The problem with agents is they regularly sidestep the guardrails and do what they want with a script anyway. The number of times I’ve seen Claude try to escape the folder it’s working in, and then write a Python script that does exactly what I told it it’s not allowed to do, supports that.
If you use SSO and have an AWS config that Claude is allowed to see to get the correct role in the first place, it will just pick the role and plough on anyway.