
How do I troubleshoot AWS resource permission errors in Amazon QuickSight?


I tried to edit QuickSight permissions for AWS resources, but I received an error.

Short description

When you edit Amazon QuickSight permissions, you might receive one of the following errors:

  • "The role used by QuickSight for AWS resource access was modified to an un-recoverable state outside of QuickSight, so you can no longer edit AWS resource permissions in QuickSight."
  • "We were unable to update QuickSight permissions for AWS resources.Either you are not authorized to edit QuickSight permissions on AWS resources, or the QuickSight permissions were changed using the IAM console and are therefore no longer updateable through QuickSight."
  • "We cannot update the IAM Role"
  • "QuickSight has detected unknown policies attached to following roles please detach them and retry"
  • "Something went wrong For more information see Set IAM policy"

These errors occur when you edit QuickSight permissions for AWS resources from the AWS Identity and Access Management (IAM) console rather than from QuickSight. QuickSight owns the service roles and policies it creates, and it stops managing them once they are changed out from under it.

**Note:** It's a best practice to edit QuickSight permissions for AWS resources from the Amazon QuickSight console, not the IAM console.

Resolution

Delete the aws-quicksight-service-role-v0 and aws-quicksight-s3-consumers-role-v0 service roles that QuickSight assumes when it interacts with other AWS services. Then, delete the managed policies that QuickSight attached to those roles. Finally, restore QuickSight access to your AWS services from the QuickSight console so that QuickSight recreates the roles and policies itself.

**Important:** Before you begin, back up your IAM policies before you delete them. The backup lets you review which Amazon Simple Storage Service (Amazon S3) resources in the account QuickSight previously had access to, so that you can restore the same scope later.

Verify your QuickSight and IAM permissions, then delete the service roles and policies

  1. Follow the instructions to view your QuickSight user accounts. Make sure that your user has the ADMIN role.

  2. Open the IAM console.

  3. (Optional) If you haven't created an IAM administrator user, then follow the instructions to create one.

  4. Make sure that the IAM policy attached to your identity allows you to create and delete the QuickSight service roles and policies. The following policy is scoped to exactly those role and policy ARNs; replace <Account-id> with your account ID:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "VisualEditor0",
          "Effect": "Allow",
          "Action": [
            "iam:GetRole",
            "iam:DetachRolePolicy",
            "iam:DeleteRole",
            "iam:AttachRolePolicy",
            "iam:CreateRole"
          ],
          "Resource": [
            "arn:aws:iam::<Account-id>:role/service-role/aws-quicksight-service-role-v0",
            "arn:aws:iam::<Account-id>:role/service-role/aws-quicksight-s3-consumers-role-v0"
          ]
        },
        {
          "Sid": "VisualEditor1",
          "Effect": "Allow",
          "Action": [
            "iam:ListPolicies",
            "iam:GetPolicyVersion",
            "iam:GetRole",
            "iam:GetPolicy",
            "iam:ListPolicyVersions",
            "iam:ListAttachedRolePolicies",
            "iam:GenerateServiceLastAccessedDetails",
            "iam:ListEntitiesForPolicy",
            "iam:ListPoliciesGrantingServiceAccess",
            "iam:ListRoles",
            "iam:GetServiceLastAccessedDetails",
            "iam:ListAccountAliases",
            "iam:ListRolePolicies",
            "s3:ListAllMyBuckets"
          ],
          "Resource": "*"
        },
        {
          "Sid": "VisualEditor2",
          "Effect": "Allow",
          "Action": [
            "iam:DeletePolicy",
            "iam:CreatePolicy",
            "iam:CreatePolicyVersion",
            "iam:DeletePolicyVersion"
          ],
          "Resource": [
            "arn:aws:iam::<Account-id>:policy/service-role/AWSQuickSightIAMPolicy",
            "arn:aws:iam::<Account-id>:policy/service-role/AWSQuickSightRDSPolicy",
            "arn:aws:iam::<Account-id>:policy/service-role/AWSQuickSightS3Policy",
            "arn:aws:iam::<Account-id>:policy/service-role/AWSQuickSightRedshiftPolicy",
            "arn:aws:iam::<Account-id>:policy/service-role/AWSQuickSightS3ConsumersPolicy"
          ]
        }
      ]
    }
  5. In the navigation pane, choose Roles.

  6. In the role search pane, search for and delete the following IAM roles:
    aws-quicksight-service-role-v0
    aws-quicksight-s3-consumers-role-v0
    **Note:** QuickSight creates these service roles automatically when you set permissions in QuickSight.

  7. In the navigation pane, choose Policies.

  8. In the policy search pane, search for and delete the following customer managed IAM policies:
    AWSQuickSightRedshiftPolicy
    AWSQuickSightRDSPolicy
    AWSQuickSightIAMPolicy
    AWSQuickSightS3Policy
    AWSQuickSightS3ConsumersPolicy

**Note:** When you allow QuickSight to access AWS resources, QuickSight also uses AWS managed policies. For example, it uses the AWSQuicksightAthenaAccess policy to control access to specific AWS resources. AWS managed policies can't be deleted, so you will not find them in the list of customer managed policies above.
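The following script is an added example for steps 1 through 8 of this procedure; it is not AWS tooling and does not come from this article. It uses boto3 to take the backup that the Important note above asks for, writes that backup to disk before the first delete, and then detaches and deletes the two service roles and the five customer managed policies named in steps 6 and 8. It only calls the IAM actions granted by the step 4 policy, plus sts:GetCallerIdentity to look up the account ID (an assumption; pass the account ID yourself if your identity lacks it). Two IAM behaviours it handles explicitly: a role cannot be deleted while managed policies are still attached, and a customer managed policy cannot be deleted while non-default versions exist (which is why the step 4 policy includes iam:DeletePolicyVersion). Roles or policies that are already missing, the usual situation after the roles were edited outside QuickSight, are skipped rather than treated as errors. The backup file name and the client-as-parameter structure are assumptions made for the example.

```python
"""Back up, then delete, the QuickSight service roles and customer managed policies.

Added example for this article, not AWS tooling. It assumes boto3 credentials in the
environment, the role and policy names from the article, and a writable backup path.
"""
import json
from datetime import datetime, timezone

ROLES = ["aws-quicksight-service-role-v0", "aws-quicksight-s3-consumers-role-v0"]
POLICIES = ["AWSQuickSightRedshiftPolicy", "AWSQuickSightRDSPolicy", "AWSQuickSightIAMPolicy",
            "AWSQuickSightS3Policy", "AWSQuickSightS3ConsumersPolicy"]


def policy_arn(account_id, name):
    return f"arn:aws:iam::{account_id}:policy/service-role/{name}"


def _missing(exc):
    """True for IAM's NoSuchEntity error (botocore's ClientError carries the code in .response)."""
    return getattr(exc, "response", {}).get("Error", {}).get("Code") == "NoSuchEntity"


def backup_role(iam, role_name):
    """Trust policy plus attached policy ARNs, or None when the role is already gone."""
    try:
        role = iam.get_role(RoleName=role_name)["Role"]
    except Exception as exc:
        if _missing(exc):
            return None
        raise
    attached = iam.list_attached_role_policies(RoleName=role_name)["AttachedPolicies"]
    return {"RoleName": role_name, "TrustPolicy": role["AssumeRolePolicyDocument"],
            "AttachedPolicyArns": [p["PolicyArn"] for p in attached]}


def backup_policy(iam, arn):
    """Default-version document of a customer managed policy, or None when it does not exist."""
    try:
        default_version = iam.get_policy(PolicyArn=arn)["Policy"]["DefaultVersionId"]
    except Exception as exc:
        if _missing(exc):
            return None
        raise
    version = iam.get_policy_version(PolicyArn=arn, VersionId=default_version)
    return version["PolicyVersion"]["Document"]


def delete_role(iam, role_name):
    """Detach every managed policy first: IAM refuses to delete a role that still has attachments."""
    attached = iam.list_attached_role_policies(RoleName=role_name)["AttachedPolicies"]
    for policy in attached:
        iam.detach_role_policy(RoleName=role_name, PolicyArn=policy["PolicyArn"])
    iam.delete_role(RoleName=role_name)
    return len(attached)


def delete_policy(iam, arn):
    """Delete non-default versions first: DeletePolicy fails while any other version exists."""
    removed = 0
    for version in iam.list_policy_versions(PolicyArn=arn)["Versions"]:
        if not version["IsDefaultVersion"]:
            iam.delete_policy_version(PolicyArn=arn, VersionId=version["VersionId"])
            removed += 1
    iam.delete_policy(PolicyArn=arn)
    return removed


def cleanup(iam, account_id, backup_path):
    """Write the backup to disk, then remove roles and policies; returns a summary of what was removed."""
    backup = {"TakenAt": datetime.now(timezone.utc).isoformat(), "Roles": [], "Policies": {}}
    for role_name in ROLES:
        role_backup = backup_role(iam, role_name)
        if role_backup is not None:
            backup["Roles"].append(role_backup)
    for arn in (policy_arn(account_id, name) for name in POLICIES):
        document = backup_policy(iam, arn)
        if document is not None:
            backup["Policies"][arn] = document
    with open(backup_path, "w", encoding="utf-8") as fh:
        json.dump(backup, fh, indent=2)  # nothing is deleted until this file is on disk
    for role_backup in backup["Roles"]:
        delete_role(iam, role_backup["RoleName"])
    for arn in backup["Policies"]:
        delete_policy(iam, arn)
    return {"backup": backup_path,
            "roles": [r["RoleName"] for r in backup["Roles"]],
            "policies": sorted(backup["Policies"])}


if __name__ == "__main__":
    import boto3  # needed only for a real run; the functions above accept any IAM-like client

    account = boto3.client("sts").get_caller_identity()["Account"]  # assumes sts:GetCallerIdentity
    print(json.dumps(cleanup(boto3.client("iam"), account, "quicksight-iam-backup.json"), indent=2))
```

Run it as the principal that carries the step 4 policy, keep the quicksight-iam-backup.json file it writes, and then continue with the Restore QuickSight access steps in the QuickSight console. Because the functions accept any client object with the boto3 IAM method names, you can exercise them against a stub before pointing them at a real account.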

Restore QuickSight access to AWS services

  1. Open the Amazon QuickSight console.
  2. On the navigation bar, choose the user name drop-down list, and then choose Manage QuickSight.
  3. In the navigation pane, choose Security & permissions.
  4. Under QuickSight access to AWS services, choose Manage.
  5. Under Allow access and autodiscovery for these resources, select the AWS services that you want to restore.
  6. Choose Save.

For more information about configuring access for QuickSight in other AWS services, see Accessing data sources.

Related information

IAM policy examples for Amazon QuickSight

AWS managed policies for Amazon QuickSight

AWS OFFICIAL. Updated 9 months ago.