# Troubleshooting Amazon Quick Sight
<a name="troubleshooting"></a>

 Use this information to help you diagnose and fix common issues that you can encounter when using Amazon Quick Sight. 

**Note**  
 Need more help? You can visit the Amazon Quick Sight [User Community](https://answers.quicksight.aws.amazon.com/sn/index.html) or the [AWS forums](https://forums.aws.amazon.com). See also the [Quick Sight Resource Library](https://aws.amazon.com/quicksight/resource-library/). 

**Topics**
+ [

## Resolving Amazon Quick Sight issues and error messages
](#quicksight-errors)
+ [

# Connectivity issues when using Amazon Athena with Amazon Quick Sight
](troubleshoot-athena.md)
+ [

# Data source connectivity issues for Amazon Quick Sight
](troubleshoot-connect-to-datasources.md)
+ [

# Login issues with Quick Sight
](troubleshoot-login.md)
+ [

# Visual issues with Quick Sight
](visual-issues.md)

## Resolving Amazon Quick Sight issues and error messages
<a name="quicksight-errors"></a>

If you are having difficulties or receiving an error message, there's a few ways that you can go about resolving the issue. Following are some resources that can help:
+ For errors during dataset ingestion (importing data), see [SPICE ingestion error codes](errors-spice-ingestion.md).
+ For technical user questions, visit the [User Community](https://answers.quicksight.aws.amazon.com/sn/index.html).
+ For administrator questions, see the [AWS forums](https://forums.aws.amazon.com). 
+ If you need more customized assistance, contact AWS Support. To do this while you are signed in to your AWS account, choose **Support** at upper right, and then choose **Support Center**.

# Connectivity issues when using Amazon Athena with Amazon Quick Sight
<a name="troubleshoot-athena"></a>

Following, you can find information about troubleshooting issues that you might encounter when using Amazon Athena with Amazon Quick Sight.

Before you try troubleshooting anything else for Athena, make sure that you can connect to Athena. For information about troubleshooting Athena connection issues, see [I can't connect to Amazon Athena](troubleshoot-connect-athena.md). 

If you can connect but have other issues, it can be useful to run your query in the Athena console ([https://console.aws.amazon.com/athena/](https://console.aws.amazon.com/athena/home)) before adding your query to Amazon Quick Sight. For additional troubleshooting information, see [Troubleshooting](https://docs.aws.amazon.com/athena/latest/ug/troubleshooting.html) in the *Athena User Guide*.

**Topics**
+ [

# Column not found when using Athena with Amazon Quick Sight
](troubleshoot-athena-column-not-found.md)
+ [

# Invalid data when using Athena with Amazon Quick Sight
](troubleshoot-athena-invalid-data.md)
+ [

# Query timeout when using Athena with Amazon Quick Sight
](troubleshoot-athena-query-timeout.md)
+ [

# Staging bucket no longer exists when using Athena with Amazon Quick Sight
](troubleshoot-athena-missing-bucket.md)
+ [

# Table incompatible when using AWS Glue with Athena in Amazon Quick Sight
](troubleshoot-athena-glue-table-not-upgraded.md)
+ [

# Table not found when using Athena with Amazon Quick Sight
](troubleshoot-athena-table-not-found.md)
+ [

# Workgroup and output errors when using Athena with Quick Sight
](troubleshoot-athena-workgroup.md)

# Column not found when using Athena with Amazon Quick Sight
<a name="troubleshoot-athena-column-not-found"></a>

You can receive a "`column not found`" error if the columns in an analysis are missing from the Athena data source. 

In Amazon Quick Sight, open your analysis. On the **Visualize** tab, choose **Choose dataset**, **Edit analysis data sets**. 

On the **Data sets in this analysis** screen, choose **Edit** near your dataset to refresh the dataset. Amazon Quick Sight caches the schema for two minutes. So it can take two minutes before the latest changes display. 

To investigate how the column was lost in the first place, you can go to the Athena console ([https://console.aws.amazon.com/athena/](https://console.aws.amazon.com/athena/home)) and check the query history to find queries that edited the table.

If this error happened when you were editing a custom SQL query in preview, verify that the name of the column in the query, and check for any other syntax errors. For example, check that the column name isn't enclosed in single quotation marks, which are reserved for strings.

If you still have the issue, verify that your tables, columns, and queries comply with Athena requirements. For more information, see [Names for Tables, Databases, and Columns](https://docs.aws.amazon.com/athena/latest/ug/tables-databases-columns-names.html) and [Troubleshooting](https://docs.aws.amazon.com/athena/latest/ug/troubleshooting.html) in the *Athena User Guide*.

# Invalid data when using Athena with Amazon Quick Sight
<a name="troubleshoot-athena-invalid-data"></a>

An invalid data error can occur when you use any operator or function in a calculated field. To address this, verify that the data in the table is consistent with the format that you supplied to the function.

For example, suppose that you are using the function `parseDate(expression, [‘format’], [‘time_zone’])` as **parseDate(date\$1column, ‘MM/dd/yyyy’)**. In this case, all values in `date_column` must conform to `'MM/dd/yyyy'` format (`’05/12/2016’`). Any value that isn't in this format (**‘2016/12/05’**) can cause an error.

# Query timeout when using Athena with Amazon Quick Sight
<a name="troubleshoot-athena-query-timeout"></a>

If your query times out, you can try these options to resolve your problem.

If the failure was generated while working on an analysis, remember that the Amazon Quick Sight timeout for generating any visual is two minutes. If you're using a custom SQL query, you can simplify your query to optimize running time. 

If you are in direct query mode (not using SPICE), you can try importing your data to SPICE. However, if your query exceeds the Athena 30-minute timeout, you might get another timeout while importing data into SPICE. For the most current information on Athena limits, see [Amazon Athena Limits](https://docs.aws.amazon.com/general/latest/gr/aws_service_limits.html#amazon-athena-limits) in the *AWS General Reference*.

# Staging bucket no longer exists when using Athena with Amazon Quick Sight
<a name="troubleshoot-athena-missing-bucket"></a>

Use this section to help solve this error: "**The staging bucket for this query result no longer exists in the underlying data source.**"

 When you create a dataset using Athena, Amazon Quick Sight creates an Amazon S3 bucket. By default, this bucket has a name similar to "`aws-athena-query-results-<REGION>-<ACCOUNTID>`". If you remove this bucket, then your next Athena query might fail with an error saying the staging bucket no longer exists. 

 To fix this error, create a new bucket with the same name in the correct AWS Region. 

# Table incompatible when using AWS Glue with Athena in Amazon Quick Sight
<a name="troubleshoot-athena-glue-table-not-upgraded"></a>

If you are getting errors when using AWS Glue tables in Athena with Amazon Quick Sight, it might be because you're missing some metadata. Follow these steps to find out if your tables don't have the `TableType` attribute that Amazon Quick Sight needs for the Athena connector to work. Usually, the metadata for these tables wasn't migrated to the AWS Glue Data Catalog. For more information, see [Upgrading to the AWS Glue Data Catalog Step-by-Step](https://docs.aws.amazon.com/athena/latest/ug/glue-upgrade.html) in the* AWS Glue Developer Guide.*

If you don't want to migrate to the AWS Glue Data Catalog at this time, you have two options. You can recreate each AWS Glue table through the AWS Glue Management Console. Or you can use the AWS CLI scripts listed in the following procedure to identify and update tables with missing `TableType` attributes.

If you prefer to use the CLI to do this, use the following procedure to help you design your scripts.

**To use the CLI to design scripts**

1. Use the CLI to learn which AWS Glue tables have no `TableType` attributes.

   ```
   aws glue get-tables --database-name <your_datebase_name>;
   ```

   For example, you can run the following command in the CLI.

   ```
   aws glue get-table --database-name "test_database" --name "table_missing_table_type"
   ```

   Following is a sample of what the output looks like. You can see that the table `"table_missing_table_type"` doesn't have the `TableType` attribute declared.

   ```
   {
   		"TableList": [
   			{
   				"Retention": 0,
   				"UpdateTime": 1522368588.0,
   				"PartitionKeys": [
   					{
   						"Name": "year",
   						"Type": "string"
   					},
   					{
   						"Name": "month",
   						"Type": "string"
   					},
   					{
   						"Name": "day",
   						"Type": "string"
   					}
   				],
   				"LastAccessTime": 1513804142.0,
   				"Owner": "owner",
   				"Name": "table_missing_table_type",
   				"Parameters": {
   					"delimiter": ",",
   					"compressionType": "none",
   					"skip.header.line.count": "1",
   					"sizeKey": "75",
   					"averageRecordSize": "7",
   					"classification": "csv",
   					"objectCount": "1",
   					"typeOfData": "file",
   					"CrawlerSchemaDeserializerVersion": "1.0",
   					"CrawlerSchemaSerializerVersion": "1.0",
   					"UPDATED_BY_CRAWLER": "crawl_date_table",
   					"recordCount": "9",
   					"columnsOrdered": "true"
   				},
   				"StorageDescriptor": {
   					"OutputFormat": "org.apache.hadoop.hive.ql.io.HiveIgnoreKeyTextOutputFormat",
   					"SortColumns": [],
   					"StoredAsSubDirectories": false,
   					"Columns": [
   						{
   							"Name": "col1",
   							"Type": "string"
   						},
   						{
   							"Name": "col2",
   							"Type": "bigint"
   						}
   					],
   					"Location": "s3://myAthenatest/test_dataset/",
   					"NumberOfBuckets": -1,
   					"Parameters": {
   						"delimiter": ",",
   						"compressionType": "none",
   						"skip.header.line.count": "1",
   						"columnsOrdered": "true",
   						"sizeKey": "75",
   						"averageRecordSize": "7",
   						"classification": "csv",
   						"objectCount": "1",
   						"typeOfData": "file",
   						"CrawlerSchemaDeserializerVersion": "1.0",
   						"CrawlerSchemaSerializerVersion": "1.0",
   						"UPDATED_BY_CRAWLER": "crawl_date_table",
   						"recordCount": "9"
   					},
   					"Compressed": false,
   					"BucketColumns": [],
   					"InputFormat": "org.apache.hadoop.mapred.TextInputFormat",
   					"SerdeInfo": {
   						"Parameters": {
   						"field.delim": ","
   						},
   						"SerializationLibrary": "org.apache.hadoop.hive.serde2.lazy.LazySimpleSerDe"
   					}
   				}
   			}
   		]
   	}
   ```

1. Edit the table definition in your editor to add `"TableType": "EXTERNAL_TABLE"` to the table definition, as shown in the following example.

   ```
   {
   	"Table": {
   		"Retention": 0,
   		"TableType": "EXTERNAL_TABLE",
   		"PartitionKeys": [
   			{
   				"Name": "year",
   				"Type": "string"
   			},
   			{
   				"Name": "month",
   				"Type": "string"
   			},
   			{
   				"Name": "day",
   				"Type": "string"
   			}
   		],
   		"UpdateTime": 1522368588.0,
   		"Name": "table_missing_table_type",
   		"StorageDescriptor": {
   			"BucketColumns": [],
   			"SortColumns": [],
   			"StoredAsSubDirectories": false,
   			"OutputFormat": "org.apache.hadoop.hive.ql.io.HiveIgnoreKeyTextOutputFormat",
   			"SerdeInfo": {
   				"SerializationLibrary": "org.apache.hadoop.hive.serde2.lazy.LazySimpleSerDe",
   				"Parameters": {
   					"field.delim": ","
   				}
   			},
   			"Parameters": {
   				"classification": "csv",
   				"CrawlerSchemaSerializerVersion": "1.0",
   				"UPDATED_BY_CRAWLER": "crawl_date_table",
   				"columnsOrdered": "true",
   				"averageRecordSize": "7",
   				"objectCount": "1",
   				"sizeKey": "75",
   				"delimiter": ",",
   				"compressionType": "none",
   				"recordCount": "9",
   				"CrawlerSchemaDeserializerVersion": "1.0",
   				"typeOfData": "file",
   				"skip.header.line.count": "1"
   			},
   			"Columns": [
   				{
   					"Name": "col1",
   					"Type": "string"
   				},
   				{
   					"Name": "col2",
   					"Type": "bigint"
   				}
   			],
   			"Compressed": false,
   			"InputFormat": "org.apache.hadoop.mapred.TextInputFormat",
   			"NumberOfBuckets": -1,
   			"Location": "s3://myAthenatest/test_date_part/"
   		},
   		"Owner": "owner",
   		"Parameters": {
   			"classification": "csv",
   			"CrawlerSchemaSerializerVersion": "1.0",
   			"UPDATED_BY_CRAWLER": "crawl_date_table",
   			"columnsOrdered": "true",
   			"averageRecordSize": "7",
   			"objectCount": "1",
   			"sizeKey": "75",
   			"delimiter": ",",
   			"compressionType": "none",
   			"recordCount": "9",
   			"CrawlerSchemaDeserializerVersion": "1.0",
   			"typeOfData": "file",
   			"skip.header.line.count": "1"
   		},
   		"LastAccessTime": 1513804142.0
   	}
   	}
   ```

