cloudera-labs / cloudera.exe

cloudera.exe -- an Ansible collection enabling runlevel management of CDP Public Cloud deployments as well as numerous utilities for deployments.

Missing Log Location Base access policy in IDBroker Role

anuragpatro opened this issue

As per Minimal setup for cloud storage, the IDBROKER_ROLE requires two policies:

  • aws-cdp-idbroker-assume-role-policy
  • aws-cdp-log-policy

The current cloudera-deploy AWS setup here shows that the IDBroker_role only has the IDBroker Assume Role Policy and is lacking the CDP Log policy, hence failing validations in cdpctl, specifically describing the actions under the aws-cdp-log-policy.

  • IdBroker role has the necessary S3 logs location actions. ❌
  • IdBroker role has the necessary S3 bucket actions. ❌