[SREP-1313] feat: Move the inline session policy to the last hop of the assume role sequence by samanthajayasinghe · Pull Request #757 · openshift/backplane-cli
What type of PR is this?
- fix (Bug Fix)
- feat (New Feature)
- docs (Documentation)
- test (Test Coverage)
- chore (Clean Up / Maintenance Tasks)
- other (Anything that doesn't fit the above)
What this PR does / Why we need it?
This PR moves the inline session policy to the last hop of the assume role sequence.
Which Jira/Github issue(s) does this PR fix?
https://issues.redhat.com/browse/SREP-1313
- Related Issue #
- Closes #
Special notes for your reviewer
Unit Test Coverage
Guidelines
- If it's a new sub-command or new function to an existing sub-command, please cover at least 50% of the code
- If it's a bug fix for an existing sub-command, please cover 70% of the code
Test coverage checks
- Added unit tests
- Created jira card to add unit test
- This PR may not need unit tests
Pre-checks (if applicable)
- Ran unit tests locally
- Validated the changes in a cluster
- Included documentation changes with PR
- Backward compatible
openshift-ci bot added the approved label Aug 12, 2025
| }, | ||
| } | ||
| } else { | ||
| roleArnSession.Policy = &inlinePolicy |
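Review bot: The `else` branch at `roleArnSession.Policy = &inlinePolicy` has no comment saying which hop of the sequence it covers, and the condition it pairs with is not visible in these lines. A one-line comment stating that this branch is the hop that receives the inline session policy, and that every other hop deliberately leaves `Policy` nil, would make the intent checkable at the assignment itself. A unit test asserting that exactly one entry in the sequence ends up with a non-nil `Policy`, and that it is the final one, would keep a later reordering of roles from silently moving or dropping the restriction.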
Ok, IIUC, the inline policy only applies to CustomerRoleArnName and for the other roles just remains nil.
Then, it calls AssumeRoleSequence() to assume all roles in the sequence (SupportRole -> PlatformRole -> CustomerRole), but only the CustomerRole assumption includes the inline policy while the other role assumptions have no policy.
Yeah exactly..
That is also how I understand it: the CustomerRoleArnName matches on the last role, and then the policy is applied.
Thanks, Sam. The code logic looks good to me for implementing Move the inline session policy to the last hop. I just have a couple questions for clarification, but they’re not blockers for merging.
/lgtm + /hold
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: samanthajayasinghe, smarthall, xiaoyu74
The full list of commands accepted by this bot can be found here.
The pull request process is described here
Needs approval from an approver in each of these files: OWNERS [samanthajayasinghe,smarthall,xiaoyu74]
Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment