
Limitations When Using Instance Profiles to Connect to Kinesis

Takuya-Omi
Valued Contributor II

I encountered an issue where I couldn't successfully connect to Kinesis Data Streams using instance profile authentication while working with Delta Live Tables (DLT) in a Unity Catalog (UC)-enabled environment.

According to the documentation, instance profiles are not supported in shared access mode. On the other hand, UC-enabled pipelines must run in shared access mode.

https://docs.databricks.com/en/connect/streaming/kinesis.html#authenticate-with-amazon-kinesis

https://docs.databricks.com/en/delta-live-tables/unity-catalog.html#requirements

If alternative authentication methods are not an option (e.g., due to organizational security policies prohibiting the issuance of AWS access keys), my understanding is that UC-enabled DLT cannot be used in this scenario.

In contrast, I have confirmed that using Hive Metastore allows a successful connection to Kinesis with instance profile authentication.

 

I'm sharing this because it's a recent issue that I found a bit challenging.

If anyone has ideas or workarounds for this limitation, please share them here.

--------------------------
Takuya Omi (尾美拓哉)
2 REPLIES

Alberto_Umana
Databricks Employee

Takuya-Omi
Valued Contributor II

@Alberto_Umana 

Thank you for sharing. However, I have already followed the steps mentioned in the article, and I'm still unable to establish a connection.

When using AWS access keys, the connection is successful, which confirms that there are no issues with access to Kinesis or the network configuration.
Additionally, the connection works with DLT pipelines that are not UC-enabled, so it seems unlikely that there are any errors in the IAM roles or policies configured for the instance profile.

--------------------------
Takuya Omi (尾美拓哉)
