AccessDenied for manifest file in S3


I am trying to create a datasource using Cloudformation. In one account I have both service roles of aws-quicksight-service-role-v0 and aws-quicksight-s3-consumers-role-v0 and there I can create the data source. But in the production account I only have aws-quicksight-service-role-v0 and there I get access denied for the manifest file.
The S3 bucket have bucket policy where I am allowing the service roles to access the bucket. Like s3:GetObject and s3:GetObjectVersion on the files in the folder that has the CSV files.

In CloudTrail where I see the access denied error I can’t see exactly which role QuickSight is using.

Why are my two AWS accounts different in regards to Quicksight service roles? And how can I create a new service role with Cloudformation if that is the solution?

Hi @LucasP - Welcome to AWS QuickSight community and thanks for posting the question. Can you please validate what is the difference between aws-quicksight-service-role-v0 and aws-quicksight-s3-consumers-role-v0 roles in the lower environment. This will give details what extra policy you will require in your prod account.

Regards - Sanjeeb

In our “dev” account the aws-quicksight-service-role-v0 role has:

aws-quicksight-s3-consumers-role-v0 has:
AWSQuicksightAthenaAccess (AWS managed)
AWSQuickSightLambdaPolicy (Customer managed but it only gives lambda:InvokeFunction to some function unrelated to my project)

In our “prod” account the aws-quicksight-service-role-v0 role has:

In “prod” aws-quicksight-s3-consumers-role-v0 is missing.

But what I think is the bucket policy that needs some more settings.
What works in “dev” is:
- arn:aws:iam::1234567890:role/service-role/aws-quicksight-s3-consumers-role-v0
- s3:GetObject
- s3:GetObjectVersion
- !Sub "arn:${AWS::Partition}:s3:::${S3Bucket}/${S3CsvReportPrefix}/*"

So thought I only need to change the principal to

But why has Quicksight created different number of roles?

And which role is it going to use?

An observation: if I remove the account ID from the principal in the bucket policy then it fails in “dev” too.
Observation two: I can remove all customer managed policies for the aws-quicksight-s3-consumers-role-v0 role in “dev” and I still can deploy.

I am convinced that the lack of the service role called aws-quicksight-s3-consumers-role-v0 is the root cause. But how can I create that from CLI or CloudFormation? I don’t have access to the console to manage QuickSight access to AWS services.
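Two things come up repeatedly in this thread: CloudTrail does not make it obvious which QuickSight role was denied, and the bucket policy only names one of the two service roles. The script below is an added example, not code from the thread or from AWS: it pulls the session-issuer role ARN out of AccessDenied S3 records (that is where the assumed role lives in a CloudTrail event), compares those ARNs against the principals in a bucket policy, and produces a corrected policy that also grants the missing role. The account ID 111122223333, the bucket name and the sample events and policy are all constructed placeholders.

```python
import json
from copy import deepcopy

# Constructed sample CloudTrail records (not from the original thread). In an
# AccessDenied event for an assumed role, the role QuickSight used is in
# userIdentity.sessionContext.sessionIssuer.arn, not in userIdentity.arn.
SAMPLE_EVENTS = [
    {
        "eventSource": "s3.amazonaws.com",
        "eventName": "GetObject",
        "errorCode": "AccessDenied",
        "userIdentity": {
            "type": "AssumedRole",
            "arn": "arn:aws:sts::111122223333:assumed-role/aws-quicksight-service-role-v0/quicksight",
            "sessionContext": {
                "sessionIssuer": {
                    "type": "Role",
                    "arn": "arn:aws:iam::111122223333:role/service-role/aws-quicksight-service-role-v0",
                }
            },
        },
        "requestParameters": {"bucketName": "example-reports", "key": "reports/manifest.json"},
    },
    {  # successful read by an IAM user: no errorCode, so it is ignored below
        "eventSource": "s3.amazonaws.com",
        "eventName": "GetObject",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
        "requestParameters": {"bucketName": "example-reports", "key": "reports/a.csv"},
    },
]

# Constructed bucket policy in the shape the thread describes: only the
# s3-consumers role is listed as a principal.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "QuickSightRead",
            "Effect": "Allow",
            "Principal": {
                "AWS": ["arn:aws:iam::111122223333:role/service-role/aws-quicksight-s3-consumers-role-v0"]
            },
            "Action": ["s3:GetObject", "s3:GetObjectVersion"],
            "Resource": "arn:aws:s3:::example-reports/reports/*",
        }
    ],
}


def denied_role_arns(events):
    """Role ARNs (session issuers) behind AccessDenied S3 calls, in first-seen order."""
    found = []
    for ev in events:
        if ev.get("eventSource") != "s3.amazonaws.com" or ev.get("errorCode") != "AccessDenied":
            continue
        issuer = ev.get("userIdentity", {}).get("sessionContext", {}).get("sessionIssuer", {})
        arn = issuer.get("arn")
        if arn and arn not in found:
            found.append(arn)
    return found


def _as_list(value):
    return value if isinstance(value, list) else [value]


def allowed_read_principals(policy):
    """AWS principals of Allow statements that grant s3:GetObject (or a wildcard)."""
    principals = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        if not any(a in ("s3:GetObject", "s3:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            principals.add("*")
            continue
        principals.update(_as_list(principal.get("AWS", [])))
    return principals


def missing_principals(policy, role_arns):
    """Roles seen in CloudTrail that the bucket policy does not grant read access to."""
    allowed = allowed_read_principals(policy)
    if "*" in allowed:
        return []
    return [arn for arn in role_arns if arn not in allowed]


def grant_read(policy, role_arns, sid="QuickSightRead"):
    """Copy of the policy with the roles appended to the principals of statement `sid`."""
    fixed = deepcopy(policy)
    for stmt in fixed["Statement"]:
        if stmt.get("Sid") == sid:
            current = _as_list(stmt["Principal"].get("AWS", []))
            stmt["Principal"]["AWS"] = current + [a for a in role_arns if a not in current]
            return fixed
    raise KeyError(f"no statement with Sid {sid!r}")


if __name__ == "__main__":
    roles = denied_role_arns(SAMPLE_EVENTS)
    print("roles denied in CloudTrail:", roles)
    print("not covered by bucket policy:", missing_principals(SAMPLE_POLICY, roles))
    print(json.dumps(grant_read(SAMPLE_POLICY, roles), indent=2))
```

Against real data, feed `denied_role_arns` the `Records` array of a CloudTrail log file and `missing_principals` the bucket policy as returned by `aws s3api get-bucket-policy`. The full role ARN, including the account ID and the `service-role/` path, is what has to appear in the principal list, which matches the observation in the thread that dropping the account ID breaks the policy in “dev” as well.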