Add GetFunction and GetPolicy permissions to the build image cleanup role

hgreebe · hgreebe · commit 195c605f80bb · 2025-11-07T11:18:53.000-05:00
diff --git a/cli/src/pcluster/imagebuilder_utils.py b/cli/src/pcluster/imagebuilder_utils.py
@@ -140,7 +140,7 @@ def _expected_inline_policy(account_id: str, partition: str):
                 {"Action": "ec2:CreateTags", "Resource": f"arn:{partition}:ec2:*::image/*", "Effect": "Allow"},
                 {"Action": "tag:TagResources", "Resource": "*", "Effect": "Allow"},
                 {
-                    "Action": ["lambda:DeleteFunction", "lambda:RemovePermission"],
+                    "Action": ["lambda:DeleteFunction", "lambda:RemovePermission", "lambda:GetFunction", "lambda:GetPolicy"],
                     "Resource": f"arn:{partition}:lambda:*:{account_id}:function:ParallelClusterImage-*",
                     "Effect": "Allow",
                 },

Original file line number	Diff line number	Diff line change
`@@ -140,7 +140,7 @@ def _expected_inline_policy(account_id: str, partition: str):`
`140`	`140`	`{"Action": "ec2:CreateTags", "Resource": f"arn:{partition}:ec2:::image/", "Effect": "Allow"},`
`141`	`141`	`{"Action": "tag:TagResources", "Resource": "*", "Effect": "Allow"},`
`142`	`142`	`{`
`143`		`- "Action": ["lambda:DeleteFunction", "lambda:RemovePermission"],`
	`143`	`+ "Action": ["lambda:DeleteFunction", "lambda:RemovePermission", "lambda:GetFunction", "lambda:GetPolicy"],`
`144`	`144`	`"Resource": f"arn:{partition}:lambda::{account_id}:function:ParallelClusterImage-",`
`145`	`145`	`"Effect": "Allow",`
`146`	`146`	`},`