From 6c5ad92f47568d9ad45fc9525e6c3f14cc03ce23 Mon Sep 17 00:00:00 2001
From: Changelog bot
Date: Wed, 15 Oct 2025 13:28:37 +0000
Subject: [PATCH 1/3] feat(changelog): add new entry
---
 ...-serverless-jobs-enforced-cross-product-per.mdx | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
 create mode 100644 changelog/october2025/2025-10-15-jobs-changed-serverless-jobs-enforced-cross-product-per.mdx
diff --git a/changelog/october2025/2025-10-15-jobs-changed-serverless-jobs-enforced-cross-product-per.mdx b/changelog/october2025/2025-10-15-jobs-changed-serverless-jobs-enforced-cross-product-per.mdx
new file mode 100644
index 0000000000..f4fda1a358
--- /dev/null
+++ b/changelog/october2025/2025-10-15-jobs-changed-serverless-jobs-enforced-cross-product-per.mdx
@@ -0,0 +1,14 @@
+---
+title: Serverless Jobs enforced cross-product permissions
+status: changed
+date: 2025-10-15
+category: serverless
+product: jobs
+---
+
+When starting a Job Definition with `ServerlessJobsFullAccess` permission:
+- If the Job Definition uses an image from **Container Registry**, add at least `ContainerRegistryReadOnly` permission.
+- If the Job Definition consumes data from **Secret Manager**; add at least `SecretManagerSecretAccess` permission.
+
+
+
From a076222c340b863588b45a3d3073916f10de61af Mon Sep 17 00:00:00 2001
From: Benedikt Rollik
Date: Wed, 15 Oct 2025 16:50:13 +0200
Subject: [PATCH 2/3] Update changelog/october2025/2025-10-15-jobs-changed-serverless-jobs-enforced-cross-product-per.mdx
---
 ...-jobs-changed-serverless-jobs-enforced-cross-product-per.mdx | 2 --
 1 file changed, 2 deletions(-)
diff --git a/changelog/october2025/2025-10-15-jobs-changed-serverless-jobs-enforced-cross-product-per.mdx b/changelog/october2025/2025-10-15-jobs-changed-serverless-jobs-enforced-cross-product-per.mdx
index f4fda1a358..562db4a87c 100644
--- a/changelog/october2025/2025-10-15-jobs-changed-serverless-jobs-enforced-cross-product-per.mdx
+++ b/changelog/october2025/2025-10-15-jobs-changed-serverless-jobs-enforced-cross-product-per.mdx
@@ -10,5 +10,3 @@ When starting a Job Definition with `ServerlessJobsFullAccess` permission:
 - If the Job Definition uses an image from **Container Registry**, add at least `ContainerRegistryReadOnly` permission.
 - If the Job Definition consumes data from **Secret Manager**; add at least `SecretManagerSecretAccess` permission.
 
-
-
From 2757df341c9289b696bcf9ded94507beee0b9871 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?N=C3=A9da?= <87707325+nerda-codes@users.noreply.github.com>
Date: Thu, 16 Oct 2025 15:35:57 +0200
Subject: [PATCH 3/3] Apply suggestions from code review
Co-authored-by: Rowena Jones <36301604+RoRoJ@users.noreply.github.com>
---
 ...changed-serverless-jobs-enforced-cross-product-per.mdx | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/changelog/october2025/2025-10-15-jobs-changed-serverless-jobs-enforced-cross-product-per.mdx b/changelog/october2025/2025-10-15-jobs-changed-serverless-jobs-enforced-cross-product-per.mdx
index 562db4a87c..164c91e88c 100644
--- a/changelog/october2025/2025-10-15-jobs-changed-serverless-jobs-enforced-cross-product-per.mdx
+++ b/changelog/october2025/2025-10-15-jobs-changed-serverless-jobs-enforced-cross-product-per.mdx
@@ -1,12 +1,12 @@
 ---
-title: Serverless Jobs enforced cross-product permissions
+title: Serverless Jobs now enforce cross-product permissions
 status: changed
 date: 2025-10-15
 category: serverless
 product: jobs
 ---
 
-When starting a Job Definition with `ServerlessJobsFullAccess` permission:
-- If the Job Definition uses an image from **Container Registry**, add at least `ContainerRegistryReadOnly` permission.
-- If the Job Definition consumes data from **Secret Manager**; add at least `SecretManagerSecretAccess` permission.
+When starting a Job definition with `ServerlessJobsFullAccess` permission:
+- If the Job definition uses an image from **Container Registry**, you must now add, at minimum, the `ContainerRegistryReadOnly` permission.
+- If the Job Definition consumes data from **Secret Manager**; you must now add, at minimum, the `SecretManagerSecretAccess` permission.