Data Labs
Issue Description: Attachment of iceberg type datasets to Data Labs fails with the following error message:
GE-1004 - Failed to create IAM role for service sagemaker-studio due to error - ROLE-1007 - Failed to create IAM role policy with error - An error occurred (MalformedPolicyDocument) when calling the PutRolePolicy operation: Statement IDs (SID) in a single policy must be unique.
Affected Versions: 3.2
Explanation: An additional statement is added to the role policy document when an iceberg type dataset is attached to a Data Lab. The SID for this new statement overlaps with another statement created previously for Data Labs. This leads to a conflict exception, and the IAM role creation fails.
IAM policy shape for shared domains
When a domain is shared with a Data Lab, Amorphic prefers a single domain/* wildcard in the Data Lab's IAM role policy over listing every dataset path, to keep the policy compact.
Because Iceberg datasets require a different IAM statement shape than non-Iceberg datasets, domain/* is only used when every dataset in the domain is of the same type:
- Domain with all non-Iceberg datasets → policy uses domain/*
- Domain with all Iceberg datasets → policy uses domain/* (under the Iceberg-shaped statement)
- Domain with a mix of Iceberg and non-Iceberg datasets → policy falls back to individual domain_name/dataset_name/* entries, since the two statement shapes cannot share a single wildcard
If you want the shorter domain/* form on a domain that already contains an Iceberg dataset, every other dataset in that domain must also be Iceberg type. Mixing types forces the per-dataset expansion.
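The wildcard rule above and a pre-flight check for the duplicate-SID failure, as an added sketch that is not Amorphic's own code. The function names, Sid values, the s3:GetObject action and the bucket ARN are assumptions; the page does not show the real statement shapes.

```python
import json
from collections import Counter

# Constructed sample input: domain -> {dataset name: is it Iceberg type?}
SAMPLE_DOMAINS = {
    "sales": {"orders": False, "refunds": False},  # all non-Iceberg
    "lake": {"events": True},                      # all Iceberg
    "mixed": {"a": True, "b": False},              # both types
}

def domain_resources(domain, datasets):
    """Return {shape: [paths]} following the wildcard rule described above."""
    shapes = {"iceberg" if ice else "standard" for ice in datasets.values()}
    if len(shapes) == 1:  # uniform domain: a single domain/* entry is enough
        return {shapes.pop(): [f"{domain}/*"]}
    out = {"standard": [], "iceberg": []}  # mixed: expand per dataset
    for name, ice in sorted(datasets.items()):
        out["iceberg" if ice else "standard"].append(f"{domain}/{name}/*")
    return out

def build_policy(domains, bucket_arn):
    """One statement per shape; Sid and Action values are placeholders."""
    grouped = {"standard": [], "iceberg": []}
    for domain, datasets in sorted(domains.items()):
        for shape, paths in domain_resources(domain, datasets).items():
            grouped[shape].extend(paths)
    statements = [
        {
            "Sid": f"DataLab{shape.capitalize()}Access",  # hypothetical Sid
            "Effect": "Allow",
            "Action": ["s3:GetObject"],  # placeholder action
            "Resource": [f"{bucket_arn}/{p}" for p in paths],
        }
        for shape, paths in grouped.items() if paths
    ]
    return {"Version": "2012-10-17", "Statement": statements}

def duplicate_sids(policy):
    """Sids used more than once; IAM rejects such a policy on PutRolePolicy."""
    counts = Counter(s["Sid"] for s in policy["Statement"] if "Sid" in s)
    return sorted(sid for sid, n in counts.items() if n > 1)

if __name__ == "__main__":
    policy = build_policy(SAMPLE_DOMAINS, "arn:aws:s3:::example-bucket")
    assert not duplicate_sids(policy), "fix Sids before calling PutRolePolicy"
    print(json.dumps(policy, indent=2))
```

Running duplicate_sids over a generated policy before it is sent to IAM surfaces the SID collision locally instead of as a MalformedPolicyDocument error from PutRolePolicy.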