My QuickSight is configured with a custom IAM role, which QuickSight assumes every time it refreshes QuickSight datasets. Those datasets are connected to an Athena data source.

Before applying Lake Formation permissions, everything was working as expected. The QuickSight role was then granted all necessary permissions in Lake Formation. When I assume that role (aws sts) in a script, access works as expected and I can see the data, but in QuickSight dataset refreshes there is an ongoing exception:

[Simba][AthenaJDBC](100071) An error has been thrown from the AWS Athena client. Insufficient Lake Formation permission(s) on <table_name> (Service: AWSGlue; Status Code: 400; Error Code: AccessDeniedException; ...

In CloudTrail, when comparing the two approaches (GetTable event), the only difference is that in the assume-role approach it is invokedBy: athena.amazonaws.com, while from QS it is quicksight.amazonaws.com.

Also, from the QS CloudTrail event this is the only info I get:

 "errorCode": "AccessDenied",
 "errorMessage": "An unknown error occurred",
 "additionalEventData": {
        "LakeFormationTrustedCallerInvocation": "true"
  },

The QuickSight IAM role:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:PutBucketPublicAccessBlock",
                "s3:ListMultipartUploadParts",
                "s3:ListBucketMultipartUploads",
                "s3:ListBucket",
                "s3:GetObjectVersion",
                "s3:GetObject",
                "s3:GetBucketLocation",
                "s3:CreateBucket",
                "s3:AbortMultipartUpload"
            ],
            "Resource": [
                "arn:aws:s3:::<s3_bucket_results>/*",
                "arn:aws:s3:::<s3_bucket_results>"
            ]
        },
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": [
                "athena:StopQueryExecution",
                "athena:StartQueryExecution",
                "athena:RunQuery",
                "athena:ListWorkGroups",
                "athena:ListTableMetadata",
                "athena:ListQueryExecutions",
                "athena:ListEngineVersions",
                "athena:ListDatabases",
                "athena:ListDataCatalogs",
                "athena:GetWorkGroup",
                "athena:GetTables",
                "athena:GetTableMetadata",
                "athena:GetTable",
                "athena:GetQueryResultsStream",
                "athena:GetQueryResults",
                "athena:GetQueryExecutions",
                "athena:GetQueryExecution",
                "athena:GetNamespaces",
                "athena:GetNamespace",
                "athena:GetExecutionEngines",
                "athena:GetExecutionEngine",
                "athena:GetDatabase",
                "athena:GetDataCatalog",
                "athena:GetCatalogs",
                "athena:CancelQueryExecution",
                "athena:BatchGetQueryExecution"
            ],
            "Resource": "*"
        },
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": [
                "glue:UpdateTable",
                "glue:UpdatePartition",
                "glue:UpdateDatabase",
                "glue:GetTables",
                "glue:GetTable",
                "glue:GetPartitions",
                "glue:GetPartition",
                "glue:GetDatabases",
                "glue:GetDatabase",
                "glue:CreateTable",
                "glue:CreatePartition",
                "glue:CreateDatabase",
                "glue:BatchGetPartition",
                "glue:BatchCreatePartition"
            ],
            "Resource": "*"
        },
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": "lakeformation:*",
            "Resource": "*"
        },
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": "s3:ListAllMyBuckets",
            "Resource": "arn:aws:s3:::*"
        },
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetObjectVersion",
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::<s3_bucket>/*",
                "arn:aws:s3:::<s3_bucket>"
            ]
        }
    ]
}

Trust relationship for IAM role:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
                "Service": "quicksight.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

QuickSight is configured in eu-west-2. Lake Formation, S3, Glue and Athena are also configured in eu-west-2.

Also, I have tried to configure individual QuickSight users' access by adding their QuickSight ARNs in Lake Formation, following this AWS guide here. It works. But I cannot understand why this does not work with QuickSight's IAM role. Does anyone have any suggestions as to how to further debug or fix this?
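As an added example (not code from the post), this Python script compares two CloudTrail GetTable records the way the question does, picking out invokedBy, the error fields and the LakeFormationTrustedCallerInvocation flag, and filters the denials that Lake Formation itself decided. Both records are constructed samples; the account id, role name and session names are placeholders.

```python
# Added example (not from the post): summarize and diff two CloudTrail
# GetTable records the way the question compares them. Both records are
# constructed samples; the account id, role and session names are placeholders.
FIELDS = ["eventSource", "eventName", "userIdentity.type", "userIdentity.arn",
          "userIdentity.invokedBy", "requestParameters.databaseName",
          "requestParameters.name", "errorCode", "errorMessage",
          "additionalEventData.LakeFormationTrustedCallerInvocation"]
LF_FLAG = "additionalEventData.LakeFormationTrustedCallerInvocation"

ATHENA_EVENT = {  # call made via Athena after assuming the role in a script
    "eventSource": "glue.amazonaws.com", "eventName": "GetTable",
    "userIdentity": {
        "type": "AssumedRole",
        "arn": "arn:aws:sts::123456789012:assumed-role/quicksight-role/script",
        "invokedBy": "athena.amazonaws.com"},
    "requestParameters": {"databaseName": "analytics", "name": "<table_name>"},
}
QUICKSIGHT_EVENT = {  # same table, requested by a QuickSight dataset refresh
    "eventSource": "glue.amazonaws.com", "eventName": "GetTable",
    "userIdentity": {
        "type": "AssumedRole",
        "arn": "arn:aws:sts::123456789012:assumed-role/quicksight-role/quicksight",
        "invokedBy": "quicksight.amazonaws.com"},
    "requestParameters": {"databaseName": "analytics", "name": "<table_name>"},
    "errorCode": "AccessDenied", "errorMessage": "An unknown error occurred",
    "additionalEventData": {"LakeFormationTrustedCallerInvocation": "true"},
}

def get_path(record, path):
    """Walk a dotted path through nested dicts; None if any step is missing."""
    cur = record
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def diff_events(a, b):
    """Return only the summary fields whose values differ between two records."""
    return {p: (get_path(a, p), get_path(b, p))
            for p in FIELDS if get_path(a, p) != get_path(b, p)}

def lake_formation_denials(records):
    """Denials carrying the trusted-caller flag: the decision came from Lake
    Formation grants for the calling principal, so check those grants first."""
    return [r for r in records
            if get_path(r, "errorCode") == "AccessDenied"
            and get_path(r, LF_FLAG) == "true"]
```

Run `diff_events(ATHENA_EVENT, QUICKSIGHT_EVENT)` on real exported records (the field names match CloudTrail's JSON) to confirm that only the identity, invokedBy and error fields differ, as the question reports.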
