Merge pull request #59 from moj-analytical-services/add-s3-object-tag…

…ging-permissions Updating S3 readwrite permissions
moj-analytical-services · May 16, 2024 · 6b4d6b4 · 6b4d6b4
2 parents a3e4b69 + 3fcf2bc
commit 6b4d6b4
Show file tree

Hide file tree

Showing 9 changed files with 23 additions and 1 deletion.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,6 +5,14 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
 and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
 
+## v4.5.0
+
+- added Get/Put Object Tagging permissions for S3 readwrite access
+
+## v4.4.0
+
+- added GetTableMetadata to Athena read policy
+
 ## v4.3.0
 
 - added kms permissions

diff --git a/examples/iam_policy.json b/examples/iam_policy.json
@@ -205,10 +205,12 @@
                 "s3:GetObject",
                 "s3:GetObjectAcl",
                 "s3:GetObjectVersion",
+                "s3:GetObjectTagging",
                 "s3:DeleteObject",
                 "s3:DeleteObjectVersion",
                 "s3:PutObject",
                 "s3:PutObjectAcl",
+                "s3:PutObjectTagging",
                 "s3:RestoreObject"
             ],
             "Effect": "Allow",

diff --git a/iam_builder/templates.py b/iam_builder/templates.py
@@ -286,10 +286,12 @@ def get_read_write_policy(list_of_s3_paths: list) -> dict:
             "s3:GetObject",
             "s3:GetObjectAcl",
             "s3:GetObjectVersion",
+            "s3:GetObjectTagging",
             "s3:DeleteObject",
             "s3:DeleteObjectVersion",
             "s3:PutObject",
             "s3:PutObjectAcl",
+            "s3:PutObjectTagging",
             "s3:RestoreObject",
         ],
         "Effect": "Allow",

diff --git a/pyproject.toml b/pyproject.toml
@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "iam_builder"
-version = "4.4.0"
+version = "4.5.0"
 description = "A lil python package to generate iam policies"
 authors = ["Karik Isichei <karik.isichei@digital.justice.gov.uk>"]
 license = "MIT"

diff --git a/tests/expected_policy/all_config.json b/tests/expected_policy/all_config.json
@@ -230,10 +230,12 @@
                 "s3:GetObject",
                 "s3:GetObjectAcl",
                 "s3:GetObjectVersion",
+                "s3:GetObjectTagging",
                 "s3:DeleteObject",
                 "s3:DeleteObjectVersion",
                 "s3:PutObject",
                 "s3:PutObjectAcl",
+                "s3:PutObjectTagging",
                 "s3:RestoreObject"
             ],
             "Effect": "Allow",

diff --git a/tests/expected_policy/deny.json b/tests/expected_policy/deny.json
@@ -7,10 +7,12 @@
                 "s3:GetObject",
                 "s3:GetObjectAcl",
                 "s3:GetObjectVersion",
+                "s3:GetObjectTagging",
                 "s3:DeleteObject",
                 "s3:DeleteObjectVersion",
                 "s3:PutObject",
                 "s3:PutObjectAcl",
+                "s3:PutObjectTagging",
                 "s3:RestoreObject"
             ],
             "Effect": "Allow",

diff --git a/tests/expected_policy/glue_job.json b/tests/expected_policy/glue_job.json
@@ -82,10 +82,12 @@
                 "s3:GetObject",
                 "s3:GetObjectAcl",
                 "s3:GetObjectVersion",
+                "s3:GetObjectTagging",
                 "s3:DeleteObject",
                 "s3:DeleteObjectVersion",
                 "s3:PutObject",
                 "s3:PutObjectAcl",
+                "s3:PutObjectTagging",
                 "s3:RestoreObject"
             ],
             "Effect": "Allow",

diff --git a/tests/expected_policy/read_write.json b/tests/expected_policy/read_write.json
@@ -7,10 +7,12 @@
                 "s3:GetObject",
                 "s3:GetObjectAcl",
                 "s3:GetObjectVersion",
+                "s3:GetObjectTagging",
                 "s3:DeleteObject",
                 "s3:DeleteObjectVersion",
                 "s3:PutObject",
                 "s3:PutObjectAcl",
+                "s3:PutObjectTagging",
                 "s3:RestoreObject"
             ],
             "Effect": "Allow",

diff --git a/tests/expected_policy/sub_folder_multi_access.json b/tests/expected_policy/sub_folder_multi_access.json
@@ -33,10 +33,12 @@
                 "s3:GetObject",
                 "s3:GetObjectAcl",
                 "s3:GetObjectVersion",
+                "s3:GetObjectTagging",
                 "s3:DeleteObject",
                 "s3:DeleteObjectVersion",
                 "s3:PutObject",
                 "s3:PutObjectAcl",
+                "s3:PutObjectTagging",
                 "s3:RestoreObject"
             ],
             "Effect": "Allow",