Advanced Clusters > Setting up AWS > Step 7. Create IAM roles
  

Step 7. Create IAM roles

Create the cluster operator, Secure Agent, master, and worker roles, and create the appropriate policies for each role to perform cluster operations in the AWS environment.
To create the IAM roles, complete the following tasks:
  1. 1Create the cluster operator role.
  2. 2Create the cluster operator policy.
  3. 3Attach the cluster operator policy to the cluster operator role.
  4. 4Configure the maximum CLI/API session duration for the cluster operator role.
  5. 5Create or reuse the Secure Agent role.
  6. 6Add the AssumeRole permission to the Secure Agent role.
  7. 7Configure the trust relationship for the cluster operator role to include the Secure Agent role.
  8. 8Create user-defined master and worker roles.
  9. 9Optionally, encrypt staging data and log files at rest.
  10. 10Optionally, create role-based security policies for Amazon data sources.
  11. 11Create or reuse a cluster storage access policy for the Secure Agent role.
Note: To minimize the Secure Agent's permissions in your environment, avoid attaching the cluster operator role to the Secure Agent machine.

Create the cluster operator role

In AWS, create an IAM role for the cluster operator. Name the role cluster_operator_role.
The following image shows how the cluster operator role might appear in the AWS Management Console:
The AWS Management Console is signed in to the Identity and Access Management (IAM) service. Under Access management, the Roles tab is selected. The summary for the cluster operator role is open.
For instructions about creating an IAM role, refer to the AWS documentation. AWS provides several ways to create an IAM role, such as using the AWS Management Console or the AWS CLI.

