AWS SAM Connector Write needs PutObjectTagging

[kitsunde]

If you make a PutObject call and have Write permission to an S3::Bucket it will fail with 403 because it's missing PutObjectTagging see https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutObject.html

Currently read+write permissions generate:

Allow: s3:GetObjectLegalHold
Allow: s3:GetObjectTorrent
Allow: s3:AbortMultipartUpload
Allow: s3:DeleteObject
Allow: s3:ListMultipartUploadParts
Allow: s3:RestoreObject
Allow: s3:GetObjectVersionTorrent
Allow: s3:GetObject
Allow: s3:ListBucketMultipartUploads
Allow: s3:PutObjectLegalHold
Allow: s3:DeleteObjectVersion
Allow: s3:PutObject
Allow: s3:GetObjectVersion
Allow: s3:GetObjectVersionForReplication
Allow: s3:GetObjectVersionAcl
Allow: s3:ListBucket
Allow: s3:GetObjectAcl
Allow: s3:GetObjectRetention
Allow: s3:PutObjectRetention
Allow: s3:ListBucketVersions

Tags on upload can be used with lifecycle rules to make it easy to expire object.

[kitsunde]

This is very similar to this issue from 2019, but now on the connector. #1072 #1063

[xazhao]

Thanks for bringing the issue @kitsunde . I will discuss with my team about adding the permission and let you know the result. For now, I will move the issue to discussion so it can get more votes.