1. You can adapt the following script to update the table input, so that it includes the `TableType` attribute.

   ```
   aws glue update-table --database-name <your_datebase_name> --table-input <updated_table_input>
   ```

   The following shows an example. 

   ```
   aws glue update-table --database-name test_database --table-input '
   	{
   			"Retention": 0,
   			"TableType": "EXTERNAL_TABLE",
   			"PartitionKeys": [
   				{
   					"Name": "year",
   					"Type": "string"
   				},
   				{
   					"Name": "month",
   					"Type": "string"
   				},
   				{
   					"Name": "day",
   					"Type": "string"
   				}
   			],
   			"Name": "table_missing_table_type",
   			"StorageDescriptor": {
   				"BucketColumns": [],
   				"SortColumns": [],
   				"StoredAsSubDirectories": false,
   				"OutputFormat": "org.apache.hadoop.hive.ql.io.HiveIgnoreKeyTextOutputFormat",
   				"SerdeInfo": {
   					"SerializationLibrary": "org.apache.hadoop.hive.serde2.lazy.LazySimpleSerDe",
   					"Parameters": {
   						"field.delim": ","
   					}
   				},
   				"Parameters": {
   					"classification": "csv",
   					"CrawlerSchemaSerializerVersion": "1.0",
   					"UPDATED_BY_CRAWLER": "crawl_date_table",
   					"columnsOrdered": "true",
   					"averageRecordSize": "7",
   					"objectCount": "1",
   					"sizeKey": "75",
   					"delimiter": ",",
   					"compressionType": "none",
   					"recordCount": "9",
   					"CrawlerSchemaDeserializerVersion": "1.0",
   					"typeOfData": "file",
   					"skip.header.line.count": "1"
   				},
   				"Columns": [
   					{
   						"Name": "col1",
   						"Type": "string"
   					},
   					{
   						"Name": "col2",
   						"Type": "bigint"
   					}
   				],
   				"Compressed": false,
   				"InputFormat": "org.apache.hadoop.mapred.TextInputFormat",
   				"NumberOfBuckets": -1,
   				"Location": "s3://myAthenatest/test_date_part/"
   			},
   			"Owner": "owner",
   			"Parameters": {
   				"classification": "csv",
   				"CrawlerSchemaSerializerVersion": "1.0",
   				"UPDATED_BY_CRAWLER": "crawl_date_table",
   				"columnsOrdered": "true",
   				"averageRecordSize": "7",
   				"objectCount": "1",
   				"sizeKey": "75",
   				"delimiter": ",",
   				"compressionType": "none",
   				"recordCount": "9",
   				"CrawlerSchemaDeserializerVersion": "1.0",
   				"typeOfData": "file",
   				"skip.header.line.count": "1"
   			},
   			"LastAccessTime": 1513804142.0
   		}'
   ```

# Table not found when using Athena with Amazon Quick Sight
<a name="troubleshoot-athena-table-not-found"></a>

You can receive a "`table not found`" error if the tables in an analysis are missing from the Athena data source. 