Create the cluster operator policy

Create an IAM policy for the cluster operator role. Name the policy cluster_operator_policy. The cluster operator policy contains the permissions that the cluster operator role needs to create and manage cloud resources for an advanced cluster. The cluster operator role is sometimes known as the kubeadm role.
The following image shows how the cluster operator policy might appear in the AWS Management Console:
The AWS Management Console is signed in to the Identity and Access Management (IAM) service. Under Access management, the Policies tab is selected. The summary for the cluster operator policy is open. On the Permissions tab, nine of 315 services are allowed, including EC2, EC2 Auto Scaling, ELB, ELB v2, IAM, KMS, Price List, S3, and STS.
The JSON document below is a template for the cluster operator role policy. Permissions that are not mandatory are flagged as OPTIONAL.
Tip: Be sure to remove the 'OPTIONAL' text from any lines that you are keeping.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"s3:GetLifecycleConfiguration",
"s3:GetBucketTagging",
"s3:GetBucketWebsite",
"s3:GetBucketLogging",
"s3:ListBucket",
"s3:GetAccelerateConfiguration",
"s3:GetBucketVersioning",
"s3:GetReplicationConfiguration",
"s3:PutObject",
"s3:GetObjectAcl",
"s3:GetObject",
"s3:GetEncryptionConfiguration",
"s3:PutBucketTagging",
"s3:GetBucketRequestPayment",
"s3:GetBucketCORS",
"s3:GetObjectTagging",
"s3:PutObjectTagging",
"s3:GetBucketLocation",
"s3:GetObjectVersion",
"s3:DeleteObjectTagging",
"s3:DeleteObjectVersion",
"s3:DeleteObject"
],
"Resource": [
"arn:aws:s3:::discale-qa-east/*",
"arn:aws:s3:::discale-qa-west/*",
"arn:aws:s3:::discaleqa/*",
"arn:aws:s3:::disnext-dev/*",
"arn:aws:s3:::discale-qa-east",
"arn:aws:s3:::discale-qa-west",
"arn:aws:s3:::discaleqa",
"arn:aws:s3:::disnext-dev"
]
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"ec2:DescribeInternetGateways",
"ec2:AttachInternetGateway", OPTIONAL
"ec2:CreateInternetGateway", OPTIONAL
"ec2:DetachInternetGateway", OPTIONAL
"ec2:DeleteInternetGateway", OPTIONAL
"ec2:CreateKeyPair",
"ec2:ImportKeyPair",
"ec2:DescribeKeyPairs",
"ec2:DeleteKeyPair",
"ec2:CreateRoute", OPTIONAL
"ec2:DeleteRoute", OPTIONAL
"ec2:DescribeRouteTables",
"ec2:CreateRouteTable", OPTIONAL
"ec2:ReplaceRouteTableAssociation", OPTIONAL
"ec2:AssociateRouteTable", OPTIONAL
"ec2:DisassociateRouteTable", OPTIONAL
"ec2:DeleteRouteTable", OPTIONAL
"ec2:DescribeNetworkInterfaces",
"ec2:DescribeVpcs",
"ec2:CreateVpc", OPTIONAL
"ec2:DeleteVpc", OPTIONAL
"ec2:ModifyVpcAttribute", OPTIONAL
"ec2:DescribeSubnets",
"ec2:CreateSubnet", OPTIONAL
"ec2:DeleteSubnet", OPTIONAL
"ec2:DescribeSecurityGroups",
"ec2:CreateSecurityGroup", OPTIONAL
"ec2:AuthorizeSecurityGroupIngress", OPTIONAL
"ec2:RevokeSecurityGroupIngress", OPTIONAL
"ec2:AuthorizeSecurityGroupEgress", OPTIONAL
"ec2:RevokeSecurityGroupEgress", OPTIONAL
"ec2:DeleteSecurityGroup", OPTIONAL
"ec2:CreateTags",
"ec2:DescribeTags",
"ec2:DeleteTags",
"ec2:CreateVolume",
"ec2:DescribeVolumes",
"ec2:DeleteVolume",
"ec2:DescribeImages",
"ec2:DescribeInstanceAttribute",
"ec2:ModifyInstanceAttribute",
"ec2:RunInstances",
"ec2:DescribeInstances",
"ec2:StartInstances",
"ec2:StopInstances",
"ec2:DescribeInstanceTypes",
"ec2:TerminateInstances",
"ec2:DescribeRegions",
"ec2:DescribeAvailabilityZones",
"ec2:CreateLaunchTemplate",
"ec2:DescribeLaunchTemplateVersions",
"ec2:DescribeLaunchTemplates",
"ec2:DeleteLaunchTemplate",
"ec2:CreateLaunchTemplateVersion",
"ec2:DeleteLaunchTemplateVersions",
"autoscaling:AttachLoadBalancers",
"autoscaling:DescribeTags",
"autoscaling:CreateAutoScalingGroup",
"autoscaling:DescribeAutoScalingGroups",
"autoscaling:DescribeScalingActivities",
"autoscaling:UpdateAutoScalingGroup",
"autoscaling:DeleteAutoScalingGroup",
"autoscaling:TerminateInstanceInAutoScalingGroup",
"elasticloadbalancing:AddTags",
"elasticloadbalancing:DescribeTags",
"elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
"elasticloadbalancing:AttachLoadBalancerToSubnets",
"elasticloadbalancing:ConfigureHealthCheck",
"elasticloadbalancing:CreateLoadBalancer",
"elasticloadbalancing:DescribeLoadBalancers",
"elasticloadbalancing:DeleteLoadBalancer",
"elasticloadbalancing:CreateLoadBalancerListeners",
"elasticloadbalancing:DescribeInstanceHealth",
"elasticloadbalancing:DescribeLoadBalancerAttributes",
"elasticloadbalancing:ModifyLoadBalancerAttributes",
"elasticloadbalancing:RegisterInstancesWithLoadBalancer",
"pricing:GetProducts", OPTIONAL
"iam:GetInstanceProfile",
"iam:GetContextKeysForPrincipalPolicy",
"iam:ListInstanceProfiles",
"iam:SimulatePrincipalPolicy",
"iam:CreateInstanceProfile", OPTIONAL
"iam:DeleteInstanceProfile", OPTIONAL
"iam:CreateRole", OPTIONAL
"iam:GetRole",
"iam:ListRoles",
"iam:PassRole",
"iam:ListRolePolicies",
"iam:CreateServiceLinkedRole",
"iam:DeleteRole", OPTIONAL
"iam:GetRolePolicy",
"iam:AddRoleToInstanceProfile", OPTIONAL
"iam:ListAttachedRolePolicies",
"iam:ListInstanceProfilesForRole",
"iam:RemoveRoleFromInstanceProfile",
"iam:PutRolePolicy", OPTIONAL
"iam:AttachRolePolicy", OPTIONAL
"iam:DetachRolePolicy", OPTIONAL
"iam:DeleteRolePolicy", OPTIONAL
"iam:GetUser",
"kms:DescribeKey", OPTIONAL
"kms:Get*",
"sts:AssumeRole", OPTIONAL
"sts:DecodeAuthorizationMessage" OPTIONAL
],
"Resource": "*"
}
]
}
Add permissions to the template based on your organizational requirements. For information about each permission, see IAM policy reference.
The cluster operator role also requires the following permissions for public Informatica-managed Kubernetes clusters:
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"ec2:GetLaunchTemplateData",
"ec2:ModifyLaunchTemplate",
"ec2:DescribeLaunchTemplates",
"ec2:DescribeLaunchTemplateVersions"
],
"Resource": "arn:aws:ec2:*:543463116864:launch-template/*.k8s.local"
}
The actions on Amazon S3 must be specified for all staging, log, and initialization script locations that you provide in advanced configurations.
For example, if you use staging location dev/Staging/, log location dev/Logging/, and initialization script location dev/InitScript/, the policy must list the following resources for actions on Amazon S3:
"Resource": [
"arn:aws:s3:::dev",
"arn:aws:s3:::dev/Staging/",
"arn:aws:s3:::dev/Staging/*",
"arn:aws:s3:::dev/Logging/",
"arn:aws:s3:::dev/Logging/*",
"arn:aws:s3:::dev/InitScript/",
"arn:aws:s3:::dev/InitScript/*"
]
If you use a different set of staging, log, and initialization script locations in another advanced configuration, you must add those locations as resources to the same policy.
To accommodate S3 locations that change frequently, you can use wildcards. For more information, refer to the AWS documentation.

