How to create a QuickSight Account without aws-quicksight-s3-consumers-role-v0?

We have a CDK stack that creates a QuickSight::Dataset and Analysis. It uses aws-quicksight-service-role-v0 to give permissions to Athena and so on.
My colleague tried deploying the same stack but is getting permission errors because in his account there are 2 roles: aws-quicksight-s3-consumers-role-v0 and aws-quicksight-service-role-v0. I know quicksight will use the first one as a priority. How can he clean everything and create an account that is the same as our team’s, with only aws-quicksight-service-role-v0?
We have tried a lot already with no success

Hi,

Regarding what role is used : Authorizing connections to Amazon Athena - Amazon QuickSight
Regarding permission errors : Troubleshoot permission errors in Amazon QuickSight

What did you try and what errors are you still facing ? ( screenshots if any ) .

Kind Regards,
Koushik


Why does QuickSight create both mentioned roles in my colleagues account but in our account it only creates the aws-quicksight-service-role-v0?
How can he recreate his quicksight account so it is consistent?

Hi,

Were you able to perform the steps provided link in troubleshooting permissions errors ?
>>Possibly clearing out the roles. Provide access to those resource through the console as a test so that QuickSight can create them automatically. Then you test CDK deployments.

From QuickSight console : What happens when your colleague tries to create a connection to Athena and then create an analysis ? ( Is this cross-account scenario ? Set up cross-account access from Amazon Quicksight to S3 )

We tried the steps from the link with no success. Also tried deleting roles and quicksight account and recreating quicksight account.

QuickSight is using Athena to access DynamoDB. When querying DynamoDB from Athena console it works, but from quicksight it doesn’t because quicksight is using the wrong role

Hi,

Athena to access DynamoDB would mean you are using Athena Query Federation using the DynamoDB connector ?
If yes and application through Lambda code is deployed. Within the consumers role ( aws-quicksight-s3-consumers-role-v0 ) have you added the lambda:InvokeFunction policy ?

Yes I am using the DynamoDB connector and gave the lambda:InvokeFunction policy to the aws-quicksight-service-role-v0. But that is the problem. QuickSight is behaving inconsistently in that in our accounts this is working because QuickSight only creates and uses quicksight-service-role-v0 but one of my colleagues account creates this quicksight-s3-consumers-role-v0.

We could just add the policy to both roles but we would rather have a consistent setup in all accounts…

@Gunar can you send more details to quicksight-help@amazon.com like the request id, dataset id, the region you run your query and the timestamp you ran the query?