How do I allow Amazon QuickSight access to an S3 bucket with a deny policy?


I want to be sure that my Amazon Simple Storage Service (Amazon S3) bucket policy allows access from Amazon QuickSight.

Short description

If your Amazon S3 bucket policy contains an explicit Deny statement, that Deny takes precedence over every Allow, including the S3 permissions that you grant through the Amazon QuickSight console (Manage QuickSight, Security & permissions). To let Amazon QuickSight access the bucket, add the Amazon QuickSight service role (aws-quicksight-service-role-v0) as an exception to the Deny statement.

Resolution

1.    Confirm that Amazon QuickSight has been granted access to the S3 bucket in the QuickSight console (Manage QuickSight, Security & permissions, Amazon S3). The bucket policy exception in the following steps only stops the Deny from matching; it doesn't grant access by itself.

2.    Use the AWS Command Line Interface (AWS CLI) or the AWS Identity and Access Management (IAM) API to get the unique ID (RoleId) of the aws-quicksight-service-role-v0 role. The ID is unique to that role in your AWS account; if the role is deleted and recreated, it receives a new ID. For example:

aws iam get-role --role-name aws-quicksight-service-role-v0 --query 'Role.RoleId' --output json
"AROAEXAMPLEID"

Note: If you receive an error when you run AWS CLI commands, be sure that you use the most recent version of the AWS CLI.

3.    Open the Amazon S3 console.

4.    Choose the bucket that you want to access with Amazon QuickSight.

5.    Choose the Permissions view.

6.    Choose Bucket Policy.

7.    Enter a bucket policy similar to this example. Replace AROAEXAMPLEID with the unique ID of your Amazon QuickSight service role. Keep the trailing ":*" on that entry: the aws:userid of an assumed-role session has the form role-id:role-session-name, so a pattern without the wildcard never matches. To add an exception for an IAM user, replace AIDAEXAMPLEUSERID with the unique ID of the IAM user (aws iam get-user --user-name USERNAME --query 'User.UserId' --output text); an IAM user's aws:userid is just its ID, so no wildcard is needed there. The exception only prevents the Deny from matching: the IAM user's identity policy (and the service role's) must still contain an Allow statement for the S3 bucket. For example:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::examplebucketname",
        "arn:aws:s3:::examplebucketname/*"
      ],
      "Condition": {
        "StringNotLike": {
          "aws:userid": [
            "AROAEXAMPLEID:*",
            "AIDAEXAMPLEUSERID"
          ]
        }
      }
    }
  ]
}

This Deny statement applies to every principal ("Principal": "*"), including the root user and administrators in the account, and exempts only the Amazon QuickSight service role and the listed IAM user. Any other principal, including the identity that you use to apply the policy, loses access to the bucket, so add an exception for your administrative role or user if you need to keep that access.

Note: If you delete the Amazon QuickSight service role and the IAM user (or recreate them, which assigns new unique IDs), then no principal matches the exception and you're locked out of the bucket. To resolve this problem, sign in as the AWS account root user, which can always delete a bucket policy even when that policy denies it, and run aws s3api delete-bucket-policy --bucket examplebucketname.
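The following script is an added example for the procedure above; it is not part of the AWS article. It renders the bucket policy from real unique IDs, and before anything is applied it runs a local model of the single Deny statement against a few constructed callers, which shows why the role entry needs ":*", that the root user and every other principal are denied, and that a Deny that doesn't match is still not an Allow. The bucket name, the example IDs and the APPLY, BUCKET and USER_NAME environment variables are assumptions; the aws CLI calls in the guarded step are real commands but only run when APPLY=1.

```shell
#!/bin/sh
# Added example (not from the AWS article): build the Deny-with-exceptions bucket policy
# from unique IDs and check locally which callers the Deny would hit before applying it.
# Assumptions (hypothetical): the bucket name and IDs in the sample calls, and the
# APPLY / BUCKET / USER_NAME environment variables used by the guarded apply step.

# Render the bucket policy. An assumed-role session's aws:userid is "<role-id>:<session-name>",
# so the role entry gets a trailing ":*"; an IAM user's aws:userid is just its unique ID.
render_policy() {
  bucket="$1"; role_id="$2"; user_id="$3"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::$bucket",
        "arn:aws:s3:::$bucket/*"
      ],
      "Condition": {
        "StringNotLike": {
          "aws:userid": [
            "$role_id:*",
            "$user_id"
          ]
        }
      }
    }
  ]
}
EOF
}

# Local model of that single Deny statement. Prints "deny" when the statement matches the
# caller's aws:userid and "no-match" when one of the exception patterns matches it. IAM's
# StringNotLike wildcards (* and ?) are the same ones a shell case pattern implements, and
# both are case-sensitive, so the unquoted $pattern below reproduces the IAM check.
deny_matches() {
  userid="$1"; shift
  for pattern in "$@"; do
    case "$userid" in
      $pattern) echo "no-match"; return 0 ;;
    esac
  done
  echo "deny"
}

# Final decision for one request: an explicit deny always wins, and a Deny that doesn't
# match is not an allow; the caller still needs an Allow in its identity policy ($2 = yes/no).
decide() {
  userid="$1"; identity_allows="$2"; shift 2
  if [ "$(deny_matches "$userid" "$@")" = "deny" ]; then
    echo "DENY"
  elif [ "$identity_allows" = "yes" ]; then
    echo "ALLOW"
  else
    echo "DENY(implicit)"
  fi
}

# Constructed sample callers: the QuickSight role session, the listed IAM user, another
# role's session, and the root user, whose aws:userid is the 12-digit account ID.
ROLE_ID="AROAEXAMPLEID"; USER_ID="AIDAEXAMPLEUSERID"
for caller in "$ROLE_ID:QuickSightSession" "$USER_ID" "AROAOTHERROLEID:session" "123456789012"; do
  echo "$caller -> $(decide "$caller" yes "$ROLE_ID:*" "$USER_ID")"
done

# Guarded apply step: fetches the real IDs with the AWS CLI and writes the policy, APPLY=1 only.
if [ "${APPLY:-0}" = "1" ]; then
  real_role_id="$(aws iam get-role --role-name aws-quicksight-service-role-v0 --query 'Role.RoleId' --output text)"
  real_user_id="$(aws iam get-user --user-name "${USER_NAME:?set USER_NAME}" --query 'User.UserId' --output text)"
  render_policy "${BUCKET:?set BUCKET}" "$real_role_id" "$real_user_id" > bucket-policy.json
  aws s3api put-bucket-policy --bucket "$BUCKET" --policy file://bucket-policy.json
  aws s3api get-bucket-policy --bucket "$BUCKET" --query Policy --output text
fi
```

Run it without arguments to see the local decisions; run it as APPLY=1 BUCKET=examplebucketname USER_NAME=alice sh ./script.sh to apply the policy with the IDs from your account. The local model covers only this one statement and its string condition; it does not evaluate other bucket-policy statements, service control policies or permissions boundaries, which the real IAM evaluation also applies.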

Related information

How to restrict Amazon S3 bucket access to a specific IAM role

AWS OFFICIAL, updated 9 months ago