Attach the cluster operator policy

In AWS, attach the IAM policy cluster_operator_policy to the IAM role cluster_operator_role.
The following image shows how the AWS Management Console might appear when you attach the cluster operator policy to the cluster operator role:
The Add permissions wizard is open for cluster_operator_role. The customer-managed policy cluster_operator_policy is selected and ready to be attached to the role.

Configure the maximum CLI/API session duration for the cluster operator role

In the IAM role cluster_operator_role, set the maximum CLI/API session duration to at least 30 minutes.
When you increase the duration, the Secure Agent has longer access to cloud resources within a single session, and you can run longer jobs on an advanced cluster.
For more information, refer to the AWS documentation.

Create or reuse the Secure Agent role

The Secure Agent requires an IAM role to access certain cloud resources while a job is running. This IAM role is attached to the Amazon EC2 instance where the Secure Agent is installed.
You can either create or reuse the Secure Agent role. Name this IAM role agent_role.

Create the Secure Agent role

To create the Secure Agent role, complete the following tasks in AWS:
  1. 1Create an IAM role named agent_role.
  2. 2Attach the IAM role agent_role to the Amazon EC2 instance where the Secure Agent is installed.

Reuse the Secure Agent role

If you already created an IAM role that is attached to the Amazon EC2 instance where the Secure Agent is installed, you can designate the IAM role to be the Secure Agent role.

Add the AssumeRole permission to the Secure Agent role

The Secure Agent needs to assume the cluster operator role to gain elevated permissions to manage an advanced cluster. For the Secure Agent to assume the cluster operator role, the Secure Agent role needs to have the AssumeRole permission.
To configure the AssumeRole permission, complete the following tasks in AWS:
  1. 1Create the following IAM policy called assume_role_agent_policy:
    2. {
    "Version": "2012-10-17",
    "Statement": {
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Resource": "arn:aws:iam::{{account-id}}:role/cluster_operator_role"
    }
    }
    Note: The value in the Resource element is the ARN of the cluster operator role.
  2. 2Attach the IAM policy assume_role_agent_policy to the IAM role agent_role.

