
Difference in CLI and Console for exporting DynamoDB to S3 cross-account

0

I'm trying to export a DynamoDB table (in account A) to an S3 bucket (in account B).

I have changed the S3 policy (in account A) to accept uploads from my account B IAM role. When I try to run an export via the CLI using

aws dynamodb export-table-to-point-in-time \
  --profile "ACCOUNT_B_PROFILE" \
  --region "$REGION" \
  --table-arn "$TABLE_ARN" \
  --s3-bucket "$S3_BUCKET" \
  --export-format DYNAMODB_JSON

it appears to work as I get the following status message

{
    "ExportDescription": {
        "ExportArn": "<export-arn>",
        "ExportStatus": "IN_PROGRESS",
        "StartTime": "2025-06-17T16:08:53.713000+00:00",
        "TableArn": "$TABLE_ARN",
        "TableId": "<table-id>",
        "ExportTime": "2025-06-17T16:08:53.713000+00:00",
        "ClientToken": "14a3d25e-1cc2-44f4-9884-024bf580e1af",
        "S3Bucket": "$S3_BUCKET",
        "S3SseAlgorithm": "AES256",
        "ExportFormat": "DYNAMODB_JSON"
    }
}

but when I look on the console the export failed with the following status message

Export failed
Access Denied (Service: Amazon S3; Status Code: 403; Error Code: AccessDenied; Request ID: Q4Q6RAFKG4359BF2; S3 Extended Request ID: RiIBMPfDjcXJfNsl+YusE8WrVwq80ZCcYPuDu8A/gVk9k7ZCEVg7R2G+6aP0AeiYblsESPpfATU=; Proxy: null)

However, if I then perform this manually via the console it works and the export gets uploaded!

Why the difference between these two methods?

2 Answers
Accepted Answer

The key difference between your CLI and console export attempts is that when exporting DynamoDB data to an S3 bucket in a different account, you need to specify the S3 bucket owner's account ID using the --s3-bucket-owner parameter in the CLI command.

When you export via the console, AWS automatically handles this cross-account information, but in the CLI you must explicitly provide it. This is why your console export succeeds while the CLI export fails with an "Access Denied" error.

To fix your CLI command, add the S3 bucket owner's account ID parameter:

aws dynamodb export-table-to-point-in-time \
  --profile "ACCOUNT_B_PROFILE" \
  --region "$REGION" \
  --table-arn "$TABLE_ARN" \
  --s3-bucket "$S3_BUCKET" \
  --s3-bucket-owner "ACCOUNT_A_ID" \
  --export-format DYNAMODB_JSON \
  --s3-sse-algorithm AES256

The s3-bucket-owner parameter is required when exporting to an S3 bucket in another account. Additionally, specifying the encryption algorithm (--s3-sse-algorithm AES256) is a good practice for cross-account exports.
Sources:
  • Resolve access issues when you export from DynamoDB to Amazon S3 | AWS re:Post
  • export-table-to-point-in-time — AWS CLI 2.27.36 Command Reference
  • Requesting a table export in DynamoDB - Amazon DynamoDB

answered a year ago
AWS
SUPPORT ENGINEER
reviewed a year ago
EXPERT
reviewed a year ago
  • Adding the s3-bucket-owner parameter as the account ID worked, thank you.
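The accepted answer fixes the command, but the question also shows why the failure was easy to miss: the CLI's initial reply only reports IN_PROGRESS, and the S3 403 appears later as the export's final status. The POSIX shell script below is an added example, not part of this thread and not an AWS-provided tool. It starts the export with --s3-bucket-owner set as in the accepted answer, then polls describe-export until the export leaves IN_PROGRESS and prints FailureCode and FailureMessage on failure, so the reason the console showed is visible from the terminal. The environment variables, the embedded sample describe-export reply and its FailureCode value are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the re:Post thread): start a cross-account DynamoDB
# export with --s3-bucket-owner set, then poll describe-export until it leaves
# IN_PROGRESS. A 403 from S3 surfaces later as ExportStatus=FAILED.
# Assumed environment variables (placeholders, substitute your own):
#   PROFILE, REGION, TABLE_ARN, S3_BUCKET, BUCKET_OWNER_ID

# Extract a string field (e.g. ExportStatus) from describe-export JSON with
# only sed, so the script has no jq dependency. Prints nothing if absent.
json_field() {
  # $1 = JSON text, $2 = field name
  printf '%s\n' "$1" | sed -n "s/.*\"$2\": *\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# Map a describe-export reply to one word: COMPLETED, FAILED, IN_PROGRESS or UNKNOWN.
export_state() {
  status=$(json_field "$1" ExportStatus)
  case "$status" in
    COMPLETED|FAILED|IN_PROGRESS) printf '%s\n' "$status" ;;
    *) printf 'UNKNOWN\n' ;;
  esac
}

# For a failed export, return "FailureCode: FailureMessage".
failure_detail() {
  printf '%s: %s\n' "$(json_field "$1" FailureCode)" "$(json_field "$1" FailureMessage)"
}

# Issue the export and print only the ExportArn (real CLI flags; --query and
# --output are AWS CLI global options).
start_export() {
  aws dynamodb export-table-to-point-in-time \
    --profile "$PROFILE" \
    --region "$REGION" \
    --table-arn "$TABLE_ARN" \
    --s3-bucket "$S3_BUCKET" \
    --s3-bucket-owner "$BUCKET_OWNER_ID" \
    --export-format DYNAMODB_JSON \
    --s3-sse-algorithm AES256 \
    --query 'ExportDescription.ExportArn' --output text
}

# Poll describe-export every 30 s; exit 0 on COMPLETED, 1 on FAILED.
wait_for_export() {
  # $1 = export ARN
  while :; do
    desc=$(aws dynamodb describe-export --profile "$PROFILE" --region "$REGION" --export-arn "$1")
    state=$(export_state "$desc")
    case "$state" in
      COMPLETED) echo "export completed"; return 0 ;;
      FAILED) echo "export failed: $(failure_detail "$desc")" >&2; return 1 ;;
      *) sleep 30 ;;
    esac
  done
}

# Constructed sample describe-export reply for a failed export (the ARN and the
# FailureCode value are placeholders), used to exercise the parsing functions
# without calling AWS.
SAMPLE_FAILED='{
    "ExportDescription": {
        "ExportArn": "arn:aws:dynamodb:REGION:111111111111:table/Example/export/01700000000000-abcdef12",
        "ExportStatus": "FAILED",
        "FailureCode": "S3AccessDenied",
        "FailureMessage": "Access Denied (Service: Amazon S3; Status Code: 403; Error Code: AccessDenied)"
    }
}'

# Only call AWS when explicitly asked: `sh export.sh run`
if [ "${1:-}" = "run" ]; then
  arn=$(start_export) && wait_for_export "$arn"
fi
```

Without the `run` argument the script only defines the functions; with it, the exit status tells a calling job whether the export actually landed in the bucket, which the initial IN_PROGRESS reply cannot.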

0

Apart from re:Post's answer, are you using the same permissions from the AWS console and the CLI? Make sure these have the same permissions. Also, what about the bucket policy: does it allow writing from both the console user and your CLI profile?

EXPERT
answered a year ago
  • Hi, thanks for your help, but the above solution seemed to work for me. I just needed to add the s3-bucket-owner parameter.