In the Athena console ([https://console.aws.amazon.com/athena/](https://console.aws.amazon.com/athena/home)), check for your table under the corresponding schema. You can recreate the table in Athena and then create a new dataset in Amazon Quick Sight on that table. To investigate how the table was lost in the first place, you can use the Athena console to check the query history. Doing this helps you find the queries that dropped the table.

If this error happened when you were editing a custom SQL query in preview, verify that the name of the table in the query, and check for any other syntax errors. Amazon Quick Sight can't infer the schema from the query. The schema must be specified in the query. 

For example, the following statement works.

```
select from my_schema.my_table
```

The following statement fails because it's missing the schema.

```
select from my_table
```

If you still have the issue, verify that your tables, columns, and queries comply with Athena requirements. For more information, see [Names for Tables, Databases, and Columns](https://docs.aws.amazon.com/athena/latest/ug/tables-databases-columns-names.html) and [Troubleshooting](https://docs.aws.amazon.com/athena/latest/ug/troubleshooting.html) in the *Athena User Guide*.

# Workgroup and output errors when using Athena with Quick Sight
<a name="troubleshoot-athena-workgroup"></a>

To verify that workgroups are set up properly, check the following settings:
+ **The Athena workgroup that's associated with the data source must exist. **

  To fix this, you can return to the Athena data source settings and choose a different workgroup. For more information, see [Setting Up Workgroups](https://docs.aws.amazon.com/athena/latest/ug/workgroups-procedure.html) in the *Athena User Guide*.

  Another solution is to have the AWS account administrator recreate the workgroup in the Athena console. 
+ **The Athena workgroup that's associated with the data source must be enabled. **

  An AWS account administrator needs to enable the workgroup in the Athena console. Open the Athena console by using this direct link: [https://console.aws.amazon.com/athena/](https://console.aws.amazon.com/athena/home). Then choose the appropriate workgroup in the **Workgroup** panel and view its settings. Choose **Enable workgroup**. 
+ **Make sure that you have access to the Amazon S3 output location that's associated with the Athena workgroup. **

  To grant Amazon Quick Sight permissions to access the S3 output location, the Amazon Quick Sight administrator can edit **Security & Permissions** in the **Manage QuickSight** screen. 
+ **The Athena workgroup must have an associated S3 output location. **

  An AWS account administrator needs to associate an S3 bucket with the workgroup in the Athena console. Open the Athena console by using this direct link: [https://console.aws.amazon.com/athena/](https://console.aws.amazon.com/athena/home). Then choose the appropriate workgroup in the **Workgroup** panel and view its settings. Set **Query result location**. 

# Data source connectivity issues for Amazon Quick Sight
<a name="troubleshoot-connect-to-datasources"></a>

Use the following section to help you troubleshoot connections to data sources. Before you continue, verify that your database is currently available. Also, verify that you have the correct connection information and valid credentials. 

**Topics**
+ [

# I can't connect although my data source connection options look right (SSL)
](troubleshoot-connect-SSL.md)
+ [

# I can't connect to Amazon Athena
](troubleshoot-connect-athena.md)
+ [

# I can't connect to Amazon S3
](troubleshoot-connect-S3.md)
+ [

# I can't create or refresh a dataset from an existing Adobe Analytics data source
](troubleshoot-connect-adobe-analytics.md)
+ [

# I need to validate the connection to my data source, or change data source settings
](troubleshoot-connect-validate.md)
+ [

# I can't connect to MySQL (issues with SSL and authorization)
](troubleshoot-connect-mysql.md)
+ [

# I can't connect to RDS
](troubleshoot-connect-RDS.md)

# I can't connect although my data source connection options look right (SSL)
<a name="troubleshoot-connect-SSL"></a>

Problems connecting can occur when Secure Sockets Layer (SSL) is incorrectly configured. The symptoms can include the following:
+ You can connect to your database in other ways or from other locations but not in this case.
+ You can connect to a similar database but not this one.

Before continuing, rule out the following circumstances: 
+ Permissions issues
+ Availability issues
+ An expired or invalid certificate
+ A self-signed certificate
+ Certificate chain in the wrong order
+ Ports not enabled
+ Firewall blocking an IP address
+ Web Sockets are blocked
+ A virtual private cloud (VPC) or security group not configured correctly.

