Missing permissions for S3 data source

Hello,

I’m new to QuickSight (QS) and I am trying to understand what is necessary on a configuration/permission level in order to enable QS to read data via an S3 data source. (I am using QuickSight Enterprise Edition.)

I have created a non-public S3 bucket with SSE-S3 encryption (let’s say “qs-data”). In that bucket I have placed a JSON file “data.json” and a manifest JSON file pointing to that data.json.

When I now try to create a new S3 data source in QS and I upload that manifest file via the “New S3 data source” dialog in QS, I get the following error message after clicking on “Connect”:

“QuickSight doesn’t have permissions to access that database. Follow the instructions at Managing Amazon QuickSight Permissions to AWS Resources to grant QuickSight permissions to that Amazon database.”

(I read through the instructions referenced in the above error message but was still unable to resolve the issue.)

Is there a way to get more details on that error message such as technical logs that show what action was attempted by which service/user that led to this error message?

Besides that, even after reading through the available QS documentation on permissions and data sources, I am still not sure on which side(s) I’d need to tweak the permissions settings:

  • The above mentioned S3 bucket “qs-data” was manually created and has no IAM policy attached to it. Do I need to explicitly add permissions in the S3 bucket configuration which would allow QS to access that bucket? If so, what are those permissions? (Haven’t found those in the documentation.)

  • In QS, when I go into the “Manage QuickSight” section and there into the “Security & permissions” sub-section, I see that for “QuickSight access to AWS services”, “S3” is not listed below “Access granted to services”. However, “IAM” is listed there.

Does “S3” need to be listed there as well in order to enable QS to access an S3 bucket as a data source or is it sufficient that “IAM” is listed here so that the necessary permissions can be configured via IAM? If the latter is true, what IAM configuration would need to be done on QS side (compared to what may be needed on S3 side in the configuration of my “qs-data” bucket)?

Thanks for any help on this,
Kaspar

Hi @Kaspar,

Yes. You need to manage S3 permission. You have to select the bucket you need.

BG
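
An offline check related to the answer above, added here as an example and not part of any post in this thread or of QuickSight itself: it tests whether an IAM policy document would let a role list the bucket and read the object. The required action set, the sample policies and the function names are assumptions; `qs-data` and `data.json` are the names from the question.

```python
import re

# Assumption (not stated in the thread): reading an S3 data source needs at
# least these actions, on the bucket and on the object respectively.
REQUIRED = {
    "s3:ListBucket": "arn:aws:s3:::{bucket}",
    "s3:GetObject": "arn:aws:s3:::{bucket}/{key}",
}
UNSUPPORTED = {"Condition", "NotAction", "NotResource"}  # not evaluated here

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _wild(pattern, value, flags=0):
    """IAM-style match: '*' is any run of characters, '?' is one character."""
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value, flags | re.DOTALL) is not None

def missing_access(policy, bucket, key):
    """Return the required actions the policy fails to grant on bucket/key."""
    missing = []
    for action, template in REQUIRED.items():
        arn = template.format(bucket=bucket, key=key)
        effects = {
            st["Effect"]
            for st in _as_list(policy["Statement"])
            if not (st.keys() & UNSUPPORTED)
            # Action names are case-insensitive, resource ARNs are not.
            and any(_wild(a, action, re.IGNORECASE) for a in _as_list(st["Action"]))
            and any(_wild(r, arn) for r in _as_list(st["Resource"]))
        }
        # An explicit Deny wins; with no matching Allow the default is deny.
        if "Deny" in effects or "Allow" not in effects:
            missing.append(action)
    return missing

# Constructed sample policies (not taken from a real account).
OTHER_BUCKET = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": "arn:aws:s3:::other-bucket"},
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::other-bucket/*"}]}
QS_DATA = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::qs-data"},
    {"Effect": "Allow", "Action": ["s3:Get*"], "Resource": ["arn:aws:s3:::qs-data/*"]}]}

if __name__ == "__main__":
    for name, pol in (("other-bucket only", OTHER_BUCKET), ("qs-data selected", QS_DATA)):
        print(name, "->", missing_access(pol, "qs-data", "data.json") or "ok")
```

Statements that use `Condition`, `NotAction` or `NotResource` are skipped rather than evaluated, so a result of "ok" only covers the plain Allow/Deny statements.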

Hi @ErikG,

Thanks for the confirmation! In that case I will have to contact our company tech support since although being a QS admin I don’t have the permission to add AWS services to that list. But now I know at least that this is mandatory to connect to S3.

Thanks,
Kaspar