Insufficient Permissions When Using Athena with Amazon QuickSight - Amazon QuickSight

Insufficient Permissions When Using Athena with Amazon QuickSight

If you receive an error message that says you have insufficient permissions, try the following steps to resolve your problem.

To resolve an insufficient permissions error

  1. Make sure that Amazon QuickSight can access the Amazon S3 buckets used by Athena:

    1. To do this, choose your profile name (upper right). Choose Manage QuickSight, and then choose Security & permissions.

    2. Choose Add or remove.

    3. Locate Athena in the list. Clear the check box by Athena, then select it again to enable Athena.

      Choose Connect both.

    4. Choose the buckets that you want to access from Amazon QuickSight.

      The settings for S3 buckets that you access here are the same ones that you access by choosing Amazon S3 from the list of AWS services. Be careful that you don't inadvertently disable a bucket that someone else uses.

    5. Choose Select to save your S3 buckets.

    6. Choose Update to save your new settings for Amazon QuickSight access to AWS services. Or, choose Cancel to exit without making any changes.

  2. If your data file is encrypted with an AWS KMS key, grant permissions to the Amazon QuickSight IAM role to decrypt the key. The easiest way to do this is to use the AWS CLI.

    You can run the create-grant command in AWS CLI to do this.

    aws kms create-grant --key-id <KMS key ARN> --grantee-principal <Your Amazon QuickSight Role ARN> --operations Decrypt

    The Amazon Resource Name (ARN) for the Amazon QuickSight role has the format arn:aws:iam::<account id>:role/service-role/aws-quicksight-service-role-v<version number> and can be accessed from the IAM console. To find your KMS key ARN, use the S3 console. Go to the bucket that contains your data file and choose the Overview tab. The key is located near KMS key ID.