Add GetFunction and GetPolicy permissions to the build image cleanup role#7087
Merged
hgreebe merged 6 commits intoaws:developfrom Nov 10, 2025
Merged
Add GetFunction and GetPolicy permissions to the build image cleanup role#7087hgreebe merged 6 commits intoaws:developfrom
hgreebe merged 6 commits intoaws:developfrom
Conversation
gmarciani
reviewed
Nov 6, 2025
| PCLUSTER_BUILD_IMAGE_CLEANUP_ROLE_PREFIX = "PClusterBuildImageCleanupRole" | ||
| # Tag key & expected revision (increment when policy widens) | ||
| PCLUSTER_BUILD_IMAGE_CLEANUP_ROLE_REVISION = 1 | ||
| PCLUSTER_BUILD_IMAGE_CLEANUP_ROLE_REVISION = 2 |
Contributor
There was a problem hiding this comment.
IIRC we need to increment only when we introduce breaking changes to the policy. This is an additive fix, not a breaking change. So I think we can keep the version to 1.
Can you please double check?
If this is the case, then please also fix the comment, as it could be misleading.
Contributor
There was a problem hiding this comment.
Nope, I was wrong. We need to increase the version at every change, because we do not modify the exisitng role
See code
aws-parallelcluster/cli/src/pcluster/imagebuilder_utils.py
Lines 223 to 224 in e2d21fc
gmarciani
reviewed
Nov 6, 2025
| {"Action": "tag:TagResources", "Resource": "*", "Effect": "Allow"}, | ||
| { | ||
| "Action": ["lambda:DeleteFunction", "lambda:RemovePermission"], | ||
| "Action": ["lambda:DeleteFunction", "lambda:RemovePermission", "lambda:GetFunction", "lambda:GetPolicy"], |
Contributor
There was a problem hiding this comment.
[Test] I would expect a unit test to be adapted accordingly. If there is no unit test covering this part, can we add it to cover this change?
gmarciani
previously approved these changes
Nov 7, 2025
gmarciani
approved these changes
Nov 10, 2025
himani2411
pushed a commit
to himani2411/aws-parallelcluster
that referenced
this pull request
Nov 12, 2025
…role (aws#7087) * Add GetFunction and GetPolicy permissions to the build image cleanup role * Increase pcluster build image cleanup role revision number * Update CHANGELOG * Add unit test for actions in CleanupRole policy * Fix linter errors
himani2411
pushed a commit
that referenced
this pull request
Nov 17, 2025
…role (#7087) * Add GetFunction and GetPolicy permissions to the build image cleanup role * Increase pcluster build image cleanup role revision number * Update CHANGELOG * Add unit test for actions in CleanupRole policy * Fix linter errors
hanwen-cluster
pushed a commit
to hanwen-cluster/aws-parallelcluster
that referenced
this pull request
Dec 9, 2025
…role (aws#7087) * Add GetFunction and GetPolicy permissions to the build image cleanup role * Increase pcluster build image cleanup role revision number * Update CHANGELOG * Add unit test for actions in CleanupRole policy * Fix linter errors
hehe7318
pushed a commit
to hehe7318/aws-parallelcluster
that referenced
this pull request
Dec 24, 2025
…role (aws#7087) * Add GetFunction and GetPolicy permissions to the build image cleanup role * Increase pcluster build image cleanup role revision number * Update CHANGELOG * Add unit test for actions in CleanupRole policy * Fix linter errors
hehe7318
pushed a commit
to hehe7318/aws-parallelcluster
that referenced
this pull request
Dec 24, 2025
…role (aws#7087) * Add GetFunction and GetPolicy permissions to the build image cleanup role * Increase pcluster build image cleanup role revision number * Update CHANGELOG * Add unit test for actions in CleanupRole policy * Fix linter errors
hehe7318
pushed a commit
that referenced
this pull request
Dec 25, 2025
…role (#7087) * Add GetFunction and GetPolicy permissions to the build image cleanup role * Increase pcluster build image cleanup role revision number * Update CHANGELOG * Add unit test for actions in CleanupRole policy * Fix linter errors
himani2411
pushed a commit
to himani2411/aws-parallelcluster
that referenced
this pull request
Feb 11, 2026
…role (aws#7087) * Add GetFunction and GetPolicy permissions to the build image cleanup role * Increase pcluster build image cleanup role revision number * Update CHANGELOG * Add unit test for actions in CleanupRole policy * Fix linter errors
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description of changes
Tests
GetFunctionandGetPolicyactions no longer had AccessDenied errors.Please review the guidelines for contributing and Pull Request Instructions.
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.