I’m following the instructions to export backup snapshots to S3:
I set up and authorized the IAM role, and I’m trying to run this command:
> atlas backups exports buckets create <bucketName> --cloudProvider AWS --iamRoleId <roleId>
Error: POST https://cloud.mongodb.com/api/atlas/v1.0/groups/6398ab379ab5a87ebccd2144/backup/exportBuckets: 400 (request "EXPORT_BUCKET_INVALID_BUCKET") Export Bucket with ID null does not exist or is inaccessible from the role specified.
The role has the following statement:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:GetBucketLocation",
        "s3:PutObject"
      ],
      "Resource": <bucketARN>,
      "Effect": "Allow"
    }
  ]
}
And the following trust relationships:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::536727724300:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "c094be3b-5aca-49a0-838c-f30acfb95788"
        }
      }
    }
  ]
}
Through CloudWatch, I can see a successful GetBucketLocation event, and the assumed role is correct. So it seems that Atlas is successfully assuming the role and finding the bucket.
So I’m wondering what’s missing? Is there another permission other than the ones listed in the documentation that is needed?
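
A check that can be run on a policy shaped like the one posted above, added here as an example and not part of the original post: in IAM, `s3:GetBucketLocation` authorizes against the bucket ARN, while `s3:PutObject` authorizes against object ARNs (`bucket/key`), so the sketch flags any Allow action whose statement lists no resource of the matching type. The bucket name, the function names and the small action tables are assumptions made for the example.

```python
import json

# Assumed, deliberately small subset of S3 actions, grouped by the resource
# type each one authorizes against. IAM action names are case-insensitive.
BUCKET_ACTIONS = {"s3:getbucketlocation", "s3:listbucket"}
OBJECT_ACTIONS = {"s3:putobject", "s3:getobject", "s3:deleteobject"}

def as_list(value):
    """Action, Resource and Statement may each be a single item or a list."""
    return list(value) if isinstance(value, list) else [value]

def resource_part(arn):
    """Return what follows 'arn:aws:s3:::' (a bucket or bucket/key pattern)."""
    return arn.split(":", 5)[-1]

def can_match_object(arn):
    # Object ARNs look like bucket/key; the wildcards '*' and '?' also match '/'.
    return any(ch in resource_part(arn) for ch in "/*?")

def can_match_bucket(arn):
    # A bucket ARN has no '/', so a pattern containing one never matches it.
    return "/" not in resource_part(arn)

def lint_s3_policy(policy):
    """Return (statement index, action, resource type needed) for each Allow
    action whose statement lists no resource of the type it applies to."""
    findings = []
    for i, stmt in enumerate(as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        resources = as_list(stmt.get("Resource", []))
        for action in as_list(stmt.get("Action", [])):
            name = action.lower()
            if name in OBJECT_ACTIONS and not any(map(can_match_object, resources)):
                findings.append((i, action, "object"))
            if name in BUCKET_ACTIONS and not any(map(can_match_bucket, resources)):
                findings.append((i, action, "bucket"))
    return findings

BUCKET = "arn:aws:s3:::example-export-bucket"  # constructed stand-in for <bucketARN>
# Same shape as the posted policy: both actions on the bucket ARN only.
POSTED = json.loads('{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",'
    ' "Action": ["s3:GetBucketLocation", "s3:PutObject"], "Resource": "%s"}]}' % BUCKET)
# Variant that lists the bucket ARN and the object ARN pattern.
SPLIT = json.loads(json.dumps(POSTED))
SPLIT["Statement"][0]["Resource"] = [BUCKET, BUCKET + "/*"]

if __name__ == "__main__":
    print("posted:", lint_s3_policy(POSTED))
    print("split: ", lint_s3_policy(SPLIT))
```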