Create an IAM role for workspace deployment

This article describes how to:

  • Create and configure a cross-account IAM role for Databricks workspace deployment. This role gives Databricks limited access to your AWS account for the purposes of creating and managing compute and VPC resources.

  • Use the Databricks account console to create a credential configuration that references the IAM role.

Requirements

Automate IAM role creation

You can automate the IAM role creation by using one of the following automation options:

Manual IAM role creation

The following steps apply to a custom AWS workspace deployment. You only need to follow these steps if you are deploying a workspace using the Custom AWS configuration option.

Step 1: Create a cross-account IAM role

  1. Get your Databricks account ID. See Locate your account ID.

  2. Log into your AWS Console as a user with administrator privileges and go to the IAM console.

  3. Click the Roles tab in the sidebar.

  4. Click Create role.

    1. In Select type of trusted entity, click the AWS account tile.

    2. Select the Another AWS account checkbox.

    3. In the Account ID field, enter the Databricks account ID 414351767826. This is not the Account ID you copied from the Databricks account console.

    4. Select the Require external ID checkbox.

    5. In the External ID field, enter your Databricks account ID, which you copied from the Databricks account console.

    6. Click the Next button.

    7. In the Add Permissions page, click the Next button. You should now be on the Name, review, and create page.

    8. In the Role name field, enter a role name.

    9. Click Create role. The list of roles appears.

Step 2: Create an access policy

The access policy you add to the role depends on your Amazon VPC (Virtual Private Cloud) deployment type. For information about how Databricks uses each permission, see IAM permissions for Databricks-managed VPCs. Use the policy instructions that describe your deployment:

Option 1: Default deployment policy

  1. In the Roles section of the IAM console, click the IAM role you created in Step 1.

  2. Click the Add permissions drop-down and select Create inline policy.

  3. In the policy editor, click the JSON tab.

  4. Copy and paste the following access policy:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "Stmt1403287045000",
          "Effect": "Allow",
          "Action": [
            "ec2:AllocateAddress",
            "ec2:AssignPrivateIpAddresses",
            "ec2:AssociateDhcpOptions",
            "ec2:AssociateIamInstanceProfile",
            "ec2:AssociateRouteTable",
            "ec2:AttachInternetGateway",
            "ec2:AttachVolume",
            "ec2:AuthorizeSecurityGroupEgress",
            "ec2:AuthorizeSecurityGroupIngress",
            "ec2:CancelSpotInstanceRequests",
            "ec2:CreateDhcpOptions",
            "ec2:CreateFleet",
            "ec2:CreateInternetGateway",
            "ec2:CreateLaunchTemplate",
            "ec2:CreateLaunchTemplateVersion",
            "ec2:CreateNatGateway",
            "ec2:CreateRoute",
            "ec2:CreateRouteTable",
            "ec2:CreateSecurityGroup",
            "ec2:CreateSubnet",
            "ec2:CreateTags",
            "ec2:CreateVolume",
            "ec2:CreateVpc",
            "ec2:CreateVpcEndpoint",
            "ec2:DeleteDhcpOptions",
            "ec2:DeleteFleets",
            "ec2:DeleteInternetGateway",
            "ec2:DeleteLaunchTemplate",
            "ec2:DeleteLaunchTemplateVersions",
            "ec2:DeleteNatGateway",
            "ec2:DeleteRoute",
            "ec2:DeleteRouteTable",
            "ec2:DeleteSecurityGroup",
            "ec2:DeleteSubnet",
            "ec2:DeleteTags",
            "ec2:DeleteVolume",
            "ec2:DeleteVpc",
            "ec2:DeleteVpcEndpoints",
            "ec2:DescribeAvailabilityZones",
            "ec2:DescribeFleetHistory",
            "ec2:DescribeFleetInstances",
            "ec2:DescribeFleets",
            "ec2:DescribeIamInstanceProfileAssociations",
            "ec2:DescribeInstanceStatus",
            "ec2:DescribeInstances",
            "ec2:DescribeInternetGateways",
            "ec2:DescribeLaunchTemplates",
            "ec2:DescribeLaunchTemplateVersions",
            "ec2:DescribeNatGateways",
            "ec2:DescribePrefixLists",
            "ec2:DescribeReservedInstancesOfferings",
            "ec2:DescribeRouteTables",
            "ec2:DescribeSecurityGroups",
            "ec2:DescribeSpotInstanceRequests",
            "ec2:DescribeSpotPriceHistory",
            "ec2:DescribeSubnets",
            "ec2:DescribeVolumes",
            "ec2:DescribeVpcs",
            "ec2:DetachInternetGateway",
            "ec2:DisassociateIamInstanceProfile",
            "ec2:DisassociateRouteTable",
            "ec2:GetLaunchTemplateData",
            "ec2:GetSpotPlacementScores",
            "ec2:ModifyFleet",
            "ec2:ModifyLaunchTemplate",
            "ec2:ModifyVpcAttribute",
            "ec2:ReleaseAddress",
            "ec2:ReplaceIamInstanceProfileAssociation",
            "ec2:RequestSpotInstances",
            "ec2:RevokeSecurityGroupEgress",
            "ec2:RevokeSecurityGroupIngress",
            "ec2:RunInstances",
            "ec2:TerminateInstances"
          ],
          "Resource": [
            "*"
          ]
        },
        {
          "Effect": "Allow",
          "Action": [
            "iam:CreateServiceLinkedRole",
            "iam:PutRolePolicy"
          ],
          "Resource": "arn:aws:iam::*:role/aws-service-role/spot.amazonaws.com/AWSServiceRoleForEC2Spot",
          "Condition": {
            "StringLike": {
              "iam:AWSServiceName": "spot.amazonaws.com"
            }
          }
        }
      ]
    }
    
