How do I troubleshoot AWS resource permission errors in Amazon QuickSight?

Last updated: September 18, 2020

I received an error when I tried to edit Amazon QuickSight's permissions to AWS resources. How do I resolve this?

Short description

When you edit Amazon QuickSight permissions, you might encounter one of the following errors:

"The role used by QuickSight for AWS resource access was modified to an un-recoverable state outside of QuickSight, so you can no longer edit AWS resource permissions in QuickSight."
"We were unable to update QuickSight permissions for AWS resources. Either you are not authorized to edit QuickSight permissions on AWS resources, or the QuickSight permissions were changed using the IAM console and are therefore no longer updateable through QuickSight."

These errors occur when you edit QuickSight's permissions to your AWS resources from the AWS Identity and Access Management (IAM) console instead of from QuickSight. To resolve them, you must remove the aws-quicksight-service-role-v0 service role that QuickSight assumes when it interacts with other AWS services. You must also remove the managed policies that QuickSight attached to the aws-quicksight-service-role-v0 service role.

Note: As a best practice, use the Amazon QuickSight console, not the IAM console, to edit QuickSight's permissions to AWS resources.

Resolution

If you get a permissions error when QuickSight tries to access AWS resources, follow these steps:

Note: If you already deleted the IAM role and policies from the IAM console, skip to step 8.

1. Confirm that your IAM user is an administrator, or has administrator access in QuickSight. For more information, see Managing user access inside Amazon QuickSight.

2. Confirm that your IAM policy allows you to delete, and then re-create, the QuickSight service role and the corresponding customer managed policies (AWSQuickSightIAMPolicy, AWSQuickSightS3Policy, AWSQuickSightRDSPolicy, and AWSQuickSightRedshiftPolicy). A policy scoped to exactly those resources looks like the following (replace <Account-id> with your AWS account ID):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "iam:GetRole",
                "iam:DetachRolePolicy",
                "iam:DeleteRole",
                "iam:AttachRolePolicy",
                "iam:CreateRole"
            ],
            "Resource": "arn:aws:iam::<Account-id>:role/service-role/aws-quicksight-service-role-v0"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "iam:ListPolicies",
                "iam:GetPolicyVersion",
                "iam:GetRole",
                "iam:GetPolicy",
                "iam:ListPolicyVersions",
                "iam:ListAttachedRolePolicies",
                "iam:GenerateServiceLastAccessedDetails",
                "iam:ListEntitiesForPolicy",
                "iam:ListPoliciesGrantingServiceAccess",
                "iam:ListRoles",
                "iam:GetServiceLastAccessedDetails",
                "iam:ListAccountAliases",
                "iam:ListRolePolicies",
                "s3:ListAllMyBuckets"
            ],
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor2",
            "Effect": "Allow",
            "Action": [
                "iam:DeletePolicy",
                "iam:CreatePolicy",
                "iam:CreatePolicyVersion",
                "iam:DeletePolicyVersion"
            ],
            "Resource": [
                "arn:aws:iam::<Account-id>:policy/service-role/AWSQuickSightIAMPolicy",
                "arn:aws:iam::<Account-id>:policy/service-role/AWSQuickSightRDSPolicy",
                "arn:aws:iam::<Account-id>:policy/service-role/AWSQuickSightS3Policy",
                "arn:aws:iam::<Account-id>:policy/service-role/AWSQuickSightRedshiftPolicy"
            ]
        }
    ]
}

3. In the IAM console, choose Roles in the left navigation pane.

4. Search for aws-quicksight-service-role-v0, and then select the check box next to the role name. This service role is created automatically when you use QuickSight.

5. Choose Delete role.

6. In the left navigation pane, choose Policies.

7. Search for, and then delete, the following customer managed IAM policies:
AWSQuickSightIAMPolicy
AWSQuickSightRedshiftPolicy
AWSQuickSightS3Policy
AWSQuickSightRDSPolicy

Note: When access to AWS resources is allowed, QuickSight also uses AWS managed policies. For example, it uses the AWSQuicksightAthenaAccess policy to control access to certain AWS resources. AWS managed policies can't be deleted, so leave them in place.

8. Open the Amazon QuickSight console.

9. Restore QuickSight's access to AWS services. QuickSight then automatically re-creates your service role, which resolves any permission errors. For more information about enabling the AWS services that Amazon QuickSight can access, see Using other AWS services: scoping down access.
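As an added example (not from this article and not AWS code), the following Python script checks that the step-2 policy, with your account ID substituted for <Account-id>, authorizes every IAM call that steps 3 through 7 make, and that it does not authorize the same delete actions on other roles or policies in the account. It assumes a constructed account ID and a simplified evaluator that ignores Deny statements, NotAction, and Conditions.

```python
# Added example (not from the AWS article): checks that the scoped policy from step 2 authorizes
# the IAM calls steps 3-7 make, and nothing broader. Allow statements and '*'/'?' wildcards
# only; Deny, NotAction and Condition are out of scope (assumption). Account id is a sample.
import fnmatch
import json
ACCOUNT = "123456789012"
ROLE = f"arn:aws:iam::{ACCOUNT}:role/service-role/aws-quicksight-service-role-v0"
POLICIES = [f"arn:aws:iam::{ACCOUNT}:policy/service-role/{n}" for n in (
    "AWSQuickSightIAMPolicy", "AWSQuickSightS3Policy",
    "AWSQuickSightRDSPolicy", "AWSQuickSightRedshiftPolicy")]
# Condensed copy of the article's policy (read-only actions trimmed to the ones used here).
POLICY_JSON = """{"Version": "2012-10-17", "Statement": [
 {"Effect": "Allow", "Action": ["iam:GetRole", "iam:DetachRolePolicy", "iam:DeleteRole",
   "iam:AttachRolePolicy", "iam:CreateRole"],
  "Resource": "arn:aws:iam::<Account-id>:role/service-role/aws-quicksight-service-role-v0"},
 {"Effect": "Allow", "Action": ["iam:ListAttachedRolePolicies", "iam:ListPolicyVersions"],
  "Resource": "*"},
 {"Effect": "Allow", "Action": ["iam:DeletePolicy", "iam:CreatePolicy",
   "iam:CreatePolicyVersion", "iam:DeletePolicyVersion"],
  "Resource": ["arn:aws:iam::<Account-id>:policy/service-role/AWSQuickSightIAMPolicy",
   "arn:aws:iam::<Account-id>:policy/service-role/AWSQuickSightRDSPolicy",
   "arn:aws:iam::<Account-id>:policy/service-role/AWSQuickSightS3Policy",
   "arn:aws:iam::<Account-id>:policy/service-role/AWSQuickSightRedshiftPolicy"]}]}"""

def load_policy(doc: str, account_id: str) -> dict:
    """Substitute <Account-id> as you would before pasting the policy into IAM."""
    return json.loads(doc.replace("<Account-id>", account_id))

def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """True if some Allow statement matches the action (case-insensitive) and the resource."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        acts = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        res = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in acts) and \
                any(fnmatch.fnmatchcase(resource, r) for r in res):
            return True
    return False

def cleanup_calls(role_arn: str, policy_arns: list) -> list:
    """(action, resource) pairs behind steps 3-7: detach/delete the role, then the policies."""
    calls = [("iam:ListAttachedRolePolicies", role_arn), ("iam:DetachRolePolicy", role_arn),
             ("iam:DeleteRole", role_arn)]
    for arn in policy_arns:
        calls += [("iam:ListPolicyVersions", arn), ("iam:DeletePolicyVersion", arn),
                  ("iam:DeletePolicy", arn)]
    return calls

def missing_permissions(policy: dict, calls: list) -> list:
    """Calls the policy would not authorize; an empty list means the cleanup can proceed."""
    return [c for c in calls if not is_allowed(policy, *c)]
```

Run `missing_permissions(load_policy(POLICY_JSON, ACCOUNT), cleanup_calls(ROLE, POLICIES))` against your own account ID before starting step 3; any entry it returns is a call that would fail with an authorization error mid-procedure.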
