_job_role(self):
    """Define the ``PclusterJobRole`` IAM role on the stack scope and return it.

    The role carries one AWS-managed policy (AmazonECSTaskExecutionRolePolicy)
    and two inline policies:

    * ``s3Read`` -- ``s3:GetObject`` / ``s3:ListBucket`` on the cluster bucket
      and on the ``<artifact_directory>/batch/*`` objects inside it.
    * ``cfnDescribeStacks`` -- ``cloudformation:DescribeStacks`` on this stack.

    The trust policy comes from ``get_assume_role_policy_document`` called with
    ``ecs-tasks.amazonaws.com``; presumably it lets that service principal
    assume the role -- confirm against the helper.

    Returns:
        The ``iam.CfnRole`` construct that was created.
    """
    scope = self.stack_scope
    role_path = self._cluster_scoped_iam_path()

    # account="aws" with an empty region is the ARN form used for AWS-managed policies.
    ecs_task_execution_policy_arn = self._format_arn(
        service="iam",
        account="aws",
        region="",
        resource="policy/service-role/AmazonECSTaskExecutionRolePolicy",
    )
    trust_policy = get_assume_role_policy_document("ecs-tasks.amazonaws.com")

    # S3 ARNs carry neither region nor account, hence the empty strings.
    bucket_arn = self._format_arn(service="s3", resource=f"{self.bucket.name}", region="", account="")
    batch_objects_arn = self._format_arn(
        service="s3",
        resource=f"{self.bucket.name}/{self.bucket.artifact_directory}/batch/*",
        region="",
        account="",
    )
    # NOTE(review): both actions are attached to both resources. s3:ListBucket is a
    # bucket-level action, so it takes effect on the bare bucket ARN with no s3:prefix
    # condition; the job role can therefore enumerate every key in the bucket, not only
    # those under the batch directory. s3:GetObject is object-level and only takes effect
    # on the .../batch/* ARN. If least privilege is the goal, consider two statements:
    # ListBucket on the bucket with an s3:prefix condition, GetObject on the object ARN.
    s3_read_statement = iam.PolicyStatement(
        actions=["s3:GetObject", "s3:ListBucket"],
        effect=iam.Effect.ALLOW,
        resources=[bucket_arn, batch_objects_arn],
        sid="S3ReadPolicy",
    )
    s3_read_policy = iam.CfnRole.PolicyProperty(
        policy_name="s3Read",
        policy_document=iam.PolicyDocument(statements=[s3_read_statement]),
    )

    # Region and account are left to _format_arn's defaults (not visible in this block).
    own_stack_arn = self._format_arn(service="cloudformation", resource=f"stack/{self.stack_name}/*")
    describe_stacks_statement = iam.PolicyStatement(
        actions=["cloudformation:DescribeStacks"],
        effect=iam.Effect.ALLOW,
        resources=[own_stack_arn],
        sid="CfnDescribeStacksPolicy",
    )
    describe_stacks_policy = iam.CfnRole.PolicyProperty(
        policy_name="cfnDescribeStacks",
        policy_document=iam.PolicyDocument(statements=[describe_stacks_statement]),
    )

    return iam.CfnRole(
        scope,
        "PclusterJobRole",
        path=role_path,
        managed_policy_arns=[ecs_task_execution_policy_arn],
        assume_role_policy_document=trust_policy,
        policies=[s3_read_policy, describe_stacks_policy],
    )