
Unable to create a workspace in databricks using AWS

I am trying to create a workspace in Databricks linked to AWS. It's failing on the last step.

It says:

MALFORMED_REQUEST: Failed storage configuration validation checks: List,Put,PutWithBucketOwnerFullControl,Delete


I have given all the required permissions in the S3 bucket policy, the Databricks role permissions and the trust relationship, yet I am still getting this error.

S3 Policy:

{
"Version": "2012-10-17",
"Statement": [
    {
        "Effect": "Allow",
        "Principal": {
            "AWS": "arn:aws:iam::account-number:role/databricks-access"
        },
        "Action": [
            "s3:ListBucket",
            "s3:GetBucketLocation"
        ],
        "Resource": "arn:aws:s3:::learning-databricks"
    },
    {
        "Effect": "Allow",
        "Principal": {
            "AWS": "arn:aws:iam::account-number:role/databricks-access"
        },
        "Action": [
            "s3:PutObject",
            "s3:GetObject",
            "s3:DeleteObject"
        ],
        "Resource": "arn:aws:s3:::learning-databricks/*"
    },
    {
        "Effect": "Allow",
        "Principal": {
            "AWS": "arn:aws:iam::account-number:role/databricks-access"
        },
        "Action": "s3:PutObjectAcl",
        "Resource": "arn:aws:s3:::learning-databricks/*",
        "Condition": {
            "StringEquals": {
                "s3:x-amz-acl": "bucket-owner-full-control"
            }
        }
    },
    {
        "Effect": "Allow",
        "Principal": {
            "AWS": "arn:aws:iam::414351767826:root"
        },
        "Action": "s3:*",
        "Resource": [
            "arn:aws:s3:::learning-databricks",
            "arn:aws:s3:::learning-databricks/*"
        ],
        "Condition": {
            "StringEquals": {
                "s3:x-amz-acl": "bucket-owner-full-control"
            }
        }
    }
]

}

Databricks role permissions:

{
"Version": "2012-10-17",
"Statement": [
    {
        "Effect": "Allow",
        "Action": [
            "ec2:DescribeAvailabilityZones",
            "ec2:DescribeInstances",
            "ec2:DescribeInstanceStatus",
            "ec2:DescribeRouteTables",
            "ec2:DescribeSecurityGroups",
            "ec2:DescribeSubnets",
            "ec2:DescribeVolumes",
            "ec2:DescribeVpcs",
            "ec2:CreateInternetGateway",
            "ec2:CreateVPC",
            "ec2:DeleteVPC",
            "ec2:AllocateAddress",
            "ec2:ReleaseAddress",
            "ec2:DescribeNatGateways",
            "ec2:DeleteNatGateway",
            "ec2:DeleteVpcEndpoints",
            "ec2:CreateRouteTable",
            "ec2:DisassociateRouteTable",
            "ec2:CreateSecurityGroup",
            "ec2:AuthorizeSecurityGroupIngress",
            "ec2:AuthorizeSecurityGroupEgress",
            "ec2:CreateSubnet",
            "ec2:DeleteSubnet",
            "ec2:CreateNetworkInterface",
            "ec2:DeleteNetworkInterface",
            "ec2:AttachNetworkInterface",
            "ec2:DetachNetworkInterface",
            "ec2:ModifyNetworkInterfaceAttribute",
            "iam:PassRole",
            "ec2:RunInstances",
            "ec2:StopInstances",
            "ec2:TerminateInstances",
            "ec2:StartInstances"
        ],
        "Resource": "*"
    },
    {
        "Effect": "Allow",
        "Action": [
            "s3:*"
        ],
        "Resource": [
            "arn:aws:s3:::learning-databricks",
            "arn:aws:s3:::learning-databricks/*"
        ],
        "Condition": {
            "StringEquals": {
                "s3:x-amz-acl": "bucket-owner-full-control"
            }
        }
    }
]

}

Databricks Role Trust Relationship:

{
"Version": "2012-10-17",
"Statement": [
    {
        "Effect": "Allow",
        "Principal": {
            "AWS": "arn:aws:iam::414351767826:root"
        },
        "Action": "sts:AssumeRole",
        "Condition": {
            "StringEquals": {
                "sts:ExternalId": "External-uuid"
            }
        }
    },
    {
        "Effect": "Allow",
        "Principal": {
            "AWS": "arn:aws:iam::aws-account:root"
        },
        "Action": "sts:AssumeRole",
        "Condition": {
            "StringEquals": {
                "sts:ExternalId": "External-uuid"
            }
        }
    },
    {
        "Effect": "Allow",
        "Principal": {
            "AWS": "arn:aws:iam::aws-account:role/databricks-access"
        },
        "Action": "sts:AssumeRole",
        "Condition": {
            "StringEquals": {
                "sts:ExternalId": "External-uuid"
            }
        }
    }
]

}


I've been struggling with this all night, and just fixed it by adding a bucket policy. Note that the generated policy below carries no `s3:x-amz-acl` condition: that condition key is only present on requests that set an ACL header, so a statement that requires it will not match `s3:ListBucket`, `s3:DeleteObject` or a plain `s3:PutObject`, which is consistent with the List/Put/Delete validation failures in the question. It also restricts the grant to the listed actions and to your own Databricks account via the `aws:PrincipalTag/DatabricksAccountId` condition, rather than granting `s3:*` to the whole Databricks AWS account.

While creating your storage configuration:

Add storage configuration

Open "Generate Policy", copy the bucket policy out...

Expanded policy

{
 "Version": "2012-10-17",
 "Statement": [
  {
   "Sid": "Grant Databricks Access",
   "Effect": "Allow",
   "Principal": {
    "AWS": "arn:aws:iam::414351767826:root"
   },
   "Action": [
    "s3:GetObject",
    "s3:GetObjectVersion",
    "s3:PutObject",
    "s3:DeleteObject",
    "s3:ListBucket",
    "s3:GetBucketLocation"
   ],
   "Resource": [
    "arn:aws:s3:::acme-data-bucket/*",
    "arn:aws:s3:::acme-data-bucket"
   ],
   "Condition": {
    "StringEquals": {
     "aws:PrincipalTag/DatabricksAccountId": [
      "0d26daa6-dead-beaf-9999-acctidabcdefg"
     ]
    }
   }
  }
 ]
}

Then go to your AWS console, open the S3 bucket, choose Permissions, click Edit bucket policy, and paste it:

S3 Bucket Permissions, with pasted bucket policy

Go back to trying to create your workspace. Hopefully it will work for you like it just worked for me.
