[3.11] elasticloadbalancing:DescribeTags permission is missing when run a cluster with login nodes #6483

Open
kondakovm opened this issue Oct 20, 2024 · 0 comments

kondakovm commented Oct 20, 2024

My 3.11.0 ParallelCluster deployment failed due to insufficient AWS permissions for a Lambda role created by the API stack. The Lambda function requires the permission 'elasticloadbalancing:DescribeTags', but this permission is not included in the policy configuration.

Most likely, this issue was caused by changes to the permissions in the 'cloudformation/policies/parallelcluster-policies.yaml' file since ParallelCluster version 3.10.1 where the elasticloadbalancing:Describe* permission was included.

The deployment succeeds when there are no login nodes in the cluster configuration, but fails when the login nodes section is included.

The cluster configuration:

  Region: eu-central-1
  CustomS3Bucket: parallelcluster-custom-bucket-name
  Image:
    Os: alinux2
  SharedStorage:
    - MountDir: /home
      Name: parallelcluster_shared
      StorageType: Ebs
      EbsSettings:
        VolumeType: gp3
        Size: 1000
        DeletionPolicy: Delete
  HeadNode:
    InstanceType: c5.large
    LocalStorage:
      RootVolume:
        Size: 100
        VolumeType: gp3
        DeleteOnTermination: true
    Networking:
      SubnetId: subnet-123456789123
    Iam:
      AdditionalIamPolicies:
        - Policy: arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore
    Ssh:
      KeyName: parallelcluster_ssh_key
  LoginNodes:
    Pools:
      - Name: login
        Count: 1
        InstanceType: t3.small
        Ssh:
          KeyName: parallelcluster_ssh_key
        Networking:
          SubnetIds:
            - subnet-123456789123
        Iam:
          AdditionalIamPolicies:
            - Policy: arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore
  Scheduling:
    Scheduler: slurm
    SlurmQueues:
      - Name: queue1
        CapacityType: SPOT
        Networking:
          SubnetIds:
            - subnet-123456789123
        Iam:
          AdditionalIamPolicies:
            - Policy: arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore
        ComputeResources:
          - InstanceType: c5.xlarge
            MinCount: 0
            MaxCount: 10
            Name: c5xlarge
    SlurmSettings:
      QueueUpdateStrategy: TERMINATE
      Dns:
        DisableManagedDns: true
        UseEc2Hostnames: true

Lambda logs for evidence:

    "level": "ERROR",
    "location": "common.py:107:wrapper()",
    "message": "Encountered error when performing boto3 call in describe_tags: User: arn:aws:sts::123456789123:assumed-role/ParallelClusterLambdaRole-1d812250/ParallelClusterAPI-ParallelClusterFunction-MxG8NLI7N3Nq is not authorized to perform: elasticloadbalancing:DescribeTags because no identity-based policy allows the elasticloadbalancing:DescribeTags action",
    "timestamp": "2024-10-20 14:49:14,667+0000",
    "service": "pcluster",
    "cold_start": false,
    "function_name": "ParallelClusterAPI-ParallelClusterFunction-MxG8NLI7N3Nq",
    "function_memory_size": "2048",
    "function_arn": "arn:aws:lambda:eu-central-1:123456789123:function:ParallelClusterAPI-ParallelClusterFunction-MxG8NLI7N3Nq",
    "function_request_id": "3948efa8-700f-4b83-b396-fc593f04033e",
    "xray_trace_id": "1-67151869-23d459f976b54e012b1dd398"
kondakovm added the 3.x label Oct 20, 2024

kondakovm changed the title from "[3.11] elasticloadbalancing:DescribeTags permission is required to run a cluster with login nodes" to "[3.11] elasticloadbalancing:DescribeTags permission missing when run a cluster with login nodes" Oct 20, 2024

kondakovm changed the title from "[3.11] elasticloadbalancing:DescribeTags permission missing when run a cluster with login nodes" to "[3.11] elasticloadbalancing:DescribeTags permission is missing when run a cluster with login nodes" Oct 20, 2024
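The failure mode the reporter suspects, a wildcard grant replaced by an explicit action list that omits one call, can be checked offline before deploying. The sketch below is an added example, not code from the issue or from ParallelCluster: the two policy documents and the shortened log message are constructed samples, and the evaluation is simplified to Action matching only.

```python
import re

# Constructed sample policies, NOT the contents of parallelcluster-policies.yaml.
WILDCARD_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": "elasticloadbalancing:Describe*", "Resource": "*"}]}
EXPLICIT_POLICY = {"Statement": [{"Effect": "Allow", "Resource": "*", "Action": [
    "elasticloadbalancing:DescribeLoadBalancers",
    "elasticloadbalancing:DescribeTargetGroups",
    "elasticloadbalancing:DescribeTargetHealth"]}]}

# Constructed message in the shape of the Lambda log entry (role and function names shortened).
SAMPLE_MESSAGE = (
    "User: arn:aws:sts::123456789123:assumed-role/ExampleRole/ExampleFunction is not "
    "authorized to perform: elasticloadbalancing:DescribeTags because no identity-based "
    "policy allows the elasticloadbalancing:DescribeTags action"
)

def denied_action(message):
    """Return the action named in an access-denied message, or None."""
    m = re.search(r"is not authorized to perform: ([\w-]+:\w+)", message)
    return m.group(1) if m else None

def _matches(pattern, action):
    # IAM action patterns are case-insensitive; '*' matches any run, '?' one character.
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, action, re.IGNORECASE) is not None

def allows(policy, action):
    """True if an Allow statement covers `action` and no Deny statement does.
    Simplification: Resource, Condition and NotAction are ignored."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    allowed = False
    for st in statements:
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if any(_matches(p, action) for p in actions):
            if st.get("Effect") == "Deny":
                return False  # an explicit Deny always wins
            allowed = allowed or st.get("Effect") == "Allow"
    return allowed

def missing_actions(policy, required):
    """Return the required actions the policy does not allow, sorted."""
    return sorted(a for a in required if not allows(policy, a))

if __name__ == "__main__":
    action = denied_action(SAMPLE_MESSAGE)
    for name, policy in (("wildcard", WILDCARD_POLICY), ("explicit", EXPLICIT_POLICY)):
        print(name, action, "allowed" if allows(policy, action) else "NOT allowed")
```

Running `missing_actions` over the list of API calls a code path makes, against each release's policy document, turns this kind of regression into a failing check instead of a failed deployment.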