Adding permissions for Lambda access - JSON

I want to trigger refreshes on a DataSet in QuickSight using a Lambda. Both QuickSight and Lambda are in the same account. When I tested it, I faced issues regarding permissions:

User: arn:aws:sts::<Account-Id>:assumed-role/<Lambda-Role-Name>/<Lambda-Name> is not authorized to perform: quicksight:CreateIngestion on resource: arn:aws:quicksight:us-east-1:<Account-Id>:dataset/<Data-Set-Id>/ingestion/<Operation-Id> because no identity-based policy allows the quicksight:CreateIngestion action (Service: AmazonQuickSight; Status Code: 403; Error Code: AccessDeniedException;

Then, I tried setting up permissions for the Lambda. I tried aws quicksight update-data-set-permissions with the following JSON:

{
  "AwsAccountId": "<Account-Id>",
  "DataSetId": "<Data-Set-Id>",
  "GrantPermissions": [{
    "Principal": "arn:aws:iam::<Account-Id>:role/<Lambda-Role-Name>",
    "Actions": [
      "quicksight:CreateIngestion"
    ]
  }]
}

But I keep getting this error:

An error occurred (InvalidParameterValueException) when calling the UpdateDataSetPermissions operation: Invalid principal arn:aws:iam::<Account-Id>:role/<Lambda-Role-Name>; only QuickSight principals are supported at this point.

I tried registering this role as a user, but it also failed:

aws quicksight register-user --identity-type IAM --email email@amazon.com --user-role ADMIN --iam-arn arn:aws:iam::<Account-Id>:role/<Lambda-Role-Name> --aws-account-id <Account-Id> --namespace default

An error occurred (InvalidParameterValueException) when calling the RegisterUser operation: Invalid resource identifiers provided. Please check the documentation.

I was able to register the root user ( arn:aws:iam::<Account-Id>:root ) successfully. But it didn’t solve my problem.

Hello @rafael_rodrigues,

Welcome to QuickSight Community, it is great having you here!

You need to give the permissions to the Lambda Execution role.

This is a lambda I have that is starting a CreateIngestion

The inline policy I use looks like this:

You can find more about how to modify your Lambda Execution role here:

Hope this helps!

Kind regards,
Andres.

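As an added illustration of the answer above (not the policy Andres posted, and not code from the thread), this Python sketch turns an AccessDenied message of the kind quoted in the question into a least-privilege identity-based policy for the Lambda execution role. The sample message, its account id, role, function and dataset names, and the helper `policy_from_denial` are all constructed for the example.

```python
import json
import re

# Constructed sample in the shape of the AccessDenied message quoted in the
# question; every id and name in it is a made-up placeholder.
SAMPLE_ERROR = (
    "User: arn:aws:sts::111122223333:assumed-role/refresh-role/refresh-fn "
    "is not authorized to perform: quicksight:CreateIngestion on resource: "
    "arn:aws:quicksight:us-east-1:111122223333:dataset/example-dataset-id/"
    "ingestion/example-ingestion-id because no identity-based policy allows "
    "the quicksight:CreateIngestion action"
)

DENIED = re.compile(
    r"assumed-role/(?P<role>[^/\s]+)/\S+ is not authorized to perform: "
    r"(?P<action>[\w-]+:\w+) on resource: (?P<resource>arn:\S+)"
)
INGESTION = re.compile(
    r"^(arn:[^:]+:quicksight:[^:]*:\d{12}:dataset/[^/]+/ingestion/)[^/]+$"
)


def policy_from_denial(message):
    """Return (role_name, policy_document) granting only the denied action."""
    m = DENIED.search(message)
    if m is None:
        raise ValueError("not an assumed-role AccessDenied message")
    resource = m["resource"]
    # The ingestion id differs on every refresh, so scope the grant to this one
    # dataset's ingestions rather than to the single id that was denied.
    scoped = INGESTION.match(resource)
    if scoped:
        resource = scoped.group(1) + "*"
    policy = {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": [m["action"]], "Resource": [resource]}
        ],
    }
    return m["role"], policy


if __name__ == "__main__":
    role, doc = policy_from_denial(SAMPLE_ERROR)
    print(role)
    print(json.dumps(doc, indent=2))
```

The printed document can be attached to the execution role as an inline policy, for example with `aws iam put-role-policy`.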

Andres,

Your suggestion worked wonderfully. Thank you very much!

I was initially contemplating that permissions should be granted in QuickSight - from QuickSight to Lambda. It appeared to be a more logical approach to me. However, now it’s clear that, since they are within the same account, I simply needed to add permissions to Lambda to enable it to perform QuickSight actions.

Once again, thanks for your prompt response.

Hello @rafael_rodrigues

My lambda function is facing a timeout issue. The function is running in a VPC and can't access QuickSight.

How have you configured the VPC, Subnets and Security Group of your lambda function?