[SOLVED] Unable to copy Elasticache backup

Unable to copy Elasticache backup

I have followed those instructions step by step: https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/backups-exporting.html

However I have the following error:

An error occurred (InvalidParameterValue) when calling the CopySnapshot operation: Elasticache was unable to validate the authenticated user has access on the S3 bucket ...

The bucket is in the same region of the backup

This is my bucket configuration:

{
    "LocationConstraint": "eu-central-1"
}

{
    "Version": "2012-10-17",
    "Id": "xxxxxxxx",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "eu-central-1.elasticache-snapshot.amazonaws.com"
            },
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:ListBucket",
                "s3:GetBucketAcl",
                "s3:ListMultipartUploadParts",
                "s3:ListBucketMultipartUploads"
            ],
            "Resource": [
                "arn:aws:s3:::my-bucket-name/*",
                "arn:aws:s3:::my-bucket-name"
            ]
        }
    ]
}

This is the snapshot

{
    "Snapshots": [
        {
            "SnapshotName": "my-snapshot-name",
            "CacheClusterId": "xxxxxxxx-xxx",
            "SnapshotStatus": "available",
            "SnapshotSource": "manual",
            "CacheNodeType": "cache.t2.micro",
            "Engine": "redis",
            "EngineVersion": "5.0.3",
            "NumCacheNodes": 1,
            "PreferredAvailabilityZone": "eu-central-1c",
            "CacheClusterCreateTime": "xxxxxxx",
            "PreferredMaintenanceWindow": "mon:02:30-mon:03:30",
            "Port": 6379,
            "CacheParameterGroupName": "default.redis5.0",
            "CacheSubnetGroupName": "internal",
            "VpcId": "xxxxx",
            "AutoMinorVersionUpgrade": true,
            "SnapshotRetentionLimit": 7,
            "SnapshotWindow": "00:00-02:00",
            "NodeSnapshots": [
                {
                    "CacheNodeId": "0001",
                    "CacheSize": "33 MB",
                    "CacheNodeCreateTime": "xxxxxx",
                    "SnapshotCreateTime": "xxxxxx"
                }
            ],
            "ARN": "arn:aws:elasticache:eu-central-1:000000000:snapshot:my-snapshot-name",
            "DataTiering": "disabled"
        }
    ]
}

UPDATE

Apparently AWS updated their docs by adding a crucial piece of information regarding the ACL, look the accepted answer for more info.

Solution

Here very important step is to add ACL as mentioned in doc:

Add grantee Canonical Id 540804c33a284a299d2547575ce1010f2312ef3da9b3a053c8bc45bf233e4353 with the following options:

Objects: List, Write
Bucket ACL: Read, Write

I added this ACL permission and it started working like a charm.

After adding this ACL my configuration looks below.

Full Ref document link: https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/backups-exporting.html#backups-exporting-grant-access