Unable to create Glue notebook with Spark as engine type.

0

I am trying to create a Glue notebook using an IAM role that has the policies 'AWSGlueConsoleFullAccess' and 'AWSGlueServiceNotebookRole' and a custom policy as below:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "glue:CreateJob",
                "glue:StartJobRun",
                "glue:GetJobRun",
                "glue:GetJobRuns",
                "glue:GetJob",
                "glue:GetJobs",
                "glue:BatchStopJobRun",
                "glue:Start*",
                "glue:Get*",
                "glue:List*"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "glue:StartNotebook",
                "glue:TerminateNotebook",
                "glue:GlueNotebookRefreshCredentials",
                "glue:DeregisterDataPreview",
                "glue:GetNotebookInstanceStatus",
                "glue:GlueNotebookAuthorize"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketLocation",
                "s3:GetObject",
                "s3:PutObject"
            ],
            "Resource": [
                "arn:aws:s3:::aws-glue*",
                "arn:aws:s3:::aws-glue*/"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "glue:CreateWorkflow",
                "glue:GetWorkflow",
                "glue:BatchStopJobRun",
                "glue:CreateTrigger",
                "glue:GetTriggers",
                "glue:DeleteWorkflow"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": [
                "arn:aws:iam::123456789123:user/foo",
                "arn:aws:iam::123456789123:user/bar",
                "arn:aws:iam::123456789123:user/xyz"
            ]
        }
    ]
}

The role's trust relationship looks like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "glue.amazonaws.com",
                "AWS": [
                    "arn:aws:iam::123456789123:user/foo",
                    "arn:aws:iam::123456789123:user/bar",
                    "arn:aws:iam::123456789123:user/xyz"
                ]
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

But notebook creation fails with a 'Failed to start notebook' error and no further details. The browser's debug console throws the error below:

Access to XMLHttpRequest at 'https://us-east-1.ctrl.prod.os.notifications.*****/notification-hubs' from origin 'https://us-east-1.console.aws.amazon.com' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

Can you help debug the issue? At this point, I have tried everything from other Stack Overflow links, changing browsers and adding a CORS unblock extension, but nothing works.

1 Answer
0
Accepted Answer

I was able to solve the issue with the help of IAM permissions for Glue Studio and passing my IAM role 'AWSGlueServiceNotebookRole' to the Glue service with the help of this section. I wasn't aware that you need to specifically pass the IAM role to the Glue service. I thought that mentioning Glue in the role's trust relationship was sufficient.

answered 4 months ago
AWS
SUPPORT ENGINEER
reviewed a month ago
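
The check below is an added example, not part of the original posts and not AWS code: it evaluates the question's iam:PassRole statement against the role named in the answer. The role ARN, the replacement statement and the `check_pass_role` helper are assumptions made for illustration; IAM evaluates iam:PassRole against the ARN of the role being passed, so the user ARNs listed in the question never match it.

```python
import fnmatch

ACCOUNT = "123456789123"  # account id as written in the question
# Assumption: the role being passed is the one named in the answer.
ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/AWSGlueServiceNotebookRole"

# The iam:PassRole statement from the question's custom policy.
QUESTION_STMT = {
    "Effect": "Allow",
    "Action": "iam:PassRole",
    "Resource": [f"arn:aws:iam::{ACCOUNT}:user/{u}" for u in ("foo", "bar", "xyz")],
}
# Constructed replacement: names the role and limits the target service.
FIXED_STMT = {
    "Effect": "Allow",
    "Action": "iam:PassRole",
    "Resource": ROLE_ARN,
    "Condition": {"StringLike": {"iam:PassedToService": "glue.amazonaws.com"}},
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def check_pass_role(statements, role_arn, service="glue.amazonaws.com"):
    """Return (allowed, findings). Simplified: Allow statements only, no Deny
    or NotAction/NotResource handling, '*' and '?' wildcards via fnmatch."""
    allowed, findings = False, []
    for stmt in statements:
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if stmt.get("Effect") != "Allow" or not any(
                fnmatch.fnmatchcase("iam:passrole", a) for a in actions):
            continue
        cond = stmt.get("Condition", {})
        services = [s for op in ("StringEquals", "StringLike")
                    for s in _as_list(cond.get(op, {}).get("iam:PassedToService", []))]
        for res in _as_list(stmt.get("Resource", [])):
            if fnmatch.fnmatchcase(role_arn, res):
                if services and not any(fnmatch.fnmatchcase(service, s) for s in services):
                    findings.append(f"iam:PassedToService excludes {service}")
                else:
                    allowed = True
            elif ":role/" not in res:
                # iam:PassRole is checked against the ARN of the role being passed.
                findings.append(f"resource is not a role ARN: {res}")
            else:
                findings.append(f"resource does not match {role_arn}: {res}")
    return allowed, findings
```

Run it over each `Statement` list attached to the principal that opens the notebook; a trust policy naming `glue.amazonaws.com` is not an input here because it only controls who may assume the role.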
