cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help
Administration & Architecture
Explore discussions on Databricks administration, deployment strategies, and architectural best practices. Connect with administrators and architects to optimize your Databricks environment for performance, scalability, and security.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Unable to get S3 connection working

FlukeStarbucker
New Contributor II

2 hours ago - last edited 2 hours ago

I can't get past the error below. I've read and reread the instructions several times at the URL below and for the life of me cannot figure out what I'm missing in my AWS setup. Any tips on how to track down my issue? 

https://docs.databricks.com/en/connect/storage/tutorial-s3-instance-profile.html

"Verification of the instance profile failed. AWS error: You are not authorized to perform this operation. User: arn:aws:sts::5249XXXXXXXX:assumed-role/databricks-workspace-stack-XXXf3-role/databricks is not authorized to perform: iam:PassRole on resource: arn:aws:iam::5249XXXXXXXX:role/ec2-dbricks because no identity-based policy allows the iam:PassRole action."

0 Kudos
4 REPLIES 4

filipniziol
New Contributor III

an hour ago

Hi @FlukeStarbucker ,

could you ensure that AM role databricks-workspace-stack-XXXf3-role has the necessary permissions to pass the role ec2-dbricks?

Do you see something like below in your IAM policy?

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": "arn:aws:iam::5249XXXXXXXX:role/ec2-dbricks"
    }
  ]
}

 

0 Kudos

FlukeStarbucker
New Contributor II
In response to filipniziol

41m ago

Just to verify, do you mean under "Trust relationships" or within the policies attached to the role?

0 Kudos

filipniziol
New Contributor III
In response to FlukeStarbucker

24m ago

Hi @FlukeStarbucker ,
I think I have editted that part to check first things first.

Here is the article on trust policies: 
Trust policy – The trust policy defines which principals can assume the role, and under which conditions. A trust policy is a specific type of resource-based policy for IAM roles. The trust policy is the focus of the rest of this blog post.

filipniziol_0-1727808637302.png

To view or update the Trust Relationships of an IAM role in AWS, follow these steps:

1. Navigate to the IAM Console
2. Find the Role:
Search for the role name (in your case, ec2-dbricks) in the search bar.
3. Open the Role:
Click on the role name (ec2-dbricks) from the list to open its details.
4. Edit the Trust Relationships:
Click on the Trust relationships tab at the top.
You will see a section called Trust policy. This policy defines which entities (principals) are allowed to assume this role.
Click on the Edit trust relationship button to modify the trust policy.
5. Add or Update the Trust Relationship:
Modify the trust policy JSON to include the desired Principal entity that should be allowed to assume the role. Based on your earlier example, it should look like this:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::5249XXXXXXXX:role/databricks-workspace-stack-XXXf3-role"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
0 Kudos

FlukeStarbucker
New Contributor II

24m ago

I got it working, there was a weird typo where the role ARN was duplicated. Thanks.

Connect with Databricks Users in Your Area

Join a Regional User Group to connect with local Databricks users. Events will be happening in your city, and you won’t want to miss the chance to attend and share knowledge.

If there isn’t a group near you, start one and help create a community that brings people together.

Request a New Group
Announcements