How do I troubleshoot AWS resource permission errors in Amazon QuickSight?

Last updated: 2022-07-12

When I try to edit Amazon QuickSight permissions to AWS resources, I get an error. How do I resolve this?

Short description

When you edit Amazon QuickSight permissions, you might receive one of the following errors:

"The role used by QuickSight for AWS resource access was modified to an un-recoverable state outside of QuickSight, so you can no longer edit AWS resource permissions in QuickSight."
"We were unable to update QuickSight permissions for AWS resources. Either you are not authorized to edit QuickSight permissions on AWS resources, or the QuickSight permissions were changed using the IAM console and are therefore no longer updateable through QuickSight."
"We cannot update the IAM Role"
"QuickSight has detected unknown policies attached to following roles please detach them and retry"
"Something went wrong For more information see Set IAM policy"

These errors occur when you edit the QuickSight permissions to your AWS resources from the AWS Identity and Access Management (IAM) console.

Note: It's a best practice to edit QuickSight permissions to AWS resources using the Amazon QuickSight console instead of the IAM console.

Resolution

Remove the aws-quicksight-service-role-v0 and aws-quicksight-s3-consumers-role-v0 service roles that QuickSight assumes when interacting with other AWS services. Then, remove the managed policies that QuickSight attaches to the aws-quicksight-service-role-v0 and aws-quicksight-s3-consumers-role-v0 service roles. Finally, restore QuickSight access to your AWS services.

Verify QuickSight and IAM permissions, and then remove the service roles and policies

1.    Follow the instructions to view QuickSight user accounts. Make sure that you have a user with an ADMIN role.

2.    Open the IAM console.

3.    (Optional) If you haven't already done so, follow the instructions for creating an IAM user administrator.

4.    Make sure that your IAM policy allows you to create and delete the QuickSight service roles and policies, similar to the following:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "iam:GetRole",
        "iam:DetachRolePolicy",
        "iam:DeleteRole",
        "iam:AttachRolePolicy",
        "iam:CreateRole"
      ],
      "Resource": [
        "arn:aws:iam::<Account-id>:role/service-role/aws-quicksight-service-role-v0",
        "arn:aws:iam::<Account-id>:role/service-role/aws-quicksight-s3-consumers-role-v0"
      ]
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": [
        "iam:ListPolicies",
        "iam:GetPolicyVersion",
        "iam:GetRole",
        "iam:GetPolicy",
        "iam:ListPolicyVersions",
        "iam:ListAttachedRolePolicies",
        "iam:GenerateServiceLastAccessedDetails",
        "iam:ListEntitiesForPolicy",
        "iam:ListPoliciesGrantingServiceAccess",
        "iam:ListRoles",
        "iam:GetServiceLastAccessedDetails",
        "iam:ListAccountAliases",
        "iam:ListRolePolicies",
        "s3:ListAllMyBuckets"
      ],
      "Resource": "*"
    },
    {
      "Sid": "VisualEditor2",
      "Effect": "Allow",
      "Action": [
        "iam:DeletePolicy",
        "iam:CreatePolicy",
        "iam:CreatePolicyVersion",
        "iam:DeletePolicyVersion"
      ],
      "Resource": [
        "arn:aws:iam::<Account-id>:policy/service-role/AWSQuickSightIAMPolicy",
        "arn:aws:iam::<Account-id>:policy/service-role/AWSQuickSightRDSPolicy",
        "arn:aws:iam::<Account-id>:policy/service-role/AWSQuickSightS3Policy",
        "arn:aws:iam::<Account-id>:policy/service-role/AWSQuickSightRedshiftPolicy",
        "arn:aws:iam::<Account-id>:policy/service-role/AWSQuickSightS3ConsumersPolicy"
      ]
    }
  ]
}

5.    In the navigation pane, choose Roles.

6.    In the role search pane, search for, and then delete the following IAM roles:

aws-quicksight-service-role-v0
aws-quicksight-s3-consumers-role-v0

Note: These service roles are automatically created by QuickSight when you set permissions in QuickSight.

7.    In the navigation pane, choose Policies.

8.    In the policies search pane, search for, and then delete the following customer managed IAM policies:

AWSQuickSightRedshiftPolicy
AWSQuickSightRDSPolicy
AWSQuickSightIAMPolicy
AWSQuickSightS3Policy
AWSQuickSightS3ConsumersPolicy

Note: QuickSight uses AWS managed policies when it is allowed to access an AWS resource. For example, it uses the AWSQuicksightAthenaAccess policy to control access to certain AWS resources. AWS managed policies can't be removed.
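
Steps 5 through 8 can also be done from the AWS CLI. The following script is an added example, not part of the original article or an AWS-provided tool; the function names and the QS_ACCOUNT_ID variable are assumptions made for illustration. It handles the ordering that IAM enforces: policies are detached before a role is deleted, and non-default policy versions are deleted before the policy itself.

```shell
#!/bin/sh
# Added example: CLI form of console steps 5-8. Not AWS's own script.
ROLES="aws-quicksight-service-role-v0 aws-quicksight-s3-consumers-role-v0"
POLICIES="AWSQuickSightRedshiftPolicy AWSQuickSightRDSPolicy AWSQuickSightIAMPolicy
AWSQuickSightS3Policy AWSQuickSightS3ConsumersPolicy"

# IAM will not delete a role that still has policies attached, so detach first.
remove_role() {
  role=$1
  aws iam get-role --role-name "$role" >/dev/null 2>&1 ||
    { echo "skip role $role: get-role failed (missing or no access)"; return 0; }
  for attached in $(aws iam list-attached-role-policies --role-name "$role" \
      --query 'AttachedPolicies[].PolicyArn' --output text); do
    aws iam detach-role-policy --role-name "$role" --policy-arn "$attached"
  done
  # Inline policies need iam:DeleteRolePolicy, which the sample policy in
  # step 4 does not grant, so report them and stop instead of deleting.
  inline=$(aws iam list-role-policies --role-name "$role" \
      --query 'PolicyNames[]' --output text)
  if [ -n "$inline" ]; then
    echo "role $role has inline policies: $inline" >&2
    return 1
  fi
  aws iam delete-role --role-name "$role"
}

# A customer managed policy can be deleted only after its non-default
# versions are gone and it is detached from every identity.
remove_policy() {
  policy_arn="arn:aws:iam::$1:policy/service-role/$2"
  aws iam get-policy --policy-arn "$policy_arn" >/dev/null 2>&1 ||
    { echo "skip policy $2: get-policy failed (missing or no access)"; return 0; }
  for version in $(aws iam list-policy-versions --policy-arn "$policy_arn" \
      --query 'Versions[?!IsDefaultVersion].VersionId' --output text); do
    aws iam delete-policy-version --policy-arn "$policy_arn" --version-id "$version"
  done
  aws iam delete-policy --policy-arn "$policy_arn"
}

# $1 is the 12-digit account ID. Roles go first so the policies are detached.
cleanup_quicksight_iam() {
  for r in $ROLES; do remove_role "$r" || return 1; done
  for p in $POLICIES; do remove_policy "$1" "$p" || return 1; done
}

# Runs only when QS_ACCOUNT_ID (a name assumed for this example) is set.
if [ -n "${QS_ACCOUNT_ID:-}" ]; then cleanup_quicksight_iam "$QS_ACCOUNT_ID"; fi
```

If delete-policy reports that the policy is still attached, use iam list-entities-for-policy to find the remaining identities before retrying.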

Restore QuickSight access to your AWS services

1.    Open the Amazon QuickSight console.

2.    In the navigation bar, choose the user name dropdown list, and then choose Manage QuickSight.

3.    In the navigation pane, choose Security & Permissions.

4.    In QuickSight access to AWS services, choose Manage.

5.    For Allow access and autodiscovery for these resources, choose the AWS services that you want to restore.

6.    Choose Save.

For more information about enabling AWS services that Amazon QuickSight can access, see Using other AWS services: scoping down access.

