AWS SSM Parameter Store IAM Policy for restricting by Path and Tag

I wanted to restrict access to some parameters based on the path and tag.

Say, I have a key:
/production/Param1=Value1
with a tag:
Application1=One

I was expecting a policy like this:

{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"ssm:GetParameterHistory",
"ssm:ListTagsForResource",
"ssm:GetParametersByPath",
"ssm:GetParameters",
"ssm:GetParameter"
],
"Resource": "arn:aws:ssm:::parameter/production/*", "Condition": { "StringEquals": { "ssm:resourceTag/Application1": "One" } } }, { "Sid": "VisualEditor1", "Effect": "Allow", "Action": [ "tag:GetResources", "ssm:DescribeParameters" ], "Resource": ""
}
]
}

I had to do

# aws ssm describe-parameters --parameter-filters "Key=tag:Application1,Values=One" --output json | \ #filter by the tag
jq ".Parameters[].Name" | \ # get parameter name
xargs -I {} aws ssm get-parameter --name {} --with-decryption # get the parameter

{
"Parameter": {
"Name": "/production/Param1",
"Type": "String",
"Value": "Value1",
"Version": 1,
"LastModifiedDate": "2020-08-09T18:29:51.197000+10:00",
"ARN": "arn:aws:ssm:ap-southeast-2:378624334311:parameter/production/Param1",
"DataType": "text"
}
}

If you know the parameter name, get-parameters is simpler:

aws ssm get-parameters --name "/production/Param1" --profile k7-test
{
"Parameters": [
{
"Name": "/production/Param1",
"Type": "String",
"Value": "Value1",
"Version": 1,
"LastModifiedDate": "2020-08-09T18:29:51.197000+10:00",
"ARN": "arn:aws:ssm:ap-southeast-2:******:parameter/production/Param1",
"DataType": "text"
}
],
"InvalidParameters": []
}

It would have been simpler to filter by tags when using get-parameters-by-path, but a known issue with AWS:
https://github.com/aws/aws-cli/issues/2850
prevents us from doing that.