To help find issues with SSL, you can use an online SSL checker, or a tool like OpenSSL. 

 The following steps walk through troubleshooting a connection where SSL is suspect. The administrator in this example has already installed OpenSSL.

**Example**  

1. The user finds an issue connecting to the database. The user verifies that they can connect a different database in another AWS Region. They check other versions of the same database and can connect easily. 

1. The administrator reviews the issue and decides to verify that the certificates are working correctly. The administrator searches online for an article on using OpenSSL to troubleshoot or debug SSL connections.

1. Using OpenSSL, the administrator verifies the SSL configuration in the terminal.

   ```
   echo quit
   openssl s_client –connect <host>:port
   ```

   The result shows that the certificate is not working.

   ```
   ...
   ...
   ...
   CONNECTED(00000003)
   012345678901234:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:782:
   ---
   no peer certificate available
   ---
   No client certificate CA names sent
   ---
   SSL handshake has read 7 bytes and written 278 bytes
   ---
   New, (NONE), Cipher is (NONE)
   Secure Renegotiation IS NOT supported
   SSL-Session:
       Protocol  : TLSv1.2
       Cipher    : 0000
       Session-ID:
       Session-ID-ctx:
       Master-Key:
       Key-Arg   : None
       PSK identity: None
       PSK identity hint: None
       Start Time: 1497569068
       Timeout   : 300 (sec)
       Verify return code: 0 (ok)
   ---
   ```

1. The administrator corrects the problem by installing the SSL certificate on the user's database server. 

For more detail on the solution in this example, see [Using SSL to Encrypt a Connection to a DB Instance](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html) in the* Amazon RDS User Guide.*

# I can't connect to Amazon Athena
<a name="troubleshoot-connect-athena"></a>


|  | 
| --- |
|    Intended audience:  Amazon Quick administrators  | 

Use this section to help troubleshoot connecting to Athena. 

If you can't connect to Amazon Athena, you might get an insufficient permissions error when you run a query, showing that the permissions aren't configured. To verify that you can connect Amazon Quick Sight to Athena, check the following settings: 
+ AWS resource permissions inside of Amazon Quick Sight
+ AWS Identity and Access Management (IAM) policies
+ Amazon S3 location
+ Query results location
+ AWS KMS key policy (for encrypted datasets only)

For details, see following. For information about troubleshooting other Athena issues, see [Connectivity issues when using Amazon Athena with Amazon Quick Sight](troubleshoot-athena.md).

## Make sure that you authorized Amazon Quick Sight to use Athena
<a name="troubleshoot-connect-athena-authorizing"></a>


|  | 
| --- |
|    Intended audience:  Amazon Quick administrators  | 

Use the following procedure to make sure that you successfully authorized Amazon Quick Sight to use Athena. Permissions to AWS resources apply to all Amazon Quick Sight users.

To perform this action, you must be an Amazon Quick Sight administrator. To check if you have access, verify that you see the **Manage QuickSight** option when you open the menu from your profile at upper right.

**To authorize Amazon Quick Sight to access Athena**

1. Choose your profile name (upper right). Choose **Manage Quick Sight**, and then scroll down to the **Custom permissions** section.

1. Choose **AWS resources** then choose **Add or remove**. 

1. Find Athena in the list. Clear the box by Athena, then select it again to enable Athena. 

   Then choose **Connect both**. 

1. Choose the buckets that you want to access from Amazon Quick Sight. 

   The settings for S3 buckets that you access here are the same ones that you access by choosing Amazon S3 from the list of AWS services. Be careful that you don't inadvertently disable a bucket that someone else uses.

1. Choose **Finish** to confirm your selection. Or choose **Cancel** to exit without saving.

   

1. Choose **Update** to save your new settings for Amazon Quick Sight access to AWS services. Or choose **Cancel** to exit without making any changes.

1. Make sure that you are using the correct AWS Region when you are finished.

   If you had to change your AWS Region as part of the first step of this process, change it back to the AWS Region that you were using before. 

