如何解決 Amazon QuickSight 中的 AWS 資源權限錯誤？

2 分的閱讀內容

當我嘗試編輯 AWS 資源的 Amazon QuickSight 權限時，出現錯誤。如何解決此問題？

簡短描述

當您編輯 Amazon QuickSight 權限時，可能會收到下列其中一個錯誤訊息：

"The role used by QuickSight for AWS resource access was modified to an un-recoverable state outside of QuickSight, so you can no longer edit AWS resource permissions in QuickSight."

"We were unable to update QuickSight permissions for AWS resources. Either you are not authorized to edit QuickSight permissions on AWS resources, or the QuickSight permissions were changed using the IAM console and are therefore no longer updateable through QuickSight."

"We cannot update the IAM Role"

"QuickSight has detected unknown policies attached to following roles please detach them and retry"

"Something went wrong For more information see Set IAM policy"

當您從 AWS Identity and Access Management (IAM) 主控台編輯 AWS 資源的 QuickSight 權限時，就會發生這些錯誤。

**注意：**最佳實務是使用 Amazon QuickSight 主控台 (而非 IAM 主控台) 編輯 AWS 資源的 QuickSight 權限。

解決方法

移除 aws-quicksight-service-role-v0 和 aws-quicksight-s3-consumers-role-v0 服務角色，這些是 QuickSight 與其他 AWS 服務互動時所承擔的服務角色。然後，移除 QuickSight 附加至 aws-quicksight-service-role-v0 和 aws-quicksight-s3-consumers-role-v0 服務角色的受管政策。最後，還原 QuickSight 對 AWS 服務的存取權。

**重要事項：**在開始之前，請確保您已備份 IAM 政策，然後再刪除它們。備份可協助您引用之前可存取的任何 Amazon Simple Storage Service (Amazon S3) 帳戶資源。

驗證 IAM QuickSight 和 IAM 權限，然後移除服務角色和政策

1. 按照說明檢視 QuickSight 使用者帳戶。確保您擁有具有管理員角色的使用者。

2. 開啟 IAM 主控台。

3. (選用) 如果尚未完成，請依照說明建立 IAM 使用者管理員。

4. 確保 IAM 政策允許您建立和刪除類似下列內容的 QuickSight 服務和角色：

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "iam:GetRole",
        "iam:DetachRolePolicy",
        "iam:DeleteRole",
        "iam:AttachRolePolicy",
        "iam:CreateRole"
      ],
      "Resource":[
         "arn:aws:iam::<Account-id>:role/service-role/aws-quicksight-service-role-v0"
         "arn:aws:iam::<Account-id>:role/service-role/aws-quicksight-s3-consumers-role-v0"
      ]
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": [
        "iam:ListPolicies",
        "iam:GetPolicyVersion",
        "iam:GetRole",
        "iam:GetPolicy",
        "iam:ListPolicyVersions",
        "iam:ListAttachedRolePolicies",
        "iam:GenerateServiceLastAccessedDetails",
        "iam:ListEntitiesForPolicy",
        "iam:ListPoliciesGrantingServiceAccess",
        "iam:ListRoles",
        "iam:GetServiceLastAccessedDetails",
        "iam:ListAccountAliases",
        "iam:ListRolePolicies",
        "s3:ListAllMyBuckets"
      ],
      "Resource": "*"
    },
    {
      "Sid": "VisualEditor2",
      "Effect": "Allow",
      "Action": [
        "iam:DeletePolicy",
        "iam:CreatePolicy",
        "iam:CreatePolicyVersion",
        "iam:DeletePolicyVersion"
      ],
      "Resource": [
        "arn:aws:iam::<Account-id>:policy/service-role/AWSQuickSightIAMPolicy",
        "arn:aws:iam::<Account-id>:policy/service-role/AWSQuickSightRDSPolicy",
        "arn:aws:iam::<Account-id>:policy/service-role/AWSQuickSightS3Policy",
        "arn:aws:iam::<Account-id>:policy/service-role/AWSQuickSightRedshiftPolicy"
        "arn:aws:iam::<Account-id>:policy/service-role/AWSQuickSightS3ConsumersPolicy"
      ]
    }
  ]
}

5. 在導覽窗格中，選擇角色。

6. 在角色搜尋窗格中，搜尋並刪除下列 IAM 角色：

aws-quicksight-service-role-v0 aws-quicksight-s3-consumers-role-v0

**注意：**當您在 QuickSight 中設定權限時，QuickSight 會自動建立這些服務角色。

7. 在導覽窗格中，選擇政策。

8. 在政策搜尋窗格中，搜尋並刪除下列客戶受管 IAM 政策：

AWSQuickSightRedshiftPolicy AWSQuickSightRDSPolicy AWSQuickSightIAMPolicy AWSQuickSightS3Policy AWSQuickSightS3ConsumersPolicy

**注意：**如果允許 QuickSight 存取 AWS 資源，則 QuickSight 會使用 AWS 受管政策。例如，它會使用 AWSQuicksightAthenaAccess 政策來控制對特定 AWS 資源的存取權。無法移除 AWS 受管政策。