AccessDeniedException while using the QS APIs

Hi Team,
We are attempting to programmatically download a dashboard from Amazon QuickSight using Python (boto3). However, we are encountering the following error when invoking the StartDashboardSnapshotJob API:

Error:
AccessDeniedException: IdentityStore not found or unauthorized for account. Verify IdentityStore exists and credentials have proper permissions.

We are currently using an IAM role with the following permissions:
“Action”: [
“quicksight:GetDashboardEmbedUrl”,
“s3:*”,
“quicksight:DescribeUser”,
“quicksight:*”,
“identitystore:*”,
“quicksight:ListUsers”,
“glue:*”
],

Additionally, the Paginated Reports (Pixel-perfect reporting) feature has been enabled in our account.
Could anyone please help us understand what needs to be done further.

this is my sample code:

import time
import boto3

session = boto3.Session(profile_name='xxx')
client = session.client('quicksight', region_name='us-east-1')

ACCOUNT_ID = 'xxx'
DASHBOARD_ID = 'xxx'

OUTPUT_S3_BUCKET = 'xxx'
OUTPUT_S3_PREFIX = 'quicksight-exports'
OUTPUT_S3_REGION = 'us-east-1'
snapshot_response = client.start_dashboard_snapshot_job(
    AwsAccountId='xxx',
    DashboardId=DASHBOARD_ID,
    SnapshotJobId=f'snapshot-{int(time.time())}',

    UserConfiguration={
        "AnonymousUsers": [
            {}
        ]
    },

    SnapshotConfiguration={
        "FileGroups": [
            {
                "Files": [
                    {
                        "SheetSelections": [
                            {
                                "SheetId": "xxx",
                                "SelectionScope": "ALL_VISUALS"
                            }
                        ],
                        "FormatType": "PDF"
                    }
                ]
            }
        ],
        "DestinationConfiguration": {
            "S3Destinations": [
                {
                    "BucketConfiguration": {
                        "BucketName": OUTPUT_S3_BUCKET,
                        "BucketPrefix": OUTPUT_S3_PREFIX,
                        "BucketRegion": OUTPUT_S3_REGION
                    }
                }
            ]
        }
    }
)

Hi @samp and welcome back to the Quick Community!

At first glance, I think the error you’re seeing is most likely a region or identity store configuration issue rather than a missing permission. Even with full quicksight:* access, StartDashboardSnapshotJob can fail if QuickSight is unable to resolve the account’s identity store.

First, can you confirm that your QuickSight account is provisioned in us-east-1, as a region mismatch will trigger this error even with otherwise correct permissions. If your account uses IAM Identity Center/SSO, the IAM role making the API call must also be a registered QuickSight user or admin in the correct namespace, as identitystore:* alone is not sufficient. It’s also worth ensuring your UserConfiguration matches your account’s identity setup. For example, if your account is not configured for anonymous/embedded access, using a registered user configuration with the full QuickSight user ARN is the more reliable approach.

From what I can see your IAM permissions look fine otherwise, so the fix may come down to region alignment and how the identity context is being resolved.

Hope this helps!

Hi @samp . Checking in. We have not heard back from you regarding your question. We’d still like to help. If we do not hear back in the next 3 days, we will archive the question.”

Hi @Vaidy Thanks for the insights , the region is us-east-1. we verified it is all correct .

The issue is we are not able to figure out how to configure the account for anonymous/embedded access or using a registered user configuration with the full QuickSight user ARN.
are you aware of any aws documentation that we can use .It would really help us.

Thank you

Here are the key AWS docs that cover both embedding paths:

For Anonymous (Unregistered) Users

For Registered Users (with full User ARN)

A few things to double-check for your setup in us-east-1:

  1. Anonymous embedding — the dashboard ARN must be included in AuthorizedResourceArns when calling GenerateEmbedUrlForAnonymousUser, otherwise you’ll get an InvalidParameterValueException

  2. Registered user embedding (dashboard) — the IAM role must have quicksight:GenerateEmbedUrlForRegisteredUser and the user ARN format is: arn:aws:quicksight:us-east-1:<account-id>:user/<namespace>/<username>

  3. Registered user embedding (chat/Q&A) — use GenerateEmbedUrlForRegisteredUser with the GenerativeQnA experience type. A registered user identity is required. Make sure the user exists in QuickSight (via RegisterUser or federated IAM identity) before generating the embed URL

  4. Account-level setting — ensure “Embed for authenticated users” is enabled under Manage QuickSight → Security & Permissions

Thank you @Ramon_Lopez , we will try that out and update here

Thank you . we were able to work it out.