Governance is the synergy of our era. If only I could go one week without a discussion around governance that really just boils down to classic role-based access control practices.

The bad news I have for you is that today, in the year 2026 Unity Catalog does not work with S3 Access Points.

However it does show a different pathology than it once did, which leads me to believe that it could, if not for one silly little piece of technical debt.


The system I am building utilizes Amazon S3 Access Points for governance but must integrate into the [Databricks](https://databricks.com) platform. A platform which has its own ideas about governance: Unity Catalog. It should come as no surprise that a system named Unity would go to great lengths to make itself the center of the universe.

How troublesome!

Years ago a colleague and I tried to integrate Databricks Unity Catalog and S3 Access Points only for the approach to crash and burn. Integrating two different opaque tools like IAM permissions and Unity Catalog led to all sorts of attempted incantations, none of which actually succeeded.

The Databricks product team told us that the system did not support S3 Access Points “by design.” I found the reasoning very patronizing because it was presented as “we don’t support S3 Access Points by design to prevent users from circumventing Unity access controls.”

What I understand now is that the “by design” was more of an excuse (“we just don’t want to test it”) than something more substantive.

S3 Access Points can be referenced in a number of ways, such as S3 Access Point Aliases, so that even the most legacy system can integrate with them.

An access point alias name meets all the requirements of a valid Amazon S3 bucket name and consists of the following parts:

The first time we bounced off this problem, S3 Access Point Aliases had only recently been released.

Despite all of Unity Catalog’s protestations, the errors we ended up seeing don’t convey a structural limitation when using S3 Access Point Aliases; instead they point to simply outdated SDK support in the underlying Databricks Runtime.

My hunch is that this comes down to the AWS SDK v1, which was announced as deprecated over two years ago and was completely deprecated as of the end of 2025. Lots of Databricks and other Spark libraries still interact with S3 via the v1 SDK. That SDK was originally released in 2010 (lol), so it’s likely that the authentication issue we were seeing was tangled up with that old SDK’s support for S3 Access Point Aliases.

Since we bounced off this problem a number of years ago, one thing that has changed for the better in Unity Catalog is that it is now possible to grant Unity a completely read-only configuration via IAM-based S3 bucket policies. While we cannot use S3 Access Points as part of our governance strategy, we can at least grant Unity a fairly limited set of permissions for read-only operations.

Now I can have my esoteric Delta Lake datastores present in Unity without any risk of misconfiguration or error in Unity leading to data corruption!
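As an added example (not code from this post, nor from Databricks or AWS), here is a read-only S3 bucket policy of the shape described above, placed beside the overly broad read-write variant, together with a small check that flags any `Allow` statement granting more than read-only actions. The account id, role name and bucket name are constructed placeholders, and the read-only action allowlist is my assumption of the minimum a read-only external location needs, not a list taken from the post.

```python
import fnmatch
import json

# Constructed placeholders for illustration; not values from the post.
UNITY_ROLE_ARN = "arn:aws:iam::111111111111:role/unity-catalog-read-role"
BUCKET_ARN = "arn:aws:s3:::example-delta-bucket"

# Assumed minimum for a read-only external location: list the bucket,
# look up its region, and fetch objects (and object versions).
READ_ONLY_ACTIONS = {
    "s3:GetObject",
    "s3:GetObjectVersion",
    "s3:ListBucket",
    "s3:GetBucketLocation",
}
_READ_ONLY_LC = {a.lower() for a in READ_ONLY_ACTIONS}

# Representative mutating actions used to expand wildcard patterns such as
# "s3:*" or "s3:Put*"; any pattern matching one of these is treated as a write grant.
KNOWN_WRITE_ACTIONS = {
    "s3:PutObject",
    "s3:PutObjectAcl",
    "s3:DeleteObject",
    "s3:DeleteObjectVersion",
    "s3:AbortMultipartUpload",
    "s3:PutBucketPolicy",
    "s3:DeleteBucket",
}


def bucket_policy(actions):
    """Build a bucket policy granting `actions` on the bucket and its objects to the Unity role."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "UnityCatalogAccess",
                "Effect": "Allow",
                "Principal": {"AWS": UNITY_ROLE_ARN},
                "Action": sorted(actions),
                "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"],
            }
        ],
    }


# The hardened policy: reads only.
READ_ONLY_POLICY = bucket_policy(READ_ONLY_ACTIONS)
# The weak variant: the same statement with object writes and deletes added.
READ_WRITE_POLICY = bucket_policy(READ_ONLY_ACTIONS | {"s3:PutObject", "s3:DeleteObject"})


def _as_list(value):
    """IAM allows a bare string or a list in most policy fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def write_grants(policy):
    """Return (Sid, action) pairs for every Allow statement action that could grant
    more than read-only access. Wildcards are expanded against KNOWN_WRITE_ACTIONS,
    and NotAction statements are flagged whole because they allow everything not listed."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements cannot widen access
        sid = stmt.get("Sid", "<no sid>")
        if "NotAction" in stmt:
            findings.append((sid, "NotAction:" + ",".join(_as_list(stmt["NotAction"]))))
            continue
        for action in _as_list(stmt.get("Action")):
            lowered = action.lower()  # IAM action matching is case-insensitive
            if lowered in _READ_ONLY_LC:
                continue
            if any(ch in action for ch in "*?"):
                if any(fnmatch.fnmatchcase(w.lower(), lowered) for w in KNOWN_WRITE_ACTIONS):
                    findings.append((sid, action))
                continue
            # A non-wildcard action outside the allowlist is flagged as well.
            findings.append((sid, action))
    return findings


def is_read_only(policy):
    """True when no Allow statement in the policy grants anything beyond READ_ONLY_ACTIONS."""
    return not write_grants(policy)


if __name__ == "__main__":
    for name, policy in (("read-only", READ_ONLY_POLICY), ("read-write", READ_WRITE_POLICY)):
        verdict = "OK" if is_read_only(policy) else "FLAGGED"
        print(f"{name}: {verdict} {write_grants(policy)}")
        print(json.dumps(policy, indent=2))
```

The check is deliberately conservative: an unfamiliar action that is not on the allowlist is flagged rather than ignored, and a wildcard is only accepted if it cannot match any known mutating action, which is the behaviour you want from a guard that runs before a policy is applied to a business-critical bucket.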

Governance to a lot of enterprise vendors is about centralization of control, but for me it’s about defense in depth. I never want a business-critical system to be a single misconfiguration away from granting read or write access to the wrong principal.