Merge pull request #31 from alliance-genome/nextflow_aws_execution_pe…

…rmissions Additional NF AWS execution permissions
alliance-genome · May 9, 2024 · 3f8f343 · 3f8f343
2 parents cd32513 + 4b411e0
commit 3f8f343
Showing 1 changed file with 13 additions and 5 deletions.
diff --git a/pipeline/aws_infra/cdk_classes/aws_batch.py b/pipeline/aws_infra/cdk_classes/aws_batch.py
@@ -124,17 +124,25 @@ def __init__(self, scope: Stack, env_suffix: str, shared_work_dir_bucket: Option
             iam.PolicyStatement(
                 sid="AllowBatchJobMgmt",
                 effect=iam.Effect.ALLOW,
-                actions=['batch:CancelJob', 'batch:SubmitJob', 'batch:TerminateJob',
-                         'batch:ListJobs', 'batch:DescribeJobs',
-                         'batch:RegisterJobDefinition', 'batch:DescribeJobDefinitions'],
+                actions=['batch:CancelJob', 'batch:SubmitJob', 'batch:TerminateJob', 'batch:ListJobs',
+                         'batch:RegisterJobDefinition', 'batch:DeregisterJobDefinition'],
                 resources=['*']
             )
         )
         nf_aws_execution_statements.append(
             iam.PolicyStatement(
-                sid="AllowQueueAndComputeEnvDescribe",
+                sid="AllowDescribeAllBatchResources",
                 effect=iam.Effect.ALLOW,
-                actions=['batch:DescribeJobQueues', 'batch:DescribeComputeEnvironments'],
+                actions=['batch:DescribeJobQueues', 'batch:DescribeComputeEnvironments',
+                         'batch:DescribeJobDefinitions', 'batch:DescribeJobs'],
+                resources=['*']
+            )
+        )
+        nf_aws_execution_statements.append(
+            iam.PolicyStatement(
+                sid="AllowBatchResourceTagMgmt",
+                effect=iam.Effect.ALLOW,
+                actions=['batch:TagResource', 'batch:UntagResource', 'batch:ListTagsForResource'],
                 resources=['*']
             )
         )