# Troubleshooting AWS-S3 Connectivity

## Common Issues

The following are common issues encountered when connecting an AWS S3 bucket through a storage configuration:

| Error Type                             | Error Message                                                                                                                | Description/Fix                                                                                                                                                                                                                                                                                                                                                |
| -------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Access Forbidden                       | Access forbidden: {message}                                                                                                  | Usually caused by missing permissions. Fix: review the IAM policy, bucket policy, and ACLs for the required permissions. |
| Unsupported principal                  | Unsupported principal: The policy type ${policy\_type} does not support the Principal element. Remove the Principal element. | This can indicate that the [S3 bucket policy](https://help.connected.illumina.com/connected-analytics/home/h-storage/iam-role-method#id-6-s3-bucket-policy) settings have been added to the [IAM policy](https://help.connected.illumina.com/connected-analytics/home/h-storage/iam-user-method#id-2-create-data-access-permission-aws-iam-policy) by mistake. |
| Conflict                               | System topic is not in a valid state                                                                                         |                                                                                                                                                                                                                                                                                                                                                                |
| Conflict                               | Found conflicting storage container notifications with overlapping prefixes                                                  | See [Conflicting bucket notifications](#conflicting-bucket-notifications)                                                                                                                                                                                                                                                                                      |
| Conflict                               | Found conflicting storage container notifications for {prefix}{eventTypeMsg}                                                 | See [Conflicting bucket notifications](#conflicting-bucket-notifications)                                                                                                                                                                                                                                                                                      |
| Conflict                               | Found conflicting storage container notifications with overlapping prefixes{prefixMsg}{eventTypeMsg}                         | See [Conflicting bucket notifications](#conflicting-bucket-notifications)                                                                                                                                                                                                                                                                                      |
| Customer Container Notification Exists | Volume Configuration cannot be provisioned: storage container is already set up for customer's own notification              | See [Conflicting bucket notifications](#conflicting-bucket-notifications)                                                                                                                                                                                                                                                                                      |
| Invalid Access Key ID                  | Failed to update bucket policy: The AWS Access Key Id you provided does not exist in our records.                            | Check the status of the AWS Access Key ID in the console. If not active, activate it. If missing, create it.                                                                                                                                                                                                                                                   |
| Invalid Parameter                      | Missing credentials for storage container                                                                                    | Check the storage credential. AccessKeyId and/or SecretAccessKey is not set. |
| Invalid Parameter                      | Missing bucket name for storage container                                                                                    | Bucket name has not been set for the storage configuration.                                                                                                                                                                                                                                                                                                    |
| Invalid Parameter                      | The storage container name has invalid characters                                                                            | Storage container name can only contain lowercase letters, numbers, hyphens, and periods.                                                                                                                                                                                                                                                                      |
| Invalid Parameter                      | Storage Container '{storageContainer}' does not exist                                                                        | Update the storage configuration container to a valid S3 bucket. |
| Invalid Parameter                      | Invalid parameters for volume configuration: {message}                                                                       |                                                                                                                                                                                                                                                                                                                                                                |
| Invalid Storage Container Location     | Storage container must be located in the {region} region                                                                     | Update storage configuration region to match storage container region.                                                                                                                                                                                                                                                                                         |
| Invalid Storage Container Location     | Storage container must be located in one of the following regions: {regions}                                                 | Update storage configuration region to match storage container region.                                                                                                                                                                                                                                                                                         |
| Missing Configuration                  | Missing queue name for storage container notification                                                                        |                                                                                                                                                                                                                                                                                                                                                                |
| Missing Configuration                  | Missing system topic name for storage container notification                                                                 |                                                                                                                                                                                                                                                                                                                                                                |
| Missing Configuration                  | Missing lambda ARN for storage container notification                                                                        |                                                                                                                                                                                                                                                                                                                                                                |
| Missing Configuration                  | Missing subscription name for storage container notification                                                                 |                                                                                                                                                                                                                                                                                                                                                                |
| Missing Storage Account Settings       | The storage account '{storageAccountName}' needs HNS (Hierarchical Namespace) enabled.                                       |                                                                                                                                                                                                                                                                                                                                                                |
| Missing Storage Container Settings     | Missing settings for storage container                                                                                       |                                                                                                                                                                                                                                                                                                                                                                |

## Specific Errors

### Conflicting bucket notifications

This error occurs when the event information of an existing bucket notification overlaps with the notifications ICA is trying to add. [Amazon S3 event notifications](https://docs.aws.amazon.com/AmazonS3/latest/userguide/notification-how-to-event-types-and-destinations.html) only allow overlapping events when the prefixes do not overlap. Depending on the conflict, the error is presented as one of the following:

* *Volume Configuration cannot be provisioned: storage container is already set up for customer's own notification.*
* *Invalid parameters for volume configuration: found conflicting storage container notifications with overlapping prefixes.*
* *Failed to update bucket policy: Configurations overlap. Configurations on the same bucket cannot share a common event type.*

*Solution:*

1. In the Amazon S3 Console, review your current S3 bucket's notification configuration and look for prefixes that overlap with your Storage Configuration's key prefix.
2. Delete the existing notification that overlaps with your Storage Configuration's key prefix.
3. ICA will perform a series of steps in the background to re-verify the connection to your bucket.
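The review in step 1 can also be done offline against the bucket's notification configuration. The following is an added example, not ICA or AWS code: it flags notifications whose prefix and event types both overlap with a storage configuration's key prefix. The `ICA_EVENTS` list is an assumption inferred from the notification names on this page, the sample configuration is constructed (destination ARNs omitted), and suffix filters are ignored, so the check errs on the side of flagging.

```python
# Assumption: the event types ICA subscribes to, inferred from the notification
# names on this page (gds:objectcreated, gds:objectremoved, gds:objectrestore).
ICA_EVENTS = ("s3:ObjectCreated:*", "s3:ObjectRemoved:*", "s3:ObjectRestore:*")
CONFIG_KEYS = ("TopicConfigurations", "QueueConfigurations", "LambdaFunctionConfigurations")

def prefix_of(cfg):
    """Prefix filter of one notification; '' means the whole bucket."""
    rules = cfg.get("Filter", {}).get("Key", {}).get("FilterRules", [])
    for rule in rules:
        if rule.get("Name", "").lower() == "prefix":
            return rule.get("Value", "")
    return ""

def prefixes_overlap(a, b):
    """Two key prefixes overlap when one is a prefix of the other."""
    return a.startswith(b) or b.startswith(a)

def events_overlap(a, b):
    """'s3:ObjectCreated:*' covers every 's3:ObjectCreated:<operation>'."""
    if a.endswith("*") or b.endswith("*"):
        a, b = a.rstrip("*"), b.rstrip("*")
        return a.startswith(b) or b.startswith(a)
    return a == b

def find_conflicts(config, ica_prefix, ica_events=ICA_EVENTS):
    """Return (kind, id, prefix, shared_events) per overlapping notification."""
    conflicts = []
    for kind in CONFIG_KEYS:
        for cfg in config.get(kind, []):
            shared = sorted(e for e in cfg.get("Events", [])
                            if any(events_overlap(e, i) for i in ica_events))
            # Suffix filters are ignored, so this errs on the side of flagging.
            if shared and prefixes_overlap(prefix_of(cfg), ica_prefix):
                conflicts.append((kind, cfg.get("Id", ""), prefix_of(cfg), shared))
    return conflicts

def _rule(prefix):
    return {"Key": {"FilterRules": [{"Name": "prefix", "Value": prefix}]}}

# Constructed sample, shaped like the output of
# `aws s3api get-bucket-notification-configuration --bucket <bucket>`.
SAMPLE = {
    "QueueConfigurations": [{"Id": "thumbnail-queue", "Filter": _rule("runs/"),
                             "Events": ["s3:ObjectCreated:Put"]}],
    "LambdaFunctionConfigurations": [{"Id": "audit-lambda", "Filter": _rule("logs/"),
                                      "Events": ["s3:ObjectRemoved:*"]}],
    "TopicConfigurations": [{"Id": "tagging-topic", "Events": ["s3:ObjectTagging:*"]}],
}
```

Calling `find_conflicts(SAMPLE, "runs/project-a/")` reports only `thumbnail-queue`: its `runs/` prefix contains the storage configuration's key prefix and it shares the object-created event type. A notification with no prefix filter applies to the whole bucket and overlaps with every key prefix.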

### GetTemporaryUploadCredentialsAsync failure

This error can occur when recreating a recently deleted storage configuration.\
To fix the issue, you have to delete the bucket notifications:

1. In the [Amazon S3 Console](https://console.aws.amazon.com/s3/) **select the bucket** for which you need to delete the notifications from the list.
2. Choose **Properties**.
3. Navigate to the **Event Notifications** section, select the check boxes for the event notifications named *gds:objectcreated*, *gds:objectremoved* and *gds:objectrestore*, and click **Delete**.
4. For an immediate update, revalidate the current storage configuration at **System Settings > Storage > Manage > Validate**.

{% hint style="info" %}
If you do not want to revalidate, you can wait 15 minutes for the storage to become available in ICA.
{% endhint %}
