I figured it out. I needed this role with these actions:
// Execution role for the Lambda that manages QuickSight. Only the Lambda
// service principal may assume it, and the AWS-managed
// AWSLambdaBasicExecutionRole policy is attached to it.
const basicExecutionPolicy = ManagedPolicy.fromManagedPolicyArn(
  this,
  "quicksight-AWSLambdaBasicExecutionRole",
  "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
);
const lambdaServicePrincipal = new ServicePrincipal("lambda.amazonaws.com");

const quicksightLambdaRole = new Role(this, "quicksightLambdaRole", {
  managedPolicies: [basicExecutionPolicy],
  assumedBy: lambdaServicePrincipal,
});
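// Inline policy for the QuickSight-management Lambda role.
//
// NOTE(review): every action below is allowed on resources: ["*"]. Together
// with iam:CreateRole, iam:CreatePolicy, iam:CreatePolicyVersion and
// iam:AttachRolePolicy, this lets any code running under the role change the
// permissions of any role in the account, its own included. That makes the
// role effectively administrator-equivalent. Before using this outside a
// sandbox:
//   - move the IAM write actions into their own statement, scoped to the
//     specific role/policy ARNs the Lambda manages, e.g.
//     arn:aws:iam::<ACCOUNT_ID>:role/<QUICKSIGHT_SERVICE_ROLE> (placeholder);
//   - consider a permissions boundary on this role;
//   - replace "quicksight:*" with the actions the Lambda actually calls;
//   - confirm the destructive actions (iam:DeleteRole, ds:DeleteDirectory,
//     sso:DeleteManagedApplicationInstance) are needed. CloudTrail or
//     IAM Access Analyzer can show which actions are actually used.
//
// The action set matches the original answer, minus two repeated
// "sso:GetManagedApplicationInstance" entries. Order does not matter to IAM.
quicksightLambdaRole.addToPolicy(
  new PolicyStatement({
    resources: ["*"],
    effect: Effect.ALLOW,
    actions: [
      // QuickSight: full wildcard (see note above).
      "quicksight:*",

      // IAM write actions: the privilege-escalation-sensitive part.
      "iam:AttachRolePolicy",
      "iam:DetachRolePolicy",
      "iam:CreatePolicyVersion",
      "iam:DeletePolicyVersion",
      "iam:DeleteRole",
      "iam:CreateRole",
      "iam:CreatePolicy",

      // IAM read-only actions.
      "iam:ListAttachedRolePolicies",
      "iam:GetPolicy",
      "iam:GetPolicyVersion",
      "iam:ListPolicyVersions",
      "iam:GetRole",
      "iam:ListRoles",
      "iam:ListEntitiesForPolicy",
      "iam:listPolicies",
      "iam:ListAccountAliases",

      // Data-source discovery.
      "s3:ListAllMyBuckets",
      "athena:ListDataCatalogs",
      "athena:GetDataCatalog",

      // IAM Identity Center (SSO) application and profile management.
      "sso:GetManagedApplicationInstance",
      "sso:CreateManagedApplicationInstance",
      "sso:DeleteManagedApplicationInstance",
      "sso:SearchGroups",
      "sso:GetProfile",
      "sso:AssociateProfile",
      "sso:DisassociateProfile",
      "sso:ListProfiles",
      "sso:ListDirectoryAssociations",
      "sso:DescribeRegisteredRegions",

      // Directory Service.
      "ds:AuthorizeApplication",
      "ds:UnauthorizeApplication",
      "ds:CheckAlias",
      "ds:CreateAlias",
      "ds:DescribeDirectories",
      "ds:DescribeTrusts",
      "ds:DeleteDirectory",
      "ds:CreateIdentityPoolDirectory",
    ],
  })
);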