Problem
When you try to create a new workspace through AWS Quickstart with an IP access list enabled on your Databricks account, the CloudFormation deployment fails with the following error.
Received response status [FAILED] from custom resource. Message returned: See the details in CloudWatch Log Stream.
Then, when you check your CloudWatch logs, you see the following message.
HTTP error occurred: 403 Client Error: Forbidden for url: https://accounts.cloud.databricks.com/api/2.0/accounts/xxxxxxxxxx/credentials
HTTP content: b'{
"error_code": "403",
"message": "Unauthorized access to account:xxxxxxxxx"
}'
Cause
Your IP access list allows only your corporate IP ranges. The Quickstart's CloudFormation custom resource calls the Databricks account API from AWS-owned IP addresses that are not on the list, so the account API rejects the call with the 403 error shown above.
Solution
Make sure the necessary AWS-owned IPs are allowed on the IP access list along with your organization’s client IPs.
Refer to the AWS documentation, AWS IP address ranges, to verify whether the required IP ranges are listed. If they are not, contact AWS support to obtain the specific IP addresses that can be added to the IP access list.
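As an added example (not Databricks or AWS code), the following Python script reports which AWS-published prefixes for a region and service are not cleanly allowed by the enabled ALLOW entries of an account IP access list, treating an overlap with an enabled BLOCK entry as not covered. It uses constructed samples in the shape of ip-ranges.json (the file behind the AWS IP address ranges page, https://ip-ranges.amazonaws.com/ip-ranges.json) and of the account API's IP access list response; the prefixes are documentation ranges, and both shapes are assumptions for this example.

```python
import ipaddress
import json

# Constructed sample in the shape of AWS's published ip-ranges.json; the
# prefixes are documentation ranges, not real AWS allocations.
SAMPLE_IP_RANGES = json.dumps({
    "createDate": "2024-01-01-00-00-00",
    "prefixes": [
        {"ip_prefix": "203.0.113.0/24", "region": "us-east-1", "service": "AMAZON"},
        {"ip_prefix": "198.51.100.0/25", "region": "us-east-1", "service": "EC2"},
        {"ip_prefix": "192.0.2.0/24", "region": "eu-west-1", "service": "AMAZON"},
    ],
})

# Constructed sample of an account-level IP access list, in the shape the
# Databricks account API returns it (assumed; only the fields used here).
SAMPLE_ACCESS_LIST = {"ip_access_lists": [
    {"label": "corp", "list_type": "ALLOW", "enabled": True,
     "ip_addresses": ["10.0.0.0/8", "198.51.100.0/24", "192.0.2.0/24"]},
    {"label": "old", "list_type": "ALLOW", "enabled": False,
     "ip_addresses": ["203.0.113.0/24"]},
    {"label": "deny", "list_type": "BLOCK", "enabled": True,
     "ip_addresses": ["192.0.2.128/25"]},
]}

def enabled_networks(access_list, list_type):
    """Networks of every enabled entry of the given type (ALLOW or BLOCK)."""
    return [ipaddress.ip_network(addr, strict=False)
            for entry in access_list["ip_access_lists"]
            if entry["list_type"] == list_type and entry["enabled"]
            for addr in entry["ip_addresses"]]

def aws_prefixes(ip_ranges_json, region, service="AMAZON"):
    """IPv4 prefixes AWS publishes for one region and service."""
    data = json.loads(ip_ranges_json)
    return [ipaddress.ip_network(p["ip_prefix"]) for p in data["prefixes"]
            if p["region"] == region and p["service"] == service]

def missing_aws_prefixes(ip_ranges_json, access_list, region, service="AMAZON"):
    """AWS prefixes not cleanly allowed: covered means one enabled ALLOW network
    contains the whole prefix and no enabled BLOCK network overlaps it."""
    allow = enabled_networks(access_list, "ALLOW")
    block = enabled_networks(access_list, "BLOCK")
    return [str(p) for p in aws_prefixes(ip_ranges_json, region, service)
            if not any(n.version == p.version and p.subnet_of(n) for n in allow)
            or any(n.overlaps(p) for n in block)]

if __name__ == "__main__":
    # Expected: ['203.0.113.0/24'] (allowed only by the disabled "old" entry)
    print(missing_aws_prefixes(SAMPLE_IP_RANGES, SAMPLE_ACCESS_LIST, "us-east-1"))
```

Replace the constructed samples with the downloaded ip-ranges.json text and your real access list to get the entries that still need adding. AWS prefixes are shared by every AWS customer, so keep any entry added this way as narrow in region and service as the Quickstart needs.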
Alternatively, you can temporarily disable the IP access list, create the workspace using Quickstart, and re-enable it afterwards. For details on how to disable and re-enable, refer to the Databricks Configure IP access lists for the account console documentation.