Just noticed that our scheduled bulk export jobs for voice recordings are consistently failing when targeting our dedicated S3 bucket for legal discovery archives. The jobs initiate correctly in the Genesys Cloud admin console, showing a status of STARTED, but they transition to FAILED within seconds. The specific error payload returned in the job details is HTTP 403 Forbidden: Access Denied.
We are operating in the EU1 region (genesyscloud.com) and the S3 bucket is located in eu-west-2 (London) to maintain data residency compliance. The IAM user attached to the S3 bucket policy has been granted s3:PutObject and s3:ListBucket permissions. We have verified the bucket policy allows access from the Genesys Cloud IP ranges published in the trust center. The S3 integration profile in Genesys Cloud is configured with the correct Access Key ID and Secret Access Key.
The issue appears isolated to recordings tagged with legal_hold: true in the metadata filter. When we run a test export with a date range excluding these held recordings, the job completes successfully and files appear in the S3 bucket. However, any query including the legal hold flag triggers the 403 error. We are using the v2 Bulk Export API endpoint /api/v2/bulkexport/jobs to trigger these jobs programmatically via our internal discovery tool, which uses the Python SDK genesys-cloud-python-sdk version 3.2.1.
Audit logs show the job creation is successful, but the subsequent media retrieval step fails. There are no obvious changes in the S3 bucket policy or the IAM roles during this period. Could there be a specific permission requirement or a different IP range restriction for data classified under legal hold that is not documented in the standard S3 integration guide? We need to resolve this urgently as we have pending discovery requests for Q3 interactions.