CSB AWS S3 buckets IAM user cannot change bucket object tagging

Article ID: 391477


Updated On:

Products

VMware Tanzu Application Service

Issue/Introduction

A customer using S3 buckets managed by CSB AWS 1.14.0 found that the IAM user created to access the bucket does not have the following permissions:

  • s3:GetObjectTagging
  • s3:PutObjectTagging
  • s3:DeleteObjectTagging

These permissions are required to read, add and remove tags on individual objects, which can be useful in some scenarios (for example, lifecycle rules or access policies keyed on object tags).

Environment

Tanzu Cloud Service Broker for AWS 1.14

Cause

Tagging objects inside a bucket (s3:PutObjectTagging, etc.) and tagging the bucket itself (s3:PutBucketTagging, etc.) are different IAM actions, and they apply to different resources: the bucket-level actions target the bucket ARN (arn:aws:s3:::bucket), while the object-level actions target object ARNs (arn:aws:s3:::bucket/*). Granting one does not imply the other.

The IAM users created for bindings currently have access to change the bucket tagging, but not the object tagging. This is identified as a known issue.
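As an added illustration (not code from this article or from the Cloud Service Broker), the following Python script shows why bucket-level tagging permissions do not carry over to objects. It runs a simplified IAM evaluation over constructed policy documents and reports which of the three object-tagging actions are not allowed on objects in a bucket. The policies, the bucket name and the evaluator itself are assumptions made for the example; they are not CSB's real binding policy, and the evaluator ignores Condition, NotAction and NotResource.

```python
import fnmatch
import json

# Object-level tagging actions the article reports as missing from the
# CSB AWS 1.14.0 binding user.
OBJECT_TAGGING_ACTIONS = (
    "s3:GetObjectTagging",
    "s3:PutObjectTagging",
    "s3:DeleteObjectTagging",
)


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    """IAM Action/Resource matching: case-insensitive, '*' and '?' wildcards."""
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)


def evaluate(policy, action, resource_arn):
    """Simplified identity-policy evaluation (assumption: no Condition,
    NotAction or NotResource): an explicit Deny wins, otherwise at least one
    matching Allow statement is required."""
    allowed = False
    for stmt in _as_list(policy.get("Statement")):
        if not _matches(_as_list(stmt.get("Action")), action):
            continue
        if not _matches(_as_list(stmt.get("Resource")), resource_arn):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


def missing_object_tagging_actions(policy, bucket):
    """Return the object-tagging actions the policy does NOT allow on objects
    in `bucket`. Any key works: the policy has to cover bucket/*."""
    object_arn = f"arn:aws:s3:::{bucket}/some-key"
    return [a for a in OBJECT_TAGGING_ACTIONS if not evaluate(policy, a, object_arn)]


# Constructed policy resembling the symptom: bucket tagging is allowed on the
# bucket ARN, object access is allowed on bucket/*, but no object tagging.
POLICY_BEFORE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:ListBucket", "s3:GetBucketTagging", "s3:PutBucketTagging"],
         "Resource": "arn:aws:s3:::example-bucket"},
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
         "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
}

# Constructed mistake: the right actions on the wrong resource. Object actions
# granted on the bucket ARN (no "/*") never match an object ARN.
POLICY_WRONG_RESOURCE = json.loads(json.dumps(POLICY_BEFORE))
POLICY_WRONG_RESOURCE["Statement"].append(
    {"Effect": "Allow",
     "Action": list(OBJECT_TAGGING_ACTIONS),
     "Resource": "arn:aws:s3:::example-bucket"})

# Constructed fixed policy: the same actions granted on bucket/*.
POLICY_AFTER = json.loads(json.dumps(POLICY_BEFORE))
POLICY_AFTER["Statement"].append(
    {"Effect": "Allow",
     "Action": list(OBJECT_TAGGING_ACTIONS),
     "Resource": "arn:aws:s3:::example-bucket/*"})


if __name__ == "__main__":
    for name, policy in (("before", POLICY_BEFORE),
                         ("wrong resource", POLICY_WRONG_RESOURCE),
                         ("after", POLICY_AFTER)):
        print(f"{name}: missing {missing_object_tagging_actions(policy, 'example-bucket')}")
```

To check a real binding, paste the inline policy attached to the binding's IAM user (visible in the AWS console or via the IAM API) in place of the constructed documents; a non-empty result means object tagging will fail for that user regardless of what bucket-level tagging permissions it holds.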

 

Resolution

The issue has been fixed in CSB AWS 1.14.1:

Resolved Issues

  • For the csb-aws-s3-bucket service, the IAM user created for a binding now has permissions to manage tags on objects created in the S3 bucket. This fix only applies to newly created bindings.

Existing bindings keep the IAM policy they were created with. To get the new permissions, delete the existing binding and re-create it. Because the new binding issues new credentials, restage (or restart) the bound applications afterwards so they pick up the new values.