Access Denied while restricting CreateUser API Access

Hi All, Need help in figuring out Access Denied issue while limiting access for creating users via Federation/SSO.
Flow of Events: First Time User → Clicks on App in Federation/SSO → Assumes a Role(ex: author-role) → Creates User in default Namespace

In the above flow, if the role has quicksight:CreateUser on Resource: "*" it works fine. But when we try to restrict quicksight:CreateUser access to Resource: "arn:aws:quicksight::<YOUR_AWS_ACCOUNTID>:user/${aws:userid}", it fails with Access Denied. No CloudTrail Event is logged for CreateUser when the Access Denied issue occurs.

As per below link we should be able to restrict access for CreateUser, please let me know if it is incorrect and we need Resource * or if there is something missing in the IAM policy.

Reference: IAM policy examples for Amazon QuickSight - Amazon QuickSight
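To see what the two Resource variants above actually allow, here is a simplified model of IAM Resource matching with `${aws:userid}` substitution. This is an added example, not code from the thread or from AWS; the account id, role id, session name and the shapes of the request ARNs are constructed placeholders (what QuickSight really passes as the resource is not shown on this page), and the evaluator ignores conditions and cross-account rules.

```python
import re

# Constructed policies mirroring the two variants from the question.
POLICY_WILDCARD = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "quicksight:CreateUser", "Resource": "*"}],
}
POLICY_RESTRICTED = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "quicksight:CreateUser",
        # Policy variable: expanded from the request context before matching.
        "Resource": "arn:aws:quicksight::123456789012:user/${aws:userid}",
    }],
}

# For a SAML-federated role session aws:userid is "<role-unique-id>:<RoleSessionName>";
# both parts here are constructed placeholders.
SAML_SESSION_CONTEXT = {"aws:userid": "AROAEXAMPLEROLEID:jane.doe@example.com"}


def expand_policy_variables(resource: str, context: dict) -> str:
    """Replace ${key} with the request-context value; unknown keys are left as-is."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: context.get(m.group(1), m.group(0)), resource)


def arn_matches(pattern: str, value: str) -> bool:
    """Whole-string match with IAM's '*' (any run) and '?' (one char) wildcards."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value) is not None


def is_allowed(policy: dict, action: str, resource_arn: str, context: dict) -> bool:
    """Simplified evaluation: an explicit Deny wins, any matching Allow permits,
    and a request that matches no statement is implicitly denied (AccessDenied)."""
    allowed = False
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if not any(arn_matches(a.lower(), action.lower()) for a in actions):
            continue  # action not covered by this statement
        if not any(arn_matches(expand_policy_variables(r, context), resource_arn) for r in resources):
            continue  # resource not covered after variable expansion
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed
```

The restricted policy only permits a request whose resource ARN ends exactly in the expanded userid; any other ARN shape falls through to implicit deny, which is what an AccessDenied with no matching Allow looks like.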

Hi @shakti ,

Can you provide additional information about the federation type - Web federation (Login with Amazon, Amazon Cognito, Facebook, Google) or SAML federation?

After federating, is the user navigating directly to QuickSight console or using CLI/API to create a new user?

Thanks,
Raj

Thanks @rajjaya for checking, federation type is SAML federation and the user is navigated directly to QuickSight Console.

Flow of Events: First Time User → Clicks on App in Federation/SSO → Behind the scenes [Assumes an IAM Role (ex: author-role configured to trust the SAML Federation) → Creates User in QS default Namespace]

Hi @shakti ,

Are you still facing this error?

For SAML federation, we do have a tutorial, Tutorial: Accessing Amazon QuickSight using Okta SSO - Amazon QuickSight, and I see Resource does not require a *. Could you additionally check if the trust relationship is sts:AssumeRoleWithSAML.

If the issue still persists, please open a support ticket - Creating support cases and case management - AWS Support. If your company has someone who manages your AWS account, you might not have direct access to AWS Support and will need to raise an internal ticket to your IT team or whomever manages your AWS account. They should be able to open an AWS Support case on your behalf.

Kind regards,
Koushik

Hi Koushik, Thanks for checking, yes, still facing the issue. Yes, the IAM Role's trust relationship is sts:AssumeRoleWithSAML.
Had opened a case a few weeks back, will update in case there is a resolution.