We cannot update the IAM Role

I have created a new Athena account which is required for demo purposes. When trying to configure the Athena connector and assign the Lambda function I get the following error.

We cannot update the IAM Role. The reason could be one or more from the following:

  • The role does not explicitly trust QuickSight service principal.
  • Following policies are either not attached to the QuickSight role or attached to more than one:
    • arn:aws:iam::819603067923:policy/service-role/AWSQuickSightLambdaPolicy
  • Make sure the credentials you’re using have following permissions:
    • iam:CreateRole, iam:CreatePolicy, iam:AttachRolePolicy, iam:CreatePolicyVersion, iam:DeletePolicyVersion, iam:ListAttachedRolePolicies, iam:GetRole, iam:GetPolicy, iam:DetachRolePolicy, iam:GetPolicyVersion and iam:ListPolicyVersions

My user has the required IAM permissions:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "iam:GetRole",
        "iam:DetachRolePolicy",
        "iam:DeleteRole",
        "iam:AttachRolePolicy",
        "iam:CreateRole"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": [
        "iam:ListPolicies",
        "iam:GetPolicyVersion",
        "iam:GetRole",
        "iam:GetPolicy",
        "iam:ListPolicyVersions",
        "iam:ListAttachedRolePolicies",
        "iam:GenerateServiceLastAccessedDetails",
        "iam:ListEntitiesForPolicy",
        "iam:ListPoliciesGrantingServiceAccess",
        "iam:ListRoles",
        "iam:GetServiceLastAccessedDetails",
        "iam:ListAccountAliases",
        "iam:ListRolePolicies",
        "s3:ListAllMyBuckets"
      ],
      "Resource": "*"
    },
    {
      "Sid": "VisualEditor2",
      "Effect": "Allow",
      "Action": [
        "iam:DeletePolicy",
        "iam:CreatePolicy",
        "iam:CreatePolicyVersion",
        "iam:DeletePolicyVersion"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}

and the aws-quicksight-service-role-v0 role has the following policies attached

AWSQuickSightIAMPolicy
AWSQuickSightLambdaPolicy

Any ideas on what I am doing wrong?

Thanks,

Heath
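
The three conditions listed in the error message can be checked offline against exported policy documents. This is an added example, not part of the original post and not QuickSight's own logic: the function names and the sample trust policy are constructed, the `Resource` fields of the posted policy are read as `"*"`, and "attached to more than one" is read as "attached to more than one IAM entity" (an assumption).

```python
import fnmatch

# Actions the error message on this page says the caller's credentials need.
REQUIRED = """iam:CreateRole iam:CreatePolicy iam:AttachRolePolicy iam:CreatePolicyVersion
iam:DeletePolicyVersion iam:ListAttachedRolePolicies iam:GetRole iam:GetPolicy
iam:DetachRolePolicy iam:GetPolicyVersion iam:ListPolicyVersions""".split()

def _list(v):
    return v if isinstance(v, list) else [v]

# Simplification: Deny, NotAction, Condition, boundaries and SCPs are not evaluated.
def missing_actions(policy, required=REQUIRED):
    """Required actions that no Allow statement on Resource "*" grants."""
    patterns = [a.lower() for s in _list(policy["Statement"])
                if s.get("Effect") == "Allow" and "*" in _list(s.get("Resource", []))
                for a in _list(s.get("Action", []))]
    return [r for r in required
            if not any(fnmatch.fnmatchcase(r.lower(), p) for p in patterns)]

def trusts_quicksight(trust_policy):
    """True if the trust policy lets quicksight.amazonaws.com assume the role."""
    for s in _list(trust_policy["Statement"]):
        principal = s.get("Principal", {})
        services = _list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if (s.get("Effect") == "Allow" and "quicksight.amazonaws.com" in services
                and "sts:AssumeRole" in _list(s.get("Action", []))):
            return True
    return False

# Assumption: "attached to more than one" means more than one IAM entity.
def attached_only_to(entities, role_name):
    """True if the parsed list-entities-for-policy response names role_name alone."""
    roles = [r["RoleName"] for r in entities.get("PolicyRoles", [])]
    others = entities.get("PolicyUsers", []) + entities.get("PolicyGroups", [])
    return roles == [role_name] and not others

# The poster's user policy, trimmed to the fields and actions the check reads.
USER_POLICY = {"Statement": [
    {"Effect": "Allow", "Resource": ["*"], "Action": [
        "iam:GetRole", "iam:DetachRolePolicy", "iam:DeleteRole",
        "iam:AttachRolePolicy", "iam:CreateRole"]},
    {"Effect": "Allow", "Resource": "*", "Action": [
        "iam:ListPolicies", "iam:GetPolicyVersion", "iam:GetRole", "iam:GetPolicy",
        "iam:ListPolicyVersions", "iam:ListAttachedRolePolicies"]},
    {"Effect": "Allow", "Resource": ["*"], "Action": [
        "iam:DeletePolicy", "iam:CreatePolicy", "iam:CreatePolicyVersion",
        "iam:DeletePolicyVersion"]}]}
# Constructed sample trust policy, not taken from the page.
TRUST = {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                        "Principal": {"Service": "quicksight.amazonaws.com"}}]}
```

`missing_actions(USER_POLICY)` returns an empty list for the policy as posted; feed `attached_only_to` the output of `aws iam list-entities-for-policy` for the policy ARN named in the error.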

OK, so I resolved this by deleting the policies and letting QuickSight recreate them. Now I can’t write to the spill bucket with the Lambda.

region: ap-southeast-2
timestamp: 1726178800881
requestId: 111a8e4e-049f-4fb5-ba0b-2648974b2ee1
sourceErrorCode: 100071
sourceErrorMessage: [Simba]AthenaJDBC An error has been thrown from the AWS Athena client. GENERIC_USER_ERROR: Encountered an exception[java.lang.NullPointerException] from your LambdaFunction[arn:aws:lambda:ap-southeast-2:819603067923:function:dynamodbconnector] executed in context[S3SpillLocation{bucket='athena-spill-bucket-pr', key='athena-spill/e1a16518-127d-4d3b-85db-c75bee602257/76eef42d-b349-478e-baac-28bdd8de61fd', directory=true}] with message[java.lang.NullPointerException] [Execution ID: e1a16518-127d-4d3b-85db-c75bee602257]
sourceErrorState: HY000
sourceException: java.sql.SQLException
sourceType: ATHENA