<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=Windows-1252">
</head>
<body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; color: rgb(0, 0, 0); font-size: 14px; font-family: Calibri, sans-serif; ">
<div>
<div>
<div><br>
</div>
</div>
</div>
<div>Hi Ray</div>
<div>Questions inline…</div>
<div><br>
</div>
<span id="OLK_SRC_BODY_SECTION">
<div style="font-family:Calibri; font-size:11pt; text-align:left; color:black; BORDER-BOTTOM: medium none; BORDER-LEFT: medium none; PADDING-BOTTOM: 0in; PADDING-LEFT: 0in; PADDING-RIGHT: 0in; BORDER-TOP: #b5c4df 1pt solid; BORDER-RIGHT: medium none; PADDING-TOP: 3pt">
<span style="font-weight:bold">From: </span>Rayson Ho <<a href="mailto:raysonlogin@gmail.com">raysonlogin@gmail.com</a>><br>
<span style="font-weight:bold">Date: </span>Mon, 24 Mar 2014 13:40:14 -0400<br>
<span style="font-weight:bold">To: </span>David Stuebe <<a href="mailto:dstuebe@asascience.com">dstuebe@asascience.com</a>><br>
<span style="font-weight:bold">Cc: </span>"<a href="mailto:starcluster@mit.edu">starcluster@mit.edu</a>" <<a href="mailto:starcluster@mit.edu">starcluster@mit.edu</a>><br>
<span style="font-weight:bold">Subject: </span>Re: [StarCluster] Administration of StarCluster with AWS IAM<br>
</div>
<div><br>
</div>
<blockquote id="MAC_OUTLOOK_ATTRIBUTION_BLOCKQUOTE" style="BORDER-LEFT: #b5c4df 5 solid; PADDING:0 0 0 5; MARGIN:0 0 0 5;">
<div>
<div>
<div>On Mon, Mar 24, 2014 at 1:13 PM, David Stuebe <<a href="mailto:DStuebe@asascience.com">DStuebe@asascience.com</a>> wrote:</div>
<blockquote id="MAC_OUTLOOK_ATTRIBUTION_BLOCKQUOTE" style="BORDER-LEFT: #b5c4df 5 solid; PADDING:0 0 0 5; MARGIN:0 0 0 5;">
<div>I am planning to setup an HPC cluster for an operational forecasting</div>
<div>project. I have created a new AWS account for this purpose and setup up IAM</div>
<div>for various users on the project to have access and control over resources</div>
<div>with proper unique users, role separation and least privilege.</div>
<div><br>
</div>
<div>What are best practices for sharing administration of StarCluster resources?</div>
</blockquote>
<div><br>
</div>
<div>Note that StarCluster bootstraps an HPC cluster in EC2 for you. After</div>
<div>the cluster has been started, StarCluster exits cleanly unless you</div>
<div>need the StarCluster load balancer:</div>
<div><br>
</div>
<div><a href="http://star.mit.edu/cluster/docs/latest/manual/load_balancer.html">http://star.mit.edu/cluster/docs/latest/manual/load_balancer.html</a></div>
</div>
</div>
</blockquote>
</span>
<div><br>
</div>
<div><br>
</div>
<div>Yes – I am specifically asking about sharing a config file to allow different IAM users to manage a cluster via:</div>
<blockquote style="margin:0 0 0 40px; border:none; padding:0px;">
<div>starcluster restart mycluster</div>
<div>starcluster stop mycluster</div>
<div>starcluster terminate mycluster</div>
<div>starcluster <span class="Apple-style-span" style="color: rgb(62, 67, 73); line-height: 17px; white-space: pre; font-family: Consolas, 'andale mono', 'lucida console', monospace; ">addnode</span> mycluster</div>
</blockquote>
<div><br>
</div>
<span id="OLK_SRC_BODY_SECTION">
<blockquote id="MAC_OUTLOOK_ATTRIBUTION_BLOCKQUOTE" style="BORDER-LEFT: #b5c4df 5 solid; PADDING:0 0 0 5; MARGIN:0 0 0 5;">
<div>
<div>
<div><br>
</div>
<div>On the other hand, if you are talking about the administration of the</div>
<div>HPC cluster, then it is a different story. You will likely want to</div>
<div>learn Grid Engine for your job scheduling policy, and use Linux</div>
