Permission prompt groups by service prefix instead of per-command
Description
The permission prompt now groups actions by AWS service prefix (e.g., aws ec2:*) instead of showing the specific command (e.g., aws ec2 describe-instances). This makes it impossible to grant read-only/listing permissions while denying write operations.
Previous behavior
Permission prompt showed the exact command:
Allow: aws ec2 describe-instances --profile unitybill ...
Users could allow read-only commands and deny mutating ones.
Current behavior
Permission prompt groups by service:
Allow: aws ec2:*
Users must either allow all EC2 operations or deny all — no way to selectively grant read-only access.
Impact
Users who rely on fine-grained permission control (e.g., allowing describe-* / list-* but denying create-* / delete-*) can no longer do so. This is a usability regression for security-conscious workflows.
Expected behavior
Either restore per-command prompts, or provide a way to specify read-only patterns (e.g., aws ec2:describe-*, aws ec2:list-*).
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