AWS ParallelCluster supports the configuration options `ebs_kms_key_id` and `fsx_kms_key_id`, which allow you to provide a custom KMS key for EBS disk encryption or FSx Lustre. To use them you’ll need to specify an `ec2_iam_role`.
For the cluster to be created, the KMS key needs to know the name of the cluster’s role. This prevents you from using the role that is generated when the cluster is created, so a custom `ec2_iam_role` is required.
First you’ll need to create a policy:

- `<AWS ACCOUNT ID>` and `<REGION>`
- `ParallelClusterInstancePolicy` and click “Create Policy”

Next create a role:

- `EC2` as the trusted entity
- `ParallelClusterInstancePolicy` role you just created and attach it.
- `ParallelClusterRole` and click “Create Role”

In the IAM Console > Encryption Keys > click on your key.

Click “Add User” and search for the `ParallelClusterInstanceRole` you just created. Attach it.
Now create a cluster. Here’s an example of a cluster with encrypted RAID 0 drives:
```ini
[cluster default]
...
raid_settings = rs
ec2_iam_role = ParallelClusterInstanceRole

[raid rs]
shared_dir = raid
raid_type = 0
num_of_raid_volumes = 2
volume_size = 100
encrypted = true
ebs_kms_key_id = xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
```
Here’s an example with an FSx Lustre file system:
```ini
[cluster default]
...
fsx_settings = fs
ec2_iam_role = ParallelClusterInstanceRole

[fsx fs]
shared_dir = /fsx
storage_capacity = 3600
imported_file_chunk_size = 1024
export_path = s3://bucket/folder
import_path = s3://bucket
weekly_maintenance_start_time = 1:00:00
fsx_kms_key_id = xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
```
Similar configuration applies for EBS and FSx based file systems.
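A pre-flight check for the requirement described above, written as an added example (not part of ParallelCluster): it flags any storage section that sets a custom KMS key while the referencing cluster section has no `ec2_iam_role`. The function name `check_kms_config` and the sample config are constructed for illustration. It goes beyond the two examples by also following `ebs_settings`, and the `encrypted = true` check mirrors the RAID example above.

```python
import configparser

# Cluster-level reference -> (storage section prefix, KMS option in that section)
STORAGE_REFS = {
    "raid_settings": ("raid", "ebs_kms_key_id"),
    "ebs_settings": ("ebs", "ebs_kms_key_id"),
    "fsx_settings": ("fsx", "fsx_kms_key_id"),
}

def check_kms_config(text):
    """Return findings for a ParallelCluster config that uses custom KMS keys."""
    cfg = configparser.ConfigParser(allow_no_value=True, interpolation=None)
    cfg.read_string(text)
    findings = []
    for name in cfg.sections():
        if not name.startswith("cluster "):
            continue
        cluster = cfg[name]
        for ref, (prefix, kms_opt) in STORAGE_REFS.items():
            # ebs_settings may list several labels separated by commas
            for label in filter(None, (s.strip() for s in (cluster.get(ref) or "").split(","))):
                section = f"{prefix} {label}"
                if not cfg.has_section(section):
                    findings.append(f"[{name}] {ref} names missing section [{section}]")
                    continue
                store = cfg[section]
                if not store.get(kms_opt):
                    continue  # no custom key, nothing to enforce
                if not cluster.get("ec2_iam_role"):
                    findings.append(f"[{section}] sets {kms_opt} but [{name}] has no ec2_iam_role")
                if prefix != "fsx" and (store.get("encrypted") or "").lower() != "true":
                    findings.append(f"[{section}] sets {kms_opt} without encrypted = true")
    return findings

# Constructed sample: custom keys set, but no ec2_iam_role and no encrypted flag
BAD_CONFIG = """\
[cluster default]
raid_settings = rs
fsx_settings = fs
[raid rs]
shared_dir = raid
ebs_kms_key_id = xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
[fsx fs]
shared_dir = /fsx
fsx_kms_key_id = xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
"""

if __name__ == "__main__":
    for finding in check_kms_config(BAD_CONFIG):
        print(finding)
```

The check only reads the config file; it does not confirm that the role has actually been added as a user of the key.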