Hi Team,
We are attempting to programmatically download a dashboard from Amazon QuickSight using Python (boto3). However, we are encountering the following error when invoking the StartDashboardSnapshotJob API:
Error:
AccessDeniedException: IdentityStore not found or unauthorized for account. Verify IdentityStore exists and credentials have proper permissions.
We are currently using an IAM role with the following permissions:
“Action”: [
“quicksight:GetDashboardEmbedUrl”,
“s3:*”,
“quicksight:DescribeUser”,
“quicksight:*”,
“identitystore:*”,
“quicksight:ListUsers”,
“glue:*”
],
Additionally, the Paginated Reports (Pixel-perfect reporting) feature has been enabled in our account.
Could anyone please help us understand what needs to be done further.
At first glance, I think the error you’re seeing is most likely a region or identity store configuration issue rather than a missing permission. Even with full quicksight:* access, StartDashboardSnapshotJob can fail if QuickSight is unable to resolve the account’s identity store.
First, can you confirm that your QuickSight account is provisioned in us-east-1, as a region mismatch will trigger this error even with otherwise correct permissions. If your account uses IAM Identity Center/SSO, the IAM role making the API call must also be a registered QuickSight user or admin in the correct namespace, as identitystore:* alone is not sufficient. It’s also worth ensuring your UserConfiguration matches your account’s identity setup. For example, if your account is not configured for anonymous/embedded access, using a registered user configuration with the full QuickSight user ARN is the more reliable approach.
From what I can see your IAM permissions look fine otherwise, so the fix may come down to region alignment and how the identity context is being resolved.
Hi @samp . Checking in. We have not heard back from you regarding your question. We’d still like to help. If we do not hear back in the next 3 days, we will archive the question.”
Hi @Vaidy Thanks for the insights , the region is us-east-1. we verified it is all correct .
The issue is we are not able to figure out how to configure the account for anonymous/embedded access or using a registered user configuration with the full QuickSight user ARN.
are you aware of any aws documentation that we can use .It would really help us.
A few things to double-check for your setup in us-east-1:
Anonymous embedding — the dashboard ARN must be included in AuthorizedResourceArns when calling GenerateEmbedUrlForAnonymousUser, otherwise you’ll get an InvalidParameterValueException
Registered user embedding (dashboard) — the IAM role must have quicksight:GenerateEmbedUrlForRegisteredUser and the user ARN format is: arn:aws:quicksight:us-east-1:<account-id>:user/<namespace>/<username>
Registered user embedding (chat/Q&A) — use GenerateEmbedUrlForRegisteredUser with the GenerativeQnA experience type. A registered user identity is required. Make sure the user exists in QuickSight (via RegisterUser or federated IAM identity) before generating the embed URL
Account-level setting — ensure “Embed for authenticated users” is enabled under Manage QuickSight → Security & Permissions