# RepositoryVerificationException: [my_repo] verification failed: could not write to repository at path [s3://bucket/backups/]

- **ID:** `elasticsearch/snapshot-repository-verification-failure`
- **Domain:** elasticsearch
- **Category:** network_error
- **Verification:** ai_generated
- **Fix Rate:** 82%

## Root Cause

The snapshot repository (S3, GCS, or filesystem) is unreachable due to incorrect credentials, network issues, or insufficient permissions, preventing Elasticsearch from writing verification blobs.

## Version Compatibility

| Version | Status | Introduced | Deprecated |
|---------|--------|------------|------------|
| 7.14.0 | active | — | — |
| 8.8.0 | active | — | — |
| 8.14.0 | active | — | — |

## Workarounds

1. **Verify S3 credentials by running: aws s3 ls s3://bucket/backups/ --profile elasticsearch-snapshot from the Elasticsearch node. If it fails, update the repository with correct credentials: PUT /_snapshot/my_repo { 'type': 's3', 'settings': { 'bucket': 'bucket', 'region': 'us-east-1', 'access_key': 'CORRECT_KEY', 'secret_key': 'CORRECT_SECRET' } }** (85% success)
   ```
   Verify S3 credentials by running: aws s3 ls s3://bucket/backups/ --profile elasticsearch-snapshot from the Elasticsearch node. If it fails, update the repository with correct credentials: PUT /_snapshot/my_repo { 'type': 's3', 'settings': { 'bucket': 'bucket', 'region': 'us-east-1', 'access_key': 'CORRECT_KEY', 'secret_key': 'CORRECT_SECRET' } }
   ```
2. **Check the Elasticsearch logs for detailed error messages (e.g., AccessDenied, 403) and fix the bucket policy to allow s3:PutObject for the Elasticsearch role. Example policy: { 'Effect': 'Allow', 'Action': 's3:PutObject', 'Resource': 'arn:aws:s3:::bucket/backups/*' }** (80% success)
   ```
   Check the Elasticsearch logs for detailed error messages (e.g., AccessDenied, 403) and fix the bucket policy to allow s3:PutObject for the Elasticsearch role. Example policy: { 'Effect': 'Allow', 'Action': 's3:PutObject', 'Resource': 'arn:aws:s3:::bucket/backups/*' }
   ```

## Dead Ends

- **** — Increasing the timeout setting (e.g., repository.s3.socket_timeout) may mask the issue but does not fix underlying credential or permission problems. (60% fail)
- **** — Recreating the repository with the same settings will fail again because the root cause (e.g., IAM role or bucket policy) is unchanged. (90% fail)