How do I allow Amazon QuickSight access to an S3 bucket with a deny policy?

2 minute read
0

I want to be sure that my Amazon Simple Storage Service (Amazon S3) bucket policy allows access from Amazon QuickSight.

Short description

If your Amazon S3 bucket uses a Deny policy, then that policy overrides any S3 permissions that you specify in the Amazon QuickSight console. To allow Amazon QuickSight to access the S3 bucket, add the Amazon QuickSight service role (aws-quicksight-service-role-v0) as an exception in your Deny policy.

Resolution

1.    Confirm that Amazon QuickSight has permission to access the S3 bucket.

2.    Use the AWS Command Line Interface (AWS CLI) or AWS Identity and Access Management (IAM) API to get the unique ID for the aws-quicksight-service-role-v0 role. The ID is unique to each Amazon QuickSight account. For example:

aws iam get-role --role-name aws-quicksight-service-role-v0 --query 'Role.RoleId' --output json
"AROAEXAMPLEID"

Note: If you receive an error when you run AWS CLI commands, be sure that you use the most recent version of the AWS CLI.

3.    Open the Amazon S3 console.

4.    Choose the bucket that you want to access with Amazon QuickSight.

5.    Choose the Permissions view.

6.    Choose Bucket Policy.

7.    Enter a bucket policy similar to this example. Replace AROAEXAMPLEID with your unique ID. To add an exception for an IAM user, replace AIDAEXAMPLEUSERID with the unique ID of the IAM user. The IAM user policy must also contain an Allow statement for the S3 bucket. For example:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::examplebucketname",
        "arn:aws:s3:::examplebucketname/*"
      ],
      "Condition": {
        "StringNotLike": {
          "aws:userid": [
            "AROAEXAMPLEID:*",
            "AIDAEXAMPLEUSERID"
          ]
        }
      }
    }
  ]
}

This Deny policy adds exceptions for the Amazon QuickSight service role and an IAM user.

Note: If you delete the Amazon QuickSight service role and the IAM user, then you're locked out of the bucket. To resolve this problem, log in as the AWS account root user, and then use the delete-bucket-policy command to delete the bucket policy.

Related information

How to restrict Amazon S3 bucket access to a specific IAM role

AWS OFFICIAL
AWS OFFICIALUpdated a year ago