Can't register snapshot repository to S3

Hi all!
I'm trying to register an S3 bucket as my snapshot repository.
I'm using ElasticSearch Service, from AWS (which uses version 5.5 of ElasticSearch)
When I run this script

import boto3
import requests
from requests_aws4auth import AWS4Auth

host = '' # include https:// and trailing /
region = '' # e.g. us-west-1
service = 'es'
credentials = boto3.Session().get_credentials()
awsauth = AWS4Auth(credentials.access_key, credentials.secret_key, region, service, session_token=credentials.token)

# Register repository

path = '_snapshot/my-snapshot-repo' # the Elasticsearch API endpoint
url = host + path

payload = {
  "type": "s3",
  "settings": {
    "bucket": "s3-bucket-name",
    "region": "us-west-1",
    "role_arn": "arn:aws:iam::123456789012:role/TheSnapshotRole"
  }
}

headers = {"Content-Type": "application/json"}

r = requests.put(url, auth=awsauth, json=payload, headers=headers)

print(r.status_code)
print(r.text)

I get this error:

{"error":{"root_cause":[{"type":"a_w_s_security_token_service_exception","reason":"a_w_s_security_token_service_exception: Access denied (Service: AWSSecurityTokenService; Status Code: 403; Error Code: AccessDenied; Request ID: 8df9ffae-be16-11e9-a6c9-5561e849f8ed)"}],"type":"blob_store_exception","reason":"failed to check if blob exists","caused_by":{"type":"a_w_s_security_token_service_exception","reason":"a_w_s_security_token_service_exception: Access denied (Service: AWSSecurityTokenService; Status Code: 403; Error Code: AccessDenied; Request ID: 8df9ffae-be16-11e9-a6c9-5561e849f8ed)"}},"status":500}

I've seen posts with similar errors but none of them have any response.