Lambda Role doesn't have policies defined in SAM template


After deploying a Lambda through SAM, I was getting a 403 inside the Lambda when attempting to download from S3. I checked the Lambda's Role in IAM Management Console, and I saw that the Role only had AWSLambdaBasicExecutionRole. However, it should also have the policies from the SAM template for S3 read/write.

Here is a snippet from my SAM template (with some things renamed):

```yaml
MyFunction:
  Type: AWS::Serverless::Function
  Properties:
    PackageType: Image
  Metadata:
    DockerTag: my-tag
    DockerContext: ./src/stuff
    Dockerfile: Dockerfile
  Policies:
    - Version: '2012-10-17'
    - S3ReadPolicy:
        BucketName: !Ref MyBucket
    - S3WritePolicy:
        BucketName: !Ref MyBucket
```

Shouldn't the S3ReadPolicy and S3WritePolicy be a part of the Lambda's Role?

Is there something I'm missing?

I know I could manually add the policies needed, but obviously I want as much as possible to be happening automatically via SAM.

Other details: I'm not sure if it matters, but for the sake of additional context, the Lambda is part of a Step Function state machine. I'm using the boto3 library for making the request to download from S3. I get a {'Code': '403', 'Message': 'Forbidden'} error from boto3.


(answering my own question). The issue was the Policies section needed to be under Properties.

```yaml
MyFunction:
  Type: AWS::Serverless::Function
  Properties:
    PackageType: Image
    Policies:
      - Version: '2012-10-17'
      - S3ReadPolicy:
          BucketName: !Ref MyBucket
      - S3WritePolicy:
          BucketName: !Ref MyBucket
  Metadata:
    DockerTag: my-tag
    DockerContext: ./src/stuff
    Dockerfile: Dockerfile
```
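The misplacement above is easy to miss in review because the template still deploys; the function simply ends up with a role that carries only `AWSLambdaBasicExecutionRole`, and the problem only surfaces as a 403 at runtime. The following lint check is an added example, not code from the question, the answer or the AWS SAM project. It walks an already-parsed template and flags three situations that leave a `AWS::Serverless::Function` without the policies its author intended: `Policies` placed at the resource level instead of under `Properties`, no `Policies` at all under `Properties`, and `Policies` combined with an explicit `Role` (SAM ignores `Policies` when `Role` is set). The two sample templates are constructed for the example and mirror the snippets on this page; because they are embedded as Python dicts, `!Ref MyBucket` appears in its long form `{"Ref": "MyBucket"}`. Loading a real template file would need a YAML loader that understands CloudFormation short tags (for example PyYAML with custom constructors), which is outside this snippet.

```python
"""Lint a parsed SAM template for Lambda functions whose Policies will not take effect.

Added example: operates on the dict form of a template; it assumes nothing
about the real SAM implementation beyond the documented Properties schema.
"""
from typing import Any

FUNCTION_TYPE = "AWS::Serverless::Function"


def lint_function_policies(template: dict[str, Any]) -> list[str]:
    """Return one human-readable finding per problem; an empty list means clean."""
    findings: list[str] = []
    for name, resource in template.get("Resources", {}).items():
        if resource.get("Type") != FUNCTION_TYPE:
            continue
        props = resource.get("Properties") or {}

        # Case from this page: 'Policies' sits beside 'Properties' instead of inside it.
        # SAM only reads Properties.Policies, so the generated role gets just
        # AWSLambdaBasicExecutionRole and S3 calls fail with 403.
        if "Policies" in resource:
            findings.append(
                f"{name}: 'Policies' is at the resource level; move it under 'Properties' "
                "or the generated role will only have AWSLambdaBasicExecutionRole"
            )

        if "Role" in props:
            # When Role is supplied, SAM uses that role and ignores Policies entirely.
            if "Policies" in props:
                findings.append(
                    f"{name}: both 'Role' and 'Policies' are set; 'Policies' is ignored when "
                    "'Role' is present, so attach the permissions to that role instead"
                )
            continue

        if "Policies" not in props:
            findings.append(
                f"{name}: no 'Policies' under 'Properties'; the generated role will only "
                "have AWSLambdaBasicExecutionRole"
            )
    return findings


def _function_resource(policies_under_properties: bool) -> dict[str, Any]:
    """Build the MyFunction resource from this page in either the broken or fixed layout."""
    policies = [
        {"Version": "2012-10-17"},
        {"S3ReadPolicy": {"BucketName": {"Ref": "MyBucket"}}},
        {"S3WritePolicy": {"BucketName": {"Ref": "MyBucket"}}},
    ]
    resource: dict[str, Any] = {
        "Type": FUNCTION_TYPE,
        "Properties": {"PackageType": "Image"},
        "Metadata": {
            "DockerTag": "my-tag",
            "DockerContext": "./src/stuff",
            "Dockerfile": "Dockerfile",
        },
    }
    if policies_under_properties:
        resource["Properties"]["Policies"] = policies
    else:
        resource["Policies"] = policies  # the mistake from the question
    return resource


# Constructed sample templates that mirror the question (broken) and the answer (fixed).
BROKEN_TEMPLATE = {
    "Resources": {
        "MyBucket": {"Type": "AWS::S3::Bucket"},
        "MyFunction": _function_resource(policies_under_properties=False),
    }
}
FIXED_TEMPLATE = {
    "Resources": {
        "MyBucket": {"Type": "AWS::S3::Bucket"},
        "MyFunction": _function_resource(policies_under_properties=True),
    }
}


if __name__ == "__main__":
    for label, tmpl in (("broken", BROKEN_TEMPLATE), ("fixed", FIXED_TEMPLATE)):
        print(f"== {label} ==")
        for finding in lint_function_policies(tmpl) or ["no findings"]:
            print("  " + finding)
```

Running it reports two findings for the broken layout (the resource-level `Policies`, and the consequent absence of `Policies` under `Properties`) and none for the fixed one. Dropping a check like this into CI, alongside `sam validate`, catches the misplacement before the role is created rather than after the first 403.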