AccessDenied for manifest file in S3

Hi

I am trying to create a datasource using CloudFormation. In one account I have both service roles, aws-quicksight-service-role-v0 and aws-quicksight-s3-consumers-role-v0, and there I can create the data source. But in the production account I only have aws-quicksight-service-role-v0, and there I get access denied for the manifest file.
The S3 bucket has a bucket policy where I am allowing the service roles to access the bucket, like s3:GetObject and s3:GetObjectVersion on the files in the folder that has the CSV files.

In CloudTrail, where I see the access denied error, I can't see exactly which role QuickSight is using.

Why are my two AWS accounts different in regards to QuickSight service roles? And how can I create a new service role with CloudFormation if that is the solution?

Hi @LucasP - Welcome to the AWS QuickSight community and thanks for posting the question. Can you please validate what the difference is between the aws-quicksight-service-role-v0 and aws-quicksight-s3-consumers-role-v0 roles in the lower environment? This will give details on what extra policy you will require in your prod account.

Regards - Sanjeeb

Hi
In our "dev" account the aws-quicksight-service-role-v0 role has:
AWSQuicksightAthenaAccess
AWSQuickSightRDSPolicy
AWSQuickSightSageMakerPolicy

aws-quicksight-s3-consumers-role-v0 has:
AWSQuicksightAthenaAccess (AWS managed)
AWSQuickSightLambdaPolicy (Customer managed but it only gives lambda:InvokeFunction to some function unrelated to my project)

In our "prod" account the aws-quicksight-service-role-v0 role has:
AWSQuicksightAthenaAccess
AWSQuickSightIAMPolicy
AWSQuickSightRDSPolicy
AWSQuickSightRedshiftPolicy

In "prod" aws-quicksight-s3-consumers-role-v0 is missing.

But what I think is that the bucket policy needs some more settings.
What works in "dev" is:
Principal:
AWS:
- arn:aws:iam::1234567890:role/service-role/aws-quicksight-s3-consumers-role-v0
Action:
- s3:GetObject
- s3:GetObjectVersion
Resource:
- !Sub "arn:${AWS::Partition}:s3:::${S3Bucket}/${S3CsvReportPrefix}/*"

So I thought I only need to change the principal to
arn:aws:iam::987654321:role/service-role/aws-quicksight-service-role-v0

But why has QuickSight created a different number of roles?

And which role is it going to use?

An observation: if I remove the account ID from the principal in the bucket policy then it fails in "dev" too.
Observation two: I can remove all customer managed policies for the aws-quicksight-s3-consumers-role-v0 role in "dev" and I still can deploy.
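An added check, not from this thread or from AWS, that evaluates only the bucket-policy leg of the access decision for a policy modelled on the "dev" snippet above: given a role ARN and an object key, does any Allow statement cover it? The bucket name, account ID and key names are constructed placeholders. It shows the two things the thread circles around: a principal that is not listed gets nothing, and an object (such as the manifest) stored outside the CSV prefix is not covered by a `prefix/*` Resource even for the listed role.

```python
import fnmatch

# Constructed sample modelled on the thread's "dev" bucket policy; the account ID
# and bucket name are placeholders, not real values.
BUCKET = "example-report-bucket"
CONSUMERS_ROLE = "arn:aws:iam::111122223333:role/service-role/aws-quicksight-s3-consumers-role-v0"
SERVICE_ROLE = "arn:aws:iam::111122223333:role/service-role/aws-quicksight-service-role-v0"
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": CONSUMERS_ROLE},
        "Action": ["s3:GetObject", "s3:GetObjectVersion"],
        "Resource": f"arn:aws:s3:::{BUCKET}/reports/*",   # ${S3CsvReportPrefix}/* in the template
    }],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _principal_matches(principal, role_arn):
    # Principal is "*" (anyone) or {"AWS": arn | [arns]}; "*" inside "AWS" also means anyone.
    if principal == "*":
        return True
    if not isinstance(principal, dict):
        return False
    return any(p == "*" or p == role_arn for p in _as_list(principal.get("AWS", [])))

def _statement_matches(stmt, role_arn, action, object_arn):
    # IAM wildcards (* and ?) match across "/" just as fnmatch does; case-sensitive on purpose.
    return (_principal_matches(stmt.get("Principal", {}), role_arn)
            and any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt.get("Action", [])))
            and any(fnmatch.fnmatchcase(object_arn, r) for r in _as_list(stmt.get("Resource", []))))

def bucket_policy_allows(policy, bucket, object_key, role_arn, action="s3:GetObject"):
    """Bucket-policy leg only: an explicit Deny wins, otherwise any matching Allow wins.
    Conditions, NotPrincipal/NotAction/NotResource and the role's own identity policy are
    out of scope, so True here is necessary but not sufficient for real access."""
    object_arn = f"arn:aws:s3:::{bucket}/{object_key}"
    matching = [s for s in policy["Statement"] if _statement_matches(s, role_arn, action, object_arn)]
    if any(s["Effect"] == "Deny" for s in matching):
        return False
    return any(s["Effect"] == "Allow" for s in matching)

def audit_keys(policy, bucket, role_arns, object_keys):
    """Map each role to the keys this bucket policy lets it read; the manifest key should appear."""
    return {role: [k for k in object_keys if bucket_policy_allows(policy, bucket, k, role)]
            for role in role_arns}

if __name__ == "__main__":
    keys = ["reports/2024-01.csv", "reports/manifest.json", "manifests/reports.json"]
    for role, ok in audit_keys(BUCKET_POLICY, BUCKET, [CONSUMERS_ROLE, SERVICE_ROLE], keys).items():
        print(role.rsplit("/", 1)[-1], "->", ok)
```

Run it with the manifest key QuickSight is actually given and the role ARN seen in the CloudTrail AccessDenied event's userIdentity; an empty list for that role means the bucket policy, not only the role's identity policy, needs the entry.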

Hi
I am convinced that the lack of the service role called aws-quicksight-s3-consumers-role-v0 is the root cause. But how can I create that from the CLI or CloudFormation? I don't have access to the console to manage QuickSight access to AWS services.

Hello @LucasP and @Sanjeeb2022 !

@LucasP were you able to find a workaround for this issue, or was @Sanjeeb2022's response helpful in finding the solution? If you were able to find a solution, could you post it to help the community?

If you believe that it is the aws-quicksight-s3-consumers-role-v0 and you are lacking permissions, you should be able to have your account's admin/root user grant you the necessary permissions in the console/IAM.

Hello @LucasP and @Sanjeeb2022 !

It has been some time since there was activity on this thread but we would still like to help you find a solution.

If there is no activity on this thread in 4 days, this topic will be archived.