Configure the trust relationship for the cluster operator role to include the Secure Agent role

Because the Secure Agent needs to assume the cluster operator role, the cluster operator role needs to trust the Secure Agent.
Edit the trust relationship of the IAM role cluster_operator_role and specify the following policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Action": "sts:AssumeRole"
},
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::{{account-id}}:role/agent_role"
},
"Action": "sts:AssumeRole",
}
]
}
Note: The value in the Principal element is the ARN of the Secure Agent role.
Optionally, you can configure an external ID to limit the entities that can assume the cluster operator role. Every time that the Secure Agent attempts to assume the cluster operator role, it must specify the external ID.
For example, you can configure the external ID "123" using the following policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Action": "sts:AssumeRole"
},
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::{{account-id}}:role/agent_role"
},
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"sts:ExternalId": "123"
}
}
}
]
}

Create user-defined master and worker roles

Create user-defined master and worker roles to fine-tune permissions for the master and worker nodes in an advanced cluster. The nodes use the permissions to run the Spark applications in an advanced job. After you complete these tasks, you can specify the master and worker instance profiles in an advanced configuration.
If you're looking for a quick setup, you can use default master and worker roles. For more information, see Use default master and worker roles (alternative) and Master and worker role types reference.
To create user-defined roles, complete the following tasks:
  1. 1Create the master and worker roles.
  2. 2Create master policies.
  3. 3Create worker policies.
  4. 4Attach the policies to the master and worker roles.
  5. 5Allow the cluster operator role to assume the worker role.
  6. 6Allow the cluster operator role to assume the master role.
The master and worker roles, the instance profiles, and the cluster operator role must be defined under the same AWS account.
When the Secure Agent starts the advanced cluster, the agent uses the cluster operator role to validate whether the instance profiles exist and whether the master and worker roles have access to required cluster directories, such as staging, log, and initialization script locations. If validation fails, the cluster fails to be created.

Create the master and worker roles

In AWS, create IAM roles for the master and worker nodes. Name the roles master_role and worker_role, respectively.
When you create the master and worker roles, AWS automatically generates an instance profile for each role.
If the policy content provides access to staging, log, and initialization script locations for multiple advanced clusters, you can reuse the same instance profiles across different advanced configurations.

Create master policies

Create IAM policies for the master role. You can define each policy as an inline policy or a managed policy.
The following table describes each IAM policy:
Policy
Description
minimal_master_policy
Required. Provides the minimal access permissions for the master role.
staging_log_access_master_policy
Required. Provides access to the staging and log locations.
init_script_master_policy
Required only if you use an initialization script. Provides access to the initialization script path and the location that stores init script and cloud-init logs.
For information about each permission and why it's required, see IAM policy reference. For information about editing the policies, see Master and worker policy restriction reference.
Note: You can also generate the policy content by running the generate-policies-for-userdefined-roles.sh command. For more information about the command, see generate-policies-for-userdefined-roles.sh. The command creates the output file my-userdefined-master-worker-role-policies.json.

minimal_master_policy

The IAM policy minimal_master_policy lists the minimal requirements for the user-defined master role.
You can use the following JSON document as a template for the minimal_master_policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:DescribeInstances",
"ec2:DescribeRegions",
"ec2:DescribeRouteTables",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSubnets",
"ec2:DescribeVolumes"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"ec2:DescribeVpcs",
"ec2:CreateTags",
"ec2:CreateVolume",
"ec2:DescribeVolumesModifications",
"ec2:ModifyInstanceAttribute",
"ec2:ModifyVolume"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"ec2:AttachVolume", // If enabling CLAIRE, move AttachVolume to the same section as CreateVolume.
"ec2:DeleteVolume",
"ec2:DetachVolume"
],
"Resource": [
"*"
],
"Condition": {
"StringLike": {
"ec2:ResourceTag/KubernetesCluster": "*.k8s.local"
}
}
},
{
"Effect": "Allow",
"Action": [
"autoscaling:DescribeAutoScalingGroups",
"autoscaling:DescribeLaunchConfigurations",
"autoscaling:DescribeAutoScalingInstances",
"autoscaling:DescribeTags",
"autoscaling:DescribeScalingActivities"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"autoscaling:SetDesiredCapacity",
"autoscaling:TerminateInstanceInAutoScalingGroup",
"autoscaling:UpdateAutoScalingGroup"
],
"Resource": [
"*"
],
"Condition": {
"StringLike": {
"autoscaling:ResourceTag/KubernetesCluster": "*.k8s.local"
}
}
},
{
"Effect": "Allow",
"Action": [
"elasticloadbalancing:AddTags",
"elasticloadbalancing:AttachLoadBalancerToSubnets",
"elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
"elasticloadbalancing:ConfigureHealthCheck",
"elasticloadbalancing:DeleteLoadBalancer",
"elasticloadbalancing:DeleteLoadBalancerListeners",
"elasticloadbalancing:DescribeLoadBalancers",
"elasticloadbalancing:DescribeLoadBalancerAttributes",
"elasticloadbalancing:DetachLoadBalancerFromSubnets",
"elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
"elasticloadbalancing:ModifyLoadBalancerAttributes",
"elasticloadbalancing:RegisterInstancesWithLoadBalancer",
"elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer"
],
"Resource": [
"*"
],
"Condition": {
"StringLike": {
"elasticloadbalancing:ResourceTag/KubernetesCluster": "*.k8s.local"
}
}
},
{
"Effect": "Allow",
"Action": [
"elasticloadbalancing:AddTags",
"elasticloadbalancing:DeleteListener",
"elasticloadbalancing:DeleteTargetGroup",
"elasticloadbalancing:DeregisterTargets",
"elasticloadbalancing:DescribeListeners",
"elasticloadbalancing:DescribeLoadBalancerPolicies",
"elasticloadbalancing:DescribeTargetGroups",
"elasticloadbalancing:DescribeTargetHealth",
"elasticloadbalancing:ModifyListener",
"elasticloadbalancing:ModifyTargetGroup",
"elasticloadbalancing:RegisterTargets",
"elasticloadbalancing:SetLoadBalancerPoliciesOfListener"
],
"Resource": [
"*"
],
"Condition": {
"StringLike": {
"elasticloadbalancing:ResourceTag/KubernetesCluster": "*.k8s.local"
}
}
},
{
"Effect": "Allow",
"Action": [
"iam:ListServerCertificates",
"iam:GetServerCertificate"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"s3:Get*"
],
"Resource": [
"arn:aws:s3:::<cluster-staging-dir1>/*"
]
},
{
"Effect": "Allow",
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey"
],
"Resource": [
"*"
]
}
]
}

