What causes CLOUD_ACCESS_DENIED?

The EC2 instance profile or Azure managed identity attached to the cluster does not have read/write permission on the storage bucket or container. The storage path is in a different account or subscription and cross-account permissions are not configured. Unity Catalog external location credentials are not set up correctly. The IAM role or managed identity was recently modified and storage permissions were removed. A workspace-level storage access policy is blocking the access

How do I fix CLOUD_ACCESS_DENIED?

Verify the IAM role (AWS) or managed identity (Azure) attached to the cluster has the required storage permissions. For Unity Catalog, check the external location and storage credential configuration in the Unity Catalog settings. Test access from the cluster using dbutils.fs.ls('storage-path') to confirm the error. Check for recent IAM policy or RBAC changes that may have removed storage access. For cross-account access on AWS, verify the bucket policy allows access from the Databricks account

High severitysql

Power BI Refresh Error:
CLOUD_ACCESS_DENIED

What does this error mean?

The Databricks cluster does not have permission to access the specified cloud storage path. This error occurs when the cluster's IAM role (AWS) or managed identity (Azure) lacks the necessary storage permissions.

Common causes

1The EC2 instance profile or Azure managed identity attached to the cluster does not have read/write permission on the storage bucket or container
2The storage path is in a different account or subscription and cross-account permissions are not configured
3Unity Catalog external location credentials are not set up correctly
4The IAM role or managed identity was recently modified and storage permissions were removed
5A workspace-level storage access policy is blocking the access

How to fix it

1Verify the IAM role (AWS) or managed identity (Azure) attached to the cluster has the required storage permissions
2For Unity Catalog, check the external location and storage credential configuration in the Unity Catalog settings
3Test access from the cluster using dbutils.fs.ls('storage-path') to confirm the error
4Check for recent IAM policy or RBAC changes that may have removed storage access
5For cross-account access on AWS, verify the bucket policy allows access from the Databricks account

Frequently asked questions

How do I test storage access from a Databricks cluster?

Use dbutils.fs.ls('s3://bucket-name/path') or dbutils.fs.ls('abfss://container@account.dfs.core.windows.net/path') in a notebook attached to the cluster.

Does Unity Catalog change how storage permissions work?

Yes — with Unity Catalog, storage access is controlled through storage credentials and external locations, not directly through instance profiles. Both need to be configured correctly.