CloudWatch Metric Streams with Amazon Data Firehose stack creation fails

[jdfreefly]

Expected Behavior

CloudWatch Metric Streams with Amazon Data Firehose should create the firehose metric stream integration

Actual Behavior

Stack creation fails due to two missing permissions on the DatadogStreamCfnStackAssumeRole policy:

s3:PutBucketTagging
cloudwatch:TagResource

Steps to Reproduce the Problem

Follow the steps to enable Metric Streams listed here:
https://docs.datadoghq.com/integrations/guide/aws-cloudwatch-metric-streams-with-kinesis-data-firehose/?tab=cloudformation

Specifications

• Datadog CloudFormation template version: Not sure where to get this from but the issue exists on master.

Stacktrace

            "ResourceStatus": "CREATE_FAILED",
             "ResourceStatusReason": "Resource handler returned message: \"Resource of type 'Stack set operation [71249168-c71e-4d09-8cfb-b66506e6eb23] was unexpectedly stopped or failed. status reason(s):      [ResourceLogicalId:DatadogStreamBackupBucket, ResourceType:AWS::S3::Bucket, ResourceStatusReason:Resource handler returned message: \"Encountered a permissions error performing a tagging operation, please add  required tag permissions. See https://repost.aws/knowledge-center/cloudformation-tagging-permission-error for how to resolve. Resource handler returned message: \"Access Denied (Service: S3, Status Code: 403,  Request ID: Y57ASDZ188EXDBFT, Extended Request ID: CeAVUbDQ/Qcg/LhU2vwtMve/r3DEgDM/KfaJmYzLmav7Yf7C56Q+hon+v8Tk1BvmdMX9xVlY4crawtnv8cPUj2PKSVeeDnD4)\"\" (RequestToken: <REDACTED>, HandlerErrorCode:             UnauthorizedTaggingOperation).]' with identifier 'DatadogStreams:270c6e99-16e4-4270-885d-b5ecb772f40d' did not stabilize.\" (RequestToken: <REDACTED>, HandlerErrorCode: NotStabilized)"

[jdfreefly]

Adding the s3:PutBucketTagging and cloudwatch:TagResource permissions to the template fixed the issue.