Creating a namespace gets permission errors on several "ds" service actions

Trying to create a QuickSight namespace and getting an error:

"CreationStatus": "RETRYABLE_FAILURE",
"IdentityStore": "QUICKSIGHT",
"NamespaceError": {
    "Type": "PERMISSION_DENIED",
    "Message": "You do not have permission to perform ds:CreateIdentityPoolDirectory in your IAM policy. Please ensure that you have ds:AuthorizeApplication, ds:CreateIdentityPoolDirectory, ds:UnauthorizeApplication, ds:DeleteDirectory, ds:DescribeDirectories and try again."
}

I am creating a namespace using a different IAM role (aka role2). The other IAM role (aka role1) that also creates namespaces works just fine. I checked for those particular service/resource “ds:*” permissions but I don’t see these being set: ds:AuthorizeApplication, ds:CreateIdentityPoolDirectory, ds:UnauthorizeApplication, ds:DeleteDirectory, ds:DescribeDirectories.

The difference I see is that role2 does not have these that were in role1:
“ds:Check*”,
“ds:Get*”,
“ds:List*”,
“ds:Verify*”,

So I am not sure if the error message makes sense or is accurate. So what permissions are really needed for creating a QuickSight namespace?

Hi @alltej

If you encounter an error with a “PERMISSION_DENIED” message related to permissions such as ds:CreateIdentityPoolDirectory during namespace creation, it is usually because your IAM role is missing the required permissions.

To successfully create a QuickSight namespace with an IdentityStore type of “QUICKSIGHT”, your IAM role must include the following permissions:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ds:AuthorizeApplication",
                "ds:UnauthorizeApplication",
                "ds:DeleteDirectory",
                "ds:CreateIdentityPoolDirectory",
                "ds:DescribeDirectories",
                "quicksight:CreateNamespace"
            ],
            "Resource": "*"
        }
    ]
}

Please refer to the documentation below; it might be helpful for you.
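One way to check a role's policy document offline for the actions named in that error, as an added example that is not part of this thread and not an AWS tool: it applies IAM's action wildcard matching (case-insensitive, with '*' and '?') to the required actions, using a constructed policy modelled on the ds wildcards quoted in the question. Assumed simplification: only Effect and Action are evaluated (no NotAction, Resource or Condition).

```python
"""Offline check: which ds:*/quicksight actions needed for CreateNamespace does a policy lack?"""
import json
import re

# Actions listed in the PERMISSION_DENIED message from the thread
REQUIRED_ACTIONS = [
    "quicksight:CreateNamespace",
    "ds:AuthorizeApplication",
    "ds:CreateIdentityPoolDirectory",
    "ds:UnauthorizeApplication",
    "ds:DeleteDirectory",
    "ds:DescribeDirectories",
]


def _action_matches(pattern: str, action: str) -> bool:
    """IAM-style action matching: case-insensitive, '*' = any run of chars, '?' = one char."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, action, re.IGNORECASE) is not None


def _as_list(value):
    """IAM allows Statement and Action to be a single string or a list."""
    return value if isinstance(value, list) else [value]


def missing_actions(policy: dict, required=REQUIRED_ACTIONS) -> list:
    """Return the required actions the policy does not Allow (an explicit Deny wins)."""
    allowed, denied = set(), set()
    for stmt in _as_list(policy.get("Statement", [])):
        target = denied if stmt.get("Effect") == "Deny" else allowed
        for pattern in _as_list(stmt.get("Action", [])):
            target.update(a for a in required if _action_matches(pattern, a))
    return [a for a in required if a not in allowed or a in denied]


# Constructed policy modelled on the ds wildcards the question attributes to role1:
# ds:Check*, ds:Get*, ds:List* and ds:Verify* match none of the five ds actions required.
ROLE1_LIKE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "quicksight:*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["ds:Check*", "ds:Get*", "ds:List*", "ds:Verify*"], "Resource": "*"}
  ]
}""")

if __name__ == "__main__":
    for action in missing_actions(ROLE1_LIKE_POLICY):
        print("missing:", action)
```

The authoritative check is the IAM policy simulator (the SimulatePrincipalPolicy API), which also evaluates resources, conditions and any permissions boundary or SCP applied to the role.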

But the other role (role1) I referenced above does not have these either, but it was able to create a namespace.

"ds:AuthorizeApplication",
"ds:UnauthorizeApplication",
"ds:DeleteDirectory",
"ds:CreateIdentityPoolDirectory",
"ds:DescribeDirectories",

I think at minimum it should just be CreateNamespace, and if it needs others that are outside of QuickSight, that should be handled internally? Like the “ds” action permissions should not be something I have to worry about. Just a thought.

Hi @alltej

We understand that, ideally, all QuickSight-related operations should only require QuickSight-specific permissions such as quicksight:CreateNamespace. In most environments, this is indeed sufficient, and AWS handles any underlying directory or identity resources internally. However, in some cases, you may receive an error message that references additional Directory Service (ds:*) permissions, such as ds:CreateIdentityPoolDirectory and related actions.