
Create Metastore. Missing permissions: The associated credential does not grant permission to perform all necessary operations.

Elon
New Contributor III

Cloud: AWS

Region: eu-west-1

S3 location: s3://databricks-dev-bucket

IAM role ARN: arn:aws:iam::18XXXXXXXX29:role/databricks-s3-metastore

Guide followed: ref: https://docs.databricks.com/data-governance/unity-catalog/get-started.html#cloud-tenant-setup-aws

Skipped - Read

Success - List

Failed - Write

Skipped - Delete

Success - Path Exists


AWS Policy simulator:


{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:DeleteObject",
                "s3:ListBucket",
                "s3:GetBucketLocation",
                "s3:GetLifecycleConfiguration",
                "s3:PutLifecycleConfiguration"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::databricks-dev-bucket/*",
                "arn:aws:s3:::databricks-dev-bucket"
            ]
        },
        {
            "Action": [
                "kms:Decrypt",
                "kms:Encrypt",
                "kms:GenerateDataKey*"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:kms:arn:aws:kms:eu-west-1:18XXXXXXXX29:key/29f77XXX-XXXX-XXXX-XXXX-XXXf63bf112e"
            ]
        },
        {
            "Action": [
                "sts:AssumeRole"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:iam::18XXXXXXXX29:role/databricks-s3-metastore"
            ]
        }
    ]
}

IAM role:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::414351767826:role/unity-catalog-prod-UCMasterRole-14S5ZJVKOTYTL",
                    "arn:aws:iam::${aws_account_id}:role/${role_name}"
                ]
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {
                    "sts:ExternalId": "${databricks_account_id}"
                }
            }
        }
    ]
}
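
As an added example (not part of the original post, and not Databricks or AWS code), a small lint over the two policies shown above that checks for two things visible in the text as posted: a repeated `arn:aws:kms:` prefix in the KMS resource and `${...}` template placeholders in the trust policy. The function names are hypothetical, and accepting `X` in the account id is an assumption made so that the redacted values pass.

```python
import re

# ARN layout: arn:partition:service:region:account-id:resource ("X" allowed for redacted ids)
ARN_RE = re.compile(r"^arn:(aws|aws-cn|aws-us-gov):[a-z0-9-]+:[a-z0-9-]*:([0-9X]{12})?:.+$")
PLACEHOLDER_RE = re.compile(r"\$\{[^}]+\}")

def check_arn(value):
    """Return a description of the problem, or None if the ARN looks well-formed."""
    if PLACEHOLDER_RE.search(value):
        return "unresolved template placeholder"
    if value.find("arn:", 1) != -1:
        return "ARN prefix repeated inside the value"
    if not ARN_RE.match(value):
        return "not of the form arn:partition:service:region:account-id:resource"
    return None

def as_list(v):
    return list(v) if isinstance(v, list) else [v]

def lint_policy(policy):
    """Check Resource and Principal.AWS ARNs plus Condition values in each statement."""
    findings = []
    for idx, stmt in enumerate(as_list(policy["Statement"])):
        arns = as_list(stmt.get("Resource", []))
        principal = stmt.get("Principal", {})
        if isinstance(principal, dict):
            arns += as_list(principal.get("AWS", []))
        findings += [(idx, a, check_arn(a)) for a in arns if a != "*" and check_arn(a)]
        for operator in stmt.get("Condition", {}).values():
            for key, val in operator.items():
                if PLACEHOLDER_RE.search(str(val)):
                    findings.append((idx, f"{key}={val}", "unresolved template placeholder"))
    return findings

# Values copied from the policies in the post (account and key ids as redacted there).
PERMISSIONS = {"Statement": [
    {"Resource": ["arn:aws:s3:::databricks-dev-bucket/*", "arn:aws:s3:::databricks-dev-bucket"]},
    {"Resource": ["arn:aws:kms:arn:aws:kms:eu-west-1:18XXXXXXXX29:key/29f77XXX-XXXX-XXXX-XXXX-XXXf63bf112e"]},
    {"Resource": ["arn:aws:iam::18XXXXXXXX29:role/databricks-s3-metastore"]},
]}
TRUST = {"Statement": [{
    "Principal": {"AWS": ["arn:aws:iam::414351767826:role/unity-catalog-prod-UCMasterRole-14S5ZJVKOTYTL",
                          "arn:aws:iam::${aws_account_id}:role/${role_name}"]},
    "Condition": {"StringEquals": {"sts:ExternalId": "${databricks_account_id}"}},
}]}

if __name__ == "__main__":
    for finding in lint_policy(PERMISSIONS) + lint_policy(TRUST): print(finding)
```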

1 REPLY

Elon
New Contributor III

Bump. @Yeshaswini P V​ @Gokul Kumar P​
