Unable to initialize compute cluster CDP Public cloud

Explorer

Hi everyone,

I’m facing an issue while initializing a compute cluster on an existing CDP Public Cloud environment (AWS) using restricted IAM policies.

The operation fails with the following error:

IAM Restricted Resource Policy validation cannot be completed on AWS:
secret encryption is enabled but the secret encryption KMS key is not provided.
Liftie does not have the permission to create the KMS key.
Please provide a valid Customer Managed Key for secret encryption

In the other experiences (CDE, CDF) I bypassed this error by enabling skip validation. Unfortunately, skip validation is not possible when activating the compute cluster. I've also modified the cross-account role by adding the action mentioned in the paragraph "For Let CDP generate CMK" in https://docs.cloudera.com/dataflow/cloud/aws-requirements/cdf-aws-requirements.pdf, but to no avail.

Do you have any suggestions?

Thanks

3 REPLIES

Super Collaborator

Use a pre‑created Customer Managed KMS Key (CMK) for secret encryption; with restricted IAM, Liftie cannot create the key automatically.

In AWS KMS, create or select a symmetric CMK in the same region as the CDP environment.

Edit the Compute Restricted IAM policy and in the statement RestrictedKMSPermissionsUsingCustomerProvidedKey, replace the placeholder with the exact CMK ARN.

Make sure that statement includes KMS actions such as kms:CreateGrant, kms:DescribeKey, kms:Encrypt, kms:Decrypt, kms:ReEncrypt*, kms:GenerateDataKey*.

On the CMK itself, edit the KMS key policy to allow the required service roles (for example AWSServiceRoleForAutoScaling and the EKS/EC2 roles used by CDP) to use the key with the same KMS actions.

Re-run the compute cluster activation; since skip-validation is not supported here, it will only succeed once the CMK and all related permissions are correctly configured.

If, after these changes, the error persists, the next step is to capture the environment name, CMK ARN, and the full key policy, and open a case with Cloudera Support.

@Lorenzo_F 
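The steps in the reply above amount to a checklist (statement present, placeholder replaced with a real key ARN in the environment's region, required KMS actions covered, key policy granting the CDP roles). Below is an added pre-flight script, not Cloudera's own tooling, that runs that checklist against exported policy JSON before you re-run activation. The statement Sid and the action names come from the reply; the expansion of the `kms:ReEncrypt*` and `kms:GenerateDataKey*` globs into concrete actions, the placeholder token, the key ARN and account number, and the `cdp-compute-node-role` name are my assumptions, and both sample policy documents are constructed for the example.

```python
"""Pre-flight check for the Compute Restricted IAM policy statement and the
CMK key policy described in the reply above (added example, not Cloudera code)."""
import fnmatch
import re

# Statement Sid named in the reply.
STATEMENT_SID = "RestrictedKMSPermissionsUsingCustomerProvidedKey"
# Concrete actions behind the reply's kms:ReEncrypt* / kms:GenerateDataKey* globs
# (this expansion is an assumption; align it with the policy version you use).
REQUIRED_ACTIONS = [
    "kms:CreateGrant", "kms:DescribeKey", "kms:Encrypt", "kms:Decrypt",
    "kms:ReEncryptFrom", "kms:ReEncryptTo",
    "kms:GenerateDataKey", "kms:GenerateDataKeyWithoutPlaintext",
]
# Shape of a symmetric KMS key ARN: region is group 1, account is group 2.
KEY_ARN_RE = re.compile(r"^arn:aws:kms:([a-z0-9-]+):(\d{12}):key/[0-9a-f-]{36}$")


def _as_list(value):
    """IAM JSON allows a string or a list in Action/Resource/Principal fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _covers(patterns, action):
    """True if any (case-insensitive) action pattern, wildcards included, matches."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def check_iam_statement(policy, region):
    """Return a list of findings for the CMK statement; empty list means it passes."""
    findings = []
    stmts = [s for s in _as_list(policy.get("Statement")) if s.get("Sid") == STATEMENT_SID]
    if not stmts:
        return [f"statement {STATEMENT_SID} not found"]
    stmt = stmts[0]
    if stmt.get("Effect") != "Allow":
        findings.append("statement Effect is not Allow")
    for res in _as_list(stmt.get("Resource")):
        match = KEY_ARN_RE.match(res)
        if not match:  # placeholder still in place, or not a key ARN at all
            findings.append(f"Resource is not a KMS key ARN (placeholder?): {res}")
        elif match.group(1) != region:
            findings.append(f"CMK {res} is in {match.group(1)}, environment is in {region}")
    actions = _as_list(stmt.get("Action"))
    findings += [f"missing action {a}" for a in REQUIRED_ACTIONS if not _covers(actions, a)]
    return findings


def check_key_policy(key_policy, role_arns):
    """For each role, confirm some Allow statement in the key policy grants it
    every required KMS action; return findings (empty list means it passes)."""
    findings = []
    for role in role_arns:
        missing = set(REQUIRED_ACTIONS)
        for stmt in _as_list(key_policy.get("Statement")):
            if stmt.get("Effect") != "Allow":
                continue
            principal = stmt.get("Principal")
            principals = (_as_list(principal.get("AWS")) if isinstance(principal, dict)
                          else _as_list(principal))
            if "*" not in principals and role not in principals:
                continue
            actions = _as_list(stmt.get("Action"))
            missing = {a for a in missing if not _covers(actions, a)}
        if missing:
            findings.append(f"{role} lacks {sorted(missing)}")
    return findings


# Constructed sample documents (not real keys, accounts or policies).
CMK_ARN = "arn:aws:kms:eu-west-1:123456789012:key/11111111-2222-3333-4444-555555555555"
AUTOSCALING_ROLE = ("arn:aws:iam::123456789012:role/aws-service-role/"
                    "autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling")
NODE_ROLE = "arn:aws:iam::123456789012:role/cdp-compute-node-role"  # hypothetical name

# The statement as it ships: placeholder resource and kms:CreateGrant missing.
BAD_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": STATEMENT_SID, "Effect": "Allow", "Resource": "${CMK_ARN}",
    "Action": ["kms:DescribeKey", "kms:Encrypt", "kms:Decrypt",
               "kms:ReEncrypt*", "kms:GenerateDataKey*"]}]}
# The same statement after following the reply.
GOOD_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": STATEMENT_SID, "Effect": "Allow", "Resource": CMK_ARN,
    "Action": ["kms:CreateGrant", "kms:DescribeKey", "kms:Encrypt", "kms:Decrypt",
               "kms:ReEncrypt*", "kms:GenerateDataKey*"]}]}
KEY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "EnableRootPermissions", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:root"}, "Action": "kms:*", "Resource": "*"},
    {"Sid": "AllowCdpRolesToUseKey", "Effect": "Allow",
     "Principal": {"AWS": [AUTOSCALING_ROLE, NODE_ROLE]},
     "Action": ["kms:CreateGrant", "kms:DescribeKey", "kms:Encrypt", "kms:Decrypt",
                "kms:ReEncrypt*", "kms:GenerateDataKey*"], "Resource": "*"}]}

if __name__ == "__main__":
    for label, findings in [("unedited statement", check_iam_statement(BAD_POLICY, "eu-west-1")),
                            ("edited statement", check_iam_statement(GOOD_POLICY, "eu-west-1")),
                            ("key policy", check_key_policy(KEY_POLICY, [AUTOSCALING_ROLE, NODE_ROLE]))]:
        print(label, "OK" if not findings else findings)
```

Replace the sample dictionaries with the JSON you export from the IAM console (or `aws iam get-policy-version` and `aws kms get-key-policy`); an empty findings list from both checks is the state the activation validator is looking for, and a non-empty one tells you which of the steps above is still incomplete.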

Explorer

Hi @RAGHUY,

Thanks for the suggestion. I already have other Cloudera experiences installed (CDE, CDF, CML) and haven't used custom CMKs. Do you know if enabling the CMK at the environment level would have any impact on these services?

Thanks

Super Collaborator

Enabling a CMK at the environment level is meant for new encryption use in that environment, not for changing how already running services are encrypted.

It should not disrupt existing CDE, CDF, or CML services that are already deployed and running.

Existing services generally continue using the encryption setup they already have.

The CMK choice is typically applied to new resources or new clusters created after the CMK is configured.

In practice, the main impact is on future deployments, not on the current installed services.

The CMK setting is usually a one-time environment configuration for that environment. @Lorenzo_F