diff --git a/.copier-answers.yml b/.copier-answers.yml
index ea7eafe..e66d283 100644
--- a/.copier-answers.yml
+++ b/.copier-answers.yml
@@ -1,5 +1,5 @@
 # Changes here will be overwritten by Copier
-_commit: v0.0.92-5-gefbf643
+_commit: v0.0.92-7-g7c21006
 _src_path: gh:LabAutomationAndScreening/copier-base-template.git
 description: Managing Central Infrastructure of an AWS Organization
 install_claude_cli: false
diff --git a/.github/actions/update-devcontainer-hash/action.yml b/.github/actions/update-devcontainer-hash/action.yml
index 4e6d434..148062b 100644
--- a/.github/actions/update-devcontainer-hash/action.yml
+++ b/.github/actions/update-devcontainer-hash/action.yml
@@ -5,9 +5,6 @@ inputs:
     description: 'Branch to checkout and update'
     required: true
 
-permissions:
-  contents: write
-
 outputs:
   new-sha:
     description: 'The SHA of the branch tip after update'
diff --git a/template/.github/actions/check-skip-duplicates/action.yml b/template/.github/actions/check-skip-duplicates/action.yml
index 1eb255d..5638f11 100644
--- a/template/.github/actions/check-skip-duplicates/action.yml
+++ b/template/.github/actions/check-skip-duplicates/action.yml
@@ -13,19 +13,22 @@ runs:
       id: check
       env:
         GH_TOKEN: ${{ github.token }}
+        REF_NAME: ${{ github.ref_name }}
+        REPO_NAME: ${{ github.repository }}
+        EVENT_NAME: ${{ github.event_name }}
       shell: bash
       run: |
         # For non-push events, always run
-        if [ "${{ github.event_name }}" != "push" ]; then
+        if [ "$EVENT_NAME" != "push" ]; then
           echo "should_run=true" >> $GITHUB_OUTPUT
-          echo "Event is ${{ github.event_name }}, will run CI"
+          echo "Event is $EVENT_NAME, will run CI"
           exit 0
         fi
 
         # For push events, check if there's an open PR for this branch
         pr_json=$(gh pr list \
-          --repo "${{ github.repository }}" \
-          --head "${{ github.ref_name }}" \
+          --repo "$REPO_NAME" \
+          --head "$REF_NAME" \
           --state open \
           --json number \
           --limit 1)
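Review bot: The three new `env:` entries (`REF_NAME`, `REPO_NAME`, `EVENT_NAME`) that replace the inline `${{ }}` expressions in the check-skip-duplicates script carry no comment saying why, so a later edit can easily put a `${{ github.ref_name }}` back into the `run:` body and undo the fix. Suggest a comment directly above `run: |`, e.g. `# Pass workflow context through env vars instead of expanding it into the script, so a branch name or other contributor-controlled value is never parsed by the shell`. While touching that block, `echo "should_run=true" >> $GITHUB_OUTPUT` should quote the path: `echo "should_run=true" >> "$GITHUB_OUTPUT"`. The script continues beyond the end of this hunk; if any `${{ }}` expression remains further down it deserves the same treatment.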
diff --git a/template/src/aws_central_infrastructure/{% if initial_iac_management_deploy_occurred %}identity_center{% endif %}/lib/__init__.py b/template/src/aws_central_infrastructure/{% if initial_iac_management_deploy_occurred %}identity_center{% endif %}/lib/__init__.py
index e285160..c3b8748 100644
--- a/template/src/aws_central_infrastructure/{% if initial_iac_management_deploy_occurred %}identity_center{% endif %}/lib/__init__.py
+++ b/template/src/aws_central_infrastructure/{% if initial_iac_management_deploy_occurred %}identity_center{% endif %}/lib/__init__.py
@@ -1,4 +1,4 @@
-from .lib import create_read_state_inline_policy
+from .lib import create_inline_view_only_policy
 from .permissions import EC2_SSO_PER_SET_CONTAINER
 from .permissions import LOW_RISK_ADMIN_PERM_SET_CONTAINER
 from .permissions import MANUAL_ARTIFACTS_UPLOAD_PERM_SET_CONTAINER
diff --git a/template/src/aws_central_infrastructure/{% if initial_iac_management_deploy_occurred %}identity_center{% endif %}/lib/lib.py b/template/src/aws_central_infrastructure/{% if initial_iac_management_deploy_occurred %}identity_center{% endif %}/lib/lib.py
index c34d80e..faab269 100644
--- a/template/src/aws_central_infrastructure/{% if initial_iac_management_deploy_occurred %}identity_center{% endif %}/lib/lib.py
+++ b/template/src/aws_central_infrastructure/{% if initial_iac_management_deploy_occurred %}identity_center{% endif %}/lib/lib.py
@@ -4,10 +4,15 @@
 from pulumi_aws.iam import get_policy_document
 
 
-def create_read_state_inline_policy() -> str:
+def create_inline_view_only_policy() -> str:
     state_bucket_name = get_config_str("proj:backend_bucket_name")
     return get_policy_document(
         statements=[
+            GetPolicyDocumentStatementArgs(
+                effect="Allow",
+                actions=["eks:DescribeCluster", "eks:ListClusters"],
+                resources=["*"],
+            ),
             GetPolicyDocumentStatementArgs(
                 effect="Allow",
                 actions=["s3:GetObject", "s3:GetObjectVersion"],
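Review bot: The new `eks:DescribeCluster` / `eks:ListClusters` statement in `create_inline_view_only_policy` is granted on `resources=["*"]` with no comment, and the renamed function still has no docstring. `eks:ListClusters` is not resource-scoped, but as far as I know `eks:DescribeCluster` accepts cluster ARNs, so either narrow that action or add a one-line comment above the new statement recording why `*` is accepted here, e.g. `# ListClusters only works on "*"; clusters are discovered at runtime, so DescribeCluster is left unscoped as well`. A docstring on the `def` line would help the next reader, along the lines of `"""Inline policy for view-only permission sets: EKS cluster discovery plus read access to objects in the configured backend bucket."""`. The function body, including the s3 statement, continues past the end of this hunk, so the docstring wording should be checked against the rest of it.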
diff --git a/template/src/aws_central_infrastructure/{% if initial_iac_management_deploy_occurred %}identity_center{% endif %}/lib/permissions.py b/template/src/aws_central_infrastructure/{% if initial_iac_management_deploy_occurred %}identity_center{% endif %}/lib/permissions.py
index 5aae234..7f01a92 100644
--- a/template/src/aws_central_infrastructure/{% if initial_iac_management_deploy_occurred %}identity_center{% endif %}/lib/permissions.py
+++ b/template/src/aws_central_infrastructure/{% if initial_iac_management_deploy_occurred %}identity_center{% endif %}/lib/permissions.py
@@ -14,7 +14,7 @@
 from pydantic import BaseModel
 from pydantic import Field
 
-from .lib import create_read_state_inline_policy
+from .lib import create_inline_view_only_policy
 
 logger = logging.getLogger(__name__)
 
@@ -168,7 +168,7 @@ def create_manual_secrets_entry_inline_policy() -> str:
         # TODO: figure out how to add back in "AmazonAppStreamReadOnlyAccess", # look at the details of stack/fleet information to troubleshoot any issues
         # TODO: "CloudWatchEventsReadOnlyAccess", # see information about event rules and patterns
     ],
-    inline_policy_callable=create_read_state_inline_policy,
+    inline_policy_callable=create_inline_view_only_policy,
 )
 EC2_SSO_PER_SET_CONTAINER = AwsSsoPermissionSetContainer(
     # based on https://aws.amazon.com/blogs/security/how-to-enable-secure-seamless-single-sign-on-to-amazon-ec2-windows-instances-with-aws-sso/