How do I resolve the "AccessDeniedException" error when I use the create-group AWS CLI command to create QuickSight groups?

2 minute read

I used the AWS Command Line Interface (AWS CLI) command create-group to create Amazon QuickSight groups but I received an "AccessDeniedExeption" error.

Short description

The following error might occur when you use the AD Connector to sign in to Amazon QuickSight: "An error occurred (AccessDeniedException) when calling the CreateGroup operation: Group operations are not enabled for this account."

QuickSight manages only the identities that are created and maintained in QuickSight. If AD Connector is set up, then AWS Directory Service for Microsoft Active Directory (AWS Managed Microsoft AD) groups are used.

The AWS Managed Microsoft AD groups are used to map users to admin, author, and reader roles. You can't use the create-group AWS CLI command to create QuickSight managed groups when you manage users through AWS Managed Microsoft AD.

Note: If you receive errors when you run AWS CLI commands, then see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.


Use AWS Managed Microsoft AD to create groups

You can create at least three groups after you establish your Active Directory:

  • Amazon QuickSight admins
  • Amazon QuickSight authors
  • Amazon QuickSight readers

Note: Only the Enterprise edition of QuickSight supports AD Connector and AWS Managed Microsoft AD. For more information, see Best practices for AWS Managed Microsoft AD.

Use the AWS CLI Command to create groups

To use the AWS CLI to create and manage QuickSight groups, you must first unsubscribe from QuickSight. Then, re-subscribe and change how you connect to QuickSight to use AWS Identity and Access Management (IAM) identities and QuickSight managed users. For more information, see Identity and access management in Amazon QuickSight.

Note: Unsubscribing deletes all QuickSight users, data, and assets.

Related information

Creating and managing groups using the Amazon QuickSight console

Can I use AWS Managed Microsoft AD to authenticate users in QuickSight?

AWS OFFICIALUpdated 2 months ago
No comments

Relevant content