staging_log_access_master_policy

The IAM policy staging_log_access_master_policy provides access to the staging and log locations.
You can use the following JSON document as a template for the staging_log_access_master_policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetBucketLocation",
"s3:GetEncryptionConfiguration",
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::<cluster-staging-bucket-name1>",
"arn:aws:s3:::<cluster-logging-bucket-name1>"
]
},
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObjectAcl",
"s3:GetObject",
"s3:DeleteObject",
"s3:PutObjectAcl"
],
"Resource": [
"arn:aws:s3:::<cluster-staging-dir1>/*",
"arn:aws:s3:::<cluster-logging-dir1>/*"
]
}
]
}

init_script_master_policy

The IAM policy init_script_master_policy is required by the Cluster Computing System to allow the master node to access the initialization script and init script logging directories for the cluster.
You can use the following JSON document as a template for the init_script_master_policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetBucketLocation",
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::<cluster-init-script-bucket-name1>"
]
},
{
"Effect": "Allow",
"Action": [
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::<cluster-init-script-dir1>/*"

]
}
]
}

Create worker policies

Create IAM policies for the worker role. You can define each policy as an inline policy or a managed policy.
The following table describes each IAM policy:
Policy
Description
minimal_worker_policy
Required. Provides the minimal access permissions for the worker role.
ebs_autoscaling_worker_policy
Required only if EBS volumes auto-scale.
staging_log_access_worker_policy
Required. Provides access to the staging and log locations.
init_script_worker_policy
Required only if you use an initialization script. Provides access to the initialization script path and the location that stores init script and cloud-init logs.
For information about each permission and why it's required, see IAM policy reference. For information about editing the policies, see Master and worker policy restriction reference.
Note: You can also generate the policy content by running the generate-policies-for-userdefined-roles.sh command. For more information about the command, see generate-policies-for-userdefined-roles.sh. The command creates the output file my-userdefined-master-worker-role-policies.json.

