By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

Invalid request provided: Resultant state of actions on this resource is not supported

0

I've run into a really peculiar set of constraints. Trying to understand why is this a limitation and if there are any work arounds.

I am getting the following error:

Invalid request provided: Resultant state of actions on this resource is not supported.

Valid states:
[
  "quicksight:DescribeDataSet",
  "quicksight:DescribeDataSetPermissions",
  "quicksight:PassDataSet",
  "quicksight:DescribeIngestion",
  "quicksight:ListIngestions"
]

or

[
  "quicksight:DescribeDataSet",
  "quicksight:DescribeDataSetPermissions",
  "quicksight:PassDataSet",
  "quicksight:DescribeIngestion",
  "quicksight:ListIngestions",
  "quicksight:UpdateDataSet",
  "quicksight:DeleteDataSet",
  "quicksight:CreateIngestion",
  "quicksight:CancelIngestion",
  "quicksight:UpdateDataSetPermissions"
]

I am attempting to create an "almost owner" permission, which is basically everything an owner can do, with the exception of being able to delete the datasets, as we want to manage them as code and I'd like to prevent accidental deletions.

These are the permissions when a group is set as an owner:

  quicksight:ListIngestions
  quicksight:DeleteDataSet
  quicksight:UpdateDataSetPermissions
  quicksight:CancelIngestion
  quicksight:DescribeDataSetPermissions
  quicksight:UpdateDataSet
  quicksight:DescribeDataSet
  quicksight:PassDataSet
  quicksight:DescribeIngestion
  quicksight:CreateIngestion

I am removing the quicksight:DeleteDataSet action:

  quicksight:ListIngestions
- quicksight:DeleteDataSet
  quicksight:UpdateDataSetPermissions
  quicksight:CancelIngestion
  quicksight:DescribeDataSetPermissions
  quicksight:UpdateDataSet
  quicksight:DescribeDataSet
  quicksight:PassDataSet
  quicksight:DescribeIngestion
  quicksight:CreateIngestion

And getting the error above.

I think it's a really weird limitation and it does not make sense to me as both the end user and as a devops professional.

Why wouldn't a user be able to refresh a data set, without being able to delete it?

Topics
Analytics
Tags
Amazon QuickSight
Language
English
profile picture
m0ltar
asked 10 months ago199 views
2 Answers
0
Accepted Answer

It appears that QuickSight is not using IAM actions as they were intended. And they have essentially grouped these actions into predetermined roles, which map to the types of users QS allows: admin and viewer. There is no way to provide more granularity at the moment.

Specifying an IAM action set that does not satisfy the actions that are expected from a role (aka "valid state") will result in the above error.

profile picture
m0ltar
answered 10 months ago
0

Hi m0ltar.

Are you using Quicksight Enterprise with SPICE data? If so, this might be related to Quicksight first deleting the data and appending new one for incremental refreshes as discussed in the documentation.

I hope this helps.

profile pictureAWS
EXPERT
Jose Guay
answered 10 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content