I want to make sure that my Amazon Simple Storage Service (Amazon S3) bucket policy allows access from Amazon Quick Suite.
Short description
If your Amazon S3 bucket uses a Deny policy, then that policy overrides any S3 permissions that you specify in the Quick Suite console. To allow Quick Suite to access the S3 bucket, add the Amazon Quick Sight service role (aws-quicksight-service-role-v0) as an exception in your Deny policy.
Resolution
Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshooting errors for the AWS CLI. Also, make sure that you're using the most recent AWS CLI version.
Complete the following steps:
- Confirm that Quick Suite has permission to access the S3 bucket.
- To get the unique ID for the aws-quicksight-service-role-v0 role, run the get-role AWS CLI command:
aws iam get-role --role-name aws-quicksight-service-role-v0 --query 'Role.RoleId' --output json
Example output:
"AROAEXAMPLEID"
Note: You can also use the AWS Identity and Access Management (IAM) GetRole API call. The ID is unique to each Quick Suite account.
- (Optional) If you want to add an exception for an IAM user, then run the get-user AWS CLI command to find the user's unique ID:
aws iam get-user --user-name example-username
Note: Replace example-username with the IAM username.
- Open the Amazon S3 console.
- Select your S3 bucket.
- Choose the Permissions tab.
- Under Bucket Policy, choose Edit.
- Enter a bucket policy similar to the following example:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::examplebucketname",
                "arn:aws:s3:::examplebucketname/*"
            ],
            "Condition": {
                "StringNotLike": {
                    "aws:userid": [
                        "AROAEXAMPLEID:*",
                        "AIDAEXAMPLEUSERID"
                    ]
                }
            }
        }
    ]
}
Note: Replace examplebucketname with your S3 bucket name and AROAEXAMPLEID with your unique ID. To add an exception for an IAM user, replace AIDAEXAMPLEUSERID with the unique ID of the IAM user. The IAM user policy must also contain an Allow statement for the S3 bucket.
If you delete the Quick Sight service role and the IAM user, then you're locked out of the bucket. To resolve this issue, log in as the AWS account root user, and then use the delete-bucket-policy AWS CLI command to delete the bucket policy.
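The following Python script is an added example, not part of the original article or of any AWS tooling. It builds the Deny-with-exception bucket policy from the two unique IDs and evaluates the StringNotLike condition locally, so you can see why the role entry ends in ":*" (an assumed-role session's aws:userid is the role's unique ID followed by a colon and the session name) while the IAM user entry is matched exactly, and why a role that is deleted and recreated (which gets a fresh unique ID) no longer matches the exception. The IDs and bucket name are constructed placeholders; fetch the real values with the get-role and get-user commands above.

```python
import fnmatch
import json

# Constructed placeholder values (not real IAM unique IDs).
ROLE_UNIQUE_ID = "AROAEXAMPLEID"       # aws iam get-role --query 'Role.RoleId'
USER_UNIQUE_ID = "AIDAEXAMPLEUSERID"   # aws iam get-user  --query 'User.UserId'
BUCKET = "examplebucketname"


def build_policy(bucket, role_unique_id, user_unique_id=None):
    """Return the Deny-everyone-except bucket policy as a dict.

    An assumed-role session's aws:userid has the form "<RoleId>:<session-name>",
    so the role exception needs a trailing ":*". An IAM user's aws:userid is its
    bare UserId, so it is listed without a wildcard.
    """
    exceptions = [f"{role_unique_id}:*"]
    if user_unique_id:
        exceptions.append(user_unique_id)
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [
                    f"arn:aws:s3:::{bucket}",
                    f"arn:aws:s3:::{bucket}/*",
                ],
                "Condition": {"StringNotLike": {"aws:userid": exceptions}},
            }
        ],
    }


def is_denied(policy, aws_userid):
    """Local evaluation of the Deny statement for one aws:userid value.

    StringNotLike with a list of patterns is satisfied (and the Deny applies)
    only when the value matches NONE of the patterns. IAM's '*' and '?'
    wildcards are case-sensitive, so fnmatchcase is used here.
    """
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        patterns = stmt["Condition"]["StringNotLike"]["aws:userid"]
        if not any(fnmatch.fnmatchcase(aws_userid, p) for p in patterns):
            return True
    return False


def exempt_patterns(policy):
    """List the aws:userid patterns that are exempt from the Deny."""
    return [
        p
        for s in policy["Statement"]
        if s["Effect"] == "Deny"
        for p in s["Condition"]["StringNotLike"]["aws:userid"]
    ]


if __name__ == "__main__":
    policy = build_policy(BUCKET, ROLE_UNIQUE_ID, USER_UNIQUE_ID)
    print(json.dumps(policy, indent=4))
    # A Quick Suite session on the service role: exempt from the Deny.
    print(is_denied(policy, "AROAEXAMPLEID:quicksight-session"))
    # The IAM user listed as an exception: exempt.
    print(is_denied(policy, "AIDAEXAMPLEUSERID"))
    # A recreated role has a new unique ID and is denied like everyone else.
    print(is_denied(policy, "AROANEWROLEID:quicksight-session"))
```

Paste the printed JSON into the bucket policy editor after replacing the placeholders. The is_denied check is a local approximation of the single Deny statement; it does not model the rest of IAM evaluation (identity policies, SCPs, or the root user's ability to delete a bucket policy).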
Related information
How to restrict Amazon S3 bucket access to a specific IAM role