minimal_worker_policy

The IAM policy minimal_worker_policy lists the minimal requirements for the user-defined worker role.
You can use the following JSON document as a template for the minimal_worker_policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:DescribeInstances",
"ec2:DescribeRegions"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"ec2:CreateTags"
],
"Resource": [
"arn:aws:ec2:*:*:volume/*"
]
},
{
"Effect": "Allow",
"Action": [
"autoscaling:DescribeAutoScalingInstances",
"autoscaling:DescribeTags"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"s3:Get*"
],
"Resource": [
"arn:aws:s3:::<cluster-staging-dir1>/*"
]
},
{
"Effect": "Allow",
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey"
],
"Resource": [
"*"
]
}
]
}

ebs_autoscaling_worker_policy

The IAM policy ebs_autoscaling_worker_policy is required by the worker nodes to auto-scale EBS volumes.
You can use the following JSON document as a template for the ebs_autoscaling_worker_policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"ec2:DescribeVolumes",
"ec2:CreateVolume",
"ec2:ModifyInstanceAttribute"
],
"Effect": "Allow",
"Resource": [
"*"
]
},
{
"Action": [
"ec2:CreateTags"
],
"Effect": "Allow",
"Resource": [
"arn:aws:ec2:*:*:volume/*"
]
},
{
"Action": [
"ec2:AttachVolume",
"ec2:DetachVolume"
],
"Condition": {
"StringLike": {
"ec2:ResourceTag/KubernetesCluster": "*.k8s.local"
}
},
"Effect": "Allow",
"Resource": [
"arn:aws:ec2:*:*:instance/*"
]
},
{
"Action": [
"ec2:AttachVolume",
"ec2:DetachVolume",
"ec2:DeleteVolume"
],
"Condition": {
"StringLike": {
"ec2:ResourceTag/CREATED_BY": "infa-storage-scalerd-*"
}
},
"Effect": "Allow",
"Resource": [
"arn:aws:ec2:*:*:volume/*"
]
}
]
}

staging_log_access_worker_policy

The IAM policy staging_log_access_worker_policy is required by the Cluster Computing System to permit worker nodes to access staging and logging directories.
You can use the following JSON document as a template for the staging_log_access_worker_policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetBucketLocation",
"s3:GetEncryptionConfiguration",
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::<cluster-staging-bucket-name1>",
"arn:aws:s3:::<cluster-logging-bucket-name1>"
]
},
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObjectAcl",
"s3:GetObject",
"s3:DeleteObject",
"s3:PutObjectAcl"
],
"Resource": [
"arn:aws:s3:::<cluster-staging-dir1>/*",
"arn:aws:s3:::<cluster-logging-dir1>/*"
]
},
{
"Effect": "Allow",
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey"
],
"Resource": [
"*"
]
}
]
}

init_script_worker_policy

The IAM policy staging_log_access_worker_policy is required by the Cluster Computing System to allow worker nodes to access the initialization script and init script logging directories.
You can use the following JSON document as a template for the init_script_worker_policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetBucketLocation",
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::<cluster-init-script-bucket-name1>"
]
},
{
"Effect": "Allow",
"Action": [
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::<cluster-init-script-dir1>/*"

]
}
]
}

Attach the policies to the master and worker roles

Attach each IAM policy to the appropriate IAM role: either master_role or worker_role.
The following table lists the policies to attach to each role:
Role
Policies
master_role
  • - minimal_master_policy
  • - staging_log_access_master_policy
  • - init_script_master_policy
worker_role
  • - minimal_worker_policy
  • - ebs_autoscaling_worker_policy
  • - staging_log_access_worker_policy
  • - init_script_worker_policy

Allow the cluster operator role to assume the worker role

The cluster operator role must be able to assume the worker role to validate an advanced configuration.
Edit the trust relationship of the IAM role worker_role and specify the following policy:
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Principal":{
"AWS":[
"arn:aws:iam::<AWS account>:role/<cluster_operator_role>"
],
"Service":"ec2.amazonaws.com"
},
"Action":"sts:AssumeRole"
}
]
}

Allow the cluster operator role to assume the master role

The cluster operator role must be able to assume the master role to validate an advanced configuration.
Edit the trust relationship of the IAM role master_role and specify the following policy:
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Principal":{
"AWS":[
"arn:aws:iam::<AWS account>:role/<cluster_operator_role>"
],
"Service":"ec2.amazonaws.com"
},
"Action":"sts:AssumeRole"
}
]
}

Use default master and worker roles (alternative)

For a quick setup, you can use default master and worker roles. In this case, the Secure Agent automatically creates the roles when the agent starts an advanced cluster.
The agent attaches policies to the roles based on the permissions that are required by Kubernetes services. If you use role-based security and jobs have direct access to Amazon data sources, the agent also identifies the policies that are attached to the Secure Agent role and passes the policies to the worker role.
To use default roles, add the following policy to the IAM role cluster_operator_role:
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Action":[
"iam:AddRoleToInstanceProfile",
"iam:CreateInstanceProfile",
"iam:CreateRole",
"iam:DeleteInstanceProfile",
"iam:DeleteRole",
"iam:DeleteRolePolicy",
"iam:GetInstanceProfile",
"iam:GetRole",
"iam:GetRolePolicy",
"iam:GetUser",
"iam:ListAttachedRolePolicies",
"iam:ListInstanceProfiles",
"iam:ListInstanceProfilesForRole",
"iam:ListRolePolicies",
"iam:ListRoles",
"iam:PassRole",
"iam:PutRolePolicy",
"iam:RemoveRoleFromInstanceProfile",
"iam:AttachRolePolicy",
"iam:DetachRolePolicy",
"iam:CreateServiceLinkedRole"
],
"Resource":[
"*"
]
}
]
}

Encrypt staging data and log files at rest (optional)

Optionally, set up Amazon S3 default encryption for S3 buckets to automatically encrypt staging data and log files that are stored on Amazon S3.
You can set up Amazon S3 default encryption for S3 buckets using one of the following encryption options:
Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3)
Use SSE-S3 to encrypt individual staging and log files or to encrypt the S3 buckets that contain the staging and log locations.
Server-Side Encryption with AWS KMS-Managed Keys (SSE-KMS)
Use SSE-KMS to encrypt individual staging and log files. If you create user-defined master and worker roles, you can also encrypt the S3 buckets that contain the staging and log locations.
For more information about the encryption options, refer to the AWS documentation.
If you use SSE-KMS and create user-defined master and worker roles, you can restrict the customer master key (CMK) IDs that the master and worker roles can access to encrypt and decrypt data.
Specify the key IDs in the policies that are attached to the master and worker roles. In each policy, edit the Resource element in the following statement that determines actions on AWS Key Management Service (KMS):
{
"Effect": "Allow",
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey"
],
"Resource": [
"*"
]
}
Note: If you use SSE-KMS, you must use the default AWS-managed CMK on your Amazon account. You cannot create a custom CMK.

Create role-based security policies for Amazon data sources (optional)

Role-based security uses IAM roles to access data sources. If a connector directly accesses AWS, such as Amazon S3 V2 Connector or Amazon Redshift V2 Connector, create policies to allow the Secure Agent and worker roles to have access to data sources and fine-tune their permissions in your AWS environment.
You can skip this step if you use connectors that don't have direct access to AWS. For example, JDBC V2 Connector uses a driver to query data on Amazon Aurora and does not directly access the underlying data.
If you're looking for a quick setup, you can use credential-based security. For more information, see Use credential-based security (alternative).
Complete the following tasks:
  1. 1Create policies for the Secure Agent and worker roles.
  2. 2Optionally, configure cross-account access.
By default, the agent and worker roles access data sources, but you can specify an IAM role at the connection level to access the data sources instead of using the agent and worker roles.
If you use default master and worker roles, consider the following guidelines:

Step 10.1. Create policies for the Secure Agent and worker roles

Create policies to allow the Secure Agent and worker roles to access Amazon data sources in an advanced job. Create and distribute the policies based on the worker role type.

User-defined worker role

If you create a user-defined worker role, you can provide access to the data sources in one of the following ways:
Create a new managed policy
To create a new managed policy, complete the following tasks:
  1. 1Create the policy that the connector requires. Name the policy data_source_access_policy. For information about connector requirements, see the help for the appropriate connector.
  2. 2Attach the policy data_source_access_policy to both the Secure Agent role and worker role.
Reuse the IAM policy staging_log_access_worker_policy
To reuse the IAM policy staging_log_access_worker_policy that is attached to the worker role, complete the following tasks:
  1. 1Specify the data sources in the Resource elements.
    2. For example, the Resource element in the following statement specifies the staging and log locations:
    {
    "Effect": "Allow",
    "Action": [
    "s3:PutObject",
    "s3:GetObjectAcl",
    "s3:GetObject",
    "s3:DeleteObject",
    "s3:PutObjectAcl"
    ],
    "Resource": [
    "arn:aws:s3:::<cluster-staging-dir1>/*",
    "arn:aws:s3:::<cluster-logging-dir1>/*"
    ]
    }
    Below "arn:aws:s3:::<cluster-logging-dir1>/*", add the data sources.
  2. 2Add the Secure Agent role to the trust relationship of the worker role.
  3. 3Add the worker role to the trust relationship of the Secure Agent role.

