Cross-account credential validation failing (MALFORMED_REQUEST) with correctly-configured IAM role

Sonian
New Contributor

Unable to create a credential configuration via the Account Console (and originally via the AWS Quick Start CloudFormation template). Both the automated CloudFormation createCredentials custom resource and manual credential configuration attempts fail with the same generic error, despite thorough verification of all standard prerequisites.

Error received: MALFORMED_REQUEST: Failed credential validation checks: please use a valid cross account IAM role with permissions setup correctly.

Troubleshooting performed (full verification checklist):

  • Role ARN format verified correct (no typos, correct account ID, no trailing whitespace) — tested with two independently created roles
  • External ID verified to exactly match Databricks account ID, confirmed directly from Account Console
  • Trust policy principal verified
  • Region availability confirmed: us-west-2 is enabled by default, STS endpoint active
  • Permissions policy verified against documented cross-account policy for Databricks-managed VPC (EC2 actions + Spot service-linked role statement)
  • SCP review completed at AWS Organization level — only FullAWSAccess applied, no restrictions
  • IAM propagation delay ruled out (several minutes elapsed between role creation and retry)
  • Confirmed credential validation fails identically on both a pre-existing IAM role and a freshly created, dedicated role — ruling out role-specific history/corruption as a cause
  • Storage configuration step succeeded independently (storage_configuration_id: XXXXXXXX), confirming Account API connectivity/auth is otherwise functional
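The trust-policy items in the checklist above (principal, external ID, no stray whitespace) are the ones most often verified by eye. The script below is an added example, not from this post or from Databricks, that parses a role's trust policy document and reports the same checks mechanically, including the easy-to-miss case where `sts:ExternalId` sits under a condition operator other than `StringEquals`. `EXPECTED_PRINCIPAL` and `EXPECTED_EXTERNAL_ID` are placeholders to be replaced with the values the Account Console shows; the two embedded policies are constructed samples.

```python
"""Trust-policy sanity check for a cross-account IAM role.

Added example (not part of the original forum post). It inspects the
trust policy document of a role and flags the mistakes the checklist
above rules out by hand. The principal and external ID below are
placeholders, not real identifiers.
"""
import json

# Placeholders: substitute the principal ARN and external ID shown in the
# Databricks Account Console for your account.
EXPECTED_PRINCIPAL = "arn:aws:iam::<DATABRICKS_ACCOUNT_ID>:root"
EXPECTED_EXTERNAL_ID = "<YOUR_DATABRICKS_ACCOUNT_ID>"

# Constructed sample: external ID placed under StringLike instead of
# StringEquals, a mistake that still "looks right" when read by eye.
BAD_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": EXPECTED_PRINCIPAL},
        "Action": "sts:AssumeRole",
        "Condition": {"StringLike": {"sts:ExternalId": EXPECTED_EXTERNAL_ID}},
    }],
})

# Constructed sample of the expected shape.
GOOD_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": EXPECTED_PRINCIPAL},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": EXPECTED_EXTERNAL_ID}},
    }],
})


def _as_list(value):
    """IAM allows scalars or lists in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_trust_policy(policy_json, expected_principal, expected_external_id):
    """Return a list of findings; an empty list means the policy passes."""
    findings = []
    try:
        policy = json.loads(policy_json)
    except json.JSONDecodeError as exc:
        return [f"trust policy is not valid JSON: {exc}"]

    # Collect Allow statements that let the expected principal assume the role.
    matching = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal", {})
        aws_principals = _as_list(principal.get("AWS")) if isinstance(principal, dict) else []
        # Strip whitespace so a trailing space in the ARN is reported, not silently matched.
        if expected_principal not in [p.strip() for p in aws_principals]:
            continue
        if any(p != p.strip() for p in aws_principals):
            findings.append("principal ARN contains leading or trailing whitespace")
        matching.append(stmt)

    if not matching:
        findings.append(f"no Allow sts:AssumeRole statement for principal {expected_principal}")
        return findings

    for stmt in matching:
        condition = stmt.get("Condition", {})
        ext_ids = _as_list(condition.get("StringEquals", {}).get("sts:ExternalId"))
        if not ext_ids:
            # Report whether the key exists under a different operator or is absent.
            elsewhere = [op for op, keys in condition.items()
                         if isinstance(keys, dict) and "sts:ExternalId" in keys]
            if elsewhere:
                findings.append(f"sts:ExternalId is set under {', '.join(elsewhere)} rather than StringEquals")
            else:
                findings.append("assume-role statement has no sts:ExternalId condition")
            continue
        if any(v != v.strip() for v in ext_ids):
            findings.append("sts:ExternalId value contains leading or trailing whitespace")
        if expected_external_id not in [v.strip() for v in ext_ids]:
            findings.append(f"sts:ExternalId does not match expected value {expected_external_id}")
    return findings


if __name__ == "__main__":
    for name, doc in (("bad", BAD_TRUST_POLICY), ("good", GOOD_TRUST_POLICY)):
        print(name, check_trust_policy(doc, EXPECTED_PRINCIPAL, EXPECTED_EXTERNAL_ID) or ["ok"])
```

To run it against a real role, pass the output of `aws iam get-role` (the `AssumeRolePolicyDocument` field) as `policy_json`. Note that an empty finding list only means the trust policy is well-formed for the expected principal; it says nothing about the permissions policy or the SCPs the checklist covers separately.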