  5. Click Review policy.

  6. In the Name field, enter a policy name.

  7. Click Create policy.

  8. (Optional) If you use Service Control Policies to deny certain actions at the AWS account level, ensure that sts:AssumeRole is allowlisted so Databricks can assume the cross-account role.

  9. In the role summary, copy the Role ARN to add to Databricks.

Option 2: Customer-managed VPC with default restrictions policy

  1. Log into your AWS Console as a user with administrator privileges and go to the IAM console.

  2. Click the Roles tab in the sidebar.

  3. In the list of roles, click the cross-account IAM role that you created in Step 1.

  4. Click the Add permissions drop-down and select Create inline policy.

  5. In the policy editor, click the JSON tab.

  6. Copy and paste the following access policy.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "Stmt1403287045000",
          "Effect": "Allow",
          "Action": [
            "ec2:AssociateIamInstanceProfile",
            "ec2:AttachVolume",
            "ec2:AuthorizeSecurityGroupEgress",
            "ec2:AuthorizeSecurityGroupIngress",
            "ec2:CancelSpotInstanceRequests",
            "ec2:CreateTags",
            "ec2:CreateVolume",
            "ec2:DeleteTags",
            "ec2:DeleteVolume",
            "ec2:DescribeAvailabilityZones",
            "ec2:DescribeIamInstanceProfileAssociations",
            "ec2:DescribeInstanceStatus",
            "ec2:DescribeInstances",
            "ec2:DescribeInternetGateways",
            "ec2:DescribeNatGateways",
            "ec2:DescribeNetworkAcls",
            "ec2:DescribePrefixLists",
            "ec2:DescribeReservedInstancesOfferings",
            "ec2:DescribeRouteTables",
            "ec2:DescribeSecurityGroups",
            "ec2:DescribeSpotInstanceRequests",
            "ec2:DescribeSpotPriceHistory",
            "ec2:DescribeSubnets",
            "ec2:DescribeVolumes",
            "ec2:DescribeVpcAttribute",
            "ec2:DescribeVpcs",
            "ec2:DetachVolume",
            "ec2:DisassociateIamInstanceProfile",
            "ec2:ReplaceIamInstanceProfileAssociation",
            "ec2:RequestSpotInstances",
            "ec2:RevokeSecurityGroupEgress",
            "ec2:RevokeSecurityGroupIngress",
            "ec2:RunInstances",
            "ec2:TerminateInstances",
            "ec2:DescribeFleetHistory",
            "ec2:ModifyFleet",
            "ec2:DeleteFleets",
            "ec2:DescribeFleetInstances",
            "ec2:DescribeFleets",
            "ec2:CreateFleet",
            "ec2:DeleteLaunchTemplate",
            "ec2:GetLaunchTemplateData",
            "ec2:CreateLaunchTemplate",
            "ec2:DescribeLaunchTemplates",
            "ec2:DescribeLaunchTemplateVersions",
            "ec2:ModifyLaunchTemplate",
            "ec2:DeleteLaunchTemplateVersions",
            "ec2:CreateLaunchTemplateVersion",
            "ec2:AssignPrivateIpAddresses",
            "ec2:GetSpotPlacementScores"
          ],
          "Resource": [
            "*"
          ]
        },
        {
          "Effect": "Allow",
          "Action": [
            "iam:CreateServiceLinkedRole",
            "iam:PutRolePolicy"
          ],
          "Resource": "arn:aws:iam::*:role/aws-service-role/spot.amazonaws.com/AWSServiceRoleForEC2Spot",
          "Condition": {
            "StringLike": {
              "iam:AWSServiceName": "spot.amazonaws.com"
            }
          }
        }
      ]
    }
    
  7. Click Review policy.

  8. In the Name field, enter a policy name.

  9. Click Create policy.

  10. (Optional) If you use Service Control Policies to deny certain actions at the AWS account level, ensure that sts:AssumeRole is allowlisted so Databricks can assume the cross-account role.

  11. In the role summary, copy the Role ARN.

Option 3: Customer-managed VPC with custom policy restrictions

Note

The Databricks production AWS account from which Amazon Machine Images (AMI) are sourced is 601306020600. You can use this account ID to create custom access policies that restrict which AMIs can be used within your AWS account. For more information, contact your Databricks account team.

  1. Log into your AWS Console as a user with administrator privileges and go to the IAM console.

  2. Click the Roles tab in the sidebar.

  3. In the list of roles, click the cross-account IAM role that you created for in Step 1.

  4. Click the Add permissions dropdown then Create inline policy.

  5. In the policy editor, click the JSON tab.

  6. Copy and paste the following access policy.

    Replace the following values in the policy with your own configuration values:

    • ACCOUNTID — Your AWS account ID, which is a number.

    • VPCID — ID of the AWS VPC where you want to launch workspaces.

    • REGION — AWS Region name for your VPC deployment, for example us-west-2.

    • SECURITYGROUPID — ID of your AWS security group. When you add a security group restriction, you cannot reuse the cross-account IAM role or reference a credentials ID (credentials_id) for any other workspaces. For those other workspaces, you must create separate roles, policies, and credentials objects.

