question Re: Unable to initialize compute cluster CDP Public cloud in Support Questions

Unable to initialize compute cluster CDP Public cloud

Lorenzo_F — Wed, 29 Apr 2026 07:43:32 GMT

Hi everyone,

I’m facing an issue while initializing a compute cluster on an existing CDP Public Cloud environment (AWS) using restricted IAM policies.

The operation fails with the following error:

IAM Restricted Resource Policy validation cannot be completed on AWS:
secret encryption is enabled but the secret encryption KMS key is not provided.
Liftie does not have the permission to create the KMS key.
Please provide a valid Customer Managed Key for secret encryption

In the other experience (CDE,CDF) I bypassed this error by adding skip validation. Unfortunately, skip validation is not possible when activating the compute cluster. I've modified also the cross account role by adding the action as mentioned on paragraph "For Let CDP generate CMK" https://docs.cloudera.com/dataflow/cloud/aws-requirements/cdf-aws-requirements.pdf but nothing to do.

Do you have any suggestion?

Thanks

Re: Unable to initialize compute cluster CDP Public cloud

RAGHUY — Tue, 05 May 2026 09:33:34 GMT

Use a pre‑created Customer Managed KMS Key (CMK) for secret encryption; with restricted IAM, Liftie cannot create the key automatically.

In AWS KMS, create or select a symmetric CMK in the same region as the CDP environment.

Edit the Compute Restricted IAM policy and in the statement RestrictedKMSPermissionsUsingCustomerProvidedKey, replace the placeholder with the exact CMK ARN.

Make sure that statement includes KMS actions such as kms:CreateGrant, kms:DescribeKey, kms:Encrypt, kms:Decrypt, kms:ReEncrypt*, kms:GenerateDataKey*.

On the CMK itself, edit the KMS key policy to allow the required service roles (for example AWSServiceRoleForAutoScaling and the EKS/EC2 roles used by CDP) to use the key with the same KMS actions.

Re‑run the compute cluster activation; since skip‑validation is not supported here, it will only succeed once the CMK and all related permissions are correctly configured.

If, after these changes, the error persists, the next step is to capture the environment name, CMK ARN, and the full key policy, and open a case with Cloudera Support

@Lorenzo_F

Re: Unable to initialize compute cluster CDP Public cloud

Lorenzo_F — Tue, 05 May 2026 10:03:34 GMT

Hi @RAGHUY ,

thanks for the suggestion. I already have other Cloudera experiences installed (CDE, CDF, CML) and haven't used custom CMKs. Do you know if enabling the CMK at the environment level would have any impact on these services?

Thanks

Re: Unable to initialize compute cluster CDP Public cloud

RAGHUY — Tue, 05 May 2026 10:16:52 GMT

Enabling a CMK at the environment level is meant for new encryption use in that environment, not for changing how already running services are encrypted.

It should not disrupt existing CDE, CDF, or CML services that are already deployed and running.

Existing services generally continue using the encryption setup they already have.

The CMK choice is typically applied to new resources or new clusters created after the CMK is configured.

In practice, the main impact is on future deployments, not on the current installed services.

The CMK setting is usually a one-time environment configuration for that environment. @Lorenzo_F

Re: Unable to initialize compute cluster CDP Public cloud

DianaTorres — Fri, 08 May 2026 03:48:09 GMT

@Lorenzo_F Has the reply helped resolve your issue? If so, please mark the appropriate reply as the solution, as it will make it easier for others to find the answer in the future. Thanks.