AWS IAM restricted roles and policies for compute and CML

The CML compute infrastructure uses AWS IAM write permissions to create and delete the IAM roles and instance profiles it needs.

Some customers may not be willing to grant IAM write permissions in the role's policy. As an alternative, customers can pre-create static roles and instance profiles that the CML compute infrastructure then uses, rather than creates, when provisioning clusters.

The two main tasks are:

  1. Create roles and an instance profile.
  2. Create restricted IAM policies for use by the compute infrastructure.

After these two tasks are completed, you can create the cross-account credential, if needed.

See the following topics for the procedures for creating the roles and policies.