aws-samples / aws-cudos-framework-deployment

Command Line Interface tool for Cloud Intelligence Dashboards deployment
https://catalog.workshops.aws/awscid
MIT No Attribution

DataTransfer Cost Analysis Dashboard - data_transfer_view permissions denied #705

Closed qmg-drettie closed 6 months ago

qmg-drettie commented 6 months ago

After running `cid-cmd deploy --dashboard-id datatransfer-cost-analysis-dashboard` as per the steps in the install guide, QuickSight is unable to perform an initial load of the dataset, with an error:

Error type:
PERMISSION_DENIED [Learn more](https://docs.aws.amazon.com/console/quicksight/errors)
User does not have permission to access the above project
Error details:

Insufficient permissions to execute the query. User: arn:aws:sts::123456789000:assumed-role/CidQuickSightDataSourceRole/QuickSight-RoleSession-1702742468509 is not authorized to perform: glue:GetPartition on resource: arn:aws:glue:eu-west-2:123456789000:catalog because no identity-based policy allows the glue:GetPartition action [Execution ID: 544ae0e7-2b96-4e8f-8698-f02b804d9165]

The AthenaAccess policy attached to the QuickSightDataSourceRole seems to be missing the glue:GetPartition action.

iakov-aws commented 6 months ago

Hi David, Thanks for raising this and proposing the fix. Checking.

iakov-aws commented 6 months ago

This makes sense. Not sure when QS uses glue:GetPartition vs glue:GetPartitions, so it makes sense to include both. Thanks for the contribution! Merged.
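
Added example, not part of the issue thread or the project's code: a simplified Python check that parses the denial message quoted above and tests whether an identity policy document allows the denied action, showing that `glue:GetPartitions` does not cover `glue:GetPartition`. The sample policies and all function names are constructed for illustration; `Condition`, `NotAction`/`NotResource` and other policy types (boundaries, SCPs) are not evaluated.

```python
import re

# Error text as quoted in the issue above (the account ID is the issue's placeholder).
ERROR = ("User: arn:aws:sts::123456789000:assumed-role/CidQuickSightDataSourceRole/"
         "QuickSight-RoleSession-1702742468509 is not authorized to perform: "
         "glue:GetPartition on resource: arn:aws:glue:eu-west-2:123456789000:catalog "
         "because no identity-based policy allows the glue:GetPartition action")

def sample_policy(actions):
    """Constructed identity policy; NOT the project's real AthenaAccess policy."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": actions,
         "Resource": "arn:aws:glue:eu-west-2:123456789000:*"}]}

BEFORE = sample_policy(["glue:GetPartitions", "glue:GetTable"])
AFTER = sample_policy(["glue:GetPartition", "glue:GetPartitions", "glue:GetTable"])

def parse_denial(message):
    """Extract role name, action and resource from an IAM 'not authorized' message."""
    m = re.search(r"User: arn:aws:sts::\d+:assumed-role/([^/]+)/\S+ is not authorized "
                  r"to perform: (\S+) on resource: (\S+)", message)
    if not m:
        raise ValueError("not an IAM authorization failure message")
    return {"role": m.group(1), "action": m.group(2), "resource": m.group(3)}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _glob(pattern, value, flags=0):
    """IAM-style wildcard match: '*' is any run of characters, '?' is one character."""
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value, flags) is not None

def allows(policy, action, resource):
    """True if an Allow statement covers action+resource and no Deny statement does."""
    allowed = False
    for st in _as_list(policy["Statement"]):
        if "Action" not in st or "Resource" not in st:
            continue  # NotAction / NotResource are out of scope for this check
        hit = (any(_glob(a, action, re.I) for a in _as_list(st["Action"]))  # actions: case-insensitive
               and any(_glob(r, resource) for r in _as_list(st["Resource"])))
        if hit and st["Effect"] == "Deny":
            return False  # explicit Deny always wins
        allowed = allowed or (hit and st["Effect"] == "Allow")
    return allowed

if __name__ == "__main__":
    d = parse_denial(ERROR)
    for name, pol in (("before", BEFORE), ("after", AFTER)):
        verdict = "allowed" if allows(pol, d["action"], d["resource"]) else "denied"
        print(f"{name}: {d['role']} {d['action']} -> {verdict}")
```
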