Cloud: AWS
Region: eu-west-1
S3 location: s3://databricks-dev-bucket
IAM role ARN: arn:aws:iam::18XXXXXXXX29:role/databricks-s3-metastore
Guide followed: ref: https://docs.databricks.com/data-governance/unity-catalog/get-started.html#cloud-tenant-setup-aws
โ
Skipped
- Read
โ
Success
- List
โ
Failed
- Write
โ
Skipped
- Delete
โ
Success - Path Exists
AWS Policy simulator:
โ
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:GetObject",
"s3:PutObject",
"s3:DeleteObject",
"s3:ListBucket",
"s3:GetBucketLocation",
"s3:GetLifecycleConfiguration",
"s3:PutLifecycleConfiguration"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::databricks-dev-bucket/*",
"arn:aws:s3:::databricks-dev-bucket"
]
},
{
"Action": [
"kms:Decrypt",
"kms:Encrypt",
"kms:GenerateDataKey*"
],
"Effect": "Allow",
"Resource": [
"arn:aws:kms:arn:aws:kms:eu-west-1:18XXXXXXXX29:key/29f77XXX-XXXX-XXXX-XXXX-XXXf63bf112e"
]
},
{
"Action": [
"sts:AssumeRole"
],
"Effect": "Allow",
"Resource": [
"arn:aws:iam::18XXXXXXXX29:role/databricks-s3-metastore"
]
}
]
}iam Role:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::414351767826:role/unity-catalog-prod-UCMasterRole-14S5ZJVKOTYTL",
"arn:aws:iam::${aws_account_id}:role/${role_name}"
]
},
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"sts:ExternalId": "${databricks_account_id}"
}
}
}
]
}
