https://community.databricks.com/t5/administration-architecture/unity-catalog-403-error-when-connecting-s3-via-iam-role-and/m-p/120417#M3406 <P>Have you follow any specific guide for the creation of the same? Are you setting up a Unity Catalog Metastore or the default storage for the workspace?<BR /><BR />For the Metastore creation have you follow steps in&nbsp;<A href="https://docs.databricks.com/aws/en/data-governance/unity-catalog/create-metastore" target="_blank">https://docs.databricks.com/aws/en/data-governance/unity-catalog/create-metastore</A>&nbsp;</P> Wed, 28 May 2025 12:32:03 GMT Walter_C 2025-05-28T12:32:03Z https://community.databricks.com/t5/administration-architecture/unity-catalog-403-error-when-connecting-s3-via-iam-role-and/m-p/120410#M3404 <P><SPAN>Hi,</SPAN></P><P><SPAN>We're currently setting up </SPAN><SPAN><STRONG>Databricks Unity Catalog</STRONG></SPAN><SPAN> on AWS. We created an S3 bucket and assigned an IAM role (</SPAN><SPAN>databricks-storage-role</SPAN><SPAN>) to give Databricks access.</SPAN></P><P><SPAN>Note: Databricks doesn't use the IAM role directly. Instead, it requires a </SPAN><SPAN><STRONG>Storage Credential</STRONG></SPAN><SPAN> explicitly linked to this IAM role.</SPAN></P><P>&nbsp;</P><H3><SPAN><span class="lia-unicode-emoji" title=":exclamation_mark:">❗</span>️ Issue</SPAN></H3><P><SPAN>While trying to </SPAN><SPAN><STRONG>create a Databricks workspace</STRONG></SPAN><SPAN> (via the UI), it prompts for Unity Catalog configuration.</SPAN></P><P><SPAN>However, upon attempting to use the already configured Storage Credential, we receive the following error (screenshot is attached to the message):</SPAN></P><PRE><SPAN>PERMISSION_DENIED: AWS IAM role does not have READ permissions on url s3://databricks-workspace-storage-eu-west-2/unity-catalog/***************. Cause: 403 Forbidden error from cloud storage provider.</SPAN></PRE><H3><SPAN><span class="lia-unicode-emoji" title=":white_heavy_check_mark:">✅</span> What We've Done</SPAN></H3><P><SPAN><STRONG>1. S3 Bucket Created:</STRONG></SPAN> <SPAN>databricks-workspace-storage-eu-west-2</SPAN></P><P><SPAN><STRONG>2. IAM Role (</STRONG></SPAN><SPAN><STRONG>databricks-storage-role</STRONG></SPAN><SPAN><STRONG>)</STRONG></SPAN><SPAN>:</SPAN></P><PRE><SPAN>{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::&lt;DATABRICKS_ACCOUNT&gt;:root" }, "Action": "sts:AssumeRole", "Condition": { "StringEquals": { "aws:PrincipalTag/DatabricksAccountId": "&lt;DATABRICKS_ACCOUNT_ID&gt;" } } } ] }</SPAN></PRE><P><SPAN><STRONG>3. IAM Policy (</STRONG></SPAN><SPAN><STRONG>databricks-storage-policy</STRONG></SPAN><SPAN><STRONG>)</STRONG></SPAN><SPAN>:</SPAN></P><PRE><SPAN>{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetBucketLocation"], "Resource": "arn:aws:s3:::databricks-workspace-storage-eu-west-2" }, { "Effect": "Allow", "Action": ["s3:GetObject", "s3:GetObjectVersion", "s3:DeleteObject"], "Resource": [ "arn:aws:s3:::databricks-workspace-storage-eu-west-2/*", "arn:aws:s3:::databricks-workspace-storage-eu-west-2/unity-catalog/*" ] }, { "Effect": "Allow", "Action": ["s3:PutObject", "s3:PutObjectAcl"], "Resource": [ "arn:aws:s3:::databricks-workspace-storage-eu-west-2/*", "arn:aws:s3:::databricks-workspace-storage-eu-west-2/unity-catalog/*" ], "Condition": { "StringEquals": { "s3:x-amz-acl": "bucket-owner-full-control" } } } ] }</SPAN></PRE><P><SPAN><STRONG>4. Bucket Policy (</STRONG></SPAN><SPAN><STRONG>databricks-workspace-storage-eu-west-2</STRONG></SPAN><SPAN><STRONG>)</STRONG></SPAN><SPAN>:</SPAN></P><PRE><SPAN>{ "Version": "2012-10-17", "Statement": [ { "Sid": "GrantDatabricksRootAccess", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::&lt;DATABRICKS_ACCOUNT&gt;:root" }, "Action": [ "s3:GetObject", "s3:GetObjectVersion", "s3:PutObject", "s3:DeleteObject", "s3:ListBucket", "s3:GetBucketLocation" ], "Resource": [ "arn:aws:s3:::databricks-workspace-storage-eu-west-2", "arn:aws:s3:::databricks-workspace-storage-eu-west-2/*" ] }, { "Sid": "AllowUnityCatalogAccessFromRole", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::&lt;MY_ACCOUNT&gt;:role/databricks-storage-role" }, "Action": [ "s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:ListBucket", "s3:GetBucketLocation" ], "Resource": [ "arn:aws:s3:::databricks-workspace-storage-eu-west-2", "arn:aws:s3:::databricks-workspace-storage-eu-west-2/*" ] } ] }</SPAN></PRE><DIV><HR /></DIV><H3><SPAN><span class="lia-unicode-emoji" title=":question_mark:">❓</span> Questions</SPAN></H3><UL><LI><P><SPAN>What is the correct way to allow Databricks access to an S3 bucket via Storage Credential?</SPAN></P></LI><LI><P><SPAN>What could I be missing, even if policies seem fully configured?</SPAN></P></LI><LI><P><SPAN>Should I pre-create the specific </SPAN><SPAN>unity-catalog/&lt;ID&gt;</SPAN><SPAN> prefix in the bucket?</SPAN></P></LI></UL><P><SPAN>Any advice is appreciated!</SPAN></P> Wed, 28 May 2025 10:58:49 GMT https://community.databricks.com/t5/administration-architecture/unity-catalog-403-error-when-connecting-s3-via-iam-role-and/m-p/120410#M3404 n-var 2025-05-28T10:58:49Z https://community.databricks.com/t5/administration-architecture/unity-catalog-403-error-when-connecting-s3-via-iam-role-and/m-p/120417#M3406 <P>Have you follow any specific guide for the creation of the same? Are you setting up a Unity Catalog Metastore or the default storage for the workspace?<BR /><BR />For the Metastore creation have you follow steps in&nbsp;<A href="https://docs.databricks.com/aws/en/data-governance/unity-catalog/create-metastore" target="_blank">https://docs.databricks.com/aws/en/data-governance/unity-catalog/create-metastore</A>&nbsp;</P> Wed, 28 May 2025 12:32:03 GMT https://community.databricks.com/t5/administration-architecture/unity-catalog-403-error-when-connecting-s3-via-iam-role-and/m-p/120417#M3406 Walter_C 2025-05-28T12:32:03Z