How do I allow Amazon QuickSight access to an S3 bucket with a deny policy?

Last updated: 2020-09-18

How can I be sure that my Amazon Simple Storage Service (Amazon S3) bucket policy allows access from Amazon QuickSight?

Short description

When your Amazon S3 bucket uses a Deny policy, that policy overrides any S3 permissions that you specify in the Amazon QuickSight console. To allow Amazon QuickSight to access the S3 bucket, add the Amazon QuickSight service role (aws-quicksight-service-role-v0) as an exception in your Deny policy.

Resolution

1. Be sure that Amazon QuickSight has permission to access the S3 bucket.

2. Use the AWS Command Line Interface (AWS CLI) or AWS Identity and Access Management (IAM) API to get the unique ID for the aws-quicksight-service-role-v0 role. The ID is unique to each Amazon QuickSight account. For example:

aws iam get-role --role-name aws-quicksight-service-role-v0 --query 'Role.RoleId' --output json

"AROAEXAMPLEID"

Note: If you receive an error while running your AWS CLI commands, be sure that you’re using the most recent version of the AWS CLI.

3. Open the Amazon S3 console.

4. Choose the bucket that you want to access with Amazon QuickSight.

5. Choose the Permissions view.

6. Choose Bucket Policy.

7. Enter a bucket policy similar to this example. Replace AROAEXAMPLEID with your unique ID. If you want to add an exception for an IAM user, replace AIDAEXAMPLEUSERID with the unique ID of the IAM user. The IAM user policy must also contain an Allow statement for the S3 bucket. For example:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::examplebucketname",
        "arn:aws:s3:::examplebucketname/*"
      ],
      "Condition": {
        "StringNotLike": {
          "aws:userid": [
            "AROAEXAMPLEID:*",
            "AIDAEXAMPLEUSERID"
          ]
        }
      }
    }
  ]
}

This Deny policy adds exceptions for the Amazon QuickSight service role and an IAM user.

Note: If you delete the Amazon QuickSight service role and the IAM user, you will be locked out of the bucket. To resolve this problem, log in as the AWS account root user, and then use the delete-bucket-policy command to delete the bucket policy.
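The following is an added example, not part of the original article or of any AWS tooling: it generates the Deny policy shown above from a list of role and user IDs and evaluates the StringNotLike condition the way IAM does, so you can confirm offline which aws:userid values stay locked out. The bucket name, IDs and session name are constructed placeholders.

```python
"""Build the article's Deny-with-exceptions bucket policy and check which
aws:userid values it locks out. Added illustration with constructed IDs."""
import json
import re


def build_deny_policy(bucket, role_ids, user_ids):
    """Return the Deny policy as a dict.

    role_ids: RoleId values (AROA...). Each gets a ':*' suffix because a
              role session's aws:userid is '<RoleId>:<session-name>'.
    user_ids: IAM user unique IDs (AIDA...). These must match exactly.
    """
    exceptions = [f"{rid}:*" for rid in role_ids] + list(user_ids)
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
            "Condition": {"StringNotLike": {"aws:userid": exceptions}},
        }],
    }


def _like(value, pattern):
    """IAM string-condition wildcard match: '*' = any run, '?' = one char."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value) is not None


def is_denied(policy, userid):
    """True if the Deny statement applies to this aws:userid.

    StringNotLike is satisfied when the value matches none of the listed
    patterns, so a principal is denied unless at least one pattern matches.
    """
    patterns = policy["Statement"][0]["Condition"]["StringNotLike"]["aws:userid"]
    return not any(_like(userid, p) for p in patterns)


if __name__ == "__main__":
    policy = build_deny_policy("examplebucketname",
                               ["AROAEXAMPLEID"], ["AIDAEXAMPLEUSERID"])
    print(json.dumps(policy, indent=2))
    # Role session keeps access only because of the ':*' suffix.
    for uid in ("AROAEXAMPLEID:quicksight-session", "AIDAEXAMPLEUSERID",
                "AIDAOTHERUSER", "AROAEXAMPLEID", "123456789012"):
        print(f"{uid:35} denied={is_denied(policy, uid)}")
```

Note that the bare role ID without the `:*` suffix is denied, which is the mistake to check for when QuickSight still cannot read the bucket; the account ID (the root user's aws:userid) is also denied, which is why recovery means deleting the policy rather than reading through it.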