## Make sure that your IAM policies grant the right permissions
<a name="troubleshoot-connect-athena-perms"></a>


|  | 
| --- |
|    Intended audience:  System administrators  | 

Your AWS Identity and Access Management (IAM) policies must grant permissions to specific actions. Your IAM user or role must be able to read and write both the input and the output of the S3 buckets that Athena uses for your query.

If the dataset is encrypted, the IAM user needs to be a key user in the specified AWS KMS key's policy.

**To verify that your IAM policies have permission to use S3 buckets for your query**

1. Open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. Locate the IAM user or role that you are using. Choose the user or role name to see the associated policies.

1. Verify that your policy has the correct permissions. Choose a policy that you want to verify, and then choose **Edit policy**. Use the visual editor, which opens by default. If you have the JSON editor open instead, choose the **Visual editor** tab. 

1. Choose the S3 entry in the list to see its contents. The policy needs to grant permissions to list, read, and write. If S3 is not in the list, or it doesn't have the correct permissions, you can add them here. 

For examples of IAM policies that work with Quick Sight, see [IAM policy examples for Quick](iam-policy-examples.md).

## Make sure that the IAM user has read/write access to your S3 location
<a name="troubleshoot-connect-athena-read-write-access"></a>


|  | 
| --- |
|    Intended audience:  Amazon Quick administrators  | 

To access Athena data from Quick Sight, first make sure that Athena and its S3 location are authorized in **Manage QuickSight** screen. For more information, see [Make sure that you authorized Amazon Quick Sight to use Athena](#troubleshoot-connect-athena-authorizing). 

Next, verify the relevant IAM permissions. The IAM user for your Athena connection needs read/write access to the location where your results go in S3. Start by verifying that the IAM user has an attached policy that [allows access to Athena](https://docs.aws.amazon.com/athena/latest/ug/setting-up.html#attach-managed-policies-for-using-ate), such as `AmazonAthenaFullAccess`. Let Athena create the bucket using the name that it requires, and then add this bucket to the list of buckets that QuickSight can access. If you change the default location of the results bucket (`aws-athena-query-results-*`), be sure that the IAM user has permission to read and write to the new location.

Verify that you don't include the AWS Region code in the S3 URL. For example, use `s3://awsexamplebucket/path` and not `s3://us-east-1.amazonaws.com/awsexamplebucket/path`. Using the wrong S3 URL causes an `Access Denied` error. 

Also verify that the bucket policies and object access control lists (ACLs) [allow the IAM user to access the objects in the buckets](https://docs.aws.amazon.com/AmazonS3/latest/dev/s3-access-control.html). If the IAM user is in a different AWS account, see [Cross-account Access](https://docs.aws.amazon.com/athena/latest/ug/cross-account-permissions.html) in the *Amazon Athena User Guide*.

If the dataset is encrypted, verify that the IAM user is a key user in the specified AWS KMS key's policy. You can do this in the AWS KMS console at [https://console.aws.amazon.com/kms](https://console.aws.amazon.com/kms).

**To set permissions to your Athena query results location**

1. Open the Athena console at [https://console.aws.amazon.com/athena/](https://console.aws.amazon.com/athena/home).

1. Verify that you have selected the workgroup you want to use:
   + Examine the **Workgroup** option at the top. It has the format **Workgroup: *group-name***. If the group name is the one that you want to use, skip to the next step.
   + To choose a different workgroup, chose **Workgroup** at the top. Choose the workgroup that you want to use, and choose **Switch workgroup**.

1. Choose **Settings** at upper right. 

   (Not common) If you get an error that your workgroup is not found, use these steps to fix it:

   1.  Ignore the error message for now, and instead find **Workgroup: *group-name*** on the **Settings** page. Your workgroup's name is a hyperlink. Open it.

   1. On the **Workgroup: *<groupname>*** page, choose **Edit workgroup** at left. Now close the error message. 

   1. Near **Query result location**, open the S3 location selector by choosing the **Select** button that has the file folder icon.

   1. Choose the small arrow at the end of the name of the S3 location for Athena. The name must begin with `aws-athena-query-results`. 

   1. (Optional) Encrypt query results by selecting the **Encrypt results stored in S3** check box.

