Can anyone clarify the correct IAM permissions required for S3 uploads when exporting digital channel transcripts under legal hold?
We are running a bulk export job via the Recording API (POST /api/v2/recordings/exports) for WhatsApp and SMS interactions tagged with legal_hold: true. The job initiates successfully, but the final upload step fails with a 403 Forbidden error. The S3 bucket policy allows PutObject for the general prefix, but the specific legal-hold/ sub-folder seems to trigger a denial.
The error response from the NICE CXone platform indicates that the service account lacks s3:PutObjectAcl permissions, which is unusual because standard voice recording exports do not require ACL modifications. Since these are digital transcripts (JSON), setting ACLs should not be necessary.
Environment details:
- NICE CXone Version: 2024-03-01
- SDK: Python 3.9
- Region: eu-west-2 (London)
Is there a known issue with the metadata attachment process for digital channels that forces an ACL update? The chain of custody requirements for our legal team mandate that the original metadata tags remain intact during the S3 transfer. Any insights on resolving this permission mismatch would be appreciated.
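The check below is an added example, not part of the original post and not NICE CXone code. S3 authorizes `s3:PutObjectAcl` in addition to `s3:PutObject` whenever a PutObject request carries an `x-amz-acl` or `x-amz-grant-*` header, so the sketch lists which actions a given upload needs and which of them a policy fails to grant. The bucket name, object key, header value and policy are constructed, and the evaluator is simplified (conditions, principals and `NotAction` are ignored). Whether the export job actually sends an ACL header is an assumption to confirm in the S3 request logs.

```python
import fnmatch

# Constructed identity policy: PutObject on the whole bucket, no PutObjectAcl.
# "example-export-bucket" is a placeholder, not a value from the post.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:PutObject"],
         "Resource": "arn:aws:s3:::example-export-bucket/*"},
    ],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(patterns, value):
    # IAM '*' and '?' wildcards approximated with fnmatch (simplification).
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))

def is_allowed(policy, action, resource_arn):
    """Explicit Deny wins, then any matching Allow, otherwise implicit deny."""
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        actions = [a.lower() for a in _as_list(stmt["Action"])]  # actions are case-insensitive
        if not _matches(actions, action.lower()):
            continue
        if not _matches(stmt["Resource"], resource_arn):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

def required_actions(headers):
    """Actions S3 checks for a PutObject request carrying these headers."""
    needed = ["s3:PutObject"]
    names = [h.lower() for h in headers]
    if any(n == "x-amz-acl" or n.startswith("x-amz-grant-") for n in names):
        needed.append("s3:PutObjectAcl")
    return needed

def missing_actions(policy, bucket, key, headers):
    """Required actions that the policy does not grant for this object."""
    arn = f"arn:aws:s3:::{bucket}/{key}"
    return [a for a in required_actions(headers) if not is_allowed(policy, a, arn)]

if __name__ == "__main__":
    hdrs = {"x-amz-acl": "bucket-owner-full-control"}  # constructed request header
    print(missing_actions(POLICY, "example-export-bucket", "legal-hold/t1.json", hdrs))
```

An empty result for the header-free upload and `s3:PutObjectAcl` for the upload with an ACL header reproduces the mismatch described in the post: the same policy passes one request and denies the other.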