Skip to content

[Tag] Add Untagging Policies for adding/removing Tags#7255

Open
himani2411 wants to merge 3 commits intoaws:developfrom
himani2411:develop-tag-update
Open

[Tag] Add Untagging Policies for adding/removing Tags#7255
himani2411 wants to merge 3 commits intoaws:developfrom
himani2411:develop-tag-update

Conversation

@himani2411
Copy link
Contributor

@himani2411 himani2411 commented Mar 2, 2026

Description of changes

  • Add Untagging Policies for adding/removing Tags, without these we see below failure
Encountered a permissions error performing a tagging operation, please add required tag permissions. See https://repost.aws/knowledge-center/cloudformation-tagging-permission-error for how to resolve. Resource handler returned message: "User: arn:aws:sts::ACCOUNT:assumed-role/integ-tests-iam-user-role-y-ParallelClusterUserRole-xyxem88R59Z2/us-west-1_integration_tests_session is not authorized to perform: iam:UntagRole on resource: role integ-tests-6yufgzjzl3uze-CleanupResourcesFunctionE-6xj7rVpvqBLm because no identity-based policy allows the iam:UntagRole action (Service: Iam, Status Code: 403, Request ID: 50172a6b-3130-4d8a-aff4-3058b7bc727e) (SDK Attempt Count: 1)"" (RequestToken: 0112d4f7-524a-26c5-2aea-be89b02832a3, HandlerErrorCode: UnauthorizedTaggingOperation)

Encountered a permissions error performing a tagging operation, please add required tag permissions. See https://repost.aws/knowledge-center/cloudformation-tagging-permission-error for how to resolve. Resource handler returned message: "User: arn:aws:sts::ACCOUNT:assumed-role/integ-tests-iam-user-role-y-ParallelClusterUserRole-xyxem88R59Z2/us-west-1_integration_tests_session is not authorized to perform: dynamodb:UntagResource on resource: arn:aws:dynamodb:us-west-1:ACCOUNT:table/parallelcluster-slurm-integ-tests-6yufgzjzl3uzewdh-develop because no identity-based policy allows the dynamodb:UntagResource action (Service: DynamoDb, Status Code: 400, Request ID: BTK6LVC1QKCUQS79UVFUEG2LMJVV4KQNSO5AEMVJF66Q9ASUAAJG) (SDK Attempt Count: 1)"" (RequestToken: fbb83fd5-1bcf-f622-b99f-a5dab9d108c2, HandlerErrorCode: UnauthorizedTaggingOperation)

Tests

  • Integ Tests

References

  • Link to impacted open issues.
  • Link to related PRs in other packages (i.e. cookbook, node).
  • Link to documentation useful to understand the changes.

Checklist

  • Make sure you are pointing to the right branch.
  • If you're creating a patch for a branch other than develop add the branch name as prefix in the PR title (e.g. [release-3.6]).
  • Check all commits' messages are clear, describing what and why vs how.
  • Make sure to have added unit tests or integration tests to cover the new/modified code.
  • Check if documentation is impacted by this change.

Please review the guidelines for contributing and Pull Request Instructions.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

@himani2411 himani2411 requested a review from a team as a code owner March 2, 2026 18:29
@himani2411 himani2411 added the skip-changelog-update Disables the check that enforces changelog updates in PRs label Mar 2, 2026
@himani2411 himani2411 requested a review from a team as a code owner March 2, 2026 18:29
@himani2411 himani2411 added the 3.x label Mar 2, 2026
gmarciani
gmarciani reviewed Mar 2, 2026
View reviewed changes
gmarciani
gmarciani previously approved these changes Mar 2, 2026
View reviewed changes
gmarciani
gmarciani reviewed Mar 2, 2026
View reviewed changes
cloudformation/policies/parallelcluster-policies.yaml
- iam:TagRole
- iam:UntagRole
Resource:
- !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/parallelcluster/*
Copy link
Contributor

@gmarciani gmarciani Mar 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you please check this works with custom iam prefix?

Copy link
Contributor Author

@himani2411 himani2411 Mar 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do you mean https://docs.aws.amazon.com/parallelcluster/latest/ug/Iam-v3.html#yaml-Iam-ResourcePrefix?

Copy link
Contributor

@gmarciani gmarciani Mar 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yes

@himani2411 himani2411 force-pushed the develop-tag-update branch from 3652905 to 24ee3d3 Compare March 3, 2026 00:17
@himani2411 himani2411 force-pushed the develop-tag-update branch from afa9820 to 558c6fb Compare March 3, 2026 01:26
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@gmarciani gmarciani gmarciani left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

3.x skip-changelog-update Disables the check that enforces changelog updates in PRs

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@himani2411 @gmarciani