Default worker role

If you use the default worker role, complete the following tasks:
  1. 1Create the policy that the connector requires. Name the policy data_source_access_policy. For information about connector requirements, see the help for the appropriate connector.
  2. 2Attach the policy data_source_access_policy to the Secure Agent role. The Secure Agent will automatically pass the policy to the worker role.

Step 10.2. Configure cross-account access (optional)

If you require cross-account access to S3 buckets in multiple Amazon accounts and you use user-defined master and worker roles, set up cross-account IAM roles in AWS.
When you set up cross-account IAM roles in AWS, complete the following tasks:
Note: You cannot combine cross-account access with default master and worker roles and role-based security. If your organization requires cross-account access, consider one of the following options:
For information about how to set up cross-account IAM roles, refer to the AWS documentation.

Use credential-based security (alternative)

For a quick setup, you can reuse the AWS credentials that you configure in a data source's connection properties instead of configuring IAM roles. Cluster nodes use the connection-level credentials to access the staging and log locations only when the same S3 bucket stores the data sources, staging files, and log files.
For example, if a job uses a JDBC V2 source and an Amazon S3 V2 target, cluster nodes use the Amazon S3 V2 credentials to access the staging location for the job.
Note: The AWS credentials in the connection must be able to access the Amazon S3 staging location that the job uses, and credentials override IAM roles. If you configure AWS credentials for a connector and the same credentials cannot access both the data sources and the staging location in an advanced job, the job fails.
If you require cross-account access to S3 buckets in multiple Amazon accounts, provide credentials for each Amazon account at the connection level.

Create or reuse a log access policy for the Secure Agent role

The Secure Agent needs permissions to access the log location to upload the agent job log at the end of an advanced job.
You can either create or reuse an IAM policy for log access.

Create a log access policy

To create an IAM policy for log access, complete the following tasks in AWS:
  1. 1Create the following IAM policy named log_access_agent_policy:
    2. {
    "Version": "2012-10-17",
    "Statement": [
    {
    "Effect": "Allow",
    "Action": [
    "s3:GetBucketLocation",
    "s3:GetEncryptionConfiguration",
    "s3:ListBucket"
    ],
    "Resource": [
    "arn:aws:s3:::<cluster-logging-bucket-name1>"
    ]
    },
    {
    "Effect": "Allow",
    "Action": [
    "s3:PutObject",
    "s3:GetObjectAcl",
    "s3:GetObject",
    "s3:DeleteObject",
    "s3:PutObjectAcl"
    ],
    "Resource": [
    "arn:aws:s3:::<cluster-logging-dir1>/*"
    ]
    }
    ]
    }
    Specify the log location in the Resource elements.
  2. 2Attach the IAM policy log_access_agent_policy to the IAM role agent_role.

Reuse a log access policy

If you create user-defined master and worker roles, you can reuse the policy content that is generated for the CCS and required for the worker role.
The policy content includes access to the log location that the Secure Agent needs. For more information about user-defined master and worker roles, see Create user-defined master and worker roles.
To reuse the policy, complete the following tasks:
  1. 1Edit the trust relationship of the worker role and specify the following policy to trust the IAM role agent_role:
    2. {
    "Version":"2012-10-17",
    "Statement":[
    {
    "Effect":"Allow",
    "Principal":{
    "AWS":[
    "arn:aws:iam::{{account-id}}:role/<agent_role>"
    ],
    "Service":"ec2.amazonaws.com"
    },
    "Action":"sts:AssumeRole"
    }
    ]
    }
  2. 2Edit the trust relationship of the IAM role agent_role and specify the following policy to trust the worker role:
    3. {
    "Version":"2012-10-17",
    "Statement":[
    {
    "Effect":"Allow",
    "Principal":{
    "AWS":[
    "arn:aws:iam::{{account-id}}:role/<worker role>"
    ],
    "Service":"ec2.amazonaws.com"
    },
    "Action":"sts:AssumeRole"
    }
    ]
    }