• Databricks
  • Databricks
  • Help Center
  • Documentation
  • Knowledge Base
  • Community
  • Support
  • Feedback
  • Try Databricks
English
  • English
  • 日本語
  • Português
Amazon Web Services
  • Microsoft Azure
  • Google Cloud Platform
Databricks on AWS

Get started

  • Get started
  • What is Databricks?
  • DatabricksIQ
  • Release notes

Load & manage data

  • Work with database objects
  • Connect to data sources
  • Connect to compute
  • Discover data
  • Query data
  • Ingest data
  • Work with files
  • Transform data
  • Schedule and orchestrate workflows
  • Monitor data and AI assets
  • Share data securely

Work with data

  • Data engineering
  • AI and machine learning
  • Generative AI tutorial
  • Business intelligence
  • Data warehousing
  • Notebooks
  • Delta Lake
  • Developers
  • Technology partners

Administration

  • Account and workspace administration
  • Security and compliance
    • Authentication and access control
    • Networking
      • Users to Databricks networking
      • Serverless compute plane networking
      • Classic compute plane networking
        • Enable private connectivity using AWS PrivateLink
        • Manage private access settings
        • Manage VPC endpoint registrations
        • Configure a customer-managed VPC
        • VPC peering
        • Configure Databricks S3 commit service-related settings
    • Data security and encryption
    • Secret management
    • Auditing, privacy, and compliance
  • Data governance (Unity Catalog)
  • Lakehouse architecture

Reference & resources

  • Reference
  • Resources
  • What’s coming?
  • Documentation archive

Updated Nov 04, 2024

Send us feedback

  • Documentation
  • Security and compliance guide
  • Networking
  • Classic compute plane networking
  • Configure Databricks S3 commit service-related settings

Configure Databricks S3 commit service-related settings

Databricks runs a commit service that coordinates writes to Amazon S3 from multiple clusters. This service runs in the Databricks control plane. For additional security, you can disable the service’s direct upload optimization as described in Disable the direct upload optimization. To further restrict access to your S3 buckets, see Restrict access to specific IP addresses.

If you receive AWS GuardDuty alerts related to the S3 commit service, see AWS GuardDuty alerts related to S3 commit service.

About the commit service

The S3 commit service helps guarantee consistency of writes across multiple clusters on a single table in specific cases. For example, the commit service helps Delta Lake implement ACID transactions.

In the default configuration, Databricks sends temporary AWS credentials from the compute plane to the control plane in the commit service API call. Instance profile credentials are valid for six hours.

The compute plane writes data directly to S3, and then the S3 commit service in the control plane provides concurrency control by finalizing the commit log upload (completing the multipart upload described below). The commit service does not read any data from S3. It puts a new file in S3 if it does not exist.

The most common data that is written to S3 by the Databricks commit service is the Delta log, which contains statistical aggregates from your data, such as the column’s minimum and maximum values. Most Delta log data is sent to S3 from the control plane using an Amazon S3 multipart upload.

After the cluster stages the multipart data to write the Delta log to S3, the S3 commit service in the Databricks control plane finishes the S3 multipart upload by letting S3 know that it is complete. As a performance optimization for very small updates, by default the commit service sometimes pushes small updates directly from the control plane to S3. This direct update optimization can be disabled. See Disable the direct upload optimization.

In addition to Delta Lake, the following Databricks features use the same S3 commit service:

  • Structured Streaming

  • Auto Loader

  • The SQL command COPY INTO

The commit service is necessary because Amazon doesn’t provide an operation that puts an object only if it does not yet exist. Amazon S3 is a distributed system. If S3 receives multiple write requests for the same object simultaneously, it overwrites all but the last object written. Without the ability to centrally verify commits, simultaneous commits from different clusters would corrupt tables.

AWS GuardDuty alerts related to S3 commit service

Important

Commits to tables managed by Unity Catalog do not trigger GuardDuty alerts.

If you use AWS GuardDuty and you access data using AWS IAM instance profiles, GuardDuty may create alerts for default Databricks behavior related to Delta Lake, Structured Streaming, Auto Loader, or COPY INTO. These alerts are related to instance credential exfiltration detection, which is enabled by default. These alerts include the title UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.InsideAWS.

You can configure your Databricks deployment to address GuardDuty alerts related to the S3 commit service by creating an AWS instance profile that assumes the role of your original S3 data access IAM role.

As an alternative to using instance profile credentials, this new instance profile can configure clusters to assume a role with short duration tokens. This capability already exists in all recent Databricks Runtime versions and can be enforced globally via cluster policies.

  1. If you have not already done so, create a normal instance profile to access the S3 data. This instance profile uses instance profile credentials to directly access the S3 data.

    This section refers to the role ARN in this instance profile as the <data-role-arn>.

  2. Create a new instance profile that will use tokens and references your instance profile that directly accesses the data. Your cluster will reference this new token-based instance profile. See Tutorial: Configure S3 access with an instance profile.

    This instance profile does not need any direct S3 access. Instead it needs only the permissions to assume the IAM role that you use for data access. This section refers to the role ARN in this instance profile as the <cluster-role-arn>.

    1. Add an attached IAM policy on the new cluster instance profile IAM role (<cluster-role-arn>). Add the following policy statement to your new cluster Instance profile IAM Role and replace <data-role-arn> with the ARN of your original instance profile that accesses your bucket.

      {
  "Effect": "Allow",
  "Action": "sts:AssumeRole",
  "Resource": "<data-role-arn>"
}

    2. Add a trust policy statement to your existing data access IAM Role and replace <cluster-role-arn> with the ARN of the original instance profile that accesses your bucket.

      {
  "Effect": "Allow",
  "Principal": {
      "AWS": "<cluster-role-arn>"
  },
  "Action": "sts:AssumeRole"
}

  3. To use notebook code that makes direct connection to S3 without using DBFS, configure your clusters to use the new token-based instance profile and to assume the data access role.

    • Configure a cluster for S3 access to all buckets. Add the following to the cluster’s Spark configuration:

      fs.s3a.credentialsType AssumeRole
fs.s3a.stsAssumeRole.arn <data-role-arn>

    • You can configure this for a specific bucket:

      fs.s3a.bucket.<bucket-name>.aws.credentials.provider org.apache.hadoop.fs.s3a.auth.AssumedRoleCredentialProvider
fs.s3a.bucket.<bucket-name>.assumed.role.arn <data-role-arn>

Disable the direct upload optimization

As a performance optimization for very small updates, by default the commit service sometimes pushes small updates directly from the control plane to S3. To disable this optimization, set the Spark parameter spark.hadoop.fs.s3a.databricks.s3commit.directPutFileSizeThreshold to 0. You can apply this setting in the cluster’s Spark config or set it using cluster policies.

Disabling this feature may result in a small performance impact for near real-time Structured Streaming queries with constant small updates. Consider testing the performance impact with your data before disabling this feature in production.

Restrict access to specific IP addresses

You can limit specific S3 buckets to be accessible only from specific IP addresses. For example, you can restrict access to only your own environment and the IP addresses for the Databricks control plane, including the S3 commit service. This reduces the risk that credentials are used from other locations. See (Optional) Restrict access to S3 buckets.

© Databricks 2024. All rights reserved. Apache, Apache Spark, Spark, and the Spark logo are trademarks of the Apache Software Foundation.

Send us feedback | Privacy Policy | Terms of Use