Step 3: Add an S3 IAM role to the EC2 policy

This article outlines how to add your new IAM role to the EC2 instance policy. Before you complete these steps, make sure to note the IAM role used to create the Databricks deployment, because this is the role you will be editing.

Locate the IAM role that created the Databricks deployment

If you don’t know which IAM role created the Databricks deployment, do the following:

  1. As an account admin, log in to the account console.

  2. Go to Workspaces and click your workspace name.

  3. In the Credentials box, note the role name at the end of the Role ARN.

For example, in the Role ARN arn:aws:iam::123456789123:role/finance-prod, the role name is finance-prod.

Add the S3 IAM role to the EC2 policy

  1. In the AWS console, go to the IAM service.

  2. Click the Roles tab in the sidebar.

  3. Click the role that created the Databricks deployment.

  4. On the Permissions tab, click the policy.

  5. Click Edit Policy.

  6. Append the following block to the end of the Statement array. Ensure that you don’t overwrite any of the existing statements in the policy. Replace <aws-account-id-databricks> with the ID of the AWS account that holds the Databricks deployment, and <iam-role-for-s3-access> with the name of the role you created in Step 1: Create an instance profile:

        {
          "Effect": "Allow",
          "Action": "iam:PassRole",
          "Resource": "arn:aws:iam::<aws-account-id-databricks>:role/<iam-role-for-s3-access>"
        }
    
  7. Click Review policy.

  8. Click Save changes.
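The console steps above amount to a JSON edit of the deployment role's policy. The following script is an added example, not Databricks code and not an AWS SDK call: it appends the same iam:PassRole statement to an existing policy document without touching the statements already there, runs only if re-executed (no duplicate statement), and then checks that no Allow statement grants PassRole on a wildcard resource. The sample policy, the account ID 123456789123 from the Role ARN example above, and the role name s3-access-role are constructed placeholders; substitute your own values.

```python
import copy
import json

# Constructed sample of a policy already attached to the deployment role
# (hypothetical; not an actual Databricks-generated policy).
EXISTING_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["ec2:RunInstances", "ec2:DescribeInstances"],
            "Resource": "*",
        }
    ],
}


def _as_list(value):
    """IAM allows a single string or object where a list is also accepted."""
    return value if isinstance(value, list) else [value]


def pass_role_statement(account_id: str, role_name: str) -> dict:
    """Build the iam:PassRole statement, scoped to exactly one role ARN."""
    return {
        "Effect": "Allow",
        "Action": "iam:PassRole",
        "Resource": f"arn:aws:iam::{account_id}:role/{role_name}",
    }


def append_pass_role(policy: dict, account_id: str, role_name: str) -> dict:
    """Return a copy of `policy` with the PassRole statement appended.

    Existing statements are preserved; the statement is added only if an
    identical one is not already present, so re-running is harmless.
    """
    updated = copy.deepcopy(policy)
    # Normalise a single-object Statement into an array before appending.
    statements = _as_list(updated.get("Statement", []))
    updated["Statement"] = statements
    new_stmt = pass_role_statement(account_id, role_name)
    if new_stmt not in statements:
        statements.append(new_stmt)
    return updated


def check_pass_role_scope(policy: dict) -> list:
    """Return findings for Allow statements granting PassRole on a wildcard.

    An unscoped PassRole lets the deployment role hand *any* role in the
    account to an EC2 instance, which defeats the point of the narrow grant.
    """
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if not any(a in ("iam:passrole", "iam:*", "*") for a in actions):
            continue
        for resource in _as_list(stmt.get("Resource", [])):
            if "*" in resource:
                findings.append(
                    f"Statement[{i}]: iam:PassRole allowed on wildcard resource {resource!r}"
                )
    return findings


if __name__ == "__main__":
    # Constructed inputs: account ID from the Role ARN example, hypothetical role name.
    merged = append_pass_role(EXISTING_POLICY, "123456789123", "s3-access-role")
    print(json.dumps(merged, indent=2))
    for finding in check_pass_role_scope(merged):
        print("WARNING:", finding)
```

Paste the printed document back into Edit Policy (or feed it to your IaC tool) rather than hand-editing. The scope check is the part worth keeping around: if it reports a finding, the PassRole grant is wider than the single S3 access role this step intends to authorise.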

Next steps

After you modify the instance policy, you can add the instance profile to your Databricks workspace. See Step 4: Add an instance profile to Databricks.