How to create a QuickSight Account without aws-quicksight-s3-consumers-role-v0?

We have a CDK stack that creates a QuickSight::Dataset and Analysis. It uses aws-quicksight-service-role-v0 to give permissions to Athena and so on.
My colleague tried deploying the same stack but is getting permission errors because in his account there are 2 roles: aws-quicksight-s3-consumers-role-v0 and aws-quicksight-service-role-v0. I know QuickSight will use the first one as a priority. How can he clean everything and create an account that is the same as our team’s, with only aws-quicksight-service-role-v0?
We have tried a lot already with no success.

Hi,

Regarding what role is used: Authorizing connections to Amazon Athena - Amazon QuickSight
Regarding permission errors: Troubleshoot permission errors in Amazon QuickSight

What did you try and what errors are you still facing? (Screenshots, if any.)

Kind Regards,
Koushik


Why does QuickSight create both mentioned roles in my colleague's account but in our account it only creates the aws-quicksight-service-role-v0?
How can he recreate his QuickSight account so it is consistent?

Hi,

Were you able to perform the steps in the provided link on troubleshooting permission errors?
>> Possibly clearing out the roles. Provide access to those resources through the console as a test so that QuickSight can create them automatically. Then you test CDK deployments.

From the QuickSight console: What happens when your colleague tries to create a connection to Athena and then create an analysis? (Is this a cross-account scenario? Set up cross-account access from Amazon QuickSight to S3)

We tried the steps from the link with no success. Also tried deleting roles and the QuickSight account and recreating the QuickSight account.

QuickSight is using Athena to access DynamoDB. When querying DynamoDB from the Athena console it works, but from QuickSight it doesn’t because QuickSight is using the wrong role.

Hi,

Athena to access DynamoDB would mean you are using Athena Query Federation using the DynamoDB connector?
If yes, and the application is deployed through Lambda code: within the consumers role (aws-quicksight-s3-consumers-role-v0), have you added the lambda:InvokeFunction policy?

Yes, I am using the DynamoDB connector and gave the lambda:InvokeFunction policy to the aws-quicksight-service-role-v0. But that is the problem. QuickSight is behaving inconsistently in that in our accounts this is working because QuickSight only creates and uses quicksight-service-role-v0, but one of my colleagues' accounts creates this quicksight-s3-consumers-role-v0.

We could just add the policy to both roles but we would rather have a consistent setup in all accounts…

Thank you for letting us know. I would recommend filing a case with AWS Support where we can dive into the details so that we can help you further. Here are the steps to open a support case. If your company has someone who manages your AWS account, you might not have direct access to AWS Support and will need to raise an internal ticket to your IT team or whoever manages your AWS account. They should be able to open an AWS Support case on your behalf. Hope this helps!
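
Added example (not from the thread or from AWS): a Python check over exported IAM policy documents that reports which QuickSight role an account would use for Athena, assuming the precedence described in the thread, and whether that role allows lambda:InvokeFunction. The account names, the `policy` helper and the policy documents are constructed, and the evaluation ignores Resource, Condition and NotAction.

```python
import fnmatch

# Role names from the thread; precedence as described there (consumers role first).
CONSUMERS_ROLE = "aws-quicksight-s3-consumers-role-v0"
SERVICE_ROLE = "aws-quicksight-service-role-v0"
REQUIRED_ACTION = "lambda:InvokeFunction"  # needed for the Athena DynamoDB connector

def as_list(value):
    return value if isinstance(value, list) else [value]

def allows(policy_docs, action):
    """Simplified IAM check: an Allow matches the action and no Deny does.
    Resource, Condition and NotAction are ignored (assumption of this example)."""
    allowed = False
    for doc in policy_docs:
        for stmt in as_list(doc.get("Statement", [])):
            patterns = as_list(stmt.get("Action", []))
            hit = any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)
            if hit and stmt.get("Effect") == "Deny":
                return False
            allowed = allowed or (hit and stmt.get("Effect") == "Allow")
    return allowed

def effective_role(roles):
    """Return the role name QuickSight would pick, or None if neither exists."""
    for name in (CONSUMERS_ROLE, SERVICE_ROLE):
        if name in roles:
            return name
    return None

def audit(roles):
    """Return (role in use, whether it allows REQUIRED_ACTION)."""
    role = effective_role(roles)
    return role, role is not None and allows(roles[role], REQUIRED_ACTION)

def policy(*actions):
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": list(actions), "Resource": "*"}]}

# Constructed sample data: role name -> policy documents attached to that role.
ACCOUNTS = {
    "team": {SERVICE_ROLE: [policy("athena:*", "lambda:InvokeFunction")]},
    "colleague": {
        CONSUMERS_ROLE: [policy("s3:GetObject", "athena:*")],
        SERVICE_ROLE: [policy("athena:*", "lambda:InvokeFunction")],
    },
}

if __name__ == "__main__":
    for account, roles in ACCOUNTS.items():
        role, ok = audit(roles)
        print(f"{account}: uses {role}; {REQUIRED_ACTION} allowed: {ok}")
```

Running the same check against every account before a CDK deployment shows the drift the thread describes: the permission exists, but on a role that is not the one in use.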