Allow QuickSight access to buckets with restrictive policies

When bucket policies restrict access to customer-defined IP ranges or VPCs only, QuickSight cannot reach those buckets through the S3 connector. To enable access for QuickSight, you can exempt just the QuickSight service roles from the IP/VPC check by adding an ArnNotEquals condition to the Deny statement of your S3 bucket policy. A sample Deny statement is given below.

Note -

  1. Make sure you replace all placeholders.
  2. Ensure that the trust relationship of the QuickSight role(s) is granted only to the QuickSight service.
    (Depending on your instance, you might see one or both of these roles in IAM.)
  3. The three actions listed in the statement below are the minimum that QuickSight needs.
    The same bypass principal will work if your policy applies to all S3 actions.
  4. You still need to allow access to the bucket via the QuickSight management panel.
  5. If you are using a custom role for QuickSight, use that role's ARN in the policy instead of the standard QuickSight role ARNs.

Sample bucket policy

{
	"Version": "2012-10-17",
	"Id": "Policy1644867078422",
	"Statement": [
		{
			"Sid": "RestrictAccess",
			"Effect": "Deny",
			"Principal": "*",
			"Action": [
				"s3:ListBucket",
				"s3:GetObject",
				"s3:GetObjectVersion"
			],
			"Resource": [
				"arn:aws:s3:::<Bucket Name>",
				"arn:aws:s3:::<Bucket Name>/*"
			],
			"Condition": {
				"NotIpAddress": {
					"aws:SourceIp": [
						"<Allowed IP Range>"
					]
				},
				"ArnNotEquals": {
					"aws:PrincipalArn": [
						"arn:aws:iam::<Account Number>:role/service-role/aws-quicksight-s3-consumers-role-v0",
						"arn:aws:iam::<Account Number>:role/service-role/aws-quicksight-service-role-v0"
					]
				}
			}
		}
	]
}

How does this work?

For access to be denied, both conditions, NotIpAddress and ArnNotEquals, must evaluate to true, because IAM requires every operator in a statement's Condition block to match before the statement applies. When the QuickSight S3 connector accesses the data, aws:PrincipalArn is one of the two roles listed under ArnNotEquals, so that condition evaluates to false and the request is not denied, whatever the source IP.
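To check the evaluation logic described above before deploying the policy, here is an added Python model of the Deny statement's Condition block (example code, not part of the original page or of QuickSight). It fills the placeholders with constructed values (a hypothetical account number and the 203.0.113.0/24 test range), models only the two operators the policy uses, and relies on IAM ANDing all operators in one Condition block.

```python
import ipaddress

# Constructed values standing in for the page's placeholders (hypothetical account).
ACCOUNT = "123456789012"
ALLOWED_RANGE = "203.0.113.0/24"
QUICKSIGHT_ROLES = [
    f"arn:aws:iam::{ACCOUNT}:role/service-role/aws-quicksight-s3-consumers-role-v0",
    f"arn:aws:iam::{ACCOUNT}:role/service-role/aws-quicksight-service-role-v0",
]

# The Condition block of the page's Deny statement, placeholders filled in.
DENY_CONDITION = {
    "NotIpAddress": {"aws:SourceIp": [ALLOWED_RANGE]},
    "ArnNotEquals": {"aws:PrincipalArn": QUICKSIGHT_ROLES},
}

# Maps each condition key to the field name used in the request context dicts.
CONTEXT_FIELDS = {"aws:SourceIp": "source_ip", "aws:PrincipalArn": "principal_arn"}


def not_ip_address(allowed_cidrs, source_ip):
    """NotIpAddress: satisfied when the caller's IP lies in none of the listed CIDRs."""
    ip = ipaddress.ip_address(source_ip)
    return not any(ip in ipaddress.ip_network(c, strict=False) for c in allowed_cidrs)


def arn_not_equals(arns, principal_arn):
    """ArnNotEquals: satisfied when the principal ARN matches none of the listed ARNs."""
    return principal_arn not in arns


OPERATORS = {"NotIpAddress": not_ip_address, "ArnNotEquals": arn_not_equals}


def deny_applies(condition, request):
    """Return True if the Deny statement matches the request context.

    IAM ANDs all operators in a Condition block, so every operator must be
    satisfied for the Deny to apply. A negated operator whose key is absent
    from the request context counts as satisfied.
    """
    for operator, keys in condition.items():
        for key, values in keys.items():
            ctx_value = request.get(CONTEXT_FIELDS[key])
            if ctx_value is not None and not OPERATORS[operator](values, ctx_value):
                return False  # one operator failed, so the Deny does not apply
    return True
```

Running `deny_applies` over a few request contexts shows the intended outcomes: a QuickSight role from outside the range is not denied, a non-QuickSight principal from outside the range is, and a principal inside the range is not.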

Regards,
Arun Santhosh