Change log of AWS IAM permissions

2024-08-29

19 new actions, 3 new resources, 3 new conditions

Additions

Actions

AllowVendedLogDeliveryForResource
- Description: Grants permission to configure vended log delivery for Skybridge cluster logs
- Access: Write
- Resources:
  Name: cluster
  
  Required: Yes
CreateCluster
- Description: Grants permission to create clusters
- Access: Write
- Conditions:
  aws:ResourceTag/${TagKey}
  
  aws:RequestTag/${TagKey}
  
  aws:TagKeys
- Dependents:
  ec2:CreateNetworkInterface
  
  ec2:CreateNetworkInterfacePermission
  
  ec2:DescribeNetworkInterfaces
  
  ec2:DescribeSecurityGroups
  
  ec2:DescribeSubnets
  
  ec2:DescribeVpcs
  
  ec2:GetSecurityGroupsForVpc
  
  iam:CreateServiceLinkedRole
  
  secretsmanager:CreateSecret
  
  secretsmanager:TagResource
CreateComputeNodeGroup
- Description: Grants permission to create compute node groups
- Access: Write
- Resources:
  Name: cluster
  
  Required: Yes
- Conditions:
  aws:ResourceTag/${TagKey}
  
  aws:RequestTag/${TagKey}
  
  aws:TagKeys
- Dependents:
  ec2:CreateFleet
  
  ec2:CreateLaunchTemplate
  
  ec2:CreateLaunchTemplateVersion
  
  ec2:CreateTags
  
  ec2:DescribeImages
  
  ec2:DescribeInstanceStatus
  
  ec2:DescribeInstanceTypes
  
  ec2:DescribeInstances
  
  ec2:DescribeLaunchTemplateVersions
  
  ec2:DescribeLaunchTemplates
  
  ec2:DescribeSecurityGroups
  
  ec2:DescribeSubnets
  
  ec2:DescribeVpcs
  
  ec2:RunInstances
  
  iam:GetInstanceProfile
  
  iam:PassRole
CreateQueue
- Description: Grants permission to create queues
- Access: Write
- Resources:
  Name: cluster
  
  Required: Yes
- Conditions:
  aws:ResourceTag/${TagKey}
  
  aws:RequestTag/${TagKey}
  
  aws:TagKeys
DeleteCluster
- Description: Grants permission to delete clusters
- Access: Write
- Resources:
  Name: cluster
  
  Required: Yes
- Dependents:
  ec2:DeleteNetworkInterface
  
  secretsmanager:DeleteSecret
DeleteComputeNodeGroup
- Description: Grants permission to delete compute node groups
- Access: Write
- Resources:
  Name: cluster
  
  Required: Yes
  
  Name: computenodegroup
  
  Required: Yes
- Dependents:
  ec2:DeleteLaunchTemplate
  
  ec2:TerminateInstances
DeleteQueue
- Description: Grants permission to delete queues
- Access: Write
- Resources:
  Name: cluster
  
  Required: Yes
  
  Name: queue
  
  Required: Yes
GetCluster
- Description: Grants permission to get cluster properties
- Access: Read
- Resources:
  Name: cluster
  
  Required: Yes
GetComputeNodeGroup
- Description: Grants permission to get compute node group properties
- Access: Read
- Resources:
  Name: cluster
  
  Required: Yes
  
  Name: computenodegroup
  
  Required: Yes
GetQueue
- Description: Grants permission to get queue properties
- Access: Read
- Resources:
  Name: cluster
  
  Required: Yes
  
  Name: queue
  
  Required: Yes
ListClusters
- Description: Grants permission to list clusters
- Access: List
ListComputeNodeGroups
- Description: Grants permission to list compute node groups
- Access: List
- Resources:
  Name: cluster
  
  Required: Yes
ListQueues
- Description: Grants permission to list queues
- Access: List
- Resources:
  Name: cluster
  
  Required: Yes
ListTagsForResource
- Description: Grants permission to list the tags for a resource
- Access: Read
RegisterComputeNodeGroupInstance
- Description: Grants permission to register a compute instance in a compute node group
- Access: Write
- Resources:
  Name: cluster
  
  Required: Yes
- Dependents:
  secretsmanager:GetSecretValue
TagResource
- Description: Grants permission to tag a resource
- Access: Tagging
- Resources:
  Name: cluster
  
  Required: No
  
  Name: computenodegroup
  
  Required: No
  
  Name: queue
  
  Required: No
- Conditions:
  aws:ResourceTag/${TagKey}
  
  aws:RequestTag/${TagKey}
  
  aws:TagKeys
UntagResource
- Description: Grants permission to untag a resource
- Access: Tagging
- Resources:
  Name: cluster
  
  Required: No
  
  Name: computenodegroup
  
  Required: No
  
  Name: queue
  
  Required: No
- Conditions:
  aws:ResourceTag/${TagKey}
  
  aws:TagKeys
UpdateComputeNodeGroup
- Description: Grants permission to update compute node group properties
- Access: Write
- Resources:
  Name: cluster
  
  Required: Yes
  
  Name: computenodegroup
  
  Required: Yes
- Dependents:
  ec2:CreateFleet
  
  ec2:CreateLaunchTemplate
  
  ec2:CreateLaunchTemplateVersion
  
  ec2:CreateTags
  
  ec2:DescribeImages
  
  ec2:DescribeInstanceStatus
  
  ec2:DescribeInstanceTypes
  
  ec2:DescribeInstances
  
  ec2:DescribeLaunchTemplateVersions
  
  ec2:DescribeLaunchTemplates
  
  ec2:DescribeSecurityGroups
  
  ec2:DescribeSubnets
  
  ec2:DescribeVpcs
  
  ec2:RunInstances
  
  iam:GetInstanceProfile
  
  iam:PassRole
UpdateQueue
- Description: Grants permission to update queue properties
- Access: Write
- Resources:
  Name: cluster
  
  Required: Yes
  
  Name: queue
  
  Required: Yes

Resources

cluster
- Arn: arn:${Partition}:pcs:${Region}:${Account}:cluster/${ClusterIdentifier}
- Conditions:
  aws:ResourceTag/${TagKey}
computenodegroup
- Arn: arn:${Partition}:pcs:${Region}:${Account}:cluster/${ClusterIdentifier}/computenodegroup/${ComputeNodeGroupIdentifier}
- Conditions:
  aws:ResourceTag/${TagKey}
queue
- Arn: arn:${Partition}:pcs:${Region}:${Account}:cluster/${ClusterIdentifier}/queue/${QueueIdentifier}
- Conditions:
  aws:ResourceTag/${TagKey}

Conditions

aws:RequestTag/${TagKey}
- Description: Filters access by the tags that are passed in the request
- Type: String
aws:ResourceTag/${TagKey}
- Description: Filters access by the tags associated with the resource
- Type: String
aws:TagKeys
- Description: Filters access by the tag keys that are passed in the request
- Type: ArrayOfString

AWS Parallel Computing Service (pcs)

Additions