
Unable to get S3 connection working

FlukeStarbucker
New Contributor III

I can't get past the error below. I've read and reread the instructions several times at the URL below and for the life of me cannot figure out what I'm missing in my AWS setup. Any tips on how to track down my issue? 

https://docs.databricks.com/en/connect/storage/tutorial-s3-instance-profile.html

"Verification of the instance profile failed. AWS error: You are not authorized to perform this operation. User: arn:aws:sts::5249XXXXXXXX:assumed-role/databricks-workspace-stack-XXXf3-role/databricks is not authorized to perform: iam:PassRole on resource: arn:aws:iam::5249XXXXXXXX:role/ec2-dbricks because no identity-based policy allows the iam:PassRole action."

Accepted Solutions

FlukeStarbucker
New Contributor III

I got it working, there was a weird typo where the role ARN was duplicated. Thanks.


4 REPLIES

filipniziol
Contributor

Hi @FlukeStarbucker ,

could you ensure that the IAM role databricks-workspace-stack-XXXf3-role has the necessary permissions to pass the role ec2-dbricks?

Do you see something like below in your IAM policy?

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": "arn:aws:iam::5249XXXXXXXX:role/ec2-dbricks"
    }
  ]
}

 

Just to verify, do you mean under "Trust relationships" or within the policies attached to the role?

Hi @FlukeStarbucker ,
I think I have edited that part to check first things first.

Here is the article on trust policies: 
Trust policy – The trust policy defines which principals can assume the role, and under which conditions. A trust policy is a specific type of resource-based policy for IAM roles. The trust policy is the focus of the rest of this blog post.


To view or update the Trust Relationships of an IAM role in AWS, follow these steps:

1. Navigate to the IAM Console
2. Find the Role:
Search for the role name (in your case, ec2-dbricks) in the search bar.
3. Open the Role:
Click on the role name (ec2-dbricks) from the list to open its details.
4. Edit the Trust Relationships:
Click on the Trust relationships tab at the top.
You will see a section called Trust policy. This policy defines which entities (principals) are allowed to assume this role.
Click on the Edit trust relationship button to modify the trust policy.
5. Add or Update the Trust Relationship:
Modify the trust policy JSON to include the desired Principal entity that should be allowed to assume the role. Based on your earlier example, it should look like this:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::5249XXXXXXXX:role/databricks-workspace-stack-XXXf3-role"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
