How do I troubleshoot AWS resource permission errors in Amazon QuickSight?

Last updated: 2020-09-18

When I try to edit Amazon QuickSight permissions to AWS resources, I get an error. How do I resolve this?

Short description

When you edit Amazon QuickSight permissions, you might encounter one of the following errors:

"The role used by QuickSight for AWS resource access was modified to an un-recoverable state outside of QuickSight, so you can no longer edit AWS resource permissions in QuickSight."
"We were unable to update QuickSight permissions for AWS resources. Either you are not authorized to edit QuickSight permissions on AWS resources, or the QuickSight permissions were changed using the IAM console and are therefore no longer updateable through QuickSight."

These errors occur when you edit the QuickSight permissions to your AWS resources from the AWS Identity and Access Management (IAM) console. To resolve these errors, remove the aws-quicksight-service-role-v0 service role that QuickSight assumes when interacting with other AWS services. Additionally, remove the managed policy that QuickSight attaches to the aws-quicksight-service-role-v0 service role.

Note: It's a best practice to edit QuickSight permissions to AWS resources from within the Amazon QuickSight console instead.

Resolution

If you encounter permissions errors when QuickSight tries to access AWS resources, perform the following steps:

Note: If you've already deleted the IAM role and policies from the IAM console, then skip to step 8.

1.    Confirm that your IAM user is an administrator or has ADMIN access in QuickSight. For more information, see Managing user access inside Amazon QuickSight.

2.    Confirm that your IAM policy allows you to delete and then recreate the QuickSight service role and the corresponding customer managed policies (AWSQuickSightIAMPolicy, AWSQuickSightS3Policy, AWSQuickSightRDSPolicy, and AWSQuickSightRedshiftPolicy):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "iam:GetRole",
                "iam:DetachRolePolicy",
                "iam:DeleteRole",
                "iam:AttachRolePolicy",
                "iam:CreateRole"
            ],
            "Resource": "arn:aws:iam::<Account-id>:role/service-role/aws-quicksight-service-role-v0"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "iam:ListPolicies",
                "iam:GetPolicyVersion",
                "iam:GetRole",
                "iam:GetPolicy",
                "iam:ListPolicyVersions",
                "iam:ListAttachedRolePolicies",
                "iam:GenerateServiceLastAccessedDetails",
                "iam:ListEntitiesForPolicy",
                "iam:ListPoliciesGrantingServiceAccess",
                "iam:ListRoles",
                "iam:GetServiceLastAccessedDetails",
                "iam:ListAccountAliases",
                "iam:ListRolePolicies",
                "s3:ListAllMyBuckets"
            ],
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor2",
            "Effect": "Allow",
            "Action": [
                "iam:DeletePolicy",
                "iam:CreatePolicy",
                "iam:CreatePolicyVersion",
                "iam:DeletePolicyVersion"
            ],
            "Resource": [
                "arn:aws:iam::<Account-id>:policy/service-role/AWSQuickSightIAMPolicy",
                "arn:aws:iam::<Account-id>:policy/service-role/AWSQuickSightRDSPolicy",
                "arn:aws:iam::<Account-id>:policy/service-role/AWSQuickSightS3Policy",
                "arn:aws:iam::<Account-id>:policy/service-role/AWSQuickSightRedshiftPolicy"
            ]
        }
    ]
}

3.    In the IAM console, choose Roles in the left navigation pane.

4.    Search for aws-quicksight-service-role-v0, and then select the check box next to the role name. This service role is automatically created when you use QuickSight.

5.    Choose Delete role.

6.    Choose Policies in the left navigation pane.

7.    Search for, and then delete the following customer managed IAM policies:
AWSQuickSightIAMPolicy
AWSQuickSightRedshiftPolicy
AWSQuickSightS3Policy
AWSQuickSightRDSPolicy

Note: QuickSight uses AWS managed policies when it is allowed to access an AWS resource. For example, it uses the AWSQuicksightAthenaAccess policy to control access to certain AWS resources. AWS managed policies can't be removed.

8.    Open the Amazon QuickSight console.

9.    Restore QuickSight access to your AWS services. QuickSight will then automatically recreate your service role, resolving any permissions errors. For more information about enabling AWS services that Amazon QuickSight can access, see Using other AWS services: scoping down access.
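The check in step 2 can be scripted before you start deleting anything. The following is an added example, not AWS code: it tests a policy document for the write actions listed in the policy above and flags IAM write actions granted on "*" instead of the QuickSight role and policy ARNs. The account ID, the helper names, and the choice of required actions are assumptions, and the matcher ignores Deny statements, conditions, and permissions boundaries.

```python
import fnmatch

ACCOUNT = "111122223333"  # constructed placeholder account ID
ROLE = f"arn:aws:iam::{ACCOUNT}:role/service-role/aws-quicksight-service-role-v0"
POLICIES = [f"arn:aws:iam::{ACCOUNT}:policy/service-role/{n}" for n in (
    "AWSQuickSightIAMPolicy", "AWSQuickSightRDSPolicy",
    "AWSQuickSightS3Policy", "AWSQuickSightRedshiftPolicy")]
# Write actions taken from the page's policy; treating them as the required set is an assumption.
REQUIRED = [(a, ROLE) for a in ("iam:DeleteRole", "iam:CreateRole",
                                "iam:DetachRolePolicy", "iam:AttachRolePolicy")]
REQUIRED += [(a, p) for p in POLICIES for a in (
    "iam:DeletePolicy", "iam:CreatePolicy",
    "iam:CreatePolicyVersion", "iam:DeletePolicyVersion")]
WRITE_PREFIXES = ("iam:create", "iam:delete", "iam:attach", "iam:detach", "iam:put", "iam:update")

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _allows(stmt, action, resource):
    """True if one Allow statement matches the action and resource (wildcards honoured)."""
    if stmt.get("Effect") != "Allow":
        return False
    acts = _as_list(stmt.get("Action", []))
    ress = _as_list(stmt.get("Resource", []))
    return (any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in acts)
            and any(fnmatch.fnmatchcase(resource, r) for r in ress))

def missing_permissions(policy):
    """Required (action, resource) pairs that no Allow statement covers."""
    stmts = _as_list(policy["Statement"])
    return [(a, r) for a, r in REQUIRED if not any(_allows(s, a, r) for s in stmts)]

def overbroad_writes(policy):
    """IAM write actions allowed on Resource "*" rather than on the QuickSight ARNs."""
    found = []
    for s in _as_list(policy["Statement"]):
        if s.get("Effect") == "Allow" and "*" in _as_list(s.get("Resource", [])):
            found += [a for a in _as_list(s.get("Action", []))
                      if a in ("*", "iam:*") or a.lower().startswith(WRITE_PREFIXES)]
    return found

# Constructed sample: lacks iam:DeleteRole on the role and grants policy writes on "*".
SAMPLE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": ROLE,
     "Action": ["iam:CreateRole", "iam:AttachRolePolicy", "iam:DetachRolePolicy"]},
    {"Effect": "Allow", "Resource": "*", "Action": [
        "iam:CreatePolicy", "iam:DeletePolicy",
        "iam:CreatePolicyVersion", "iam:DeletePolicyVersion"]}]}

if __name__ == "__main__":
    print("missing:", missing_permissions(SAMPLE))
    print("over-broad:", overbroad_writes(SAMPLE))
```

An empty result from both functions means the policy covers the procedure and keeps its write actions scoped to the QuickSight role and its four customer managed policies.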

