Cannot create S3 bulk export destination - KMS GenerateDataKey error

OrDan · December 4, 2025, 7:35am

Hi all,

When trying to create a new S3 bulk export destination using the API, I’m getting a KMS permission error even though my S3 bucket doesn’t use KMS encryption.

400 Bad Request - POST https://api.smith.langchain.com/api/v1/bulk-exports/destinations

{
“detail”: “Failed to validate S3 destination: User: arn:aws:sts::XXXX:assumed-role/AWSReservedSSO_AdministratorAccess_XXX/user@example.com is not authorized to perform: kms:GenerateDataKey on this resource because the resource does not exist in this Region, no resource-based policies allow access, or a resource-based policy explicitly denies access”
}

I verified the following about my bucket that it exists in right region, the encryption is SSE-S3 (AES256), NOT KMS, no bucket policy exists, and AWS managed KMS key (alias/aws/s3) exists in my account.

ramon · December 4, 2025, 6:40pm

Can you share your invocation (With redacted creds)?

And can you also try invoking with the new parameter "include_bucket_in_prefix": true?

OrDan · December 7, 2025, 4:05pm

Tried it with the new parameter and it worked, thank you!

Topic		Replies	Views
Error when trying to create a destination for bulk export LangSmith Product Help	3	53	December 9, 2025
Logs Bulk-export is not supported with S3 Object Lock with a default retention policy Observability & Evals	1	230	July 1, 2025
Running into basic access problem with new key created Observability & Evals	3	1283	December 16, 2025
Data export to S3 to redshift query Observability & Evals cloud	0	54	October 14, 2025
@langchain/aws v1.0 ChatBedrockConverse: ‘Maximum tokens exceeds model limit’ LangChain js-help	1	178	October 27, 2025

Cannot create S3 bulk export destination - KMS GenerateDataKey error

Related topics