Here are some helpful tips/guidance to help you troubleshoot:
To resolve the errors you're encountering when validating the Databricks storage credential connected to AWS S3, consider the following potential causes and steps based on existing documentation:
Potential Causes of Validation Errors

1. IAM Role Configuration Issues:
   - Ensure that the IAM role is correctly set up in AWS for self-assuming capabilities. If your IAM role does not trust itself, the validation will fail. Databricks requires that the IAM role be self-assuming, which means it must include its own ARN in its trust policy.
2. External ID Mismatches:
   - Verify that the external ID in the IAM role's trust policy matches the external ID you collected from the storage credential settings in Databricks. Any discrepancy here will cause the validation to fail.
3. Missing Permissions:
   - Check that the IAM policies attached to the IAM role include all necessary actions. The policies must allow the role to perform the required S3 actions (e.g., `s3:GetObject`, `s3:PutObject`, etc.) as well as `sts:AssumeRole`. In your provided policy, ensure there are no syntax issues preventing proper authorization.
Recommended Steps to Troubleshoot

1. Inspect Trust Policy:
   - Go to your IAM role in AWS and confirm that the trust policy is correctly configured for self-assumption. It should look similar to this:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::414351767826:role/unity-catalog-prod-UCMasterRole-14S5ZJVKOTYTL",
          "arn:aws:iam::<YOUR-AWS-ACCOUNT-ID>:role/<THIS-ROLE-NAME>"
        ]
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "<STORAGE-CREDENTIAL-EXTERNAL-ID>"
        }
      }
    }
  ]
}
```

   - Ensure the `ExternalId` is correct.
2. Verify IAM Policies:
   - Ensure the policies attached to your IAM role grant sufficient permissions not just for the S3 bucket but also for assuming the role itself. Double-check the syntax and completeness of your policy.
3. Review IAM Role and External ID Matches:
   - Reconfirm that the external ID used in the trust policy matches the one specified in Databricks. This is crucial for successful role assumption.
4. Consult Documentation:
   - Consider reviewing additional details in the Databricks documentation on creating storage credentials, particularly details regarding self-assuming roles and permissions needed for integration.
Cheers, Lou.
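The three trust-policy checks in the reply above (the role trusts itself, the Databricks Unity Catalog master role is a principal, and the `sts:ExternalId` condition matches the credential) can be automated against the JSON document of an IAM role's trust policy. The script below is an added example, not code from the post, from Databricks or from AWS. It assumes the Databricks principal ARN shown in the post's sample policy, and the account ID, role name and external ID in the constructed sample documents are placeholders; in practice the policy document would come from the role's `AssumeRolePolicyDocument` in the AWS console or API.

```python
"""Check a Databricks storage-credential IAM trust policy for the three
causes discussed above: self-assumption, the Databricks principal, and
the external ID condition. Added example, not Databricks' or AWS's code."""
import json

# Principal copied from the sample trust policy in the post above.
DATABRICKS_UC_MASTER_ROLE = (
    "arn:aws:iam::414351767826:role/unity-catalog-prod-UCMasterRole-14S5ZJVKOTYTL"
)


def _as_list(value):
    """IAM allows a single string or a list for Principal.AWS and Action."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_trust_policy(policy_doc, own_role_arn, expected_external_id):
    """Return a list of problems found in a trust policy document (a dict).

    An empty list means every check passed:
      * an Allow statement for sts:AssumeRole names the role's own ARN;
      * an Allow statement for sts:AssumeRole names the Databricks role;
      * each statement that admits the Databricks role carries a
        StringEquals sts:ExternalId equal to the ID shown in Databricks.
    """
    problems = []
    self_trusted = False
    databricks_trusted = False
    for stmt in _as_list(policy_doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principals = _as_list((stmt.get("Principal") or {}).get("AWS"))
        if own_role_arn in principals:
            self_trusted = True
        if DATABRICKS_UC_MASTER_ROLE in principals:
            databricks_trusted = True
            cond = stmt.get("Condition", {}).get("StringEquals", {})
            ext = cond.get("sts:ExternalId")
            if ext is None:
                problems.append("Databricks statement has no sts:ExternalId condition")
            elif ext != expected_external_id:
                problems.append(
                    f"sts:ExternalId mismatch: policy has {ext!r}, "
                    f"Databricks credential expects {expected_external_id!r}"
                )
    if not self_trusted:
        problems.append(f"role does not trust itself ({own_role_arn} not a principal)")
    if not databricks_trusted:
        problems.append("Databricks Unity Catalog master role is not a principal")
    return problems


# Constructed sample values (placeholders, not a real account or credential).
OWN_ROLE_ARN = "arn:aws:iam::111122223333:role/databricks-uc-storage-role"
EXPECTED_EXTERNAL_ID = "example-external-id-0000"

# Constructed policy matching the shape recommended above: passes all checks.
GOOD_POLICY_JSON = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": [DATABRICKS_UC_MASTER_ROLE, OWN_ROLE_ARN]},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": EXPECTED_EXTERNAL_ID}},
    }],
})

# Constructed policy with two of the faults from the reply: no self-trust
# and an external ID that does not match the storage credential.
BAD_POLICY_JSON = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": DATABRICKS_UC_MASTER_ROLE},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "stale-external-id"}},
    }],
})


def check_policy_json(policy_json, own_role_arn, expected_external_id):
    """Convenience wrapper: parse the JSON text and run the checks."""
    return check_trust_policy(json.loads(policy_json), own_role_arn, expected_external_id)


if __name__ == "__main__":
    for label, doc in (("good", GOOD_POLICY_JSON), ("bad", BAD_POLICY_JSON)):
        found = check_policy_json(doc, OWN_ROLE_ARN, EXPECTED_EXTERNAL_ID)
        print(f"{label}: {'OK' if not found else found}")
```

Running it prints `OK` for the well-formed policy and lists the external ID mismatch plus the missing self-trust for the faulty one. The same function can be fed the live document returned for the role by the AWS API once you have parsed it into a dict.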