Grant S3 Access via CloudFormation

Is it possible via CloudFormation to have QuickSight grant access to an S3 bucket?

If it is not possible via CloudFormation, would the correct method be to create a customer managed policy granting access to the bucket and attach it to the IAM role aws-quicksight-service-role-v0?

I am trying to automate the creation of a solution via CloudFormation. The solution creates an S3 bucket and an Athena table. I also want the reporting via CloudFormation. When I try to create the dataset and tie it to the Athena table, it fails because it needs access to the S3 bucket used by Athena. I am trying to figure out how best to automate access to the S3 bucket.

Hey, are you granting an S3 bucket policy for the IAM role?

```json
{
  "Version": "2012-10-17",
  "Id": "BucketPolicy",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<ACCOUNT_ID>:role/service-role/aws-quicksight-service-role-v0"
      },
      "Action": [
        "s3:ListBucket",
        "s3:GetObject",
        "s3:GetObjectVersion"
      ],
      "Resource": [
        "arn:aws:s3:::bucket",
        "arn:aws:s3:::bucket/*"
      ]
    }
  ]
}
```

Can you try this?


That won’t work. Quicksight manages an IAM role (aws-quicksight-service-role-v0) that is assumed by Quicksight to access S3. In that policy, Quicksight places a customer managed policy called “AWSQuickSightS3Policy”. If you do not select any buckets to permit, the content of the policy looks as follows:

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "NotAction": "*",
            "NotResource": "*"
        }
    ]
}
```

With that policy in place everything is denied.

I used Chrome developer tools to see what API calls are made when granting S3 access manually. What I found is that the GetResourcePermissions API is used to retrieve the current list of resources permitted and then API UpdateResourcePermissions is used to make the changes, the original list plus or minus the resources being allowed or no longer allowed.

The problem with those APIs is that, as far as I can tell, they are undocumented. This would explain why I cannot automate it via CloudFormation. What is additionally challenging is that I could use a CloudFormation custom resource, however Boto3 also does not support the APIs I listed before. So I need to use the requests library and SigV4-sign the requests to QuickSight with the required APIs. This is where I am now getting stuck.

Ignore my previous comment. After testing and re-reading the policy I understand this better. What the policy is actually saying is: deny all actions and resources except all actions and all resources. Effectively the policy is not actually denying anything. Equally, it is not permitting anything. The key thing is that because it is not actually explicitly denying, I can still attach another IAM policy to the IAM role aws-quicksight-service-role-v0 that permits access to the buckets for which I need to automate the permission.

I have tested this and it now works. Thanks.
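To make the reasoning in the last two posts concrete, here is an added example (not code from the thread or from AWS) that does two things: it runs a deliberately simplified IAM evaluation over the `Deny` / `NotAction: "*"` / `NotResource: "*"` policy QuickSight attaches, showing that the statement matches no request and therefore never produces an explicit deny, and it builds the customer managed policy plus the `AWS::IAM::ManagedPolicy` CloudFormation resource that attaches the grant to `aws-quicksight-service-role-v0`. The bucket name `athena-results`, the logical resource name `QuickSightBucketAccess` and the evaluator (which ignores conditions, principals and action case-insensitivity) are assumptions for illustration.

```python
import fnmatch
import json

# Policy QuickSight places on aws-quicksight-service-role-v0 when no bucket is
# selected (as quoted earlier in this thread).
QUICKSIGHT_EMPTY_S3_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "NotAction": "*", "NotResource": "*"}],
}

# A genuinely blocking deny, for contrast (constructed, not from the thread).
EXPLICIT_DENY_ALL = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Action": "*", "Resource": "*"}],
}


def bucket_access_policy(bucket: str) -> dict:
    """Customer managed policy granting read access to one bucket (assumed content)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": ["s3:ListBucket"],
                "Resource": [f"arn:aws:s3:::{bucket}"],
            },
            {
                "Effect": "Allow",
                "Action": ["s3:GetObject", "s3:GetObjectVersion"],
                "Resource": [f"arn:aws:s3:::{bucket}/*"],
            },
        ],
    }


def cloudformation_managed_policy(bucket: str) -> dict:
    """CloudFormation resource attaching the grant to the QuickSight service role.
    The logical name 'QuickSightBucketAccess' is an assumption."""
    return {
        "QuickSightBucketAccess": {
            "Type": "AWS::IAM::ManagedPolicy",
            "Properties": {
                "PolicyDocument": bucket_access_policy(bucket),
                "Roles": ["aws-quicksight-service-role-v0"],
            },
        }
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value: str) -> bool:
    # IAM wildcards ('*', '?') behave like shell globs for this purpose.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def statement_applies(stmt: dict, action: str, resource: str) -> bool:
    """Simplified matching: Action/Resource apply when a pattern matches;
    NotAction/NotResource apply when NO pattern matches. With NotAction "*"
    every action matches "*", so the statement never applies."""
    if "Action" in stmt:
        action_ok = _matches(stmt["Action"], action)
    else:
        action_ok = not _matches(stmt["NotAction"], action)
    if "Resource" in stmt:
        resource_ok = _matches(stmt["Resource"], resource)
    else:
        resource_ok = not _matches(stmt["NotResource"], resource)
    return action_ok and resource_ok


def evaluate(policies, action: str, resource: str) -> str:
    """Explicit deny beats allow; no matching statement is an implicit deny."""
    decision = "implicit_deny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if statement_applies(stmt, action, resource):
                if stmt["Effect"] == "Deny":
                    return "explicit_deny"
                decision = "allow"
    return decision


if __name__ == "__main__":
    both = [QUICKSIGHT_EMPTY_S3_POLICY, bucket_access_policy("athena-results")]
    obj = "arn:aws:s3:::athena-results/query.csv"
    print("QuickSight policy alone:", evaluate([QUICKSIGHT_EMPTY_S3_POLICY], "s3:GetObject", obj))
    print("With the extra Allow:   ", evaluate(both, "s3:GetObject", obj))
    print(json.dumps({"Resources": cloudformation_managed_policy("athena-results")}, indent=2))
```

The evaluation shows why the attached grant works: the QuickSight-managed statement yields only an implicit deny, so an `Allow` from a second attached policy decides the request, whereas a real `Deny` on `Action: "*"` would override that `Allow`. The grant is also scoped so that other buckets and write actions stay implicitly denied.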
