// There are generally two deployment options. If additional are required, add them here To launch clusters into the VPC workspace, Databricks must have access to a cross-account IAM role in your AWS account. This Quick Start provides two deployment options: IMPORTANT: Choose the first option if you can create an IAM role in your account, otherwise choose the second option. Note that the second option requires you to configure IAM roles before launching the deployment. * Deploy a Databricks workspace, and create a new cross-account IAM role. You must have sufficient permissions to create a new IAM role. * Deploy a Databricks workspace, and use an existing cross-account IAM role. For more information, see https://docs.databricks.com/administration-guide/account-api/iam-role.html#create-a-cross-account-role-and-an-access-policy[Create a cross-account role and an access policy^]. For this option, create an additional IAM role with the following permissions: . Embed the *AWSLambdaBasicExecutionRole* policy. . Configure the inline policy to access to the Quick Start S3 location: + ---- { "Sid": "S3SourceBucket", "Effect": "Allow", "Action": [ "s3:GetObject", "s3:List*" ], "Resource": "arn:aws:s3:::aws-quickstart/*" } ---- + . Configure the inline policy to allow for managing the S3 bucket used to host the code of the Lambda function: + ---- { "Sid": "S3Buckets", "Effect": "Allow", "Action": [ "s3:PutObject", "s3:DeleteObject" ], "Resource": "arn:aws:s3:::" } ---- + . If you choose the optional customer managed key feature, configure the AWS KMS permissions: + ---- { "Sid": "KMS", "Effect": "Allow", "Action": [ "kms:Get*", "kms:PutKeyPolicy" ], "Resource": "*" } ---- + . If you choose to enable Private Link, you need to include the following permissions: + ---- { "Sid": "AllowEndpointCreation", "Effect": "Allow", "Action": "ec2:CreateVpcEndpoint", "Resource": [ "arn:aws:ec2:*:*:vpc/*", "arn:aws:ec2:*:*:security-group/*", "arn:aws:ec2:*:*:subnet/*" ] }, { "Sid": "RestrictEndpointCreation", "Effect": "Allow", "Action": [ "ec2:CreateVpcEndpoint", "ec2:CreateTags", "ec2:DeleteVpcEndpoints" ], "Resource": "arn:aws:ec2:*:*:vpc-endpoint/*", "Condition": { "StringEquals": { "ec2:VpceServiceName": [ "com.amazonaws.vpce.us-east-1.vpce-svc-09143d1e626de2f04", "com.amazonaws.vpce.us-east-1.vpce-svc-00018a8c3ff62ffdf", "com.amazonaws.vpce.us-east-2.vpce-svc-041dc2b4d7796b8d3", "com.amazonaws.vpce.us-east-2.vpce-svc-090a8fab0d73e39a6", "com.amazonaws.vpce.us-west-2.vpce-svc-0129f463fcfbc46c5", "com.amazonaws.vpce.us-west-2.vpce-svc-0158114c0c730c3bb", "com.amazonaws.vpce.eu-west-1.vpce-svc-0da6ebf1461278016", "com.amazonaws.vpce.eu-west-1.vpce-svc-09b4eb2bc775f4e8c", "com.amazonaws.vpce.eu-west-2.vpce-svc-01148c7cdc1d1326c", "com.amazonaws.vpce.eu-west-2.vpce-svc-05279412bf5353a45", "com.amazonaws.vpce.eu-central-1.vpce-svc-081f78503812597f7", "com.amazonaws.vpce.eu-central-1.vpce-svc-08e5dfca9572c85c4", "com.amazonaws.vpce.ap-southeast-1.vpce-svc-02535b257fc253ff4", "com.amazonaws.vpce.ap-southeast-1.vpce-svc-0557367c6fc1a0c5c", "com.amazonaws.vpce.ap-southeast-2.vpce-svc-0b87155ddd6954974", "com.amazonaws.vpce.ap-southeast-2.vpce-svc-0b4a72e8f825495f6", "com.amazonaws.vpce.ap-northeast-1.vpce-svc-02691fd610d24fd64", "com.amazonaws.vpce.ap-northeast-1.vpce-svc-02aa633bda3edbec0", "com.amazonaws.vpce.ap-south-1.vpce-svc-0dbfe5d9ee18d6411", "com.amazonaws.vpce.ap-south-1.vpce-svc-03fd4d9b61414f3de", "com.amazonaws.vpce.ca-central-1.vpce-svc-0205f197ec0e28d65", "com.amazonaws.vpce.ca-central-1.vpce-svc-0c4e25bdbcbfbb684" ] } } }, { "Sid": "AllowEndpointModification", "Effect": "Allow", "Action": "ec2:ModifyVpcEndpoint", "Resource": [ "arn:aws:ec2:*:*:vpc-endpoint/*" ] }, { "Sid": "AllowDescribes", "Effect": "Allow", "Action": [ "ec2:DescribeVpcEndpoints", "ec2:DescribeVpcs" ], "Resource": "*" }, { "Effect": "Allow", "Sid": "AllowVPCAssociationWithHostedZone", "Action": [ "route53:AssociateVPCWithHostedZone", "route53:DisassociateVPCFromHostedZone" ], "Resource": [ "arn:aws:route53:::hostedzone/*", "arn:aws:ec2:*:*:vpc/*" ] } ----