Data Governance
Join discussions on data governance practices, compliance, and security within the Databricks Community. Exchange strategies and insights to ensure data integrity and regulatory compliance.

Create Metastore. Missing permissions: The associated credential does not grant permission to perform all necessary operations.

Elon
New Contributor III

Cloud: AWS

Region: eu-west-1

S3 location: s3://databricks-dev-bucket

IAM role ARN: arn:aws:iam::18XXXXXXXX29:role/databricks-s3-metastore

Guide followed: ref: https://docs.databricks.com/data-governance/unity-catalog/get-started.html#cloud-tenant-setup-aws

Skipped - Read

Success - List

Failed - Write

Skipped - Delete

Success - Path Exists


AWS Policy simulator:


{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:DeleteObject",
                "s3:ListBucket",
                "s3:GetBucketLocation",
                "s3:GetLifecycleConfiguration",
                "s3:PutLifecycleConfiguration"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::databricks-dev-bucket/*",
                "arn:aws:s3:::databricks-dev-bucket"
            ]
        },
        {
            "Action": [
                "kms:Decrypt",
                "kms:Encrypt",
                "kms:GenerateDataKey*"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:kms:arn:aws:kms:eu-west-1:18XXXXXXXX29:key/29f77XXX-XXXX-XXXX-XXXX-XXXf63bf112e"
            ]
        },
        {
            "Action": [
                "sts:AssumeRole"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:iam::18XXXXXXXX29:role/databricks-s3-metastore"
            ]
        }
    ]
}

IAM role:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::414351767826:role/unity-catalog-prod-UCMasterRole-14S5ZJVKOTYTL",
                    "arn:aws:iam::${aws_account_id}:role/${role_name}"
                ]
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {
                    "sts:ExternalId": "${databricks_account_id}"
                }
            }
        }
    ]
}
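An offline lint for the two documents above, as an added example that is not part of the original post and not Databricks or AWS tooling: it checks the region and account fields of every ARN and flags `${name}` placeholders that were never rendered. The sample documents are constructed by trimming the posted ones (masking kept); `lint`, `strings` and the regexes are names and assumptions chosen here.

```python
import json
import re

REGION = re.compile(r"^(\*|[a-z]{2}(-[a-z]+)+-\d)$")
ACCOUNT = re.compile(r"^(\*|[0-9X]{12})$")     # X accepted only because the post masks digits
TEMPLATE = re.compile(r"\$\{[A-Za-z_]\w*\}")   # no colon, so not an IAM policy variable

# Constructed samples, trimmed from the permissions policy and trust policy in the post.
PERMISSIONS_POLICY = json.loads("""{"Statement": [
 {"Effect": "Allow", "Action": ["s3:PutObject", "s3:ListBucket"],
  "Resource": ["arn:aws:s3:::databricks-dev-bucket/*", "arn:aws:s3:::databricks-dev-bucket"]},
 {"Effect": "Allow", "Action": ["kms:GenerateDataKey*"],
  "Resource": ["arn:aws:kms:arn:aws:kms:eu-west-1:18XXXXXXXX29:key/29f77XXX-XXXX-XXXX-XXXX-XXXf63bf112e"]}]}""")
TRUST_POLICY = json.loads("""{"Statement": [
 {"Effect": "Allow", "Action": "sts:AssumeRole",
  "Principal": {"AWS": ["arn:aws:iam::414351767826:role/unity-catalog-prod-UCMasterRole-14S5ZJVKOTYTL",
                        "arn:aws:iam::${aws_account_id}:role/${role_name}"]},
  "Condition": {"StringEquals": {"sts:ExternalId": "${databricks_account_id}"}}}]}""")

def strings(node):
    """Yield every string value in a parsed policy document."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, (dict, list)):
        for child in (node.values() if isinstance(node, dict) else node):
            yield from strings(child)

def lint(policy):
    """Return (value, problem) pairs for malformed ARNs and unrendered placeholders."""
    findings = []
    for value in strings(policy):
        if TEMPLATE.search(value):
            findings.append((value, "unrendered template placeholder"))
        elif value.startswith("arn:"):
            parts = value.split(":", 5)  # arn:partition:service:region:account:resource
            if len(parts) < 6:
                findings.append((value, "too few ARN fields"))
                continue
            service, region, account = parts[2], parts[3], parts[4]
            if region and not REGION.match(region):
                findings.append((value, f"region field is {region!r}"))
            managed = service == "iam" and account == "aws"  # AWS managed policy ARNs
            if account and not ACCOUNT.match(account) and not managed:
                findings.append((value, f"account field is {account!r}"))
    return findings

if __name__ == "__main__":
    for value, problem in lint(PERMISSIONS_POLICY) + lint(TRUST_POLICY):
        print(f"{problem}: {value}")
```

On these samples it reports the KMS resource, whose ARN begins with `arn:aws:kms:` twice, and the two placeholder values in the trust policy.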

1 REPLY

Elon
New Contributor III

Bump. @Yeshaswini P V​ @Gokul Kumar P​
