AccessDeniedException while using the QS APIs

Hi Team,
We are attempting to programmatically download a dashboard from Amazon QuickSight using Python (boto3). However, we are encountering the following error when invoking the StartDashboardSnapshotJob API:

Error:
AccessDeniedException: IdentityStore not found or unauthorized for account. Verify IdentityStore exists and credentials have proper permissions.

We are currently using an IAM role with the following permissions:
"Action": [
    "quicksight:GetDashboardEmbedUrl",
    "s3:*",
    "quicksight:DescribeUser",
    "quicksight:*",
    "identitystore:*",
    "quicksight:ListUsers",
    "glue:*"
],

Additionally, the Paginated Reports (Pixel-perfect reporting) feature has been enabled in our account.
Could anyone please help us understand what needs to be done further?

This is my sample code:

import time
import boto3

session = boto3.Session(profile_name='xxx')
client = session.client('quicksight', region_name='us-east-1')

ACCOUNT_ID = 'xxx'
DASHBOARD_ID = 'xxx'

OUTPUT_S3_BUCKET = 'xxx'
OUTPUT_S3_PREFIX = 'quicksight-exports'
OUTPUT_S3_REGION = 'us-east-1'
snapshot_response = client.start_dashboard_snapshot_job(
    AwsAccountId=ACCOUNT_ID,
    DashboardId=DASHBOARD_ID,
    SnapshotJobId=f'snapshot-{int(time.time())}',

    UserConfiguration={
        "AnonymousUsers": [
            {}
        ]
    },

    SnapshotConfiguration={
        "FileGroups": [
            {
                "Files": [
                    {
                        "SheetSelections": [
                            {
                                "SheetId": "xxx",
                                "SelectionScope": "ALL_VISUALS"
                            }
                        ],
                        "FormatType": "PDF"
                    }
                ]
            }
        ],
        "DestinationConfiguration": {
            "S3Destinations": [
                {
                    "BucketConfiguration": {
                        "BucketName": OUTPUT_S3_BUCKET,
                        "BucketPrefix": OUTPUT_S3_PREFIX,
                        "BucketRegion": OUTPUT_S3_REGION
                    }
                }
            ]
        }
    }
)

Hi @samp and welcome back to the Quick Community!

At first glance, I think the error you’re seeing is most likely a region or identity store configuration issue rather than a missing permission. Even with full quicksight:* access, StartDashboardSnapshotJob can fail if QuickSight is unable to resolve the account’s identity store.

First, can you confirm that your QuickSight account is provisioned in us-east-1? A region mismatch will trigger this error even with otherwise correct permissions. If your account uses IAM Identity Center/SSO, the IAM role making the API call must also be a registered QuickSight user or admin in the correct namespace, as identitystore:* alone is not sufficient. It’s also worth ensuring your UserConfiguration matches your account’s identity setup. For example, if your account is not configured for anonymous/embedded access, using a registered user configuration with the full QuickSight user ARN is the more reliable approach.

From what I can see your IAM permissions look fine otherwise, so the fix may come down to region alignment and how the identity context is being resolved.

Hope this helps!
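
One way to check the registered-user point from the reply above before calling StartDashboardSnapshotJob, as an added example that is not code from the thread or from AWS. The helper names `quicksight_user_name` and `preflight` are hypothetical, and the ARN-to-user-name mapping assumes an IAM-federated QuickSight user in the `default` namespace.

```python
# Added example: is the calling IAM principal a registered QuickSight user?

def quicksight_user_name(caller_arn):
    """Derive the QuickSight user name that corresponds to an STS caller ARN."""
    resource = caller_arn.split(":", 5)[5]
    kind, _, rest = resource.partition("/")
    if kind == "assumed-role":
        return rest                      # QuickSight uses "RoleName/SessionName"
    if kind == "user":
        return rest.rsplit("/", 1)[-1]   # IAM user name without its path
    raise ValueError(f"unsupported principal type: {kind}")


def preflight(qs, sts, account_id, namespace="default"):
    """Return a report dict; qs and sts are boto3 'quicksight' and 'sts' clients."""
    arn = sts.get_caller_identity()["Arn"]
    report = {"caller_arn": arn, "user_name": quicksight_user_name(arn),
              "registered": False, "quicksight_arn": None, "role": None}
    info = qs.describe_account_subscription(AwsAccountId=account_id)["AccountInfo"]
    report["authentication_type"] = info.get("AuthenticationType")
    try:
        user = qs.describe_user(AwsAccountId=account_id, Namespace=namespace,
                                UserName=report["user_name"])["User"]
    except Exception as exc:
        # botocore ClientError carries the service error code in exc.response
        code = getattr(exc, "response", {}).get("Error", {}).get("Code")
        if code != "ResourceNotFoundException":
            raise                        # a different failure: surface it unchanged
        return report                    # caller is not registered in this namespace
    report.update(registered=True, quicksight_arn=user["Arn"], role=user["Role"])
    return report


if __name__ == "__main__":
    import boto3  # imported here so the helpers above stay importable offline
    session = boto3.Session(profile_name="xxx")   # placeholder, as in the question
    qs = session.client("quicksight", region_name="us-east-1")
    print(preflight(qs, session.client("sts"), account_id="xxx"))
```

A report with `registered` set to `False` means the role has IAM permissions but no QuickSight user in that namespace, which is the case the reply describes.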

Hi @samp. Checking in. We have not heard back from you regarding your question. We’d still like to help. If we do not hear back in the next 3 days, we will archive the question.