
AWS SAM Connector Write needs PutObjectTagging #3451

@kitsunde

If you make a PutObject call and have Write permission to an S3::Bucket, it will fail with 403 because it's missing PutObjectTagging; see https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutObject.html

Currently read+write permissions generate:

Allow: s3:GetObjectLegalHold
Allow: s3:GetObjectTorrent
Allow: s3:AbortMultipartUpload
Allow: s3:DeleteObject
Allow: s3:ListMultipartUploadParts
Allow: s3:RestoreObject
Allow: s3:GetObjectVersionTorrent
Allow: s3:GetObject
Allow: s3:ListBucketMultipartUploads
Allow: s3:PutObjectLegalHold
Allow: s3:DeleteObjectVersion
Allow: s3:PutObject
Allow: s3:GetObjectVersion
Allow: s3:GetObjectVersionForReplication
Allow: s3:GetObjectVersionAcl
Allow: s3:ListBucket
Allow: s3:GetObjectAcl
Allow: s3:GetObjectRetention
Allow: s3:PutObjectRetention
Allow: s3:ListBucketVersions

Tags on upload can be used with lifecycle rules to make it easy to expire objects.
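One way to close this gap without widening the connector, shown here as an added example that is not part of the original issue or of the SAM project's own code: keep the Read/Write connector and attach a separate inline policy statement to the function that grants only `s3:PutObjectTagging`, scoped to objects in that one bucket. The resource names (`UploadsBucket`, `TaggingFunction`, `FunctionToBucketConnector`), the runtime, the handler path and the `ttl=short` tag used by the lifecycle rule are assumptions chosen for the example.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Transform: AWS::Serverless-2016-10-31

Resources:
  UploadsBucket:
    Type: AWS::S3::Bucket
    Properties:
      LifecycleConfiguration:
        Rules:
          # Tag-scoped expiry: only objects uploaded with the tag ttl=short
          # are deleted after 7 days; untagged objects are left alone.
          - Id: ExpireShortLivedUploads
            Status: Enabled
            ExpirationInDays: 7
            TagFilters:
              - Key: ttl
                Value: short

  TaggingFunction:
    Type: AWS::Serverless::Function
    Properties:
      Runtime: python3.12        # assumed runtime
      Handler: app.handler       # assumed handler
      CodeUri: src/              # assumed code location
      Environment:
        Variables:
          BUCKET_NAME: !Ref UploadsBucket
      Policies:
        # Supplements the connector below with the single action it does not
        # grant today. Scoped to objects in this bucket only ("<bucket-arn>/*"),
        # not to the bucket resource itself and not to any other bucket.
        - Statement:
            - Sid: AllowPutObjectTaggingForThisBucket
              Effect: Allow
              Action:
                - s3:PutObjectTagging
              Resource: !Sub "${UploadsBucket.Arn}/*"

  # The connector still generates the Read/Write action list from the issue.
  FunctionToBucketConnector:
    Type: AWS::Serverless::Connector
    Properties:
      Source:
        Id: TaggingFunction
      Destination:
        Id: UploadsBucket
      Permissions:
        - Read
        - Write
```

With this in place, a `PutObject` request that carries the `x-amz-tagging` header (the `Tagging` parameter in the SDKs, e.g. `ttl=short`) is authorized by the combination of the connector's `s3:PutObject` and the explicit `s3:PutObjectTagging`, while objects uploaded without tags keep working exactly as before. Keeping the extra action in its own statement, rather than replacing the connector, makes the added privilege easy to spot in review and to remove once the connector grants it natively.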

Labels: stage/needs-triage