I am trying to set up DataSync to migrate data from an S3 source bucket to an S3 destination bucket in a different account by following the video below:
https://www.youtube.com/watch?v=boqaSFilGTU
I have progressed up until the point of creating an S3 location in the destination account. For this I am trying to run the command below via the CLI:
aws datasync create-location-s3 --s3-bucket-arn arn:aws:s3:::source_bucket --s3-storage-class STANDARD --s3-config BucketAccessRoleArn="arn_for_DataSync_in_destination_account" --region us-west-1
The command is giving me the error below:
User: arn:aws:sts::XXXXXX:assumed-role/AWSReservedSSO_XXXXXX/user is not authorized to perform: datasync:CreateLocationS3 on resource: arn:aws:datasync:us-west-1:XXXXXX:location/* with an explicit deny in a service control policy
I have double-checked, and both bucket policies (source and destination) as well as the DataSync role in the destination account seem to be OK.
Please note I am logging into the source account with IAM but using SSO on the destination account.
Does anyone have any ideas?
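The error message names the source of the deny: a service control policy. SCPs are evaluated before bucket policies and before the role's own IAM policy, and an explicit Deny in any SCP above the account wins over every Allow, so inspecting the SCPs attached to the destination account (and to the OUs and root above it) is the check that actually answers this. The following is an added example, not code from the original post: it evaluates a set of SCP documents against the exact action and resource from the error and reports which Deny statements match. `SAMPLE_SCPS` are constructed, hypothetical policies (a region allow-list of the kind that commonly produces this error in us-west-1), the account ID 111122223333 is a placeholder, and `fetch_scps_for_account` assumes boto3 and credentials in the management account or a delegated administrator.

```python
"""Find the SCP statements that explicitly deny an action on a resource.

Added example for the question above, not code from the original post.
SAMPLE_SCPS are constructed, hypothetical policies; the account ID in the
sample ARN (111122223333) is a placeholder.
"""
import fnmatch
import json


def _as_list(value):
    """Most IAM statement fields accept either a string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _match(pattern, value, case_sensitive):
    """IAM-style wildcard match ('*' and '?'). Action names are matched
    case-insensitively, resource ARNs case-sensitively."""
    if not case_sensitive:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def _condition_holds(condition, context):
    """Minimal Condition evaluator: StringEquals / StringNotEquals against
    `context` (e.g. {"aws:RequestedRegion": "us-west-1"}). Other operators
    are assumed to hold, so an unsupported condition still surfaces the
    statement as a candidate deny instead of hiding it."""
    for operator, pairs in (condition or {}).items():
        for key, expected in pairs.items():
            actual, expected = context.get(key), _as_list(expected)
            if operator == "StringEquals" and actual not in expected:
                return False
            if operator == "StringNotEquals" and actual in expected:
                return False
    return True


def explicit_scp_denies(scps, action, resource, context):
    """Return [(policy_id, sid)] for every Deny statement matching the call.
    An explicit Deny in any SCP wins over every Allow, so a hit here cannot be
    fixed by a bucket policy or by the role's own IAM policy: the SCP has to
    change, or the call has to move to a permitted region/resource."""
    hits = []
    for policy_id, doc in scps.items():
        for stmt in _as_list(doc.get("Statement")):
            if stmt.get("Effect") != "Deny":
                continue
            if "Action" in stmt:
                action_hit = any(_match(p, action, False) for p in _as_list(stmt["Action"]))
            else:  # NotAction: the statement applies to everything NOT listed
                action_hit = not any(_match(p, action, False) for p in _as_list(stmt.get("NotAction")))
            resource_hit = any(_match(p, resource, True) for p in _as_list(stmt.get("Resource", "*")))
            if action_hit and resource_hit and _condition_holds(stmt.get("Condition"), context):
                hits.append((policy_id, stmt.get("Sid", "<no Sid>")))
    return hits


def fetch_scps_for_account(account_id, session=None):
    """Collect the SCPs attached to the account and to every OU and the root
    above it. Needs Organizations read permissions, i.e. credentials in the
    management account or a delegated administrator, not the member account.
    boto3 is imported lazily (assumption: installed when this is called) so
    the offline part of this file runs without it."""
    import boto3
    org = (session or boto3.Session()).client("organizations")
    scps, target = {}, account_id
    while target:
        pages = org.get_paginator("list_policies_for_target").paginate(
            TargetId=target, Filter="SERVICE_CONTROL_POLICY")
        for page in pages:
            for policy in page["Policies"]:
                if policy["Id"] not in scps:
                    content = org.describe_policy(PolicyId=policy["Id"])["Policy"]["Content"]
                    scps[policy["Id"]] = json.loads(content)
        # Roots (IDs starting with "r-") have no parent; stop there.
        parents = [] if target.startswith("r-") else org.list_parents(ChildId=target)["Parents"]
        target = parents[0]["Id"] if parents else None
    return scps


# Constructed sample SCPs (hypothetical). The region allow-list is the kind of
# organisation-wide policy that produces the post's error in us-west-1.
SAMPLE_SCPS = {
    "p-FullAWSAccess": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
    },
    "p-RegionRestriction": {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyOutsideApprovedRegions",
            "Effect": "Deny",
            "NotAction": ["iam:*", "sts:*", "organizations:*", "s3:*"],
            "Resource": "*",
            "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["us-east-1", "us-west-2"]}},
        }],
    },
    "p-ProtectDataSyncLocations": {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyDeletingLocations",
            "Effect": "Deny",
            "Action": "datasync:DeleteLocation",
            "Resource": "arn:aws:datasync:*:*:location/*",
        }],
    },
}

if __name__ == "__main__":
    for region in ("us-west-1", "us-west-2"):
        print(region, explicit_scp_denies(
            SAMPLE_SCPS, "datasync:CreateLocationS3",
            f"arn:aws:datasync:{region}:111122223333:location/*",
            {"aws:RequestedRegion": region}))
```

Run stand-alone, the sample reports the `DenyOutsideApprovedRegions` statement for us-west-1 and nothing for us-west-2, which is the shape of answer to look for: the same `create-location-s3` call that is denied in one region may be allowed in another. Against a real organisation, pass the output of `fetch_scps_for_account("<destination-account-id>")` instead of `SAMPLE_SCPS`; the equivalent CLI calls are `aws organizations list-policies-for-target --target-id <id> --filter SERVICE_CONTROL_POLICY` and `aws organizations describe-policy --policy-id p-...`, repeated for each parent returned by `aws organizations list-parents --child-id <id>`. Note that the deny is attached to the SSO role session in the destination account, so it is that account's SCP chain, not the source account's IAM user, that matters.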