    Note

    If you have custom requirements configured for security groups with your customer-managed vpc, contact your Databricks account team for assistance with IAM policy customizations.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "NonResourceBasedPermissions",
          "Effect": "Allow",
          "Action": [
            "ec2:AssignPrivateIpAddresses",
            "ec2:CancelSpotInstanceRequests",
            "ec2:DescribeAvailabilityZones",
            "ec2:DescribeIamInstanceProfileAssociations",
            "ec2:DescribeInstanceStatus",
            "ec2:DescribeInstances",
            "ec2:DescribeInternetGateways",
            "ec2:DescribeNatGateways",
            "ec2:DescribeNetworkAcls",
            "ec2:DescribePrefixLists",
            "ec2:DescribeReservedInstancesOfferings",
            "ec2:DescribeRouteTables",
            "ec2:DescribeSecurityGroups",
            "ec2:DescribeSpotInstanceRequests",
            "ec2:DescribeSpotPriceHistory",
            "ec2:DescribeSubnets",
            "ec2:DescribeVolumes",
            "ec2:DescribeVpcAttribute",
            "ec2:DescribeVpcs",
            "ec2:CreateTags",
            "ec2:DeleteTags",
            "ec2:GetSpotPlacementScores",
            "ec2:RequestSpotInstances",
            "ec2:DescribeFleetHistory",
            "ec2:ModifyFleet",
            "ec2:DeleteFleets",
            "ec2:DescribeFleetInstances",
            "ec2:DescribeFleets",
            "ec2:CreateFleet",
            "ec2:DeleteLaunchTemplate",
            "ec2:GetLaunchTemplateData",
            "ec2:CreateLaunchTemplate",
            "ec2:DescribeLaunchTemplates",
            "ec2:DescribeLaunchTemplateVersions",
            "ec2:ModifyLaunchTemplate",
            "ec2:DeleteLaunchTemplateVersions",
            "ec2:CreateLaunchTemplateVersion"
          ],
          "Resource": [
            "*"
          ]
        },
        {
          "Sid": "InstancePoolsSupport",
          "Effect": "Allow",
          "Action": [
            "ec2:AssociateIamInstanceProfile",
            "ec2:DisassociateIamInstanceProfile",
            "ec2:ReplaceIamInstanceProfileAssociation"
          ],
          "Resource": "arn:aws:ec2:REGION:ACCOUNTID:instance/*",
          "Condition": {
            "StringEquals": {
              "ec2:ResourceTag/Vendor": "Databricks"
            }
          }
        },
        {
          "Sid": "AllowEc2RunInstancePerTag",
          "Effect": "Allow",
          "Action": "ec2:RunInstances",
          "Resource": [
            "arn:aws:ec2:REGION:ACCOUNTID:volume/*",
            "arn:aws:ec2:REGION:ACCOUNTID:instance/*"
          ],
          "Condition": {
            "StringEquals": {
              "aws:RequestTag/Vendor": "Databricks"
            }
          }
        },
        {
          "Sid": "AllowEc2RunInstanceImagePerTag",
          "Effect": "Allow",
          "Action": "ec2:RunInstances",
          "Resource": [
            "arn:aws:ec2:REGION:ACCOUNTID:image/*"
          ],
          "Condition": {
            "StringEquals": {
              "aws:ResourceTag/Vendor": "Databricks"
            }
          }
        },
        {
          "Sid": "AllowEc2RunInstancePerVPCid",
          "Effect": "Allow",
          "Action": "ec2:RunInstances",
          "Resource": [
            "arn:aws:ec2:REGION:ACCOUNTID:network-interface/*",
