Quick Suite - IAM Identity Center Member Instance Integration Issue

I am attempting to create a Quick Suite instance with an account-level IAM Identity Center instance in the AWS console in us-east-1. I have currently set up an account-level instance that is using Okta. I do have an organizational instance, but that is intended for logging into the console and must remain separate. I have been following this guide ("Manage access to insights with an account instance of AWS IAM Identity Center and Amazon Quick Sight"); however, on the signup page, the IAM Identity Center instance we created within the account does not appear.

See the following image:

I inspected the network tab in the browser and there were several API calls with 403 errors to IAM Identity Center in regions other than us-east-1, where my current IAM IDC is located. Unsure if this is related, but here are the responses:

```json
{
  "Message": "User: arn:aws:sts::XXXXXX:assumed-role/MY_ADMIN_ROLE is not authorized to perform: quicksight:subscribe on resource: arn:aws:quicksight:us-east-2:XXXXXXXX:* with an explicit deny in a service control policy"
}
```

Hi @Sai_Santhosh_Pothapr,

Welcome to the Quick Suite Community! I believe this SCP issue could be occurring because even though you have an IAM account instance, there is probably some clashing for some reason with the organizational instance. I would definitely look at your organizational instance just to make sure all commands like Subscribe are enabled for linked accounts.

If the issue is still not apparent after doing so, I cannot specifically help with account-based issues so I would definitely recommend creating a support ticket with AWS Support, as they may be able to provide more account-based help!


Hi @Sai_Santhosh_Pothapr

The screenshot indicates that your IAM Identity Center is attempting to connect at the organization level.

If you have enabled it at the account level, you’ll need to add the following additional permissions in order to proceed.

You need to add the policy below to the user you are using to create QuickSight.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Statement1",
      "Effect": "Allow",
      "Action": [
        "quicksight:*",
        "iam:ListAttachedRolePolicies",
        "iam:GetPolicy",
        "iam:CreatePolicyVersion",
        "iam:DeletePolicyVersion",
        "iam:GetPolicyVersion",
        "iam:ListPolicyVersions",
        "iam:DeleteRole",
        "iam:CreateRole",
        "iam:GetRole",
        "iam:ListRoles",
        "iam:CreatePolicy",
        "iam:ListEntitiesForPolicy",
        "iam:ListPolicies",
        "s3:ListAllMyBuckets",
        "athena:ListDataCatalogs",
        "athena:GetDataCatalog",
        "sso:DescribeApplication",
        "sso:DescribeInstance",
        "sso:CreateApplication",
        "sso:PutApplicationAuthenticationMethod",
        "sso:PutApplicationGrant",
        "sso:DeleteApplication",
        "sso:SearchGroups",
        "sso:GetProfile",
        "sso:CreateApplicationAssignment",
        "sso:DeleteApplicationAssignment",
        "sso:ListInstances",
        "sso:DescribeRegisteredRegions",
        "organizations:DescribeOrganization"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
```

Once the correct permissions are applied, clicking on IAM Identity Center will display the expected screen, instead of the error you are currently encountering.

Hope this helps

  • Jagdish
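The two replies above make two separate points: the 403 in the question comes from an explicit deny in a service control policy, which wins over any Allow in the identity policy, and the signup flow also needs the listed identity-policy permissions. The following added example (it is not code from this thread, from AWS, or from any AWS tool) models that ordering with a minimal IAM-style evaluator: explicit deny in any layer first, then the SCP must allow, then the identity policy must allow. The identity policy is reduced from the statement in the answer above; the SCP (`FullAWSAccess` plus a region-restriction deny) and the account id `123456789012` are constructed for illustration, and only the `StringEquals`/`StringNotEquals` condition operators are implemented.

```python
import fnmatch

# Identity-based policy, reduced from the statement in the answer above
# (wildcards written out in full: "quicksight:*" and Resource "*").
IDENTITY_POLICY = {
    "Statement": [{
        "Sid": "Statement1",
        "Effect": "Allow",
        "Action": ["quicksight:*", "iam:CreateRole", "sso:ListInstances",
                   "sso:DescribeInstance", "sso:CreateApplication",
                   "sso:DescribeRegisteredRegions",
                   "organizations:DescribeOrganization"],
        "Resource": ["*"],
    }]
}

# Constructed SCP (assumption, not the asker's real SCP): the default
# FullAWSAccess allow plus a deny of QuickSight outside us-east-1, the kind of
# statement that produces "explicit deny in a service control policy".
EXAMPLE_SCP = {
    "Statement": [
        {"Sid": "FullAWSAccess", "Effect": "Allow",
         "Action": ["*"], "Resource": ["*"]},
        {"Sid": "DenyQuickSightOutsideHomeRegion", "Effect": "Deny",
         "Action": ["quicksight:*"], "Resource": ["*"],
         "Condition": {"StringNotEquals": {"aws:RequestedRegion": "us-east-1"}}},
    ]
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # IAM action names match case-insensitively; "*" and "?" are wildcards.
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))


def _condition_holds(condition, context):
    # Only the two string operators this example needs; a missing key is treated
    # as an absent value, which fails StringEquals and passes StringNotEquals.
    for operator, pairs in (condition or {}).items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "StringEquals" and actual not in _as_list(expected):
                return False
            if operator == "StringNotEquals" and actual in _as_list(expected):
                return False
    return True


def _applies(stmt, action, resource, context):
    return (_matches(stmt.get("Action", []), action)
            and _matches(stmt.get("Resource", []), resource)
            and _condition_holds(stmt.get("Condition"), context))


def evaluate(identity_policy, scp, action, resource, context):
    """Return (decision, reason): explicit deny anywhere wins, then the SCP
    must allow, then the identity policy must allow."""
    layers = (("service control policy", scp), ("identity policy", identity_policy))
    for name, policy in layers:
        for stmt in policy.get("Statement", []):
            if stmt.get("Effect") == "Deny" and _applies(stmt, action, resource, context):
                return "deny", f"explicit deny in {name} (Sid {stmt.get('Sid', '?')})"
    for name, policy in layers:
        if not any(s.get("Effect") == "Allow" and _applies(s, action, resource, context)
                   for s in policy.get("Statement", [])):
            return "deny", f"no matching allow in {name}"
    return "allow", "allowed by identity policy and not denied by SCP"


# A few of the actions the signup flow exercises, taken from the answer above.
SIGNUP_ACTIONS = ["quicksight:subscribe", "sso:ListInstances", "sso:DescribeInstance",
                  "sso:CreateApplication", "iam:CreateRole"]


def denied_actions(identity_policy, scp, actions, region):
    """Actions that would be denied when called in `region`; an empty list means
    the principal has what it needs there."""
    context = {"aws:RequestedRegion": region}
    resource = f"arn:aws:quicksight:{region}:123456789012:*"  # constructed account id
    return [a for a in actions
            if evaluate(identity_policy, scp, a, resource, context)[0] == "deny"]


if __name__ == "__main__":
    for region in ("us-east-1", "us-east-2"):
        print(region, denied_actions(IDENTITY_POLICY, EXAMPLE_SCP, SIGNUP_ACTIONS, region))
```

Run as a script, this reports no denied actions in us-east-1 but `quicksight:subscribe` denied in us-east-2, reproducing the shape of the error in the question: adding `quicksight:*` to the identity policy cannot help there, because the deny lives in the organization's SCP and has to be fixed (or scoped) at that layer, which is the first reply's point. Replace the constructed SCP with the real one from your management account to check which regions the signup page's cross-region calls will be rejected in.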