Insufficient permissions when using Athena with Amazon QuickSight - Amazon QuickSight

If you receive an error message that says you have insufficient permissions, try the following steps to resolve your problem.

You need administrator permissions to troubleshoot this issue.

To resolve an insufficient permissions error
  1. Make sure that Amazon QuickSight can access the Amazon S3 buckets used by Athena:

    1. To do this, choose your profile name (upper right). Choose Manage QuickSight, and then choose Security & permissions.

    2. Choose Add or remove.

    3. Locate Athena in the list. Clear the check box by Athena, then select it again to enable Athena.

      Choose Connect both.

    4. Choose the buckets that you want to access from Amazon QuickSight.

      The settings for S3 buckets that you access here are the same ones that you access by choosing Amazon S3 from the list of AWS services. Be careful that you don't inadvertently disable a bucket that someone else uses.

    5. Choose Select to save your S3 buckets.

    6. Choose Update to save your new settings for Amazon QuickSight access to AWS services. Or choose Cancel to exit without making any changes.

  2. If your data file is encrypted with an AWS KMS key, grant the Amazon QuickSight IAM role permission to decrypt with that key. The easiest way to do this is to use the AWS CLI.

    Run the create-grant command in the AWS CLI:

    aws kms create-grant --key-id <AWS KMS key ARN> --grantee-principal <Your Amazon QuickSight Role ARN> --operations Decrypt

    The Amazon Resource Name (ARN) for the Amazon QuickSight role has the format arn:aws:iam::<account id>:role/service-role/aws-quicksight-service-role-v<version number>, and you can find it in the IAM console. To find your AWS KMS key ARN, use the S3 console. Go to the bucket that contains your data file and choose the Overview tab. The key ARN is located near KMS key ID.

For Amazon Athena, Amazon S3, and Athena Query Federation connections, QuickSight uses the following IAM role by default:

arn:aws:iam::AWS-ACCOUNT-ID:role/service-role/aws-quicksight-s3-consumers-role-v0

If the aws-quicksight-s3-consumers-role-v0 role is not present, then QuickSight uses:

arn:aws:iam::AWS-ACCOUNT-ID:role/service-role/aws-quicksight-service-role-v0
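
The following script is an added example, not part of the AWS documentation. It combines step 2 with the default-role rule above: it resolves which of the two roles QuickSight uses in the account, then runs create-grant only if that role does not already hold a Decrypt grant on the key. The function names are hypothetical, and the script assumes administrator credentials and the v0 role names shown above.

```shell
#!/usr/bin/env bash
# Added example: resolve the role QuickSight uses for Athena/S3, then grant it
# Decrypt on a KMS key only if no such grant exists yet.
# Function names are hypothetical; role names assume the v0 roles on this page.

CONSUMERS_ROLE="aws-quicksight-s3-consumers-role-v0"
SERVICE_ROLE="aws-quicksight-service-role-v0"

# Print the ARN of the role QuickSight uses by default: the s3-consumers role
# when it is present in the account, otherwise the service role.
# Any get-role failure (including AccessDenied) is treated as "not present".
quicksight_role_arn() {
  local account_id="$1" role="$SERVICE_ROLE"
  if aws iam get-role --role-name "$CONSUMERS_ROLE" >/dev/null 2>&1; then
    role="$CONSUMERS_ROLE"
  fi
  printf 'arn:aws:iam::%s:role/service-role/%s\n' "$account_id" "$role"
}

# Succeed if the key already has a grant to role_arn that allows Decrypt.
has_decrypt_grant() {
  local key_arn="$1" role_arn="$2" ids
  ids=$(aws kms list-grants --key-id "$key_arn" --output text \
    --query "Grants[?GranteePrincipal=='$role_arn' && contains(Operations, 'Decrypt')].GrantId") || return 2
  [ -n "$ids" ] && [ "$ids" != "None" ]
}

# Run the page's create-grant command, skipping it when an equivalent grant
# is already in place so repeated runs do not pile up duplicate grants.
grant_quicksight_decrypt() {
  local key_arn="$1" account_id role_arn
  account_id=$(aws sts get-caller-identity --query Account --output text) || return 1
  role_arn=$(quicksight_role_arn "$account_id")
  if has_decrypt_grant "$key_arn" "$role_arn"; then
    echo "Decrypt grant already present for $role_arn"
    return 0
  fi
  aws kms create-grant --key-id "$key_arn" \
    --grantee-principal "$role_arn" --operations Decrypt
}

# Usage: pass the AWS KMS key ARN as the first argument.
if [ "$#" -gt 0 ]; then
  grant_quicksight_decrypt "$1"
fi
```

Granting to the role QuickSight actually uses, rather than to both, keeps the set of principals that can decrypt with the key as small as the page's procedure allows.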