Update Tags across entire account

0

Is there a way to grant a role in AWS to be able to only update tags across the entire account? I am able to do that as a root user, but I would like a different approach.

AWS
asked 4 years ago, 256 views
1 Answer
0
Accepted Answer

I presume you mean being able to add tags across ANY AWS resource on the account, right? In that case, you can do that as the root user because by default it has unrestricted access to everything. For any other IAM entity, you'd have to look up the permissions for each service that pertain to tags, such as ec2:CreateTags, iam:TagUser, iam:TagRole, rds:AddTagsToResource, etc. As you can see, this will unfortunately be a cumbersome approach, as the tagging APIs are not consistent across the various services, so sadly there isn't a quick policy you can have that will work across all services, which is, I believe, what you're looking for. I recommend focusing on just the services your customer needs, looking up the APIs that relate to tag create, modify, delete, and non-mutable activities, and creating an IAM policy based off of that. If it's only for a handful of services then it shouldn't be too difficult; otherwise the task will be much more complex.

A couple of other useful resources you should keep in mind are checking whether the service supports ABAC and whether you can use resource groups on supported services to tag multiple resources at once.

AWS
EXPERT
gabaws
answered 4 years ago
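
One way to apply the per-service approach from the answer above, as an added example that is not part of the original answer or AWS's own code: it assembles a tag-only IAM policy from a small action catalogue and checks an existing policy for anything beyond tagging. The untag and read-only actions, the function names and the sample policy are assumptions added for illustration; extend the catalogue from each service's IAM action list.

```python
import json

# Tag actions per service. ec2:CreateTags, iam:TagUser, iam:TagRole and
# rds:AddTagsToResource are named in the answer; the untag and read-only
# counterparts are additions for this example.
TAG_ACTIONS = {
    "ec2": {"write": ["ec2:CreateTags", "ec2:DeleteTags"],
            "read": ["ec2:DescribeTags"]},
    "iam": {"write": ["iam:TagUser", "iam:UntagUser", "iam:TagRole", "iam:UntagRole"],
            "read": ["iam:ListUserTags", "iam:ListRoleTags"]},
    "rds": {"write": ["rds:AddTagsToResource", "rds:RemoveTagsFromResource"],
            "read": ["rds:ListTagsForResource"]},
}

def build_tag_policy(services, include_read=True):
    """Return an IAM policy document that allows only tag actions."""
    actions = []
    for svc in services:
        if svc not in TAG_ACTIONS:
            raise KeyError(f"no tag actions catalogued for {svc!r}; look them up first")
        kinds = ("write", "read") if include_read else ("write",)
        for kind in kinds:
            actions += TAG_ACTIONS[svc][kind]
    return {"Version": "2012-10-17",
            "Statement": [{"Sid": "TagOnly", "Effect": "Allow",
                           "Action": sorted(actions), "Resource": "*"}]}

def non_tag_actions(policy):
    """Return Allow entries that grant more than the catalogued tag actions."""
    known = {a.lower() for svc in TAG_ACTIONS.values() for acts in svc.values() for a in acts}
    statements = policy["Statement"]
    if isinstance(statements, dict):
        statements = [statements]
    extra = []
    for st in statements:
        if st.get("Effect") != "Allow":
            continue
        if "NotAction" in st:  # Allow + NotAction grants everything not listed
            extra.append("NotAction")
        acts = st.get("Action", [])
        acts = [acts] if isinstance(acts, str) else acts
        extra += [a for a in acts if a.lower() not in known]  # action names are case-insensitive
    return extra

# Constructed sample: a "tagging" role that was granted too much.
SAMPLE_BROAD = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ec2:*", "iam:TagRole", "rds:DeleteDBInstance"], "Resource": "*"}]}

if __name__ == "__main__":
    print(json.dumps(build_tag_policy(["ec2", "iam", "rds"]), indent=2))
    print("over-broad entries:", non_tag_actions(SAMPLE_BROAD))
```

The generated document can be attached to the role as a managed or inline policy; a service missing from the catalogue raises an error rather than being silently skipped.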
