Invalid request provided: Resultant state of actions on this resource is not supported

I’ve run into a really peculiar set of constraints. Trying to understand why is this a limitation and if there are any work arounds.

I am getting the following error:

Invalid request provided: Resultant state of actions on this resource is not supported.

Valid states:
[
  "quicksight:DescribeDataSet",
  "quicksight:DescribeDataSetPermissions",
  "quicksight:PassDataSet",
  "quicksight:DescribeIngestion",
  "quicksight:ListIngestions"
]

or

[
  "quicksight:DescribeDataSet",
  "quicksight:DescribeDataSetPermissions",
  "quicksight:PassDataSet",
  "quicksight:DescribeIngestion",
  "quicksight:ListIngestions",
  "quicksight:UpdateDataSet",
  "quicksight:DeleteDataSet",
  "quicksight:CreateIngestion",
  "quicksight:CancelIngestion",
  "quicksight:UpdateDataSetPermissions"
]

I am attempting to create an “almost owner” permission, which is basically everything an owner can do, with the exception of being able to delete the datasets, as we want to manage them as code and I’d like to prevent accidental deletions.

These are the permissions when a group is set as an owner:

  quicksight:ListIngestions
  quicksight:DeleteDataSet
  quicksight:UpdateDataSetPermissions
  quicksight:CancelIngestion
  quicksight:DescribeDataSetPermissions
  quicksight:UpdateDataSet
  quicksight:DescribeDataSet
  quicksight:PassDataSet
  quicksight:DescribeIngestion
  quicksight:CreateIngestion

I am removing the quicksight:DeleteDataSet action:

  quicksight:ListIngestions
- quicksight:DeleteDataSet
  quicksight:UpdateDataSetPermissions
  quicksight:CancelIngestion
  quicksight:DescribeDataSetPermissions
  quicksight:UpdateDataSet
  quicksight:DescribeDataSet
  quicksight:PassDataSet
  quicksight:DescribeIngestion
  quicksight:CreateIngestion

And getting the error above.

I think it’s a really weird limitation and it does not make sense to me as both the end user and as a devops professional.

Why wouldn’t a user be able to refresh a data set, without being able to delete it?

@m0ltar ,

In QuickSight, as we are looking at datasets. An AUTHOR can be an owner or a viewer (QuickSight UI ) .

The owner maps to

"quicksight:DescribeDataSet",
  "quicksight:DescribeDataSetPermissions",
  "quicksight:PassDataSet",
  "quicksight:DescribeIngestion",
  "quicksight:ListIngestions",
  "quicksight:UpdateDataSet",
  "quicksight:DeleteDataSet",
  "quicksight:CreateIngestion",
  "quicksight:CancelIngestion",
  "quicksight:UpdateDataSetPermissions"

The viewer maps to

                "quicksight:DescribeRefreshSchedule",
                "quicksight:ListIngestions",
                "quicksight:DescribeDataSetPermissions",
                "quicksight:ListRefreshSchedules",
                "quicksight:DescribeDataSet",
                "quicksight:PassDataSet",
                "quicksight:DescribeIngestion"

These are the only 2 possible states. You cannot restrict an author from being able to delete datasets if they have the permission of an owner.

I think this could possibly be a feature under custom permissions to further restrict actions of an owner.

Kind regards,
Koushik

1 Like

Hi Koushik, thanks for replying.

This is generally against the point of granular permissions though, no? It’s like the feature is backward.

1 Like

@Koushik_Muthanna We’re having the same issue, I posted over at An error occurred (InvalidParameterValueException) when calling the UpdateDataSetPermissions operation: Resultant state of ResourcePermissions on this resource is not supported. - #4 by d4rkd0s too