Unable to connect to Athena Dataset in QuickSight (403 error)

Hello,

I’m currently trying to ingest an Athena-based dataset into QuickSight and failing. I’m getting a 403 error, and it appears to be related to the S3 location that the Athena table sources from. Below is the error message I get (removed our account number for privacy):

sourceErrorCode: 100071
sourceErrorMessage: [Simba]AthenaJDBC An error has been thrown from the AWS Athena client. com.amazonaws.services.s3.model.AmazonS3Exception: Access Denied (Service: Amazon S3; Status Code: 403; Error Code: AccessDenied; Request ID: 85ESE7VP9MQN2CPQ; S3 Extended Request ID: sP8G4i3f9miUIh+bFTNP+QqNZv0pWiJfq/A6N7W8A4grzh+WGpQpLFp32fyvUIZiy+Crd8T04To=; Proxy: null), S3 Extended Request ID: sP8G4i3f9miUIh+bFTNP+QqNZv0pWiJfq/A6N7W8A4grzh+WGpQpLFp32fyvUIZiy+Crd8T04To= (Path: s3://-------------------) [Execution ID: b39982c0-cc80-46a5-8201-7994e8e04889]

Notes:

  • This is a table created to capture CloudTrail events. I can query the table without issue in Athena.
  • Under “Manage QuickSight” > “Security & permissions”, I’ve checked the box for the S3 bucket where the CloudTrail logs live, as well as the bucket where Athena query results land. Athena is also checked.
  • The CloudTrail bucket is set for Object Ownership as “Bucket owner enforced”, ACLs disabled.
  • The CloudTrail bucket is using SSE-S3 for default encryption.
  • My IAM user has full S3 permissions.
  • The QuickSight service role has been given full S3 permissions for troubleshooting purposes.

Hi @divey - If you go into the QuickSight Management console, can you confirm you’ve given QuickSight access to use not just S3 but also Athena?


Hi @eperts,

Athena is checked here. Most of my existing datasets are based on Athena tables; I just seem to be struggling with this particular one, which makes me think it’s related to the bucket itself, but I can’t seem to pinpoint it.

Hi @divey - Can you please also add the bucket itself to the resource list? This will ensure you have access to S3. Your policy contains "Resource": "arn:aws:s3:::aws-quickcloudtrail/*"; please add the bucket as well and test it:

"Resource": "arn:aws:s3:::aws-quickcloudtrail"

Regards - Sanjeeb

This can be closed/archived, I was able to resolve my issue.

The issue was the role “aws-quicksight-service-role-v0” not having the proper S3 permissions.

I had ensured that the role “aws-quicksight-s3-consumers-role-v0” had proper permissions by giving it full S3 permissions to test, but not the regular service role.

Turns out we had a customer managed policy called “AWSQuickSightS3Policy” applied to the “aws-quicksight-service-role-v0”. I just had to manually add the buckets to the permissions list for this policy and that solved my issue. For clarity, this policy was not applied to the consumers role but was to the service role.

It was a bit confusing that it ended up being the “aws-quicksight-service-role-v0” role with the issue. I went through access logs and, per the logs, the “aws-quicksight-s3-consumers-role-v0” was the assumed role making the call to Athena/S3 and getting the 403 error.

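Both Sanjeeb's point (the role needs the bucket ARN as well as the bucket/* object ARN) and the eventual fix (a customer managed policy on the service role that simply did not list the CloudTrail bucket) come down to checking what a policy document actually grants per bucket. The following is an added example, not code from the thread or from AWS: it lints a policy document offline for the bucket-level and object-level S3 actions the Athena client needs. The policy JSON, bucket names and the minimal action sets are constructed assumptions; explicit Deny statements and conditions are ignored.

```python
import fnmatch
import json

# Constructed sample policy, shaped like the customer managed policy described in the
# thread: it covers the query-results bucket but says nothing about the CloudTrail bucket.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["s3:GetObject", "s3:GetObjectVersion"],
     "Resource": ["arn:aws:s3:::example-athena-results/*"]},
    {"Effect": "Allow",
     "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
     "Resource": "arn:aws:s3:::example-athena-results"}
  ]
}""")

# Assumed minimum per bucket: list/locate on the bucket ARN, read on the object ARN.
BUCKET_ACTIONS = {"s3:ListBucket", "s3:GetBucketLocation"}
OBJECT_ACTIONS = {"s3:GetObject"}

def _as_list(value):
    # IAM allows a single string or a list for Action/Resource.
    return value if isinstance(value, list) else [value]

def _allows(policy, action, resource):
    """True if some Allow statement matches both action and resource (IAM '*' wildcards)."""
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        # Action names are case-insensitive in IAM; resource ARNs are not.
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        resources = _as_list(stmt.get("Resource", []))
        if any(fnmatch.fnmatchcase(action.lower(), a) for a in actions) and \
           any(fnmatch.fnmatchcase(resource, r) for r in resources):
            return True
    return False

def missing_grants(policy, bucket):
    """Return the (action, ARN) pairs the policy does not grant for one bucket."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    checks = [(a, bucket_arn) for a in sorted(BUCKET_ACTIONS)] + \
             [(a, bucket_arn + "/*") for a in sorted(OBJECT_ACTIONS)]
    return [(a, r) for a, r in checks if not _allows(policy, a, r)]

if __name__ == "__main__":
    for name in ["example-athena-results", "example-cloudtrail-logs"]:
        gaps = missing_grants(SAMPLE_POLICY, name)
        print(name, "OK" if not gaps else f"missing {gaps}")
```

Running it against the policy attached to the service role (for example the JSON returned by the IAM console or `aws iam get-policy-version`) shows at a glance which bucket, and which level (bucket vs. object), is absent.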

Hi @divey - Good to know that the issue is resolved by fixing the permission issue. You can mark your answer as the solution so that it can help other community members as well.

Regards - Sanjeeb