如何排查 Amazon QuickSight 中的 AWS 资源权限错误?

上次更新日期:2022 年 11 月 8 日

我尝试编辑 Amazon QuickSight 对 AWS 资源的权限时,收到一个错误。如何解决此问题?

简短描述

编辑 Amazon QuickSight 权限时,您可能会收到下面的某种错误:

"The role used by QuickSight for AWS resource access was modified to an un-recoverable state outside of QuickSight, so you can no longer edit AWS resource permissions in QuickSight."
"We were unable to update QuickSight permissions for AWS resources. Either you are not authorized to edit QuickSight permissions on AWS resources, or the QuickSight permissions were changed using the IAM console and are therefore no longer updateable through QuickSight."
"We cannot update the IAM Role"
"QuickSight has detected unknown policies attached to following roles please detach them and retry"
"Something went wrong For more information see Set IAM policy"

当您从 AWS Identity and Access Management (IAM) 控制台编辑 QuickSight 对您的 AWS 资源的权限时,将会发生这些错误。

注意:最佳做法是使用 Amazon QuickSight 控制台而不是 IAM 控制台编辑 AWS 资源的 QuickSight 权限。

解决方法

移除 aws-quicksight-service-role-v0aws-quicksight-s3-consumers-role-v0 服务角色,QuickSight 在与其他 AWS 服务交互时将承担这些服务角色。然后,移除 QuickSight 连接到 aws-quicksight-service-role-v0aws-quicksight-s3-consumers-role-v0 服务角色的托管策略。最后,恢复 QuickSight 对 AWS 服务的访问。

重要提示:在开始之前,请确保您已备份 IAM 策略,然后再将其删除。该备份可以帮助您引用您之前有权访问的任何 Amazon Simple Storage Service (Amazon S3) 账户资源。

验证 IAM QuickSight 和 IAM 权限,然后移除服务角色和策略

1.    按照说明查看 QuickSight 用户账户。请确保您有一个具有 ADMIN 角色的用户。

2.    打开 IAM 控制台

3.    (可选)如果您尚未这样做,请按照创建 IAM 用户管理员的说明进行操作。

4.    确保您的 IAM policy 允许您创建和删除 QuickSight 服务和角色,如下所示:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "iam:GetRole",
        "iam:DetachRolePolicy",
        "iam:DeleteRole",
        "iam:AttachRolePolicy",
        "iam:CreateRole"
      ],
      "Resource":[
         "arn:aws:iam::<Account-id>:role/service-role/aws-quicksight-service-role-v0"
         "arn:aws:iam::<Account-id>:role/service-role/aws-quicksight-s3-consumers-role-v0"
      ]
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": [
        "iam:ListPolicies",
        "iam:GetPolicyVersion",
        "iam:GetRole",
        "iam:GetPolicy",
        "iam:ListPolicyVersions",
        "iam:ListAttachedRolePolicies",
        "iam:GenerateServiceLastAccessedDetails",
        "iam:ListEntitiesForPolicy",
        "iam:ListPoliciesGrantingServiceAccess",
        "iam:ListRoles",
        "iam:GetServiceLastAccessedDetails",
        "iam:ListAccountAliases",
        "iam:ListRolePolicies",
        "s3:ListAllMyBuckets"
      ],
      "Resource": "*"
    },
    {
      "Sid": "VisualEditor2",
      "Effect": "Allow",
      "Action": [
        "iam:DeletePolicy",
        "iam:CreatePolicy",
        "iam:CreatePolicyVersion",
        "iam:DeletePolicyVersion"
      ],
      "Resource": [
        "arn:aws:iam::<Account-id>:policy/service-role/AWSQuickSightIAMPolicy",
        "arn:aws:iam::<Account-id>:policy/service-role/AWSQuickSightRDSPolicy",
        "arn:aws:iam::<Account-id>:policy/service-role/AWSQuickSightS3Policy",
        "arn:aws:iam::<Account-id>:policy/service-role/AWSQuickSightRedshiftPolicy"
        "arn:aws:iam::<Account-id>:policy/service-role/AWSQuickSightS3ConsumersPolicy"
      ]
    }
  ]
}

5.    在导航窗格中,选择 Roles(角色)。

6.    在角色搜索窗格中,搜索以下 IAM 角色,然后将其删除:

aws-quicksight-service-role-v0 aws-quicksight-s3-consumers-role-v0

注意:当您在 QuickSight 中设置权限时,QuickSight 会自动创建这些服务角色。

7.    在导航窗格中,选择策略

8.    在策略搜索窗格中,搜索并删除如下客户托管的 IAM 策略

AWSQuickSightRedshiftPolicy AWSQuickSightRDSPolicy AWSQuickSightIAMPolicy AWSQuickSightS3Policy AWSQuickSightS3ConsumersPolicy

注意:如果允许访问 AWS 资源,QuickSight 将使用 AWS 托管策略。例如,它使用 AWSQuicksightAthenaAccess 策略来控制对某些 AWS 资源的访问。无法移除 AWS 托管策略。

恢复 QuickSight 对 AWS 服务的访问

1.    打开 Amazon QuickSight 控制台

2.    在导航栏中,选择用户名下拉列表,然后选择管理 QuickSight

3.    在导航窗格中,选择安全与权限

4.    在 AWS 服务的 QuickSight 访问权限中,选择管理

5.    对于允许访问和自动发现这些资源,请选择要还原的 AWS 服务。

6.    选择保存

有关启用 Amazon QuickSight 可以访问的 AWS 服务的更多信息,请参阅使用其他 AWS 服务:缩小访问范围


这篇文章对您有帮助吗?


您是否需要账单或技术支持?