The Recording API v2 returns a 403 Forbidden when attempting to download the presigned S3 URL for a completed bulk export job containing WhatsApp transcripts with active legal holds.
We are migrating legacy recording archives to a new BYOC S3 bucket in eu-west-2. The bulk export job completes successfully, and the status shows ‘Completed’ in the UI. However, when the downstream legal discovery script attempts to fetch the file using the presigned URL provided in the job response, the request fails with a 403. This only happens when the export filter includes conversations tagged with ‘legal_hold’. Standard voice recordings export without issue. The S3 bucket policy grants full access to the assumed role used by Genesys Cloud for the export, and cross-account trust is verified. The error suggests a permissions mismatch specific to the metadata attached to digital channel transcripts under hold. I have checked the audit trails, and the export job itself logs no errors. Is there a specific IAM policy requirement for digital transcript objects that differ from voice media? The SDK version is 2.3.1, and we are using the /v2/recording/export/jobs endpoint. Any insights into why the presigned URL might be invalid for these specific objects would be appreciated.