Can't create cluster: "Aws Authorization Failure:" .. not authorized to perform: sts:AssumeRole

jvk
New Contributor III

Full error here:

Aws Authorization Failure:
Failure happened when talking to AWS, AWS API error code: AccessDenied AWS error message: User: arn:aws:iam::414351767826:user/ConsolidatedManagerIAMUser-ConsolidatedManagerUser-VX02FYW0SSCY is not authorized to perform: sts:AssumeRole on resource:

Would you know why this could occur?

Accepted Solutions

Kaniz_Fatma
Community Manager

Hi @jvk, the “AccessDenied” error message you’re encountering in AWS indicates that the user “arn:aws:iam::414351767826:user/ConsolidatedManagerIAMUser-ConsolidatedManagerUser-VX02FYW0SSCY” does not have the necessary permissions to perform the “sts:AssumeRole” action on a specific resource.

  • Verify that the user has the correct permissions to assume the specified role. You can do this by examining the user’s IAM policies.
  • Ensure that there is an explicit “Allow” statement for the “sts:AssumeRole” action in the user’s policy. If there is no applicable “Allow” statement, the policy implicitly denies access.
  • Remember that IAM policies deny access by default, so you must explicitly allow the principal (user) to perform the desired action.
  • Access-denied errors can occur due to explicit or implicit denials:
    • Explicit Denial: When a policy contains a “Deny” statement for the specific AWS action.
    • Implicit Denial: When there is neither an applicable “Deny” nor an “Allow” statement.
  • Make sure to understand the policy type responsible for the denial.
  • Look for additional details in the error message. It might mention the type of policy responsible for the denial (e.g., Service Control Policy).
  • If not, follow the guidelines mentioned above to troubleshoot further.
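
The explicit/implicit denial distinction from the answer above, as an added example (not part of the original post, and not Databricks or AWS tooling): a simplified offline evaluator for the identity policies attached to a user. The policy documents, the account ID 111122223333 and the role name are constructed; conditions, NotAction/NotResource, the role's trust policy, permission boundaries and Service Control Policies are not modelled.

```python
import fnmatch

ROLE = "arn:aws:iam::111122223333:role/example-cluster-role"  # constructed ARN

# Constructed identity policies attached to the calling user.
EC2_ONLY = {"Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}]}
ALLOW_ASSUME = {"Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": ROLE}]}
DENY_STS = {"Statement": [{"Effect": "Deny", "Action": "sts:*", "Resource": "*"}]}


def _as_list(value):
    """IAM lets Statement, Action and Resource be a single item or a list."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, ignore_case=False):
    """True if value matches any pattern; '*' and '?' act as IAM wildcards."""
    if ignore_case:  # IAM action names are case-insensitive
        value = value.lower()
        patterns = [p.lower() for p in _as_list(patterns)]
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def evaluate(policies, action, resource):
    """Return 'ExplicitDeny', 'Allow' or 'ImplicitDeny' for one request."""
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not _matches(stmt["Action"], action, ignore_case=True):
                continue
            if not _matches(stmt["Resource"], resource):
                continue
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"  # a matching Deny always wins
            allowed = True
    # No matching Deny: access needs at least one matching Allow.
    return "Allow" if allowed else "ImplicitDeny"


if __name__ == "__main__":
    for label, attached in [("ec2 only", [EC2_ONLY]),
                            ("with allow", [EC2_ONLY, ALLOW_ASSUME]),
                            ("allow + deny", [ALLOW_ASSUME, DENY_STS])]:
        print(label, "->", evaluate(attached, "sts:AssumeRole", ROLE))
```
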

daniel_sahal
Esteemed Contributor

@jvk 
This is definitely a permissions issue.

jvk
New Contributor III

Where would I go to adjust the IAM policies for Databricks? Would this need to be done in my AWS account? I don't remember having to connect AWS to Databricks in order to set up the cluster initially.

jvk
New Contributor III

Never mind, I see it now thanks!
