How do I resolve access and permission issues that occur when I connect my Amazon S3 bucket with Quick Sight?
I want to connect my Amazon Simple Storage Service (Amazon S3) buckets with Amazon Quick Sight. However, I encounter access, permissions, or data integration issues.
Short description
If you misconfigured your access policies or the manifest file, then you might encounter one of the following errors when you connect Quick Sight to an Amazon S3 data source:
- "S3_FILE_INACCESSIBLE – Couldn't connect to an S3 bucket"
- "S3_MANIFEST_ERROR – Couldn't connect to S3 data. Make sure that your S3 manifest file is valid"
- "Access denied when trying to access manifest file"
- "Insufficient permission to access the manifest file"
- "PERMISSION_DENIED – Access to the requested resources was denied by the data source"
- "Manifest file isn't found"
To resolve these errors, identify the root cause of the access issue. Check the Quick Sight permissions to Amazon S3, your AWS Identity and Access Management (IAM) role policies, your S3 bucket policies, and the manifest file configuration.
Resolution
Verify that you authorized Quick Sight to access your S3 buckets
Complete the following steps:
- Open the Quick Sight console.
- Select your profile icon, and then choose Manage account.
- Under Permissions, choose AWS resources.
- For Quick access to AWS services, choose Amazon S3.
- Choose Select S3 buckets, and then select the buckets that contain your data files and manifest files.
- Choose Save.
For more information about data source integrations, see Supported data sources.
Check the Quick Sight service role permissions
By default, Quick Sight uses the aws-quicksight-service-role-v0 service role to access Amazon S3. Alternatively, you can select an IAM role to manage access.
Confirm that the default role's permissions policy includes the AWSQuickSightS3Policy managed policy that allows access to the buckets where your data and manifest files are.
If you use a custom IAM role, then make sure that its role policy has at least the following permissions:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::your-bucket-name"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:GetObjectVersion"
      ],
      "Resource": "arn:aws:s3:::your-bucket-name/*"
    }
  ]
}
Note: Replace your-bucket-name with your bucket name.
For more information, see Run queries with Amazon S3 data sources.
Verify that the bucket policy allows access
Complete the following steps:
- Open the Amazon S3 console.
- Navigate to the bucket that contains your data, and then choose the Permissions tab.
- Under Bucket policy, confirm that there are no explicit Deny statements that block the Quick Sight service role or the IAM role that you use for Quick Sight.
- (Optional) To grant access across AWS accounts, choose Edit, and then enter a bucket policy that's similar to the following example:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowQuickSightAccess",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::QUICKSIGHT-ACCOUNT-ID:role/service-role/aws-quicksight-service-role-v0"
      },
      "Action": [
        "s3:GetObject",
        "s3:ListBucket",
        "s3:GetBucketLocation",
        "s3:GetObjectVersion"
      ],
      "Resource": [
        "arn:aws:s3:::your-bucket-name",
        "arn:aws:s3:::your-bucket-name/*"
      ]
    }
  ]
}
Note: Replace your-bucket-name with your bucket name. For more information, see Datasets using S3 files in another AWS account.
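As an added example (not AWS's own code), this Python sketch checks a role policy for the minimum permissions listed above and scans a bucket policy for explicit Deny statements that hit the Quick Sight role. The function names, the sample policies and the reports/q1.csv key are assumptions. Condition, NotAction, NotResource and NotPrincipal elements are not evaluated, so treat a hit as a statement to review.

```python
from fnmatch import fnmatchcase


def as_list(value):
    return value if isinstance(value, list) else [value]


def needed(bucket, key):
    """Minimum requests this page lists for a custom role, for one object key."""
    arn = "arn:aws:s3:::" + bucket
    return [("s3:ListBucket", arn), ("s3:GetObject", f"{arn}/{key}"),
            ("s3:GetObjectVersion", f"{arn}/{key}")]


def covers(stmt, action, resource):
    """True if the statement's Action and Resource patterns both match the request."""
    actions = [a.lower() for a in as_list(stmt.get("Action", []))]
    return (any(fnmatchcase(action.lower(), a) for a in actions)
            and any(fnmatchcase(resource, r) for r in as_list(stmt.get("Resource", []))))


def role_gaps(role_policy, bucket, key):
    """Required actions that no Allow statement in the role policy grants."""
    allows = [s for s in as_list(role_policy["Statement"]) if s.get("Effect") == "Allow"]
    return [a for a, r in needed(bucket, key) if not any(covers(s, a, r) for s in allows)]


def explicit_denies(bucket_policy, role_arn, bucket, key):
    """Sids of Deny statements that name the role (or *) and match a required request."""
    def applies(stmt):
        principal = stmt.get("Principal", {})
        names = ["*"] if principal == "*" else as_list(principal.get("AWS", []))
        return (stmt.get("Effect") == "Deny" and ("*" in names or role_arn in names)
                and any(covers(stmt, a, r) for a, r in needed(bucket, key)))
    return [s.get("Sid", "(no Sid)") for s in as_list(bucket_policy["Statement"]) if applies(s)]


# Constructed samples: a role policy without s3:ListBucket, a bucket policy with a Deny.
ROLE_ARN = "arn:aws:iam::QUICKSIGHT-ACCOUNT-ID:role/service-role/aws-quicksight-service-role-v0"
ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:GetObjectVersion"],
     "Resource": "arn:aws:s3:::your-bucket-name/*"}]}
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "DenyReports", "Effect": "Deny", "Principal": {"AWS": ROLE_ARN},
     "Action": "s3:Get*", "Resource": "arn:aws:s3:::your-bucket-name/reports/*"}]}

if __name__ == "__main__":
    print("missing:", role_gaps(ROLE_POLICY, "your-bucket-name", "reports/q1.csv"))
    print("denied by:", explicit_denies(BUCKET_POLICY, ROLE_ARN, "your-bucket-name", "reports/q1.csv"))
```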
Check your Amazon S3 manifest file configuration
Important: If you upload the manifest directly to Quick Sight instead of through an Amazon S3 URI, then you can't retrieve the file path later. If you correct the manifest file, then you must re-upload it.
Quick Sight uses a manifest file to locate and parse your Amazon S3 data.
To make sure that the file works as expected, take the following actions to validate the file settings:
- Make sure that the manifest file uses valid JSON and the correct format.
  Example file:
  {
    "fileLocations": [
      {
        "URIPrefixes": [
          "s3://your-bucket-name/your-prefix/"
        ]
      }
    ],
    "globalUploadSettings": {
      "format": "CSV",
      "delimiter": ",",
      "textqualifier": "'",
      "containsHeader": "true"
    }
  }
- Confirm that the Amazon S3 URIs in the manifest point to existing objects or prefixes.
- Make sure that Quick Sight has access to the bucket with the manifest file and data file that the manifest references.
- Make sure that the Amazon S3 URIs use the s3://bucket-name/key format and don't include the AWS Region.
- Verify that your file names with spaces or special characters are correctly URL-encoded in the manifest file.
- Confirm that all files that the manifest references use the same file format and have the same number and type of columns.
- Make sure that you use UTF-8 encoding.
  Note: You can't use UTF-8 with byte-order mark (BOM) in Quick Sight.
- (JSON files only) Make sure that you don't specify delimiter, textqualifier, or containsHeader parameters in globalUploadSettings.
If you use URIPrefixes, then make sure that the prefix path ends with a trailing slash (/). Also, make sure that the total number of files under all prefixes doesn't exceed the quota of 1,000 files. If you have more than 1,000 files, then consolidate them into fewer, larger files.
For more information about manifest file configuration, see Supported formats for Amazon S3 manifest files.
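The manifest checks above can be run offline before you upload the file. The following Python linter is an added example, not AWS code: the function name and sample manifests are assumptions, URIs is the manifest's other location key (not shown on this page), and the Region check is a heuristic that looks for an amazonaws.com host in the bucket position. It doesn't count objects or confirm that they exist.

```python
import json
import re

# s3://bucket-name/key with no whitespace (bucket naming rule simplified here).
S3_URI = re.compile(r"^s3://([a-z0-9][a-z0-9.-]+[a-z0-9])/(\S*)$")
CSV_ONLY_KEYS = ("delimiter", "textqualifier", "containsHeader")


def lint_manifest(raw: bytes) -> list:
    """Return the problems found in a manifest, checked against this page's rules."""
    if raw.startswith(b"\xef\xbb\xbf"):
        return ["file starts with a UTF-8 byte-order mark (BOM)"]
    try:
        manifest = json.loads(raw.decode("utf-8"))
    except ValueError as exc:  # UnicodeDecodeError and JSONDecodeError
        return [f"not valid UTF-8 JSON: {exc}"]
    if not isinstance(manifest, dict):
        return ["top level of the manifest must be a JSON object"]
    problems = []
    locations = manifest.get("fileLocations", [])
    uris = [u for loc in locations for u in loc.get("URIs", [])]
    prefixes = [p for loc in locations for p in loc.get("URIPrefixes", [])]
    if not uris and not prefixes:
        problems.append("fileLocations lists no URIs or URIPrefixes")
    for uri in uris + prefixes:
        match = S3_URI.match(uri)
        if not match:
            problems.append(f"{uri}: not s3://bucket-name/key (URL-encode spaces)")
        elif "amazonaws.com" in match.group(1):
            problems.append(f"{uri}: names a Region endpoint, use the bucket name only")
    problems += [f"{p}: URIPrefixes entry needs a trailing slash"
                 for p in prefixes if not p.endswith("/")]
    settings = manifest.get("globalUploadSettings", {})
    if str(settings.get("format", "")).upper() == "JSON":
        problems += [f"globalUploadSettings.{k} is not allowed for JSON files"
                     for k in CSV_ONLY_KEYS if k in settings]
    return problems


# Constructed samples: the page's example manifest and a broken variant of it.
GOOD = b'''{"fileLocations": [{"URIPrefixes": ["s3://your-bucket-name/your-prefix/"]}],
 "globalUploadSettings": {"format": "CSV", "delimiter": ",",
                          "textqualifier": "'", "containsHeader": "true"}}'''
BAD = b'''{"fileLocations": [{"URIs": ["s3://your-bucket-name/my file.json"],
                     "URIPrefixes": ["s3://your-bucket-name/your-prefix"]}],
 "globalUploadSettings": {"format": "JSON", "containsHeader": "true"}}'''

if __name__ == "__main__":
    print("GOOD:", lint_manifest(GOOD), "BAD:", lint_manifest(BAD))
```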
Resolve the "Manifest file isn't found" error
If you receive the "Manifest file isn't found" error message, then take the following actions:
- Confirm that the manifest file exists in the S3 bucket that the manifest references.
- Make sure that Quick Sight has s3:GetObject permission for the manifest file, not only for the data files.
- If you use a manifest URL, then confirm that the URL uses the correct format.
Example URL:
s3://bucket-name/path/to/manifest.json
(Encrypted Amazon S3 data only) Grant AWS KMS decrypt permissions
Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshooting errors for the AWS CLI. Also, make sure that you're using the most recent AWS CLI version.
If you encrypt your files with an AWS Key Management Service (AWS KMS) key, then provide decrypt permissions to the Quick Sight IAM role.
To update the permissions, run the following create-grant AWS CLI command:
aws kms create-grant --key-id your-kms-key-arn \
    --grantee-principal arn:aws:iam::AWS-ACCOUNT-ID:role/service-role/aws-quicksight-service-role-v0 \
    --operations Decrypt
Note: Replace your-kms-key-arn with your key's Amazon Resource Name (ARN).
Troubleshoot further issues
If you validated your IAM policies and permissions and the manifest file, but still encounter issues, then take the following actions based on your issue.
You use different Regions and encounter issues
Quick Sight can access Amazon S3 files in any Region. If you use different Regions between your S3 bucket and Quick Sight account, then confirm that the bucket's URI identifies the Region. If you use the correct URI and still encounter issues, then change your configuration so that the bucket and account are in the same Region.
There are issues with your Athena integration
If you use Amazon Athena to query Amazon S3 data, then make sure that the Quick Sight role has the required permissions. The role must have athena:getWorkGroup permissions for the source data bucket and Athena query output bucket. For more information, see Insufficient permissions when using Athena with Amazon Quick Sight.
There are Lake Formation issues
If you use AWS Lake Formation, then make sure that the Quick Sight service role has the required data lake permissions and also Amazon S3 permissions. For more information, see Using AWS Lake Formation with Amazon Quick.
There are snapshot job issues
To use snapshot export jobs that write to Amazon S3, make sure that the Quick Sight role has s3:PutObject permissions on the destination bucket.
The Security & permissions page doesn't load
If you can't access the Security & permissions page in Quick Sight, then confirm that your IAM user or role has admin permissions. Only Quick Sight administrators can update these settings.
AWS OFFICIAL | Updated 7 months ago