g. Setup IAM Permissions 🔑

Be default AWS ParallelCluster API limits the policies you’re allowed to attach with AdditionalIAMPolicies to the following managed policies:

  • arn:aws:iam::1234567890:policy/parallelcluster*
  • arn:aws:iam::1234567890:policy/parallelcluster/*
  • arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy
  • arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore
  • arn:aws:iam::aws:policy/AWSBatchFullAccess
  • arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess
  • arn:aws:iam::aws:policy/service-role/AWSBatchServiceRole
  • arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role
  • arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy
  • arn:aws:iam::aws:policy/service-role/AmazonEC2SpotFleetTaggingRole
  • arn:aws:iam::aws:policy/EC2InstanceProfileForImageBuilder
  • arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole

If you try and attach a policy outside of this list, you’ll get an error like:

API: iam:AttachRolePolicy User: ... is not authorized to perform: iam:AttachRolePolicy on resource: role api-cluster-2022-05-09-17-46-53-RoleHeadNode-EXNM6B7GER1S because no identity-based policy allows the iam:AttachRolePolicy action

To fix this, you can add additional IAM permissions to PCM like so:

  1. Go to the Lambda Console (deeplink) and search for ParallelClusterFunction
  2. Select the function then Configuration > Permissions > Click on the role under Role name.

Attach Policies

  1. Select the AWSXRayDaemonWriteAccess policy and remove it
  2. Select Add permissions > Create inline Policy

Attach Policies

  1. Click on the JSON tab and paste in the following policy. Make sure to change <account-id> to your aws account id.
    "Version": "2012-10-17",
    "Statement": [
            "Action": [
            "Effect": "Allow",
            "Resource": "arn:aws:iam::<account-id>:role/parallelcluster/*"
  1. Click Review Policy, give it a name like pcluster-attach-detach-policies and click Save.