
Can't create cluster: "Aws Authorization Failure:" .. not authorized to perform: sts:AssumeRole

jvk
New Contributor III

Full error here:

Aws Authorization Failure:
Failure happened when talking to AWS, AWS API error code: AccessDenied AWS error message: User: arn:aws:iam::414351767826:user/ConsolidatedManagerIAMUser-ConsolidatedManagerUser-VX02FYW0SSCY is not authorized to perform: sts:AssumeRole on resource:

Would you know why this could occur?

Accepted Solutions

Kaniz
Community Manager

Hi @jvk, the “AccessDenied” error message you’re encountering in AWS indicates that the user “arn:aws:iam::414351767826:user/ConsolidatedManagerIAMUser-ConsolidatedManagerUser-VX02FYW0SSCY” does not have the necessary permissions to perform the “sts:AssumeRole” action on a specific resource.

  • Verify that the user has the correct permissions to assume the specified role. You can do this by examining the user’s IAM policies.
  • Ensure that there is an explicit “Allow” statement for the “sts:AssumeRole” action in the user’s policy. If there is no applicable “Allow” statement, the policy implicitly denies access.
  • Remember that IAM policies deny access by default, so you must explicitly allow the principal (user) to perform the desired action.
  • Access-denied errors can occur due to explicit or implicit denials:
    • Explicit Denial: When a policy contains a “Deny” statement for the specific AWS action.
    • Implicit Denial: When there is neither an applicable “Deny” nor an “Allow” statement.
  • Make sure to understand the policy type responsible for the denial.
  • Look for additional details in the error message. It might mention the type of policy responsible for the denial (e.g., Service Control Policy).
  • If not, follow the guidelines mentioned above to troubleshoot further.
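The explicit versus implicit denial distinction described in the answer above, as an added Python sketch (not part of the original reply and not Databricks or AWS code). It models only `Effect`, `Action` and `Resource` for identity policies and service control policies; conditions, `NotAction`, permission boundaries, session policies and the role's trust policy are not modelled, and the account ID, role name and the helpers `explain_decision` and `stmt` are constructed for illustration.

```python
from fnmatch import fnmatchcase

# Constructed sample values (placeholder account ID and role name).
ROLE = "arn:aws:iam::111122223333:role/example-cross-account-role"
ACTION = "sts:AssumeRole"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(statement, action, resource):
    # Action names are case-insensitive; "*" and "?" act as wildcards.
    actions = _as_list(statement.get("Action", []))
    resources = _as_list(statement.get("Resource", []))
    return (any(fnmatchcase(action.lower(), a.lower()) for a in actions)
            and any(fnmatchcase(resource, r) for r in resources))

def explain_decision(policies, action, resource):
    """policies: list of (policy_type, document), policy_type in {"scp", "identity"}.
    Returns (decision, policy type responsible for a denial, or None)."""
    allowed_by = set()
    for ptype, doc in policies:
        for statement in _as_list(doc["Statement"]):
            if not _matches(statement, action, resource):
                continue
            if statement["Effect"] == "Deny":
                return ("explicit_deny", ptype)  # a matching Deny always wins
            allowed_by.add(ptype)
    # No Deny matched: each policy type in play must supply a matching Allow.
    in_play = {ptype for ptype, _ in policies} | {"identity"}
    for ptype in ("scp", "identity"):
        if ptype in in_play and ptype not in allowed_by:
            return ("implicit_deny", ptype)  # nothing allowed the action
    return ("allow", None)

def stmt(effect, action, resource="*"):
    # Hypothetical helper: builds a one-statement policy document.
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": effect, "Action": action, "Resource": resource}]}

if __name__ == "__main__":
    cases = {
        "user policy without sts:AssumeRole": [("identity", stmt("Allow", "ec2:Describe*"))],
        "user policy allows the role": [("identity", stmt("Allow", ACTION, ROLE))],
        "SCP denies sts:*": [("scp", stmt("Deny", "sts:*")),
                             ("identity", stmt("Allow", ACTION, ROLE))],
    }
    for name, policies in cases.items():
        print(name, "->", explain_decision(policies, ACTION, ROLE))
```
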


4 REPLIES

daniel_sahal
Esteemed Contributor

@jvk 
This is definitely a permissions issue.

jvk
New Contributor III

Where would I go to adjust the IAM policies for Databricks? Would this need to be done in my AWS account? I don't remember having to connect AWS to Databricks in order to set up the cluster initially.

jvk
New Contributor III

Never mind, I see it now thanks!
