Invalid request provided: Resultant state of actions on this resource is not supported

0

I've run into a really peculiar set of constraints. Trying to understand why this is a limitation and if there are any workarounds.

I am getting the following error:

Invalid request provided: Resultant state of actions on this resource is not supported.

Valid states:
[
  "quicksight:DescribeDataSet",
  "quicksight:DescribeDataSetPermissions",
  "quicksight:PassDataSet",
  "quicksight:DescribeIngestion",
  "quicksight:ListIngestions"
]

or

[
  "quicksight:DescribeDataSet",
  "quicksight:DescribeDataSetPermissions",
  "quicksight:PassDataSet",
  "quicksight:DescribeIngestion",
  "quicksight:ListIngestions",
  "quicksight:UpdateDataSet",
  "quicksight:DeleteDataSet",
  "quicksight:CreateIngestion",
  "quicksight:CancelIngestion",
  "quicksight:UpdateDataSetPermissions"
]

I am attempting to create an "almost owner" permission, which is basically everything an owner can do, with the exception of being able to delete the datasets, as we want to manage them as code and I'd like to prevent accidental deletions.

These are the permissions when a group is set as an owner:

  quicksight:ListIngestions
  quicksight:DeleteDataSet
  quicksight:UpdateDataSetPermissions
  quicksight:CancelIngestion
  quicksight:DescribeDataSetPermissions
  quicksight:UpdateDataSet
  quicksight:DescribeDataSet
  quicksight:PassDataSet
  quicksight:DescribeIngestion
  quicksight:CreateIngestion

I am removing the quicksight:DeleteDataSet action:

  quicksight:ListIngestions
- quicksight:DeleteDataSet
  quicksight:UpdateDataSetPermissions
  quicksight:CancelIngestion
  quicksight:DescribeDataSetPermissions
  quicksight:UpdateDataSet
  quicksight:DescribeDataSet
  quicksight:PassDataSet
  quicksight:DescribeIngestion
  quicksight:CreateIngestion

And getting the error above.

I think it's a really weird limitation and it does not make sense to me as both the end user and as a devops professional.

Why wouldn't a user be able to refresh a data set, without being able to delete it?

m0ltar
Asked 1 year ago, 205 views
2 Answers
0
Accepted Answer

It appears that QuickSight is not using IAM actions as they were intended. And they have essentially grouped these actions into predetermined roles, which map to the types of users QS allows: admin and viewer. There is no way to provide more granularity at the moment.

Specifying an IAM action set that does not satisfy the actions that are expected from a role (aka "valid state") will result in the above error.

m0ltar
Answered 10 months ago
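
A pre-flight check for infrastructure-as-code pipelines, built from the two valid states quoted in the error message above. This is an added example, not code from the original posts or from AWS; the state labels `read` and `owner` and the function name are assumptions, and the check is purely local (it makes no API call).

```python
# Added example: both action sets are copied from the error message on this page.
READ_STATE = frozenset({
    "quicksight:DescribeDataSet",
    "quicksight:DescribeDataSetPermissions",
    "quicksight:PassDataSet",
    "quicksight:DescribeIngestion",
    "quicksight:ListIngestions",
})
OWNER_STATE = READ_STATE | frozenset({
    "quicksight:UpdateDataSet",
    "quicksight:DeleteDataSet",
    "quicksight:CreateIngestion",
    "quicksight:CancelIngestion",
    "quicksight:UpdateDataSetPermissions",
})
VALID_STATES = {"read": READ_STATE, "owner": OWNER_STATE}  # labels are hypothetical


def check_dataset_actions(requested):
    """Classify a requested action list against the valid states.

    match     - label of the valid state equal to the request, or None
    downgrade - (label, lost): largest valid state inside the request and
                the requested actions that would be dropped by using it
    upgrade   - (label, extra): smallest valid state containing the request
                and the actions that would be granted beyond the request
    """
    req = frozenset(requested)
    result = {"match": None, "downgrade": None, "upgrade": None}
    for label, state in VALID_STATES.items():
        if req == state:
            result["match"] = label
            return result
    subsets = [(l, s) for l, s in VALID_STATES.items() if s <= req]
    supersets = [(l, s) for l, s in VALID_STATES.items() if s >= req]
    if subsets:
        label, state = max(subsets, key=lambda p: len(p[1]))
        result["downgrade"] = (label, sorted(req - state))
    if supersets:
        label, state = min(supersets, key=lambda p: len(p[1]))
        result["upgrade"] = (label, sorted(state - req))
    return result


# Constructed input: the "almost owner" set from the question (owner minus delete).
ALMOST_OWNER = OWNER_STATE - {"quicksight:DeleteDataSet"}
```

For the "almost owner" set this reports no match, which makes the trade-off explicit before deployment: either drop to the read set and lose refresh and update rights, or accept the owner set and with it `quicksight:DeleteDataSet`.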
0

Hi m0ltar.

Are you using QuickSight Enterprise with SPICE data? If so, this might be related to QuickSight first deleting the data and appending new data for incremental refreshes as discussed in the documentation.

I hope this helps.

AWS
Expert
Answered 1 year ago