            "arn:aws:ec2:REGION:ACCOUNTID:subnet/*",
            "arn:aws:ec2:REGION:ACCOUNTID:security-group/*"
          ],
          "Condition": {
            "StringEquals": {
              "ec2:vpc": "arn:aws:ec2:REGION:ACCOUNTID:vpc/VPCID"
            }
          }
        },
        {
          "Sid": "AllowEc2RunInstanceOtherResources",
          "Effect": "Allow",
          "Action": "ec2:RunInstances",
          "NotResource": [
            "arn:aws:ec2:REGION:ACCOUNTID:image/*",
            "arn:aws:ec2:REGION:ACCOUNTID:network-interface/*",
            "arn:aws:ec2:REGION:ACCOUNTID:subnet/*",
            "arn:aws:ec2:REGION:ACCOUNTID:security-group/*",
            "arn:aws:ec2:REGION:ACCOUNTID:volume/*",
            "arn:aws:ec2:REGION:ACCOUNTID:instance/*"
          ]
        },
        {
          "Sid": "EC2TerminateInstancesTag",
          "Effect": "Allow",
          "Action": [
            "ec2:TerminateInstances"
          ],
          "Resource": [
            "arn:aws:ec2:REGION:ACCOUNTID:instance/*"
          ],
          "Condition": {
            "StringEquals": {
              "ec2:ResourceTag/Vendor": "Databricks"
            }
          }
        },
        {
          "Sid": "EC2AttachDetachVolumeTag",
          "Effect": "Allow",
          "Action": [
            "ec2:AttachVolume",
            "ec2:DetachVolume"
          ],
          "Resource": [
            "arn:aws:ec2:REGION:ACCOUNTID:instance/*",
            "arn:aws:ec2:REGION:ACCOUNTID:volume/*"
          ],
          "Condition": {
            "StringEquals": {
              "ec2:ResourceTag/Vendor": "Databricks"
            }
          }
        },
        {
          "Sid": "EC2CreateVolumeByTag",
          "Effect": "Allow",
          "Action": [
            "ec2:CreateVolume"
          ],
          "Resource": [
            "arn:aws:ec2:REGION:ACCOUNTID:volume/*"
          ],
          "Condition": {
            "StringEquals": {
              "aws:RequestTag/Vendor": "Databricks"
            }
          }
        },
        {
          "Sid": "EC2DeleteVolumeByTag",
          "Effect": "Allow",
          "Action": [
            "ec2:DeleteVolume"
          ],
          "Resource": [
            "arn:aws:ec2:REGION:ACCOUNTID:volume/*"
          ],
          "Condition": {
            "StringEquals": {
              "ec2:ResourceTag/Vendor": "Databricks"
            }
          }
        },
        {
          "Effect": "Allow",
          "Action": [
            "iam:CreateServiceLinkedRole",
            "iam:PutRolePolicy"
          ],
          "Resource": "arn:aws:iam::*:role/aws-service-role/spot.amazonaws.com/AWSServiceRoleForEC2Spot",
          "Condition": {
            "StringLike": {
              "iam:AWSServiceName": "spot.amazonaws.com"
            }
          }
        },
        {
          "Sid": "VpcNonresourceSpecificActions",
          "Effect": "Allow",
          "Action": [
            "ec2:AuthorizeSecurityGroupEgress",
            "ec2:AuthorizeSecurityGroupIngress",
            "ec2:RevokeSecurityGroupEgress",
            "ec2:RevokeSecurityGroupIngress"
          ],
          "Resource": "arn:aws:ec2:REGION:ACCOUNTID:security-group/SECURITYGROUPID",
          "Condition": {
            "StringEquals": {
              "ec2:vpc": "arn:aws:ec2:REGION:ACCOUNTID:vpc/VPCID"
            }
          }
        }
      ]
    }
    
