Using AWS Secrets Manager secrets instead of database credentials in Amazon QuickSight

I am following this guide, and I have some clarification questions.

From my understanding and observation, the following is what happens.

From the QS UI, I must grant access to a secret.

This creates a managed policy (AWSQuickSightSecretsManagerReadOnlyPolicy), which adds policy grants for the secret.

Also, an IAM role is created (aws-quicksight-secretsmanager-role-v0), which the QS service will assume. The managed policy from above is attached to that role.

This thereby grants QS access to read a secret.

However, what I do not understand is: what is the implicit magic in all of this?

When I add an inline policy to aws-quicksight-secretsmanager-role-v0 with grants equal to the managed policy, and untick the secret grant checkbox in the QS UI, then QS will fail to create the data source with a vague and generic error message:

Access denied for operation ‘AWS::QuickSight::DataSource’.

Why does it require ClickOps to grant secret access?

Why is the customer-managed inline policy not sufficient for QS to be able to read the secret?

As an engineer, I want to be able to deploy everything from code, without any clicking.

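As an added example (not from the original post or from AWS), here is a small drift check that models the role shape described above: the named role, the named managed policy attached, and nothing else. The trust principal `quicksight.amazonaws.com`, the `RoleSnapshot` structure and the sample role data are assumptions constructed for the example; they are not output from a real account.

```python
"""Detect whether the QuickSight secrets role still looks like the default
the console creates. Sample data below is constructed, not real account output."""
from dataclasses import dataclass, field

ROLE_NAME = "aws-quicksight-secretsmanager-role-v0"               # named in the thread
MANAGED_POLICY_NAME = "AWSQuickSightSecretsManagerReadOnlyPolicy"  # named in the thread
EXPECTED_PRINCIPAL = "quicksight.amazonaws.com"                     # assumption


@dataclass
class RoleSnapshot:
    """Minimal view of an IAM role (hypothetical shape, e.g. built from iam:GetRole output)."""
    name: str
    trust_policy: dict
    attached_policy_names: list
    inline_policy_names: list = field(default_factory=list)


def role_drift(role: RoleSnapshot) -> list:
    """Return human-readable findings; an empty list means the role matches the default shape."""
    findings = []
    if role.name != ROLE_NAME:
        findings.append(f"unexpected role name {role.name}")
    if MANAGED_POLICY_NAME not in role.attached_policy_names:
        findings.append(f"managed policy {MANAGED_POLICY_NAME} not attached")
    for extra in sorted(set(role.attached_policy_names) - {MANAGED_POLICY_NAME}):
        findings.append(f"extra attached policy {extra}")
    for name in role.inline_policy_names:
        findings.append(f"inline policy {name} present (console-created role was edited)")
    principals = set()
    for stmt in role.trust_policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") == "Allow" and "sts:AssumeRole" in actions:
            principals.add(stmt.get("Principal", {}).get("Service"))
    if EXPECTED_PRINCIPAL not in principals:
        findings.append(f"trust policy does not let {EXPECTED_PRINCIPAL} assume the role")
    return findings


# Constructed samples: the default role, and the thread's scenario where the managed
# policy was replaced by an equivalent inline policy.
TRUST = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
         "Principal": {"Service": EXPECTED_PRINCIPAL}, "Action": "sts:AssumeRole"}]}
DEFAULT_ROLE = RoleSnapshot(ROLE_NAME, TRUST, [MANAGED_POLICY_NAME])
EDITED_ROLE = RoleSnapshot(ROLE_NAME, TRUST, [], ["SecretsReadInline"])

if __name__ == "__main__":
    for role in (DEFAULT_ROLE, EDITED_ROLE):
        print(role.name, role_drift(role) or "matches default shape")
```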

Hello @m0ltar, I appreciate the detail in your explanation of the issue you are facing. I am not certain why this feature is not currently implemented.

At AWS, our roadmap is primarily driven by our customers. Your feedback helps us build a better service. I have tagged this as a feature request.

Let me know if you have any remaining questions or information you want to add, otherwise I will archive this for our support team. Thank you!

Well, all of my questions are still remaining :grinning:

I am still not convinced I am doing it right.

Are you confirming that this is truly not implemented?


Hello @m0ltar, unfortunately, I do not fully understand the why for any of these issues. The way that QuickSight is built, it seems that it always knows if you edit these default roles in any way. Even though it should work (from what I can tell, what you did should work as expected), QuickSight freaks out because you have altered that default role. Here is a link to some information about this issue for a different QuickSight role for a little more insight.

I wish I could give you a more concrete answer or a fix, but that is why I tagged it as a feature request.

Hello @m0ltar, since we have not heard back with any remaining follow-up questions, I will archive this topic for the support team. I wish I had a better solution for you here, but hopefully we can get some updates on this in the future to better manage the secrets. Thank you!