How can I be sure that my Amazon Simple Storage Service (Amazon S3) bucket Deny policy allows access from Amazon QuickSight? 

When your S3 bucket has a Deny policy, that policy overrides any S3 permissions that you specify on the Amazon QuickSight console. To allow Amazon QuickSight to access the S3 bucket, you must add the Amazon QuickSight service role (aws-quicksight-service-role-v0) as an exception in your Deny policy. 

1.    Be sure that Amazon QuickSight has permission to access the S3 bucket.

2.    Use the AWS Command Line Interface (AWS CLI) or IAM API to get the unique ID for the aws-quicksight-service-role-v0 role. Example:

aws iam get-role --role-name aws-quicksight-service-role-v0 --query 'Role.RoleId' --output json 

"AROAEXAMPLEID"

The ID is unique to each Amazon QuickSight account. You use the unique ID in step 7.

3.    Open the Amazon S3 console.

4.    Choose the bucket that you want to access with Amazon QuickSight.

5.    Choose the Permissions view.

6.    Choose Bucket Policy.

7.    Enter a bucket policy similar to this example. Replace AROAEXAMPLEID with the unique ID from step 2. If you also want to add an exception for an IAM user, replace AIDAEXAMPLEUSERID with the unique ID of the IAM user. The IAM user policy must also contain an Allow statement for the S3 bucket. For more information, see Example: Allow an IAM user access to one of your buckets.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::examplebucketname",
                "arn:aws:s3:::examplebucketname/*"
            ],
            "Condition": {
                "StringNotLike": {
                    "aws:userid": [
                        "AROAEXAMPLEID:*",
                        "AIDAEXAMPLEUSERID"
                    ]
                }
            }
        }
    ]
}

This Deny policy adds exceptions for the Amazon QuickSight service role and an IAM user.

Note: If you delete the Amazon QuickSight service role, you will be locked out of the bucket. To resolve this problem, log in as the AWS account root user, and then use the delete-bucket-policy command to delete the bucket policy.  
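The following Python script is an added example, not part of the AWS article, that shows why the `AROAEXAMPLEID:*` pattern is needed and gives a preflight check to run before applying the policy. Calls made through an assumed role carry an `aws:userid` of the form `ROLEID:session-name`, so a bare role ID without the `:*` suffix would not match and the Deny would still apply to QuickSight. The script builds the Deny policy from a bucket name and a list of unique IDs, evaluates only the `StringNotLike` / `aws:userid` condition (not the full IAM evaluation logic), and refuses a policy that would lock out the service role, which is the failure mode the note above describes. The IDs `AROAEXAMPLEID`, `AIDAEXAMPLEUSERID` and the session name are constructed sample values.

```python
import json
import re

# Unique IDs for roles start with AROA, for IAM users with AIDA (sample values are constructed)
QUICKSIGHT_ROLE_NAME = "aws-quicksight-service-role-v0"


def build_deny_policy(bucket_name, exempt_userids):
    """Return a bucket policy (as a dict) that denies all s3:* actions except for
    the callers whose aws:userid matches one of exempt_userids.
    Role IDs get a ':*' suffix so that every assumed-role session
    ('ROLEID:session-name') is matched; user IDs are matched literally."""
    patterns = [f"{uid}:*" if uid.startswith("AROA") else uid for uid in exempt_userids]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [
                    f"arn:aws:s3:::{bucket_name}",
                    f"arn:aws:s3:::{bucket_name}/*",
                ],
                "Condition": {"StringNotLike": {"aws:userid": patterns}},
            }
        ],
    }


def _iam_wildcard_to_regex(pattern):
    """IAM string conditions support only '*' (any run of characters) and '?' (one character)."""
    body = "".join(
        ".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern
    )
    return re.compile(f"^{body}$")


def string_not_like(patterns, value):
    """True when the StringNotLike condition holds: value matches none of the patterns."""
    return not any(_iam_wildcard_to_regex(p).match(value) for p in patterns)


def is_denied(policy, userid):
    """Apply the policy's Deny statements to a caller's aws:userid.
    Only the StringNotLike/aws:userid condition is modelled here."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        patterns = stmt.get("Condition", {}).get("StringNotLike", {}).get("aws:userid", [])
        if isinstance(patterns, str):
            patterns = [patterns]
        # A Deny with a satisfied StringNotLike condition applies to this caller
        if string_not_like(patterns, userid):
            return True
    return False


def role_is_exempt(policy, role_id):
    """Preflight check before put-bucket-policy: a session of the given role must
    not be caught by the Deny, otherwise the service is locked out of the bucket."""
    return not is_denied(policy, f"{role_id}:quicksight-session")


if __name__ == "__main__":
    # Constructed sample IDs; in practice take the role ID from `aws iam get-role`
    policy = build_deny_policy("examplebucketname", ["AROAEXAMPLEID", "AIDAEXAMPLEUSERID"])
    if not role_is_exempt(policy, "AROAEXAMPLEID"):
        raise SystemExit(f"policy would lock out {QUICKSIGHT_ROLE_NAME}; not applying")
    print(json.dumps(policy, indent=4))
```

The `role_is_exempt` check is the part worth keeping in a deployment script: run it against the rendered policy document before calling `put-bucket-policy`, and again whenever the QuickSight service role is recreated, because a recreated role receives a new unique ID and the old `AROA...:*` pattern no longer matches it.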



Published: 2018-12-18