How do I troubleshoot AWS resource permission errors in Amazon QuickSight?

Last updated: 2020-03-02

When I try to edit Amazon QuickSight permissions to AWS resources, I get one of the following errors. How do I resolve this?

  • "The role used by QuickSight for AWS resource access was modified to an un-recoverable state outside of QuickSight, so you can no longer edit AWS resource permissions in QuickSight."
  • "We were unable to update QuickSight permissions for AWS resources. Either you are not authorized to edit QuickSight permissions on AWS resources, or the QuickSight permissions were changed using the IAM console and are therefore no longer updateable through QuickSight."

Short Description

Amazon QuickSight assumes the service role (aws-quicksight-service-role-v0) to interact with other AWS services. The service role is automatically created when you start using QuickSight. When QuickSight is allowed to access an AWS resource, it attaches a managed policy to the service role.

These errors usually occur when you edit the QuickSight permissions to your AWS resources from the AWS Identity and Access Management (IAM) console. To avoid these errors, edit QuickSight permissions to AWS resources only from within the Amazon QuickSight console.


1.    Confirm that your IAM user is an administrator or has ADMIN access in QuickSight. For more information, see Managing User Access Inside Amazon QuickSight.

2.    Confirm that your IAM policy allows you to delete and then recreate the QuickSight service role and the corresponding customer managed policies (AWSQuickSightIAMPolicy, AWSQuickSightS3Policy, AWSQuickSightRDSPolicy, and AWSQuickSightRedshiftPolicy):

    "Version": "2012-10-17",
    "Statement": [
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
            "Resource": "arn:aws:iam::<Account-id>:role/service-role/aws-quicksight-service-role-v0"
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
            "Resource": "*"
            "Sid": "VisualEditor2",
            "Effect": "Allow",
            "Action": [
            "Resource": [

3.    In the IAM console, choose Roles in the left navigation pane.

4.    Search for aws-quicksight-service-role-v0, and then select the check box next to the role name.

5.    Choose Delete role.

6.    Choose Policies in the left navigation pane.

7.    Search for and then delete the following customer managed policies:

  • AWSQuickSightIAMPolicy
  • AWSQuickSightS3Policy
  • AWSQuickSightRDSPolicy
  • AWSQuickSightRedshiftPolicy

Note: QuickSight uses AWS managed policies, such as AWSQuicksightAthenaAccess, to control access to certain AWS resources. You can't delete AWS managed policies.

8.    Open the Amazon QuickSight console.

9.    To restore QuickSight access to your AWS services, see how to enable or disable the AWS services that Amazon QuickSight can access. When you complete these steps, QuickSight automatically recreates the service role. These actions then resolve the permission errors.
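The cleanup in steps 3 through 7, as an added example that is not part of the original article or any AWS tooling: given the output of `aws iam list-attached-role-policies` for the service role, it plans which policies to detach and which to delete, and leaves AWS managed policies in place. Using the AWS CLI instead of the console is an assumption, and the sample response, the account ID and the `team-extra-s3-read` policy are constructed.

```python
import json

ROLE = "aws-quicksight-service-role-v0"
# Customer managed policies named in step 2 of the article.
QS_POLICIES = {"AWSQuickSightIAMPolicy", "AWSQuickSightS3Policy",
               "AWSQuickSightRDSPolicy", "AWSQuickSightRedshiftPolicy"}

# Constructed sample shaped like `aws iam list-attached-role-policies` output.
# The account ID and the team-extra-s3-read policy are made up.
SAMPLE = json.loads("""
{"AttachedPolicies": [
  {"PolicyName": "AWSQuickSightS3Policy",
   "PolicyArn": "arn:aws:iam::111122223333:policy/service-role/AWSQuickSightS3Policy"},
  {"PolicyName": "AWSQuickSightIAMPolicy",
   "PolicyArn": "arn:aws:iam::111122223333:policy/service-role/AWSQuickSightIAMPolicy"},
  {"PolicyName": "AWSQuicksightAthenaAccess",
   "PolicyArn": "arn:aws:iam::aws:policy/service-role/AWSQuicksightAthenaAccess"},
  {"PolicyName": "team-extra-s3-read",
   "PolicyArn": "arn:aws:iam::111122223333:policy/team-extra-s3-read"}
]}
""")

def is_aws_managed(arn):
    """AWS managed policy ARNs carry 'aws' in the account field."""
    parts = arn.split(":")
    return len(parts) == 6 and parts[2] == "iam" and parts[4] == "aws"


def cleanup_plan(attached, role=ROLE):
    """Return (commands in run order, policies that are detached but not deleted)."""
    detach, delete, kept = [], [], []
    for p in attached["AttachedPolicies"]:
        name, arn = p["PolicyName"], p["PolicyArn"]
        # A role cannot be deleted while managed policies are still attached.
        detach.append(f"aws iam detach-role-policy --role-name {role} --policy-arn {arn}")
        if is_aws_managed(arn):
            kept.append((name, "AWS managed, cannot be deleted"))
        elif name in QS_POLICIES:
            # delete-policy fails while non-default versions exist; remove those first.
            delete.append(f"aws iam delete-policy --policy-arn {arn}")
        else:
            kept.append((name, "not one of the four QuickSight policies, left in place"))
    return detach + [f"aws iam delete-role --role-name {role}"] + delete, kept


if __name__ == "__main__":
    commands, kept = cleanup_plan(SAMPLE)
    print("\n".join(commands))
    print("\n".join(f"# kept {n}: {why}" for n, why in kept))
```

Review the printed plan before running any command; a customer managed policy outside the four named ones is detached with the role but not deleted, so it can be reattached deliberately afterwards.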
