S3 Bucket Policy Deny on Bulk Export for Legal Hold Digital Channels

AccessDenied: The AWS Access Key Id you provided does not exist in our records. Bucket policy denies PutObject for prefix legal-hold/2024-10/.

We are attempting to offload digital channel transcripts tagged with legal_hold=true to our external S3 bucket for chain of custody preservation. The bulk export job initiates correctly in Genesys Cloud (version 2024-Q3), but the transfer to S3 fails immediately with the above error.

The IAM role attached to the Genesys Cloud S3 integration has s3:PutObject and s3:ListBucket permissions. The bucket policy explicitly allows the Genesys Cloud principal ARN. However, when the export triggers, the logs show the access key used is not the one configured in the integration, or it is being rejected by a newer SCP (Service Control Policy) applied to the account root.

  • Verified the IAM role policy and attached SCPs. Both appear correct and allow the specific Genesys Cloud principal. The error suggests the key itself is invalid or rotated.
  • Checked the Genesys Cloud S3 integration settings. The access key ID matches the role assumed by the integration, but the secret key was rotated two weeks ago. Unsure if the integration cached the old credentials.

The legal hold deadline is tight. Does the bulk export API require a manual refresh of S3 credentials after a rotation, or is there a caching issue with the external storage connector?
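Added triage example (not part of the original post, and not Genesys Cloud or AWS code): the reported error mixes a credential message with a policy denial, and S3 rejects an unrecognised or badly signed key before it evaluates any IAM policy, bucket policy or SCP. The sketch below classifies the raw S3 XML error body by the stage that failed and compares the key ID echoed in the error with the one configured in the integration. The function name `classify_s3_error`, the sample bodies and the key IDs are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# S3 checks the credential (known key ID, valid signature) before it
# evaluates any IAM policy, bucket policy or SCP, so the error code tells
# you which stage rejected the request.
AUTHN = {"InvalidAccessKeyId", "SignatureDoesNotMatch", "ExpiredToken"}
AUTHZ = {"AccessDenied"}

def classify_s3_error(body, configured_key_id):
    """Return (code, stage, finding) for one S3 XML error body."""
    root = ET.fromstring(body.strip())
    if root.tag != "Error":
        raise ValueError("not an S3 error document")
    code = root.findtext("Code", default="")
    sent_key = root.findtext("AWSAccessKeyId")  # echoed on credential errors
    if code in AUTHN:
        stage = "authentication"
        if sent_key is not None and sent_key != configured_key_id:
            finding = "sender used a key ID other than the configured one"
        elif code == "InvalidAccessKeyId":
            finding = "AWS does not recognise the configured key ID"
        elif code == "SignatureDoesNotMatch":
            finding = "key ID is known but the signature does not verify (commonly a stale secret)"
        else:
            finding = "temporary credentials have expired"
    elif code in AUTHZ:
        stage = "authorization"
        finding = "credential accepted; a policy (IAM, bucket or SCP) denied the action"
    else:
        stage, finding = "unclassified", "not a credential or policy error"
    return code, stage, finding

# Constructed sample responses; the key IDs are placeholders, not real keys.
CONFIGURED = "AKIAEXAMPLENEW000000"
SAMPLES = [
    "<Error><Code>InvalidAccessKeyId</Code><Message>The AWS Access Key Id you "
    "provided does not exist in our records.</Message>"
    "<AWSAccessKeyId>AKIAEXAMPLEOLD000000</AWSAccessKeyId></Error>",
    "<Error><Code>SignatureDoesNotMatch</Code><Message>constructed</Message>"
    "<AWSAccessKeyId>AKIAEXAMPLENEW000000</AWSAccessKeyId></Error>",
    "<Error><Code>AccessDenied</Code><Message>Access Denied</Message></Error>",
]

if __name__ == "__main__":
    for body in SAMPLES:
        print(classify_s3_error(body, CONFIGURED))
```

Only an authorization-stage result points at the bucket policy or an SCP; an authentication-stage result means the credential the connector actually sent has to be fixed first.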