Thank you for explaining the situation. I can understand the frustration caused when attaching additional policies to the QuickSight IAM role results in errors.
There might be a workaround to allow accessing cross-account KMS keys from QuickSight without modifying the QuickSight role directly:
- Create a new IAM role in your account that has the permissions to access the cross-account KMS key. Attach the customer's key policy to this role.
- Create an IAM user in your account and assign the newly created IAM role to this user.
- Use this IAM user's access key and secret to authenticate to QuickSight as a data source. When connecting to data sources like Amazon Redshift, you can specify IAM credentials to use for authentication.
- The queries made by QuickSight using this data source will now use the IAM role with access to the cross-account KMS key.
This allows QuickSight to access the required key without modifying the QuickSight managed role directly. The key thing is to authenticate to data sources using an IAM user with the appropriate role rather than using the QuickSight role.
Let me know if this helps resolve the issue!
If yes, please go ahead and mark this as a solution.
Thank you!
GL
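As an added illustration of the role-based setup described in the answer above (this is not code from the original post or from AWS), the two policy documents involved are shown below as constructed examples, with a small review helper that a defender can run over them before approving the cross-account grant. All account IDs, key IDs and role names are placeholders; the check assumes the customer's key policy names your role as a principal and your role's identity policy is scoped to that one key.

```python
# Constructed example: the customer's KMS key policy (in the key's own account)
# grants your role, in your account, the actions QuickSight queries need.
KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowQuickSightDataSourceRole",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111111111111:role/quicksight-kms-reader"},
        "Action": ["kms:Decrypt", "kms:DescribeKey"],
        "Resource": "*",
    }],
}

# Constructed example: identity policy attached to that role in your account,
# scoped to the single customer key instead of "*".
KEY_ARN = "arn:aws:kms:us-east-1:222222222222:key/PLACEHOLDER-KEY-ID"
ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["kms:Decrypt", "kms:DescribeKey"],
        "Resource": KEY_ARN,
    }],
}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def cross_account_grants(key_policy, key_account):
    """Map each principal outside key_account to the KMS actions it is allowed."""
    grants = {}
    for stmt in key_policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        arns = principal.get("AWS", []) if isinstance(principal, dict) else principal
        for p in _as_list(arns):
            # "*" is an anonymous grant; any ARN whose account field differs is foreign
            if p == "*" or p.split(":")[4] != key_account:
                grants.setdefault(p, set()).update(_as_list(stmt["Action"]))
    return grants

def review(key_policy, role_policy, key_account, key_arn):
    """Return findings a reviewer would raise before approving this setup."""
    findings = []
    for principal, actions in cross_account_grants(key_policy, key_account).items():
        if any(a in ("kms:*", "*") for a in actions):
            findings.append(f"{principal}: wildcard KMS actions")
        if principal == "*" or principal.endswith(":root"):
            findings.append(f"{principal}: grants a whole account, not one role")
    for stmt in role_policy["Statement"]:
        if key_arn not in _as_list(stmt.get("Resource", [])):
            findings.append("role policy is not scoped to the customer key")
    return findings
```

`review(KEY_POLICY, ROLE_POLICY, "222222222222", KEY_ARN)` returns an empty list for the constructed documents; an over-broad key policy (account root principal with `kms:*`) produces findings instead.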