How do I troubleshoot AWS resource permission errors in Amazon QuickSight?

I tried to edit Amazon QuickSight permissions to AWS resources and received an error.

Short description

When you edit Amazon QuickSight permissions, you might receive one of the following errors:

  • "The role used by QuickSight for AWS resource access was modified to an un-recoverable state outside of QuickSight, so you can no longer edit AWS resource permissions in QuickSight."
  • "We were unable to update QuickSight permissions for AWS resources. Either you are not authorized to edit QuickSight permissions on AWS resources, or the QuickSight permissions were changed using the IAM console and are therefore no longer updateable through QuickSight."
  • "We cannot update the IAM Role"
  • "QuickSight has detected unknown policies attached to following roles please detach them and retry"
  • "Something went wrong For more information see Set IAM policy"

These errors occur when you edit the QuickSight permissions to your AWS resources from the AWS Identity and Access Management (IAM) console.

Note: It's a best practice to edit QuickSight permissions to AWS resources using the Amazon QuickSight console and not the IAM console.

Resolution

Remove the aws-quicksight-service-role-v0 and aws-quicksight-s3-consumers-role-v0 service roles that QuickSight assumes when interacting with other AWS services. Then, remove the managed policies that QuickSight attaches to aws-quicksight-service-role-v0 and aws-quicksight-s3-consumers-role-v0 service roles. Finally, restore QuickSight access to your AWS services.

Important: Before you delete your IAM policies, make sure that you have a backup of them. The backup can help you refer to any Amazon Simple Storage Service (Amazon S3) account resources that you previously had access to.

Verify QuickSight and IAM permissions, and then remove the service roles and policies

  1. Follow the instructions to view QuickSight user accounts. Make sure that you have a user with an ADMIN role.

  2. Open the IAM console.

  3. (Optional) If you haven't already done so, follow the instructions for creating an IAM user administrator.

  4. Make sure that your IAM policy allows you to create and delete the QuickSight service roles and policies, similar to the following:

    {  
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "VisualEditor0",
          "Effect": "Allow",
          "Action": [
            "iam:GetRole",
            "iam:DetachRolePolicy",
            "iam:DeleteRole",
            "iam:AttachRolePolicy",
            "iam:CreateRole"
          ],
          "Resource":[
             "arn:aws:iam::<Account-id>:role/service-role/aws-quicksight-service-role-v0",
             "arn:aws:iam::<Account-id>:role/service-role/aws-quicksight-s3-consumers-role-v0"
          ]
        },
        {
          "Sid": "VisualEditor1",
          "Effect": "Allow",
          "Action": [
            "iam:ListPolicies",
            "iam:GetPolicyVersion",
            "iam:GetRole",
            "iam:GetPolicy",
            "iam:ListPolicyVersions",
            "iam:ListAttachedRolePolicies",
            "iam:GenerateServiceLastAccessedDetails",
            "iam:ListEntitiesForPolicy",
            "iam:ListPoliciesGrantingServiceAccess",
            "iam:ListRoles",
            "iam:GetServiceLastAccessedDetails",
            "iam:ListAccountAliases",
            "iam:ListRolePolicies",
            "s3:ListAllMyBuckets"
          ],
          "Resource": "*"
        },
        {
          "Sid": "VisualEditor2",
          "Effect": "Allow",
          "Action": [
            "iam:DeletePolicy",
            "iam:CreatePolicy",
            "iam:CreatePolicyVersion",
            "iam:DeletePolicyVersion"
          ],
          "Resource": [
            "arn:aws:iam::<Account-id>:policy/service-role/AWSQuickSightIAMPolicy",
            "arn:aws:iam::<Account-id>:policy/service-role/AWSQuickSightRDSPolicy",
            "arn:aws:iam::<Account-id>:policy/service-role/AWSQuickSightS3Policy",
            "arn:aws:iam::<Account-id>:policy/service-role/AWSQuickSightRedshiftPolicy",
            "arn:aws:iam::<Account-id>:policy/service-role/AWSQuickSightS3ConsumersPolicy"
          ]
        }
      ]
    }

  5. In the navigation pane, choose Roles.

  6. In the role search pane, search for, and then delete the following IAM roles:
    aws-quicksight-service-role-v0
    aws-quicksight-s3-consumers-role-v0

    Note: These service roles are automatically created by QuickSight when you set permissions in QuickSight.

  7. In the navigation pane, choose Policies.

  8. In the policies search pane, search for, and then delete the following customer managed IAM policies:
    AWSQuickSightRedshiftPolicy
    AWSQuickSightRDSPolicy
    AWSQuickSightIAMPolicy
    AWSQuickSightS3Policy
    AWSQuickSightS3ConsumersPolicy

Note: QuickSight uses AWS managed policies when it is allowed to access an AWS resource. For example, it uses the AWSQuicksightAthenaAccess policy to control access to certain AWS resources. AWS managed policies can't be removed.
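
A pre-flight check for step 4, added here as an example and not part of the original article: it parses an identity-based policy document and lists which of the step 4 role and policy actions it does not allow. The account ID `111122223333` and the sample policy are constructed, and the matcher is a simplification that evaluates only Allow statements with Action and Resource (no Deny, NotAction, NotResource, or Condition handling).

```python
import json
from fnmatch import fnmatchcase

ACCOUNT = "111122223333"  # constructed placeholder account ID
ROLE_ACTIONS = ["iam:GetRole", "iam:DetachRolePolicy", "iam:DeleteRole",
                "iam:AttachRolePolicy", "iam:CreateRole"]
POLICY_ACTIONS = ["iam:DeletePolicy", "iam:CreatePolicy",
                  "iam:CreatePolicyVersion", "iam:DeletePolicyVersion"]
ROLES = ["aws-quicksight-service-role-v0", "aws-quicksight-s3-consumers-role-v0"]
POLICIES = ["AWSQuickSightIAMPolicy", "AWSQuickSightRDSPolicy", "AWSQuickSightS3Policy",
            "AWSQuickSightRedshiftPolicy", "AWSQuickSightS3ConsumersPolicy"]

def required_pairs(account):
    """(action, ARN) pairs from step 4 for the two roles and five policies."""
    role_arns = [f"arn:aws:iam::{account}:role/service-role/{r}" for r in ROLES]
    policy_arns = [f"arn:aws:iam::{account}:policy/service-role/{p}" for p in POLICIES]
    return ([(a, arn) for arn in role_arns for a in ROLE_ACTIONS] +
            [(a, arn) for arn in policy_arns for a in POLICY_ACTIONS])

def _as_list(value):
    return value if isinstance(value, list) else [value]

def allows(doc, action, resource):
    """True if some Allow statement matches; action names compare case-insensitively."""
    for st in _as_list(doc["Statement"]):
        if st.get("Effect") != "Allow" or "Action" not in st or "Resource" not in st:
            continue  # Deny, NotAction and NotResource statements are not evaluated
        if (any(fnmatchcase(action.lower(), a.lower()) for a in _as_list(st["Action"]))
                and any(fnmatchcase(resource, r) for r in _as_list(st["Resource"]))):
            return True
    return False

def missing_permissions(policy_json, account):
    doc = json.loads(policy_json)  # raises ValueError on syntax errors such as a missing comma
    return [(a, r) for a, r in required_pairs(account) if not allows(doc, a, r)]

# Constructed sample: covers all five policies but only one of the two service roles.
SAMPLE = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ROLE_ACTIONS,
     "Resource": [f"arn:aws:iam::{ACCOUNT}:role/service-role/aws-quicksight-service-role-v0"]},
    {"Effect": "Allow", "Action": "iam:*Policy*",
     "Resource": f"arn:aws:iam::{ACCOUNT}:policy/service-role/AWSQuickSight*Policy"},
]})

if __name__ == "__main__":
    for action, arn in missing_permissions(SAMPLE, ACCOUNT):
        print(f"not allowed: {action} on {arn}")
```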

Restore QuickSight access to your AWS services

  1. Open the Amazon QuickSight console.
  2. In the navigation bar, choose the user name dropdown list, and then choose Manage QuickSight.
  3. In the navigation pane, choose Security & Permissions.
  4. In QuickSight access to AWS services, choose Manage.
  5. For Allow access and autodiscovery for these resources, choose the AWS services that you want to restore.
  6. Choose Save.

For more information about configuring access to other AWS services for QuickSight, see Accessing data sources.

Related information

IAM policy examples for Amazon QuickSight

AWS managed policies for Amazon QuickSight

AWS OFFICIAL
Updated a month ago