Create account subscription from SDK policy

Hey guys,

We’re running a multi-tenant SaaS, so each client has an AWS account.
We use QS to make analytics and reporting, and we could make this work through CDK.

The first step is to call the SDK “CreateAccountSubscription”; we’re calling it through a custom lambda. This works when the lambda policy is

resources: "*",
actions: "*"

But for some reason when we set

resources: "*",
actions: "quicksight:*"

the error is “Not authorised to do this action”, so there is no way of knowing what kind of authorisation it needs to do this creation.
I would prefer not to leave “*” in my policy, so if someone knows exactly what is needed, it would be very much appreciated.

Thanks a lot

Hi @hugob

It is indeed strange that it works on all actions but not on quicksight-specific actions. There appears to be an issue with how permissions are set for the role Lambda is using. Some ideas to help you figure out the issue:

  1. Check the IAM Role Attached to the Lambda Function: Do you have any Actions set to Deny? If you do, they will take precedence. Check for Resource Restrictions: if your IAM policy has resource restrictions, make sure the resources you’re trying to access with QuickSight are included in the policy.

  2. Instead of using quicksight:*, try specifying the exact action that you’re trying to perform. For example, if you’re trying to create a new account subscription, you might need to use quicksight:CreateAccountSubscription.

  3. Use AWS CloudTrail to Identify the Missing Permission: AWS CloudTrail logs every API call made in your AWS account. You can use CloudTrail to identify the exact permission that’s missing. Look for the API call that’s failing and check the error message. The error message should tell you what permission is missing.

  4. Contact AWS Support: If all else fails, you might need to contact AWS Support.

Hope it helps,
GL

Hey @gillepa

Thanks for answering quickly.

1 and 2. I first checked the IAM role again, to be sure of what the lambda could or could not do, and this is the only policy it has:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "quicksight:CreateAccountSubscription",
                "quicksight:DeleteAccountSubscription"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}
  3. I went into CloudTrail to check the log, but sadly it is the same as I had already (and that disappears with *), i.e.
"errorCode": "AccessDenied",
"errorMessage": "You are not authorized to perform this action",

So I am contacting AWS support right now, hoping to have an answer.
If I find a solution, I will reply in this thread.

Thanks

@hugob ,

Creating an account also requires directory services: IAM policy examples for Amazon QuickSight - Amazon QuickSight
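As an added example (not code from this thread, from AWS, or from the CDK project), the following offline script shows why `quicksight:*` was not enough and how to build the narrower policy instead of `*`. It takes the policy hugob posted above and a list of actions the Lambda role needs; that list is an assumption transcribed from the AWS page linked in this reply (the Standard edition "create subscription" example) and should be confirmed against the page. The matcher mimics IAM action matching (case-insensitive, `*` and `?` wildcards, explicit Deny wins) but ignores Condition blocks and NotAction, which the posted policy does not use.

```python
"""Least-privilege check for a Lambda role calling quicksight:CreateAccountSubscription.

Added example for the thread above; not the thread's or AWS's own code.
"""
import fnmatch
import json

# ASSUMPTION: actions the linked AWS page lists for creating a QuickSight
# subscription (Standard edition example). Verify against that page.
REQUIRED_ACTIONS = [
    "quicksight:CreateAccountSubscription",
    "quicksight:Subscribe",
    "ds:AuthorizeApplication",
    "ds:UnauthorizeApplication",
    "ds:CheckAlias",
    "ds:CreateAlias",
    "ds:DescribeDirectories",
    "ds:DescribeTrusts",
    "ds:DeleteDirectory",
    "ds:CreateIdentityPoolDirectory",
    "iam:ListAccountAliases",
]

# Constructed copy of the policy posted in the thread (the one that failed).
POSTED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "quicksight:CreateAccountSubscription",
                "quicksight:DeleteAccountSubscription",
            ],
            "Resource": "*",
            "Effect": "Allow",
        }
    ],
}


def _as_list(value):
    """IAM allows a single string or a list in Action/Resource fields."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def allowed_actions(policy, required):
    """Return the subset of `required` that an Allow statement covers and no
    Deny statement revokes. Matching is case-insensitive with IAM-style
    wildcards. Condition blocks and NotAction are deliberately ignored."""
    allowed, denied = set(), set()
    for stmt in policy.get("Statement", []):
        patterns = [p.lower() for p in _as_list(stmt.get("Action"))]
        bucket = allowed if stmt.get("Effect") == "Allow" else denied
        for action in required:
            if any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns):
                bucket.add(action)
    return allowed - denied  # explicit Deny takes precedence


def missing_actions(policy, required=None):
    """Actions the call needs that this policy does not grant, in doc order."""
    required = list(required or REQUIRED_ACTIONS)
    granted = allowed_actions(policy, required)
    return [a for a in required if a not in granted]


def least_privilege_policy(required=None):
    """Policy document to attach to the Lambda role instead of actions '*'.
    Resource stays '*' as in the thread's own policy."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": list(required or REQUIRED_ACTIONS),
                "Resource": "*",
            }
        ],
    }


if __name__ == "__main__":
    # Reproduces the thread: the posted policy lacks every ds:/iam: action.
    print("missing from posted policy:", missing_actions(POSTED_POLICY))
    print(json.dumps(least_privilege_policy(), indent=4))
```

The script reports that the posted policy (and likewise a `quicksight:*` policy) is missing all of the `ds:` actions plus `iam:ListAccountAliases`, which is why only `actions: "*"` worked and why CloudTrail's generic AccessDenied gave no hint. When CloudTrail is this unhelpful, the IAM policy simulator (`iam:SimulatePrincipalPolicy`, run against the Lambda role's ARN with the candidate action names) evaluates the real policies, conditions included, and names the denied action before anything is changed in production.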

Thanks A LOT @Koushik_Muthanna !

It works now. The error is a bit cryptic; it would be great to have more info.

But anyway, you saved me a lot of time, thank you very much.