AWS IAM Conditional Policies

Question

I am trying to provide access to an IAM policy on the condition that that specific resource has some tag key/value pair. It does not seem to be working, despite following the AWS documentation.

The IAM policy is as follows:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "*",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/environment": "dev"
                }
            }
        }
    ]
}

And I have a S3 bucket (named my-bucket-name) with the tag: environment = dev. Can anyone explain to me why the following command fails?

$ aws s3 ls s3://my-bucket-name
An error occurred (AccessDenied) when calling the ListObjectsV2 operation: Access Denied

$ aws s3 cp s3://my-bucket-name/file.json .
fatal error: An error occurred (403) when calling the HeadObject operation: Forbidden

---

UPDATE: based off of @Dennis Traub and @jarmod responses, I edited this slightly to add the tag to the object in the S3 bucket, and I'm still unable to read the object. I also tried changing the condition to "s3:RequestObjectTag/environment": "dev" and still no-go.

Answer 1

Building off of @Dennis Traub's answer, to get this to work with a specific object in the bucket, the IAM policy must leverage the "s3:ExistingObjectTag/environment": "dev" condition. The following policy worked for me:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "*",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "s3:ExistingObjectTag/environment": "dev"
                }
            }
        }
    ]
}

Answer 2

If I remember correctly, Amazon S3 does not support condition keys based on bucket tags, only on object tags. That’s why it doesn’t work.