- Build an IAM Policy with Cloudformation

Now you will create your custom IAM policy. To facilitate its creation, a CloudFormation template has been prepared for download and you will examine the different permissions that will be granted to your HPC cluster.

  1. Download the CloudFormation template containing the custom IAM policy from the S3 bucket aws-hpc-workshops using the command aws s3 as follows:

    aws s3 cp s3://aws-hpc-workshops/serverless-template.yaml .

    For reference, the serverless-template.yaml file content is provided below. It contains the CloudFormation template that will create the IAM policy which allows cluster instances to connect to the SSM endpoints and access to the S3 bucket created in the previous steps.

    See the content of serverless-template.yaml (click to expand)
  2. Deploy the CloudFormation template and create the IAM policy

    The command below creates a CloudFormation stack as based on the template serverless-template.yaml. The policy name is specified in the template file. The --stack-name argument takes a unique name that will be associated with the stack on your account. The --parameters option specify the input parameters for the stack (here we pass S3Bucket as the key and name of the S3 Bucket as the Value). Furthermore, since you are creating IAM resources you must explicitly acknowledge that your stack template contains --capabilities. You could use the AWS Console to create this stack too.

    aws cloudformation create-stack --stack-name pc-serverless-policy --parameters ParameterKey=S3Bucket,ParameterValue=serverless-${BUCKET_POSTFIX} --template-body file://serverless-template.yaml --capabilities CAPABILITY_NAMED_IAM --region us-east-1

    The IAM policy enables access to the S3 bucket created to store the job data and SSM commands. This is provided as ParameterValue. Make sure to provide the correct S3 bucket name.

  3. Once the AWS CloudFormation stack creation completes, you can confirm the IAM Policy is created by running the command below in your Cloud9 Terminal to query the policy pclusterSSM you just created

    aws iam list-policies --query 'Policies[?PolicyName==`pclusterSSM`]'

The expected command line output should look like: Lambda Basic Settings

In the next section, you will change your AWS ParallelCluster configuration file to add the pclusterSSM IAM policy and will apply the modified configuration to your cluster.