Allow Quicksight to access S3 bucket using Terraform or API


Hi all,

I'm currently trying to set up QuickSight in an AWS account that has never used QuickSight so far. However, I'm having some trouble allowing QuickSight to access an S3 bucket. I am using Terraform.

I can create a new QuickSight subscription using Terraform with:

resource "aws_quicksight_account_subscription" "create_initial_subscription" {
  account_name          = "rr"
  authentication_method = "IAM_AND_QUICKSIGHT"
  edition               = "STANDARD"
  notification_email    = var.admin_email_address
}

Unfortunately, this does not create any roles that QuickSight could use to get data from S3 (whereas, when using the web interface to create a new QuickSight subscription, there is a wizard which automatically creates a new role or asks whether the user wants to use an existing role).

Therefore I tried to use Terraform to create a new QuickSight role and assign it the right policies to access S3. As soon as I select this newly created role in the web interface (Manage QuickSight --> Security & permissions --> Manage --> "Choose which role QuickSight should use"), everything works fine. But obviously, I do not want to have this manual step when using Terraform.

So, is there any API or Terraform command I can use to tell QuickSight which IAM role it should use? Or is there any other workaround to create a new subscription and give access to S3 using Terraform/API/CDK?

Thank you in advance!

1 Answer

You would have to attach a policy to the S3 bucket using the "put-bucket-policy".

https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/put-bucket-policy.html

This is a template you can use that should allow QuickSight rights to S3:

{
  "Version": "2012-10-17",
  "Id": "BucketPolicy",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::ACCOUNT_ID:role/service-role/aws-quicksight-service-role-v0"
      },
      "Action": [
        "s3:ListBucket",
        "s3:GetObject",
        "s3:GetObjectVersion"
      ],
      "Resource": [
        "arn:aws:s3:::bucket",
        "arn:aws:s3:::bucket/*"
      ]
    }
  ]
}
JHaddix (AWS)
answered 10 months ago
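The bucket policy from the answer expressed in Terraform, so the manual "put-bucket-policy" call is replaced by a resource in the same module that creates the subscription. This is an added example, not code from the question or the answer; it assumes the bucket already exists (passed in as bucket_name) and that the QuickSight service role carries the default name used in the answer's template, aws-quicksight-service-role-v0.

```hcl
# Added example: grant the QuickSight service role read-only access to one
# bucket via a bucket policy, resolving the account ID instead of hardcoding it.
variable "bucket_name" {
  type        = string
  description = "Name of the existing S3 bucket QuickSight should read (assumption: created elsewhere)"
}

data "aws_caller_identity" "current" {}

locals {
  # Default role name from the answer's template; adjust if a custom role is chosen.
  quicksight_role_arn = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/service-role/aws-quicksight-service-role-v0"
}

data "aws_iam_policy_document" "quicksight_read" {
  statement {
    sid    = "AllowQuickSightReadOnly"
    effect = "Allow"

    principals {
      type        = "AWS"
      identifiers = [local.quicksight_role_arn]
    }

    # Same three read-only actions as the answer's template; nothing that
    # would let the role write to or reconfigure the bucket.
    actions = [
      "s3:ListBucket",
      "s3:GetObject",
      "s3:GetObjectVersion",
    ]

    # ListBucket applies to the bucket ARN, GetObject* to the objects in it.
    resources = [
      "arn:aws:s3:::${var.bucket_name}",
      "arn:aws:s3:::${var.bucket_name}/*",
    ]
  }
}

resource "aws_s3_bucket_policy" "quicksight_read" {
  bucket = var.bucket_name
  policy = data.aws_iam_policy_document.quicksight_read.json
}
```

Within the same account this resource-based policy is sufficient on its own; for a bucket in another account the role also needs a matching identity policy, and objects encrypted with a customer-managed KMS key additionally require kms:Decrypt on that key.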
