Setup AWS IAM instace role policy to GetObject based only on bucket policy

Question

I'm not able to change IAM role policy in our corporate environment. So I want to be able to change role's permissions to S3 based on bucket policy. I want to setup AWS IAM instance role to have Allow on "s3:GetObject" based on this bucket policy.

I have this in my bucket policy:

{
        "Sid": "tag-based",
        "Effect": "Allow",
        "Principal": {
            "AWS": "arn:aws:iam::XY:role/testing"
        },
        "Action": "s3:*",
        "Resource": [
            "arn:aws:s3:::bucket1/path1/*",
            "arn:aws:s3:::bucket1/path1"
        ]
    },

And I want something like this in my IAM role inline policy -> To have allow only for resources which have TagKey equal to 'SG':

{
        "Effect": "Allow",
        "Action": [
            "s3:PutObject",
            "s3:GetObject",
            "s3:DeleteObject",
            "s3:PutObjectAcl"
        ],
        "Resource": "<HOW TO SETUP IT ONLY FOR RESORUCES WHICH HAVE TAG KEY 'SG?'>",
        "Condition": {
            "ForAllValues:StringEquals": {
                "aws:TagKeys": [
                    "SG"
                ]
            }
        }
    }


Is this right way to achieve it?

Answer 1

S3 support for Authorization based on tags is partial that means not all the operations supports tag based conditions. Which is further mentioned here as well .

As far as the calls you mentioned in your policy how they work with tags are described here

GetObject and PutObect revolves around x-amz-tag-count header . Which further requires another permission named GetObjectTagging

"<HOW TO SETUP IT ONLY FOR RESORUCES WHICH HAVE TAG KEY 'SG?'>"

There is no such clause for resources specifically, you can find the same in the above linked page under the section named Resource types defined by Amazon S3

In summary what you are trying to achieve simply in terms of tag based authorization might not fully work as you expect.