Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share

python - when calling the GetObjectTagging operation: Access Denied

I'm trying to add tags to objects added in S3 for a particular Prefix.

{
  "Records": [
      .......... JUNK METADATA ..........
      "s3": {
        "s3SchemaVersion": "1.0",
        "configurationId": "#####",
        "bucket": {
          "name": "testlambdatagging",
          "ownerIdentity": {
            "principalId": "#######"
          },
          "arn": "arn:aws:s3:::testlambdatagging"
        },
        "object": {
          "key": "PREFIX/starshipBlack.png",
          "size": 512822,
          "eTag": "#########",
          "sequencer": "#########"
        }
      }
    }
  ]
}

So ideally, when I add "starshipBlack.png" at testlambdatagging/PREFIX in S3, the Lambda function will be triggered and the tags for this file will be added.

But the problem is that I keep getting the following error when the lambda is triggered:
An error occurred (AccessDenied) when calling the GetObjectTagging operation: Access Denied

The code is failing at s3_cl.get_object_tagging

My code looks like this:

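import boto3
from urllib.parse import unquote_plus

s3_cl = boto3.client('s3')


def lambda_handler(event, context):
    try:
        bucket_name = event["Records"][0]["s3"]["bucket"]["name"]
        # Object keys in S3 event notifications are URL-encoded; decode before use.
        bucket_object = unquote_plus(event["Records"][0]["s3"]["object"]["key"])

        # Read the current tag set (the call that returns AccessDenied).
        object_tags = s3_cl.get_object_tagging(
            Bucket=bucket_name,
            Key=bucket_object,
        )

        new_key = "newKey2"
        new_value = "newValue2"
        new_dict = {'Key': new_key, 'Value': new_value}

        # put_object_tagging replaces the whole tag set, so append to the existing tags.
        old_tags = object_tags['TagSet']
        new_tags = old_tags
        new_tags.append(new_dict)
        put_tags_response = s3_cl.put_object_tagging(
            Bucket=bucket_name,
            Key=bucket_object,
            Tagging={
                'TagSet': new_tags
            }
        )
        return
    except Exception as e:
        # Log the error to CloudWatch, then re-raise so the invocation is marked failed.
        print(e)
        raise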

My IAM Policy for the bucket is:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:GetObjectTagging",
                "s3:ListBucket",
                "s3:PutObjectTagging",
                "s3:GetBucketLocation"
            ],
            "Resource": [
                "arn:aws:s3:::testlambdatagging/PREFIX",
                "arn:aws:s3:::testlambdatagging/PREFIX/*"
            ]
        }
    ]
}

Can someone please help me understand what I am missing?
I've read multiple solutions which say that I need to add "s3:GetObjectTagging" to my IAM Policy, which I have added.

question from:https://stackoverflow.com/questions/65848622/when-calling-the-getobjecttagging-operation-access-denied
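
An added example, not part of the original question: a local check of the posted policy statement against the failing request, which also flags bucket-level actions granted only on object ARNs. It assumes only identity-policy Allow statements are in play (no Deny, Condition, bucket policy or SCP); the helper names `allowed` and `inert_bucket_actions` are hypothetical.

```python
import re

# The policy statement as posted in the question.
POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "VisualEditor0", "Effect": "Allow",
    "Action": ["s3:GetObject", "s3:GetObjectTagging", "s3:ListBucket",
               "s3:PutObjectTagging", "s3:GetBucketLocation"],
    "Resource": ["arn:aws:s3:::testlambdatagging/PREFIX",
                 "arn:aws:s3:::testlambdatagging/PREFIX/*"]}]}

# S3 actions from the posted policy that are evaluated against the bucket ARN,
# not an object ARN.
BUCKET_LEVEL = {"s3:listbucket", "s3:getbucketlocation"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _match(pattern, value, ignore_case=False):
    """IAM-style wildcard match: '*' is any run of characters, '?' is one."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, re.I if ignore_case else 0) is not None


def allowed(policy, action, resource):
    """True if an Allow statement matches both the action and the resource ARN.

    Assumption: Deny, Condition and NotAction/NotResource are not modelled.
    """
    for st in _as_list(policy["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        # Action names are case-insensitive; resource ARNs are case-sensitive.
        if (any(_match(a, action, True) for a in _as_list(st["Action"]))
                and any(_match(r, resource) for r in _as_list(st["Resource"]))):
            return True
    return False


def inert_bucket_actions(policy, bucket):
    """Bucket-level actions that the policy lists but never grants on the bucket ARN."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    listed = {a for st in _as_list(policy["Statement"]) for a in _as_list(st["Action"])}
    return sorted(a for a in listed
                  if a.lower() in BUCKET_LEVEL and not allowed(policy, a, bucket_arn))
```

The posted statement does match `s3:GetObjectTagging` on `PREFIX/starshipBlack.png`, so the next things to verify are that this policy is attached to the function's execution role and that no other policy denies the call. `s3:ListBucket` and `s3:GetBucketLocation` are evaluated against the bucket ARN `arn:aws:s3:::testlambdatagging`, which neither `Resource` entry matches.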
