The lambda-promtail implementation uses s3 bucket ownership verification when copying logs from s3 buckets, but it is incorrectly using the s3 bucket ownerIdentity principal id as aws account id which produces the following error:

api error InvalidBucketOwnerAWSAccountID: The value of the expected bucket owner parameter must be an AWS Account ID...

S3 bucket ownership verification seems to be only possible by verifying the aws account id:
https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-owner-condition.html
However the S3 event notification message which the current implementation uses to get the AWS S3 account id doesn't actually contain it:
https://docs.aws.amazon.com/AmazonS3/latest/userguide/notification-content-structure.html
https://docs.aws.amazon.com/lambda/latest/dg/with-s3.html

It seems that there is no way to get the AWS account id from the S3 event notification message as it is considered sensitive information.
Suggestion is to remove the s3 bucket ownership verification, otherwise the implementation will always produce an error.