ClearML/clearml-docs
1
0
Fork 0
mirror of https://github.com/clearml/clearml-docs synced 2025-06-26 18:17:44 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Add AWS Autoscaler app configuration example (#372)

Browse Source
This commit is contained in:
pollfly 2022-11-20 10:22:27 +02:00 committed by GitHub
parent 621b6f957a
commit 22960fb7d0
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 104 additions and 22 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

126
docs/webapp/applications/apps_aws_autoscaler.md
View File

@ -119,30 +119,112 @@ to an IAM user, and create credentials keys for that user to configure in the au
1. Insert the following policy into the text box:
```
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"ec2:DescribeInstances",
"ec2:TerminateInstances",
"ec2:RequestSpotInstances",
"ec2:DeleteTags",
"ec2:CreateTags",
"ec2:RunInstances",
"ec2:DescribeSpotInstanceRequests",
"ec2:GetConsoleOutput"
],
"Resource": "*"
}
]
}
```
```
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"ec2:DescribeInstances",
"ec2:TerminateInstances",
"ec2:RequestSpotInstances",
"ec2:DeleteTags",
"ec2:CreateTags",
"ec2:RunInstances",
"ec2:DescribeSpotInstanceRequests",
"ec2:GetConsoleOutput"
],
"Resource": "*"
}
]
}
```
This is a basic policy which gives the autoscaler access to your account. See example policy with finer security
configuration [here](#aws-iam-restricted-access-policy).
1. Complete creating the policy
1. Attach the created policy to an IAM user/group whose credentials will be used in the autoscaler app (you can create a
new IAM user/group for this purpose)
1. Obtain a set of AWS IAM credentials for the user/group to which you have attached the created policy in the previous step
### AWS IAM Restricted Access Policy
The template policy below demonstrates how to restrict the autoscaler to launch EC2.
The policy includes the following permissions:
* Enables performing certain EC2 actions on all resources in specified regions
* Enables performing certain EC2 actions on specified resources (in selected subnet and security group, and any network-interface, volume, key-pair, instance)
* Enables performing an EC2 action to use on a specified AMI on condition that the `ec2:Owner` is a specified owner
```json
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "GeneralEC2",
"Effect": "Allow",
"Action": [
"ec2:AttachClassicLinkVpc",
"ec2:CancelSpotInstanceRequests",
"ec2:CreateFleet",
"ec2:Describe*",
"ec2:GetConsoleOutput",
"ec2:DetachClassicLinkVpc",
"ec2:ModifyInstanceAttribute",
"ec2:RequestSpotInstances"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:RequestedRegion": "<region>"
}
}
},
{
"Sid": "RunEC2",
"Effect": "Allow",
"Action": [
"ec2:RunInstances",
"ec2:CreateTags",
"ec2:DeleteTags",
"ec2:StartInstances",
"ec2:StopInstances",
"ec2:TerminateInstances",
"ec2:DescribeVolumes",
"ec2:DescribeAvailabilityZones",
"ec2:CreateVolume",
"ec2:AttachVolume",
"ec2:DetachVolume"
],
"Resource": [
"arn:aws:ec2:<region>:<account id>:subnet/<subnet id>",
"arn:aws:ec2:<region>:<account id>:network-interface/*",
"arn:aws:ec2:<region>:<account id>:volume/*",
"arn:aws:ec2:<region>:<account id>:key-pair/*",
"arn:aws:ec2:<region>:<account id>:security-group/<security group id>",
"arn:aws:ec2:<region>:<account id>:instance/*"
]
},
{
"Sid": "RunEC2AMI",
"Effect": "Allow",
"Action": [
"ec2:RunInstances"
],
"Resource": [
"arn:aws:ec2:<region>::image/<ami id>"
],
"Condition": {
"StringEquals": {
"ec2:Owner": "<owner>"
}
}
}
]
}
```