Permission prompt groups by service prefix instead of per-command

Resolved 💬 3 comments Opened Feb 25, 2026 by kimseungbin Closed Feb 28, 2026

Description

The permission prompt now groups actions by AWS service prefix (e.g., aws ec2:*) instead of showing the specific command (e.g., aws ec2 describe-instances). This makes it impossible to grant read-only/listing permissions while denying write operations.

Previous behavior

Permission prompt showed the exact command:

Allow: aws ec2 describe-instances --profile unitybill ...

Users could allow read-only commands and deny mutating ones.

Current behavior

Permission prompt groups by service:

Allow: aws ec2:*

Users must either allow all EC2 operations or deny all — no way to selectively grant read-only access.

Impact

Users who rely on fine-grained permission control (e.g., allowing describe-* / list-* but denying create-* / delete-*) can no longer do so. This is a usability regression for security-conscious workflows.

Expected behavior

Either restore per-command prompts, or provide a way to specify read-only patterns (e.g., aws ec2:describe-*, aws ec2:list-*).

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