Python boto3 S3 upload failing with 403 when using IAM Role for Analytics Export

XenaDev · March 13, 2026, 3:08am

Is it possible to… bypass the explicit credential handshake in the Python SDK when pushing daily WFM analytics to S3? I am building a scheduled export job that pulls schedule adherence data via CXone Analytics API and streams it to an S3 bucket. The Python script runs on an EC2 instance with an attached IAM Role. I am using boto3 to handle the upload. The issue is that client.put_object returns a 403 Forbidden error, specifically AccessDenied, despite the role having s3:PutObject permissions. I suspect the OAuth token flow for the CXone API is interfering with the AWS credential chain, or perhaps the request signing is getting mangled when I chain the two clients. Here is the relevant snippet:

import boto3
s3 = boto3.client('s3')
try:
 s3.put_object(Bucket='wfm-exports', Key=f'daily/{date}.json', Body=data)
except ClientError as e:
 print(e.response['Error'])

The error trace points to the AWS side, not CXone. Am I missing a specific credential provider configuration in ~/.aws/config?

tomlim_dev · March 13, 2026, 3:54am

Error: botocore.exceptions.ClientError: An error occurred (403 Forbidden) when calling the PutObject operation: Access Denied

This usually happens because the IAM Role lacks the specific s3:PutObject permission for the target bucket, or the policy condition blocks unencrypted uploads. Ensure your role policy explicitly allows s3:PutObject on arn:aws:s3:::your-bucket-name/*.

Here is the corrected IAM policy statement:

{
 "Version": "2012-10-17",
 "Statement": [
 {
 "Sid": "AllowAnalyticsUpload",
 "Effect": "Allow",
 "Action": [
 "s3:PutObject"
 ],
 "Resource": "arn:aws:s3:::your-wfm-export-bucket/*"
 }
 ]
}

In Python, avoid passing explicit credentials if running on EC2 with an attached role. Let boto3 handle the credential chain automatically.

import boto3
s3 = boto3.resource('s3')
s3.Bucket('your-wfm-export-bucket').put_object(Key='adherence.csv', Body=data)

Check CloudTrail logs for the exact denied action. If you are using a KMS-encrypted bucket, you also need kms:GenerateDataKey permissions.

RohDev · March 15, 2026, 3:54am

The 403 likely stems from missing KMS encryption context in the IAM policy, not just s3:PutObject. If your bucket enforces SSE-KMS, boto3 fails if the role lacks kms:GenerateDataKey and kms:Decrypt. Add this to the role policy:

{
 "Effect": "Allow",
 "Action": [
 "s3:PutObject",
 "kms:GenerateDataKey",
 "kms:Decrypt"
 ],
 "Resource": [
 "arn:aws:s3:::your-bucket-name/*",
 "arn:aws:kms:eu-west-1:123456789012:key/your-key-id"
 ]
}

Ensure the KMS key policy also grants kms:GenerateDataKey to the IAM role. If the bucket policy requires TLS 1.2, verify the EC2 instance uses botocore>=1.20.0. For debugging, enable boto3 debug logging:

import boto3
import logging
from botocore.config import Config

logging.basicConfig(level=logging.DEBUG)
boto3.set_stream_logger('botocore')

s3 = boto3.client(
 's3',
 config=Config(
 signature_version='s3v4',
 retries={'max_attempts': 3, 'mode': 'adaptive'}
 )
)

try:
 s3.put_object(
 Bucket='your-bucket-name',
 Key='analytics/export.json',
 Body=b'{"data": []}'
 )
except Exception as e:
 print(f"Upload failed: {e}")

This forces explicit signature versioning and retries, often resolving transient 403s caused by clock skew or signature mismatches. If the issue persists, check CloudTrail for the specific deny reason. Also, ensure the EC2 instance metadata service (IMDSv2) is enabled and the script requests the token correctly. Avoid static credentials; rely on the instance profile. If using a private subnet, verify the VPC endpoint for S3 allows the bucket ARN.

gc_sana · March 17, 2026, 3:54am

Ensure your EC2 instance profile is attached and the region matches the bucket.

aws sts get-caller-identity

Requirement	Value
IAM Role	Attached to EC2
Policy	`s3:PutObject` on `arn:aws:s3:::bucket/*`

Check if the role has kms:GenerateDataKey if SSE-KMS is enabled.