QuickSight DataSource created using boto3 is not able to access LakeFormation data through Athena

0

I am having issues using boto3 to create Athena DataSources in Quicksight. If I create an Athena DataSource from the QuickSight console I'm able to use it in a DataSet and see my Athena tables (stored in Lake Formation). If create that same DataSource (exact same configuration) using a boto3 client and an assumed role with QuickSight permissions, it is not able to see the LakeFormation tables. What permissions are used by QuickSight to determine the data DataSources access? Do I need to add permissions to my assumed role? I've tried giving it LF tag access and full Athena permissions without any luck. What is needed to access Lake Formation data in QuickSight through DataSources created using boto3?

Here are two screenshots to demonstrate what is happening. The DataSources have the exact same DataSourceParameters and Permissions.

DataSource created in QuickSight can select tables

DataSource created by boto3 can't see any tables

asked 2 years ago817 views
2 Answers
0

Do you these permissions while creating data source ?

    "Permissions": [
        {
            "Principal": "arn:aws:quicksight:us-east-1:xxxxxx:user/default/xxxxx/xxxx",
            "Actions": [
                "quicksight:UpdateDataSourcePermissions",
                "quicksight:DescribeDataSource",
                "quicksight:DescribeDataSourcePermissions",
                "quicksight:PassDataSource",
                "quicksight:UpdateDataSource",
                "quicksight:DeleteDataSource"
            ]
        }
    ]
AWS
answered 2 years ago
  • Yes. I am able to see the DataSource in QuickSight and can select it when creating a DataSet. I have updated the question with some screen shots to illustrate what is happening.

0

Have you been able to solve the problem?

we've faced it yesterday and (although not really solving it) we came up with a partial 'solution'

Apparently, for some reason the QuickSight 'Database' Dropdown, is not using the service role attached to it

but it is using the default Lakeformation Group IAMAllowedPrincipals to fetch the databases,

We granted database permissions to IAMAllowedPrincipals, and only then we were able to fetch the database

answered 2 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions