Hi all, I need help figuring out an Access Denied issue while limiting access for creating users via Federation/SSO.
Flow of Events: First Time User → Clicks on App in Federation/SSO → Assumes a Role(ex: author-role) → Creates User in default Namespace
In the above flow, if the role has quicksight:CreateUser on Resource: "*" it works fine. But when we try to restrict quicksight:CreateUser access to Resource: "arn:aws:quicksight::<YOUR_AWS_ACCOUNTID>:user/${aws:userid}", it fails with Access Denied. No CloudTrail event is logged for CreateUser when the Access Denied issue occurs.
As per the link below, we should be able to restrict access for CreateUser. Please let me know if that is incorrect and we need Resource "*", or if there is something missing in the IAM policy.
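The two Resource settings described above, written out as an added IAM identity policy for illustration (this is not the original poster's policy and not taken from AWS documentation; the account id is a placeholder exactly as in the post). The thread reports that the first statement, with Resource "*", works, and that narrowing the same action to the user ARN with the aws:userid policy variable is what produces Access Denied; the policy below shows that narrowed form, with the only difference from the working variant being the Resource element.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CreateQuickSightUserRestrictedToCaller",
      "Effect": "Allow",
      "Action": "quicksight:CreateUser",
      "Resource": "arn:aws:quicksight::<YOUR_AWS_ACCOUNTID>:user/${aws:userid}"
    }
  ]
}
```

The thread does not establish why this form is denied. One thing worth checking when diagnosing it, from a least-privilege standpoint: for a session created with sts:AssumeRoleWithSAML, the aws:userid variable expands to the role's unique id followed by a colon and the SAML session name (role-id:session-name), so the ARN the policy actually evaluates against should be compared with the user ARN QuickSight records for the same federated user when the wildcard statement is in place (visible in the CloudTrail CreateUser event for the working configuration). A mismatch between those two strings would explain an Access Denied without any change to the action itself, but that is a diagnostic step to confirm, not a conclusion the thread supports.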
Can you provide additional information about the federation type - Web federation (Login with Amazon, Amazon Cognito, Facebook, Google) or SAML federation?
After federating, is the user navigating directly to QuickSight console or using CLI/API to create a new user?
Thanks @rajjaya for checking. The federation type is SAML federation, and the user is navigated directly to the QuickSight Console.
Flow of Events: First Time User → Clicks on App in Federation/SSO → Behind the scenes [Assumes an IAM Role (ex: author-role, configured to trust the SAML Federation) → Creates User in QS default Namespace]
If the issue still persists, please open a support ticket - Creating support cases and case management - AWS Support. If your company has someone who manages your AWS account, you might not have direct access to AWS Support and will need to raise an internal ticket to your IT team or whoever manages your AWS account. They should be able to open an AWS Support case on your behalf.
Hi Koushik, thanks for checking. Yes, we are still facing the issue. Yes, the IAM Role's trust relationship is sts:AssumeRoleWithSAML.
I had opened a case a few weeks back and will update in case there is a resolution.