How do I troubleshoot AWS resource permission errors in Quick Suite?

I want to troubleshoot errors that I receive when I try to edit Amazon Quick Suite permissions to AWS resources.

Short description

If you edit Quick Suite permissions to your AWS resources in the AWS Identity and Access Management (IAM) console, then you might receive the following errors:

  • "The role used by Quick Suite for AWS resource access was modified to an un-recoverable state outside of Quick Suite, so you can no longer edit AWS resource permissions in Quick Suite."
  • "We were unable to update Quick Suite permissions for AWS resources. Either you are not authorized to edit Quick Suite permissions on AWS resources, or the Quick Suite permissions were changed using the IAM console and are therefore no longer updateable through Quick Suite."
  • "We cannot update the IAM Role"
  • "Quick Suite has detected unknown policies attached to following roles please detach them and retry"
  • "Something went wrong For more information see Set IAM policy"

It's a best practice to edit Quick Suite permissions to AWS resources in the Quick Suite console.

Resolution

When Quick Suite interacts with other AWS services, Quick Suite assumes the aws-quicksight-service-role-v0 and aws-quicksight-s3-consumers-role-v0 service roles, and then attaches managed policies to the roles. Remove these service roles, and then remove the attached managed policies. Finally, restore Quick Suite access to your AWS services.

Important: Make sure that you back up your IAM policies before you delete them. You can use the backup to refer to Amazon Simple Storage Service (Amazon S3) account resources that you previously had access to.

Verify Quick Suite and IAM permissions and then remove the service roles and policies

Complete the following steps:

  1. View your Quick Suite user accounts, and confirm that you have a user with an ADMIN role.

  2. Open the IAM console.

  3. (Optional) If you haven't already done so, then create an IAM user administrator.

  4. Make sure that your IAM policy allows you to create and delete Quick Sight services and roles. 
    Example IAM policy:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "VisualEditor0",
          "Effect": "Allow",
          "Action": [
            "iam:GetRole",
            "iam:DetachRolePolicy",
            "iam:DeleteRole",
            "iam:AttachRolePolicy",
            "iam:CreateRole"
          ],
          "Resource": [
            "arn:aws:iam::Account-id:role/service-role/aws-quicksight-service-role-v0",
            "arn:aws:iam::Account-id:role/service-role/aws-quicksight-s3-consumers-role-v0"
          ]
        },
        {
          "Sid": "VisualEditor1",
          "Effect": "Allow",
          "Action": [
            "iam:ListPolicies",
            "iam:GetPolicyVersion",
            "iam:GetRole",
            "iam:GetPolicy",
            "iam:ListPolicyVersions",
            "iam:ListAttachedRolePolicies",
            "iam:GenerateServiceLastAccessedDetails",
            "iam:ListEntitiesForPolicy",
            "iam:ListPoliciesGrantingServiceAccess",
            "iam:ListRoles",
            "iam:GetServiceLastAccessedDetails",
            "iam:ListAccountAliases",
            "iam:ListRolePolicies",
            "s3:ListAllMyBuckets"
          ],
          "Resource": "*"
        },
        {
          "Sid": "VisualEditor2",
          "Effect": "Allow",
          "Action": [
            "iam:DeletePolicy",
            "iam:CreatePolicy",
            "iam:CreatePolicyVersion",
            "iam:DeletePolicyVersion"
          ],
          "Resource": [
            "arn:aws:iam::Account-id:policy/service-role/AWSQuickSightIAMPolicy",
            "arn:aws:iam::Account-id:policy/service-role/AWSQuickSightRDSPolicy",
            "arn:aws:iam::Account-id:policy/service-role/AWSQuickSightS3Policy",
            "arn:aws:iam::Account-id:policy/service-role/AWSQuickSightRedshiftPolicy",
            "arn:aws:iam::Account-id:policy/service-role/AWSQuickSightS3ConsumersPolicy"
          ]
        }
      ]
    }

  5. In the navigation pane, choose Roles.

  6. In the role search pane, find and delete the aws-quicksight-service-role-v0 and aws-quicksight-s3-consumers-role-v0 IAM roles.
    Note: When you set permissions in Quick Suite, Quick Suite automatically creates these service roles. If Quick Suite didn't create the aws-quicksight-s3-consumers-role-v0 role, then delete the aws-quicksight-service-role-v0 role and continue.

  7. In the navigation pane, choose Policies.

  8. In the policies search pane, find and delete customer managed IAM policies. For example, delete the following customer-managed policies in the example IAM policy in step 4:
    AWSQuickSightRedshiftPolicy
    AWSQuickSightRDSPolicy
    AWSQuickSightIAMPolicy
    AWSQuickSightS3Policy
    AWSQuickSightS3ConsumersPolicy
    Note: The policies mentioned cover a limited number of services associated with Quick Suite. To completely resolve IAM policy conflicts, remove all customer-managed policies linked to Quick Suite that were added directly through IAM.
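
The backup and removal steps above can also be planned for the AWS CLI, where the order matters: back up every policy version, detach policies before deleting a role, and delete non-default versions before deleting a customer managed policy. The following Python sketch is an added example, not part of the original article; the account ID and sample data are constructed, and it assumes the roles have no inline policies or instance profiles and that the policies are attached only to these roles.

```python
ROLES = ["aws-quicksight-service-role-v0", "aws-quicksight-s3-consumers-role-v0"]

def is_customer_managed(arn):
    # AWS managed policy ARNs carry "aws" in the account field: arn:aws:iam::aws:policy/...
    return arn.split(":")[4] != "aws"

def cleanup_plan(attached, versions):
    """attached: {role: [policy ARN, ...]} for roles that exist (list-attached-role-policies).
    versions: {policy ARN: [{"VersionId", "IsDefaultVersion"}, ...]} (list-policy-versions).
    Returns AWS CLI commands, for review, in an order that IAM accepts."""
    backup, detach, delete_role, delete_pol, seen = [], [], [], [], set()
    for role in ROLES:
        if role not in attached:   # for example, the s3-consumers role was never created
            continue
        for arn in attached[role]:
            detach.append(f"aws iam detach-role-policy --role-name {role} --policy-arn {arn}")
            if not is_customer_managed(arn) or arn in seen:
                continue           # AWS managed policies are detached, never deleted
            seen.add(arn)
            name = arn.rsplit("/", 1)[-1]
            for v in versions.get(arn, []):
                vid = v["VersionId"]
                backup.append(f"aws iam get-policy-version --policy-arn {arn} "
                              f"--version-id {vid} --output json > backup-{name}-{vid}.json")
                if not v["IsDefaultVersion"]:
                    delete_pol.append(
                        f"aws iam delete-policy-version --policy-arn {arn} --version-id {vid}")
            delete_pol.append(f"aws iam delete-policy --policy-arn {arn}")
        delete_role.append(f"aws iam delete-role --role-name {role}")
    return backup + detach + delete_role + delete_pol

# Constructed sample input: placeholder account ID, one existing role.
ACCT = "111122223333"
S3_ARN = f"arn:aws:iam::{ACCT}:policy/service-role/AWSQuickSightS3Policy"
SAMPLE_ATTACHED = {
    "aws-quicksight-service-role-v0": [
        S3_ARN,
        "arn:aws:iam::aws:policy/service-role/AWSQuicksightAthenaAccess",
    ],
}
SAMPLE_VERSIONS = {
    S3_ARN: [{"VersionId": "v2", "IsDefaultVersion": True},
             {"VersionId": "v1", "IsDefaultVersion": False}],
}

if __name__ == "__main__":
    print("\n".join(cleanup_plan(SAMPLE_ATTACHED, SAMPLE_VERSIONS)))
```

Review the printed commands before you run them, and keep the backup files until access is restored.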

Restore Quick Suite access to your AWS services

Complete the following steps:

  1. Open the Quick Suite console.
  2. Choose your user name on the application bar and then choose Manage Quick Suite.
  3. In the navigation pane under Permissions, choose AWS resources.
  4. For Quick Suite access to AWS services, choose the AWS services that you want to restore.
  5. Choose Save.

Note: When you allow Quick Suite access to an AWS resource, Quick Suite uses AWS managed policies. For example, Quick Suite uses the AWSQuicksightAthenaAccess policy to control access to certain AWS resources. You can't remove AWS managed policies.

For more information about how to configure access to resources in other AWS services for Quick Sight, see Configuring Amazon Quick Sight access to AWS data sources.

2 Comments

This article is incomplete. You basically need to delete ALL AWSQuickSight*Policy making sure they are Type=Customer Managed Only then the Manage IAM permissions page is re-enabled

AWS
replied 9 months ago

According to the "Resolution" section, two service roles need to be deleted. However, in my environment, the aws-quicksight-s3-consumers-role-v0 service role was not present (nor is it shown in the video attached to this page). Thus, deleting the aws-quicksight-service-role-v0 role alone is sufficient.

AWS
replied 4 months ago