S3FullAccess Policy doesn't grant access to tags #1063

Closed
andreineacsu opened this issue Aug 5, 2019 · 4 comments

@andreineacsu

Hello,

I am currently working on a SAM application that requires full access on an S3 bucket.
I'm setting the S3FullAccess policy on the Lambda function that requires full access but it doesn't work because this policy doesn't have access to file tags. Can this policy be modified so that it includes access to file tags and metadata?

Also, is there any way to define custom SAM policies?

Thanks,
Andrei

@keetonian
Contributor

@andreineacsu yes, it is possible to define custom policies on a Serverless::Function resource. You can put a policy document into the Policies property. Here is an example; please scope it down to the permissions and resources you need.

      Policies:
        - Statement:
          - Action: [ 's3:*' ]
            Effect: Allow
            Resource: '*'

As for updates to S3FullAccess policy, there are several actions that deal with tagging. I think all of these are necessary to support tagging on both objects and object versions, can you confirm this?

  • DeleteObjectTagging
  • DeleteObjectVersionTagging
  • GetObjectTagging
  • GetObjectVersionTagging
  • PutObjectTagging
  • PutObjectVersionTagging

(Taken from the S3 permissions documentation)
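A scoped-down form of the wildcard policy in the comment above, as an added example that is not part of the original thread or the SAM project's own code. The function name, handler, runtime, and bucket are hypothetical, and the object actions listed beside the six tagging actions are an assumed minimal set.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31

Resources:
  DataBucket:                      # hypothetical bucket the function works on
    Type: AWS::S3::Bucket

  TaggingFunction:                 # hypothetical function name
    Type: AWS::Serverless::Function
    Properties:
      Handler: app.handler         # assumed handler and code location
      Runtime: python3.12
      CodeUri: src/
      Policies:
        - Version: '2012-10-17'
          Statement:
            # Object data plus the six tagging actions listed in the thread,
            # limited to objects in this one bucket instead of 's3:*' on '*'.
            - Sid: ObjectDataAndTags
              Effect: Allow
              Action:
                - s3:GetObject
                - s3:PutObject
                - s3:DeleteObject
                - s3:GetObjectTagging
                - s3:PutObjectTagging
                - s3:DeleteObjectTagging
                - s3:GetObjectVersionTagging
                - s3:PutObjectVersionTagging
                - s3:DeleteObjectVersionTagging
              Resource: !Sub 'arn:${AWS::Partition}:s3:::${DataBucket}/*'
            # Bucket-level actions apply to the bucket ARN, not to object ARNs,
            # so they need their own statement.
            - Sid: ListBucket
              Effect: Allow
              Action:
                - s3:ListBucket
                - s3:GetBucketLocation
              Resource: !Sub 'arn:${AWS::Partition}:s3:::${DataBucket}'
```

The version-tagging actions only matter when the bucket has versioning enabled; drop them, and any of the object actions the function never calls, to tighten the grant further.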

@andreineacsu
Author

@keetonian Thank you for your reply! Everything looks good now.
The tag-related permissions you listed are all needed - at least in my case.

@keetonian
Contributor

To add these extra permissions, we need to update the S3FullAccess Policy Template with the permissions I listed above in my comment, and update any failing tests.

@ShreyaGangishetty

Closing this issue as v1.15.0 is released
