Using Athena data connectors to visualize DynamoDB data with AWS QuickSight

Hello, I have the following error when creating a data set from Athena, using the Athena connector for Dynamo:

[Simba]AthenaJDBC An error has been thrown from the AWS Athena client. Failed to invoke lambda function due to com.amazonaws.services.lambda.model.AWSLambdaException: User: arn:aws:sts::assumed-role/aws-quicksight-service-role-v0/QuickSight-RoleSession-is not authorized to perform: lambda:InvokeFunction on resource: arn:aws:lambda:us-east-:function:dynamodbdata because no identity-based policy allows the lambda:InvokeFunction action (Service: AWSLambda; Status Code: 403; Error Code: AccessDeniedException; Request ID: 1c2bf3e5-76be-494a-87aa-2352c85b582b; Proxy: null) [Execution ID not available]

How can I solve this?

Hi @Luis,
Validate whether you have allowed QuickSight access to Lambda functions (Manage QuickSight > Security & permissions: Amazon Athena).

Kind regards,
Koushik

1 Like

When accessing it, it does not list any Lambda. The Lambda was created in Ohio with the respective template.

I believe it has to be in the same region as Athena. Test by creating the Lambda function in us-east-1 and check if you are able to see the function.

@Koushik_Muthanna Athena is used in Ohio, like Lambda and Dynamo. QuickSight management is done in Northern Virginia. How can this be resolved?

Hi @Luis, can you try to move your Lambda function to Northern Virginia, and enable the Lambda function to access the Dynamo table across regions?

We hope this solution worked for you. Let us know if this is resolved. And if it is, please help the community by marking this answer as a “Solution.”

2 Likes

At the moment, it has been solved by manually giving Lambda execution permissions to the aws-quicksight-service-role-v0/ role. Is this the best practice?

1 Like

That works well as a solution!

1 Like
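
Added example, not part of any post in this thread: one way to keep the manual grant discussed above narrow is to derive the policy from the denial itself, so the role may invoke only the connector function named in the error, and to flag a grant that uses a wildcard resource. The account ID, region, session suffix, Sid and the BROAD_POLICY document are constructed placeholders, and the function names are hypothetical.

```python
import fnmatch
import re

# Constructed sample shaped like the error in the thread; the account ID, region
# and session suffix are placeholders, not values recovered from the post.
SAMPLE_ERROR = (
    "User: arn:aws:sts::111122223333:assumed-role/aws-quicksight-service-role-v0/"
    "QuickSight-RoleSession-EXAMPLE is not authorized to perform: "
    "lambda:InvokeFunction on resource: "
    "arn:aws:lambda:us-east-2:111122223333:function:dynamodbdata because no "
    "identity-based policy allows the lambda:InvokeFunction action"
)

# Constructed manual grant that works but lets the role invoke every function.
BROAD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "ManualFix", "Effect": "Allow", "Action": "lambda:*", "Resource": "*"}]}

DENIAL = re.compile(
    r"assumed-role/(?P<role>[\w+=,.@-]+)/\S+ is not authorized to perform: "
    r"(?P<action>lambda:InvokeFunction) on resource: "
    r"(?P<resource>arn:aws:lambda:[a-z]{2}(?:-[a-z]+)+-\d:\d{12}:function:[\w-]+)"
)


def scoped_policy_from_denial(message):
    """Return (role_name, policy) allowing only the denied function to be invoked."""
    m = DENIAL.search(message)
    if m is None:  # e.g. a pasted log with the account ID or region redacted
        raise ValueError("no complete lambda:InvokeFunction denial found")
    statement = {"Sid": "InvokeAthenaConnector", "Effect": "Allow",
                 "Action": m["action"], "Resource": m["resource"]}
    return m["role"], {"Version": "2012-10-17", "Statement": [statement]}


def _as_list(value):
    # IAM allows a single string/object where a list is also accepted.
    return [value] if isinstance(value, (str, dict)) else list(value)


def broad_invoke_statements(policy):
    """List (Sid, wildcard resources) for Allow statements that grant invoke broadly."""
    findings = []
    for stmt in _as_list(policy["Statement"]):
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        invoke = any(fnmatch.fnmatchcase("lambda:invokefunction", a) for a in actions)
        wild = [r for r in _as_list(stmt.get("Resource", [])) if "*" in r]
        if stmt.get("Effect") == "Allow" and invoke and wild:
            findings.append((stmt.get("Sid", "<no Sid>"), wild))
    return findings
```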