I am following this guide, and I have some clarification questions.
From my understanding and observation, the following is what happens.
From the QS UI, I must grant access to a secret.
This creates a managed policy (AWSQuickSightSecretsManagerReadOnlyPolicy
), which adds policy grants for the secret.
Also, an IAM role is created (aws-quicksight-secretsmanager-role-v0
), which QS service will assume. In that role, a managed policy, from above, is added.
This, thereby, grants QS access to a read a secret.
However, what I do not understand, is what the implicit magic in all of this?
When I add inline policy to aws-quicksight-secretsmanager-role-v0
of equal grants to the managed policy, and remove the checkbox from the QS UI for secret grant, then QS will fail to create the data source with a vague and generic error message:
Access denied for operation ‘AWS::QuickSight::DataSource’.
Why does it require ClickOps to grant secret access?
Why is the customer-managed inline policy not sufficient for QS to be able to read the secret?
As an engineer, I want to be able to deploy everything from code, without any clicking.