Problem
You continue to receive AccessDenied errors when querying external locations after a previously deleted Unity Catalog IAM role is recreated with the same name.
java.nio.file.AccessDeniedException: s3://<bucket-name>.<region>.amazonaws.com/path/to/object: getFileStatus on s3://<bucket-name>.<region>.amazonaws.com/path/to/object: com.amazonaws.services.s3.model.AmazonS3Exception: Forbidden; request: HEAD https://<bucket-name>.<region>.amazonaws.com /src/tables/services/path/_delta_log {} Hadoop 3.3.6, aws-sdk-java/1.12.610 Linux/5.15.0-1072-aws OpenJDK_64-Bit_Server_VM/17.0.11+9-LTS java/17.0.11 scala/2.12.15 kotlin/1.6.0 vendor/<vendor-name>. cfg/retry-mode/legacy com.amazonaws.services.s3.model.GetObjectMetadataRequest; Request ID: <request-id>, Extended Request ID: <extended-request-id>, Cloud Provider: AWS, Instance ID: <instance-id> credentials-provider: <credentials-provider> credential-header: <credential-header> Credential=REDACTED_ACCESS_KEY(xxxxxxxx)/20241109/<region>/s3/aws4_request signature-present: true (Service: Amazon S3; Status Code: 403; Error Code: 403 Forbidden
Cause
This error occurs when the S3 bucket policy for the external location names the deleted Unity Catalog IAM role as a principal for read and write access.
When an IAM role is deleted, AWS rewrites every resource-based policy (an S3 bucket policy, for example) that lists the role's Amazon Resource Name (ARN) in its Principal element, replacing the ARN with the role's unique ID (a string beginning with AROA). This rewrite is deliberate: it prevents a role created later under the same name from inheriting access that was granted to the old one.
As a result, the bucket policy now grants access only to a unique ID that no existing role carries. Requests from the external location no longer match the Allow statement and fall through to the implicit deny, which surfaces as the 403 AccessDenied error shown above.
Recreating the IAM role with the same name does not restore access: the new role receives a new unique ID, so the bucket policy still does not recognize it as the same entity, and requests to the external location continue to be denied.
Solution
- Inspect the bucket policy for the external location. Look for any Principal entries that used to reference the deleted Unity Catalog IAM role; they now appear as a unique role ID of the form AROAXXXXXXXXXXXXXXXXX (AROA followed by 17 alphanumeric characters) instead of an ARN.
- Replace each such unique role ID with the ARN of the recreated Unity Catalog role. Repeat for every other external location S3 bucket policy that referenced the deleted role.
- Verify that the IAM role associated with the storage credential used by the external location has the required read and write permissions on the referenced S3 bucket. Confirm this by reviewing the IAM role's attached policies and checking that they grant the appropriate access to the specified S3 path.
- If the issue persists, consider recreating the Unity Catalog external location in Databricks. To do this, go to your Databricks workspace, navigate to Catalog > Settings > External Locations, and manually create a new external location.
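The following script, added here as an example and not part of the original article or of Databricks' or AWS's tooling, automates the first two steps: it walks a bucket policy, flags any AWS principal that is a bare AROA unique ID (the trace a deleted role leaves behind), and rewrites each one to the ARN you supply for the recreated role. The bucket name, account ID, role names and the unique ID in the sample policy are constructed for the example; the Principal shapes it handles (a single string or a list under the "AWS" key) are the ones IAM actually uses.

```python
"""Find and repair S3 bucket-policy principals that IAM rewrote to a deleted
role's unique ID. Added example; not Databricks' or AWS's own code."""
import copy
import json
import re
from typing import Dict, List, Tuple

# Unique role IDs are "AROA" followed by 17 upper-case alphanumerics (21 characters).
ROLE_UNIQUE_ID = re.compile(r"^AROA[A-Z0-9]{17}$")

# Constructed sample: a bucket policy whose Unity Catalog principal was rewritten
# by IAM when the role was deleted. Bucket, account and role names are made up.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "UnityCatalogObjectAccess",
            "Effect": "Allow",
            "Principal": {"AWS": ["AROAEXAMPLEDELETED001"]},
            "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
            "Resource": "arn:aws:s3:::example-uc-bucket/*",
        },
        {
            "Sid": "UnityCatalogBucketAccess",
            "Effect": "Allow",
            "Principal": {"AWS": "AROAEXAMPLEDELETED001"},
            "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
            "Resource": "arn:aws:s3:::example-uc-bucket",
        },
        {
            "Sid": "OtherTeamAccess",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/other-team-role"},
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-uc-bucket/shared/*",
        },
    ],
}


def _aws_principals(statement: dict) -> List[str]:
    """Return the AWS principal strings of one statement ("*" and non-dict principals are skipped)."""
    principal = statement.get("Principal")
    if not isinstance(principal, dict):
        return []  # "*" or missing: nothing IAM would have rewritten
    aws = principal.get("AWS", [])
    return [aws] if isinstance(aws, str) else list(aws)


def find_orphaned_principals(policy: dict) -> List[Tuple[str, str]]:
    """List (Sid, unique ID) pairs for principals that are bare role IDs, i.e. deleted roles."""
    found = []
    for stmt in policy.get("Statement", []):
        for p in _aws_principals(stmt):
            if ROLE_UNIQUE_ID.match(p):
                found.append((stmt.get("Sid", "<no Sid>"), p))
    return found


def repair_policy(policy: dict, replacements: Dict[str, str]) -> dict:
    """Return a copy of the policy with each orphaned unique ID replaced by the ARN
    given in `replacements`. IDs without a mapping are left as they are so that a
    second find_orphaned_principals() pass still reports them."""
    fixed = copy.deepcopy(policy)
    for stmt in fixed.get("Statement", []):
        principal = stmt.get("Principal")
        if not isinstance(principal, dict) or "AWS" not in principal:
            continue
        aws = principal["AWS"]
        if isinstance(aws, str):
            principal["AWS"] = replacements.get(aws, aws)
        else:
            principal["AWS"] = [replacements.get(p, p) for p in aws]
    return fixed


if __name__ == "__main__":
    print("orphaned principals:", find_orphaned_principals(SAMPLE_POLICY))
    # Assumed ARN of the recreated Unity Catalog role.
    new_arn = "arn:aws:iam::123456789012:role/unity-catalog-access-role"
    repaired = repair_policy(SAMPLE_POLICY, {"AROAEXAMPLEDELETED001": new_arn})
    print(json.dumps(repaired, indent=2))
```

Against a real bucket, fetch the policy with `aws s3api get-bucket-policy --bucket <bucket> --query Policy --output text`, feed it to the functions above, and write the result back with `aws s3api put-bucket-policy --bucket <bucket> --policy file://repaired.json`. Before rewriting, compare the AROA value in the policy with `aws iam get-role --role-name <role> --query Role.RoleId --output text` for the recreated role: the two will differ, which is exactly why the same-name role is still denied.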
For additional information, refer to the Create a storage credential for connecting to AWS S3 documentation.
For more information on how deleted IAM roles are handled, refer to the AWS article Understanding AWS's Handling of Deleted IAM Roles in Policies.