How do I troubleshoot AWS resource permission errors in Amazon QuickSight?

Last updated: 2019-10-01

When I try to edit Amazon QuickSight permissions to AWS resources, I get one of the following errors. How do I resolve this?

  • "The role used by QuickSight for AWS resource access was modified to an un-recoverable state outside of QuickSight, so you can no longer edit AWS resource permissions in QuickSight."
  • "We were unable to update QuickSight permissions for AWS resources. Either you are not authorized to edit QuickSight permissions on AWS resources, or the QuickSight permissions were changed using the IAM console and are therefore no longer updateable through QuickSight."

Short Description

Amazon QuickSight assumes the service role (aws-quicksight-service-role-v0) to interact with other AWS services. The service role is automatically created when you start using Amazon QuickSight. When Amazon QuickSight is allowed to access an AWS resource, Amazon QuickSight attaches a managed policy to the service role.

These errors usually occur when you edit the Amazon QuickSight permissions to your AWS resources from the AWS Identity and Access Management (IAM) console. Edit Amazon QuickSight permissions to AWS resources only from within Amazon QuickSight.

Resolution

1.     Confirm that your IAM user is an administrator, or has ADMIN access in Amazon QuickSight. For more information, see Managing User Access Inside Amazon QuickSight.

2.     Confirm that your IAM policy allows you to delete and then recreate the Amazon QuickSight service role and the corresponding customer managed policies (AWSQuickSightIAMPolicy, AWSQuickSightS3Policy, AWSQuickSightRDSPolicy, and AWSQuickSightRedshiftPolicy), as shown in the following example.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "iam:GetRole",
                "iam:DetachRolePolicy",
                "iam:DeleteRole",
                "iam:AttachRolePolicy",
                "iam:CreateRole"
            ],
            "Resource": "arn:aws:iam::<Account-id>:role/service-role/aws-quicksight-service-role-v0"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "iam:ListPolicies",
                "iam:GetPolicyVersion",
                "iam:GetRole",
                "iam:GetPolicy",
                "iam:ListPolicyVersions",
                "iam:ListAttachedRolePolicies",
                "iam:GenerateServiceLastAccessedDetails",
                "iam:ListEntitiesForPolicy",
                "iam:ListPoliciesGrantingServiceAccess",
                "iam:ListRoles",
                "iam:GetServiceLastAccessedDetails",
                "iam:ListAccountAliases",
                "iam:ListRolePolicies",
                "s3:ListAllMyBuckets"
            ],
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor2",
            "Effect": "Allow",
            "Action": [
                "iam:DeletePolicy",
                "iam:CreatePolicy",
                "iam:CreatePolicyVersion",
                "iam:DeletePolicyVersion"
            ],
            "Resource": [
                "arn:aws:iam::<Account-id>:policy/service-role/AWSQuickSightIAMPolicy",
                "arn:aws:iam::<Account-id>:policy/service-role/AWSQuickSightRDSPolicy",
                "arn:aws:iam::<Account-id>:policy/service-role/AWSQuickSightS3Policy",
                "arn:aws:iam::<Account-id>:policy/service-role/AWSQuickSightRedshiftPolicy"
            ]
        }
    ]
}

3.     In the IAM console, choose Roles in the left navigation pane.

4.     Search for aws-quicksight-service-role-v0, and then select the check box next to the role name.

5.     Choose Delete role.

6.     Choose Policies in the left navigation pane.

7.     Search for and then delete the following customer managed policies:

  • AWSQuickSightIAMPolicy
  • AWSQuickSightRedshiftPolicy
  • AWSQuickSightS3Policy
  • AWSQuickSightRDSPolicy

Note: Amazon QuickSight uses AWS managed policies, such as AWSQuicksightAthenaAccess, to control access to certain AWS resources. You can't delete AWS managed policies.

8.     Open the Amazon QuickSight console.

9.     To restore Amazon QuickSight access to your AWS services, see Using other AWS Services: Scoping Down Access. When you complete these steps, Amazon QuickSight automatically recreates the service role. These actions then resolve the permission errors.
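
Before deleting anything in steps 3 through 7, the IAM policy from step 2 can be checked offline for gaps. The following is an added example, not AWS code: it tests a policy document against the role and policy permissions listed in step 2. The names allows, missing_permissions, and SAMPLE and the account ID are assumptions made for illustration, and the check is simplified: it reads only Allow statements with Action and Resource, and ignores Deny, Condition, NotAction, permissions boundaries, and service control policies.

```python
import re

ACCOUNT = "111122223333"  # constructed placeholder for <Account-id>
ROLE = f"arn:aws:iam::{ACCOUNT}:role/service-role/aws-quicksight-service-role-v0"
POLICIES = [f"arn:aws:iam::{ACCOUNT}:policy/service-role/{name}" for name in
            ("AWSQuickSightIAMPolicy", "AWSQuickSightS3Policy",
             "AWSQuickSightRDSPolicy", "AWSQuickSightRedshiftPolicy")]
ROLE_ACTIONS = ["iam:GetRole", "iam:DetachRolePolicy", "iam:DeleteRole",
                "iam:AttachRolePolicy", "iam:CreateRole"]
POLICY_ACTIONS = ["iam:DeletePolicy", "iam:CreatePolicy",
                  "iam:CreatePolicyVersion", "iam:DeletePolicyVersion"]

# Constructed sample: an administrator policy that forgot iam:DeletePolicyVersion
SAMPLE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "iam:*Role*", "Resource": ROLE},
    {"Effect": "Allow", "Action": ["iam:DeletePolicy", "iam:CreatePolicy*"],
     "Resource": f"arn:aws:iam::{ACCOUNT}:policy/service-role/AWSQuickSight*"}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _match(pattern, value, flags=0):
    # IAM wildcards: '*' matches any run of characters, '?' exactly one
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value, flags) is not None

def allows(policy, action, resource):
    """True if some Allow statement covers this action on this resource."""
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow" or "Action" not in st or "Resource" not in st:
            continue  # Deny / NotAction / NotResource are not evaluated here
        # Action names are case-insensitive in IAM; ARNs are matched case-sensitively
        if (any(_match(a, action, re.IGNORECASE) for a in _as_list(st["Action"]))
                and any(_match(r, resource) for r in _as_list(st["Resource"]))):
            return True
    return False

def missing_permissions(policy):
    """Return the (action, resource) pairs from step 2 that the policy does not allow."""
    needed = [(a, ROLE) for a in ROLE_ACTIONS]
    needed += [(a, p) for p in POLICIES for a in POLICY_ACTIONS]
    return [(a, r) for a, r in needed if not allows(policy, a, r)]

if __name__ == "__main__":
    for action, resource in missing_permissions(SAMPLE):
        print(f"not allowed: {action} on {resource}")
```

An empty result means that the policy statements cover every action in step 2; it does not account for explicit denies elsewhere in the account.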

