@Retired_mod
Thanks for your reply. I had hoped there was a way to see the original exception to retrieve the S3 request ID values so I could open an AWS support ticket, if the IAM identity and denied permission weren't already listed in the original exception. After reading this thread, which mentioned looking up exceptionTraceId in Databricks logs, I had hoped that's where I would find the information I needed.
I was asking after I had already investigated both the IAM resource and identity policies, compared them to existing policies that were functioning as well as to the DBR documentation, and also used the AWS IAM Policy Simulator.
As it so happens, I'm pretty sure I did find the problem after posting this. I'm just waiting for a response to confirm.
That said, I'd be interested in the relevant thread you mentioned, but the link provided just points to the same resource URL as the previous link you provided. If you'd be willing to update the post or share the link in a reply, I'd love to read more.
If the API team ends up reading this, I'd like to provide the following feedback. Providing the means to access the AWS request and extended request ID values would be useful for resolving issues, especially one like this where the likely cause is a context key that a policy condition relies on. Having the IDs required to open an AWS support case would have allowed me to work with AWS support, who are likely to have the context values sent in the request, which would have reduced the time to resolution significantly. The only reason I even have an idea why this isn't working is because I happened to notice the External ID value displayed in the list of credentials and that it was different from every other instance.
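The two things the post asks for, as an added example that is not part of the post and not Databricks or AWS code: pulling the S3 request ID and extended request ID out of a raw AccessDenied response (S3 returns them both in the XML body as `RequestId`/`HostId` and in the `x-amz-request-id`/`x-amz-id-2` headers), and a check of a `StringEquals` policy condition such as `sts:ExternalId` that shows why a context key missing from the request evaluates to a deny. The sample response below is constructed, not a real capture, and the condition check is a simplified model of IAM's rule for one operator, not a full policy evaluator.

```python
"""Extract S3 request IDs from an error response and model a StringEquals
condition check. Added example; the sample response is constructed."""
import xml.etree.ElementTree as ET
from typing import Dict, Optional

# Constructed sample of an S3 403 as a client library would see it.
SAMPLE_HEADERS = {
    "x-amz-request-id": "EXAMPLE1234567890",
    "x-amz-id-2": "EXAMPLEHostIdValue==",  # the "extended request id"
    "Content-Type": "application/xml",
}
SAMPLE_BODY = b"""<?xml version="1.0" encoding="UTF-8"?>
<Error>
  <Code>AccessDenied</Code>
  <Message>Access Denied</Message>
  <RequestId>EXAMPLE1234567890</RequestId>
  <HostId>EXAMPLEHostIdValue==</HostId>
</Error>"""


def extract_s3_error(headers: Dict[str, str], body: bytes) -> Dict[str, Optional[str]]:
    """Return code, message, request ID and extended request ID from an S3 error.

    S3 carries the IDs in the XML body (<RequestId>, <HostId>) and in the
    x-amz-request-id / x-amz-id-2 headers. Prefer the body and fall back to the
    headers, because the body can be empty (HEAD requests) or lost in transit.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    result: Dict[str, Optional[str]] = {
        "code": None, "message": None, "request_id": None, "extended_request_id": None,
    }
    if body.strip():
        try:
            root = ET.fromstring(body)
            if root.tag == "Error":
                result["code"] = root.findtext("Code")
                result["message"] = root.findtext("Message")
                result["request_id"] = root.findtext("RequestId")
                result["extended_request_id"] = root.findtext("HostId")
        except ET.ParseError:
            pass  # fall through to the headers
    result["request_id"] = result["request_id"] or lowered.get("x-amz-request-id")
    result["extended_request_id"] = (
        result["extended_request_id"] or lowered.get("x-amz-id-2")
    )
    return result


def string_equals_matches(condition: Dict[str, Dict[str, object]],
                          context: Dict[str, str]) -> bool:
    """Evaluate a Condition block containing only StringEquals (simplified).

    IAM compares each condition key against the request context. A key that is
    absent from the context makes StringEquals false (only the ...IfExists
    operators treat a missing key as a match), which is exactly how a trust
    policy pinned to sts:ExternalId denies an AssumeRole call that sends a
    different External ID or none at all. Condition key names are compared
    case-insensitively, as IAM does.
    """
    ctx = {k.lower(): v for k, v in context.items()}
    for key, expected in condition.get("StringEquals", {}).items():
        actual = ctx.get(key.lower())
        if actual is None:
            return False
        allowed = expected if isinstance(expected, list) else [expected]
        if actual not in allowed:
            return False
    return True


if __name__ == "__main__":
    print(extract_s3_error(SAMPLE_HEADERS, SAMPLE_BODY))
    trust = {"StringEquals": {"sts:ExternalId": "expected-id"}}
    print(string_equals_matches(trust, {"sts:ExternalId": "expected-id"}))
    print(string_equals_matches(trust, {"sts:ExternalId": "other-id"}))
    print(string_equals_matches(trust, {}))
```

The pair of IDs returned by `extract_s3_error` is what an AWS support case on an S3 access denial asks for; when the calling service swallows the original exception, as the post describes, there is nothing to extract, which is the gap the feedback above is about.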