Error when trying to set up export bucket

I’m following the instructions to export backup snapshots to s3:

I set up and authorized the iam role, and I’m trying to run this command:

> atlas backups exports buckets create <bucketName> --cloudProvider AWS --iamRoleId <roleId>

Error: POST https://cloud.mongodb.com/api/atlas/v1.0/groups/6398ab379ab5a87ebccd2144/backup/exportBuckets: 400 (request "EXPORT_BUCKET_INVALID_BUCKET") Export Bucket with ID null does not exist or is inaccessible from the role specified.

The role has the following statement:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "s3:GetBucketLocation",
                "s3:PutObject"
            ],
            "Resource": "<bucketARN>",
            "Effect": "Allow"
        }
    ]
}

And the following trust relationships:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::536727724300:root"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {
                    "sts:ExternalId": "c094be3b-5aca-49a0-838c-f30acfb95788"
                }
            }
        }
    ]
}

Through cloudwatch, I can see a successful GetBucketLocation event, and the assumed role is correct. So it seems that atlas is successfully assuming the role and finding the bucket.

So I’m wondering what’s missing? Is there another permission other than the ones listed in the documentation that is needed?

Ah, after some experimentation I answered my own question:

The IAM permission needs to apply to all the contents of the bucket, so you need to change the statement granting s3 permissions to:

            "Resource": ["<bucketARN>", "<bucketARN>/*"]

Hi @Denis_Lantsman1 ,

Thank you for reaching out about the error you saw. You are correct that the permission needs to apply to all of the contents. I am glad that you were able to resolve that quickly and please let us know if you have any other questions in the future!

Best regards and happy holidays,
Evin
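
An added example, not part of the original posts: a small Python check for the mismatch resolved above, where `s3:PutObject` is allowed only on the bucket ARN even though it is evaluated against object ARNs (`<bucketARN>/*`). The bucket name, object key and function names are constructed for illustration, and the action table covers only the two actions in this thread's policy.

```python
import re

# Resource type each action is checked against. Only the two actions from
# the role policy in this thread are listed (assumption: extend as needed).
ACTION_SCOPE = {"s3:GetBucketLocation": "bucket", "s3:PutObject": "object"}

BUCKET = "arn:aws:s3:::example-export-bucket"  # constructed bucket ARN
ACTIONS = ["s3:GetBucketLocation", "s3:PutObject"]

def make_policy(resource):
    return {"Version": "2012-10-17", "Statement": [
        {"Action": ACTIONS, "Resource": resource, "Effect": "Allow"}]}

ORIGINAL = make_policy(BUCKET)                 # as first posted
FIXED = make_policy([BUCKET, BUCKET + "/*"])   # after the fix

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _iam_match(pattern, text):
    # IAM wildcards: '*' matches any run of characters, '?' exactly one.
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, text) is not None

def scope_gaps(policy, bucket_arn):
    """Actions the policy allows, but never on the resource type they need."""
    probes = {"bucket": bucket_arn,
              "object": bucket_arn + "/exports/snapshot.gz"}  # constructed key
    listed, usable = set(), set()
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        resources = _as_list(stmt.get("Resource", []))
        for pattern in _as_list(stmt.get("Action", [])):
            for action, scope in ACTION_SCOPE.items():
                # Action names are case-insensitive in IAM.
                if not _iam_match(pattern.lower(), action.lower()):
                    continue
                listed.add(action)
                if any(_iam_match(r, probes[scope]) for r in resources):
                    usable.add(action)
    return sorted(listed - usable)

if __name__ == "__main__":
    print("original:", scope_gaps(ORIGINAL, BUCKET))
    print("fixed:   ", scope_gaps(FIXED, BUCKET))
```

The same check also flags the opposite mistake, a policy scoped only to `<bucketARN>/*`, which leaves `s3:GetBucketLocation` without a bucket-level resource.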