<div>commands to setup new users, and may want to add a parallel</div>
<div>filesystem, etc.</div>
<div><br>
</div>
<div><br>
</div>
<blockquote id="MAC_OUTLOOK_ATTRIBUTION_BLOCKQUOTE" style="BORDER-LEFT: #b5c4df 5 solid; PADDING:0 0 0 5; MARGIN:0 0 0 5;">
<div>When I create a config file I can share it with other users as long as I get</div>
<div>my AWS credentials from my ENV variables.</div>
<div><br>
</div>
<div>What about the user id?</div>
<div>Does this have to be the root AWS account ID or can I use my User ARN (of</div>
<div>the form: arn:aws:iam::123456789012:user/username)</div>
<div>Can I set this as an environment variable as well?</div>
</blockquote>
<div><br>
</div>
<div>StarCluster does not need the power of the full AWS root account. You</div>
<div>can just create an IAM user with "EC2 full access" in the Policy</div>
<div>Template.</div>
</div>
</div>
</blockquote>
</span>
<div><br>
</div>
<div>Is this "User ARN" the correct ID to use? Should I use a group ID or a user ID?</div>
<div><br>
</div>
<div>Thanks for the quick response!</div>
<div><br>
</div>
<div>David</div>
<div><br>
</div>
<span id="OLK_SRC_BODY_SECTION">
<blockquote id="MAC_OUTLOOK_ATTRIBUTION_BLOCKQUOTE" style="BORDER-LEFT: #b5c4df 5 solid; PADDING:0 0 0 5; MARGIN:0 0 0 5;">
<div>
<div>
<div><br>
</div>
<div>If you want finer control, you can fire up the IAM Policy Generator</div>
<div>and pick which ec2 APIs the IAM user can issue. StarCluster does not</div>
<div>use the AWS ELB nor the ASG (SC has its implementations of them).</div>
<div>However, since we introduce VPC support, the list of APIs that SC</div>
<div>needs is slightly larger.</div>
<div><br>
</div>
<div><br>
</div>
<blockquote id="MAC_OUTLOOK_ATTRIBUTION_BLOCKQUOTE" style="BORDER-LEFT: #b5c4df 5 solid; PADDING:0 0 0 5; MARGIN:0 0 0 5;">
<div>What about PEM files - what is ec2_cert in the config file used for?</div>
</blockquote>
<div><br>
</div>
<div>That's for the permission to create a new AMI, IIRC.</div>
<div><br>
</div>
<div>Rayson</div>
<div><br>
</div>
<div>==================================================</div>
<div>Open Grid Scheduler - The Official Open Source Grid Engine</div>
<div><a href="http://gridscheduler.sourceforge.net/">http://gridscheduler.sourceforge.net/</a></div>
<div><a href="http://gridscheduler.sourceforge.net/GridEngine/GridEngineCloud.html">http://gridscheduler.sourceforge.net/GridEngine/GridEngineCloud.html</a></div>
<div><br>
</div>
<div><br>
</div>
<blockquote id="MAC_OUTLOOK_ATTRIBUTION_BLOCKQUOTE" style="BORDER-LEFT: #b5c4df 5 solid; PADDING:0 0 0 5; MARGIN:0 0 0 5;">
<div><br>
</div>
<div>David Stuebe</div>
<div><br>
</div>
<div>Scientist & Software Engineer</div>
<div><br>
</div>
<div>55 Village Square Drive</div>
<div>South Kingstown, RI 02879-8248</div>
<div><br>
</div>
<div>Tel: +1 (401) 789-6224</div>
<div><br>
</div>
<div>Email: <a href="mailto:David.Stuebe@rpsgroup.com">David.Stuebe@rpsgroup.com</a></div>
<div>www: asascience.com | rpsgroup.com</div>
<div><br>
</div>
<div>A member of the RPS Group plc</div>
<div><br>
</div>
<div><br>
</div>
<div>_______________________________________________</div>
<div>StarCluster mailing list</div>
<div><a href="mailto:StarCluster@mit.edu">StarCluster@mit.edu</a></div>
<div><a href="http://mailman.mit.edu/mailman/listinfo/starcluster">http://mailman.mit.edu/mailman/listinfo/starcluster</a></div>
<div><br>
</div>
</blockquote>
<div><br>
</div>
</div>
</div>
</blockquote>
</span>
</body>
</html>