AWS Unity Catalog S3 Bucket Security

viSual — Wed, 28 Dec 2022 17:58:22 GMT

Hi,

I've got Unity Catalog working but i cant create an external Table.

We have several Workspaces (with customer managed VPCs), all with Private Link connected to the Control Plane. Our Data S3 Buckets are secured via Bucket Policy (in addition to KMS) so only connections from the Control Plane and our own VPC Endpoints can do something as described here:

https://docs.databricks.com/administration-guide/cloud-configurations/aws/customer-managed-vpc.html#example-bucket-policy-vpce

we need the Control Plane in there because of Commit Service https://docs.databricks.com/administration-guide/cloud-configurations/aws/s3-commit-service.html

its working without unity catalog (writing into the hive_metastore catalog), but as soon as we try to write through unity catalog we get a s3 permission denied. we can get it working by disabling the commit-service related restrictions but then our buckets are completely open to the control plane.

So my Question, why does the control plane need to write directly to our buckets with unity catalog and why isnt our own cluster writing the data with the associated iam_role?

or does unity catalog with commit-service need some more exception than:

"arn:aws:s3:::<bucket-name>/*_delta_log/*",

"arn:aws:s3:::<bucket-name>/*_spark_metadata/*",

"arn:aws:s3:::<bucket-name>/*offsets/*",

"arn:aws:s3:::<bucket-name>/*sources/*",

"arn:aws:s3:::<bucket-name>/*sinks/*",

"arn:aws:s3:::<bucket-name>/*_schemas/*"

thank you in advance 😉

Re: AWS Unity Catalog S3 Bucket Security

Debayan — Mon, 02 Jan 2023 18:08:04 GMT

Hi, Could you please confirm if you have followed this: https://docs.databricks.com/data-governance/unity-catalog/get-started.html , also, please confirm the exact error received?

topic Re: AWS Unity Catalog S3 Bucket Security in Data Governance

AWS Unity Catalog S3 Bucket Security

Re: AWS Unity Catalog S3 Bucket Security