  7. Click Review policy.

  8. In the Name field, enter a policy name.

  9. Click Create policy.

  10. (Optional) If you use Service Control Policies to deny certain actions at the AWS account level, ensure that sts:AssumeRole is allowlisted so Databricks can assume the cross-account role.

  11. In the role summary, copy the Role ARN.

Step 3: Create a credential configuration in Databricks

When you have created the IAM role, you can tell Databricks about it by creating a credential configuration that uses that role’s ID.

To create a credential configuration:

  1. In the account console, click Cloud resources.

  2. Click Credential configuration.

  3. Click Add credential configuration.

  4. In the Credential configuration name field, enter a human-readable name for your new credential configuration.

  5. In the Role ARN field, enter your role’s ARN.

  6. Click Add.

Validation is not run during credential configuration creation. Some errors are detected only when you use the configuration to create a new workspace. These errors can include an invalid ARN or incorrect permissions for the role, among others.

Delete a credential configuration

Credential configurations cannot be edited after creation. If the configuration has incorrect data or if you no longer need it, delete the credential configuration:

  1. In the account console, click Cloud resources.

  2. Click Credential configuration.

  3. On the credential configuration row, click the Actions menu icon, and select Delete.

    You can also click the credential configuration name and click Delete on the pop-up dialog.

  4. On the confirmation dialog, click Confirm Delete.