   1. Choose **Save** to confirm your choices.

   1. If the error doesn't reappear, return to **Settings**.

      Occasionally, the error might appear again. If so, take the following steps:

      1. Choose the workgroup and then choose **View details**. 

      1. (Optional) To preserve your settings, take notes or a screenshot of the workgroup configuration. 

      1. Choose **Create workgroup**.

      1. Replace the workgroup with a new one. Configure the correct S3 location and encryption options. Note the S3 location because you need it later.

      1. Choose **Save** to proceed.

      1. When you no longer need the original workgroup, disable it. Make sure to carefully read the warning that appears, because it tells you what you lose if you choose to disable it. 

1. If you didn't get this by troubleshooting in the previous step, choose **Settings** at upper right and get the S3 location value shown as **Query result location**. 

1. If **Encrypt query results** is enabled, check whether it uses SSE-KMS or CSE-KMS. Note the key. 

1. Open the S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/), open the correct bucket, and then choose the **Permissions** tab.

1. Check that your IAM user has access by viewing **Bucket Policy**.

   If you manage access with ACLs, make sure that the access control lists (ACLs) are set up by viewing **Access Control List**.

1. If your dataset is encrypted (**Encrypt query results** is selected in the workgroup settings), make sure that the IAM user or role is added as a key user in that AWS KMS key's policy. You can access AWS KMS settings at [https://console.aws.amazon.com/kms](https://console.aws.amazon.com/kms).

**To grant access to the S3 bucket used by Athena**

1. Open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/).

1. Choose the S3 bucket used by Athena in the **Query result location**. 

1. On the **Permissions** tab, verify the permissions.

For more information, see the AWS Support article [When I run an Athena query, I get an "Access Denied" error](https://aws.amazon.com/premiumsupport/knowledge-center/access-denied-athena/).

# I can't connect to Amazon S3
<a name="troubleshoot-connect-S3"></a>

To successfully connect to Amazon S3, make sure that you configure authentication and create a valid manifest file inside the bucket you are trying to access. Also, make sure that the file described by the manifest is available.

To verify authentication, make sure that you authorized Amazon Quick Sight to access the S3 account. It's not enough that you, the user, are authorized. Amazon Quick Sight must be authorized separately. 

**To authorize Amazon Quick Sight to access your Amazon S3 bucket**

1. In the AWS Region list at upper right, choose the US East (N. Virginia) Region. You use this AWS Region temporarily while you edit your account permissions. 

1. Inside Amazon Quick Sight, choose your profile name (upper right). Choose **Manage Quick Sight**, and then scroll down to the **Custom permissions** section. 

1. Choose **AWS resources** then choose **Add or remove**. 

1. Locate Amazon S3 in the list. Choose one of the following actions to open the screen where you can choose S3 buckets:
   + If the check box is clear, select the check box next to Amazon S3. 
   + If the check box is selected, choose **Details**, and then choose **Select S3 buckets**. 

1. Choose the buckets that you want to access from Amazon Quick Sight. Then choose **Select**.

1. Choose **Update**.

1. If you changed your AWS Region during the first step of this process, change it back to the AWS Region that you want to use.

We strongly recommend that you make sure that your manifest file is valid. If Amazon Quick Sight can't parse your file, it gives you an error message. That might be something like "We can't parse the manifest file as valid JSON" or "We can't connect to the S3 bucket."

**To verify your manifest file**

1. Open your manifest file. You can do this directly from the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/). Go to your manifest file and choose **Open**.

1. Make sure that the URI or URLs provided inside the manifest file indicate the file or files that you want connect to.

1. Make sure that your manifest file is formed correctly, if you use a link to the manifest file rather than uploading the file. The link shouldn't have any additional phrases after the word `.json`. You can get the correct link to an S3 file by viewing its **Link** value in the details on the S3 console.

1. Make sure that the content of the manifest file is valid by using a JSON validator, like the one at [https://jsonlint.com](https://jsonlint.com). 

1. Verify permissions on your bucket or file. In the [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/), navigate to your Amazon S3 bucket, choose the **Permissions** tab, and add the appropriate permissions. Make sure that the permissions are at the right level, either on the bucket or on the file or files. 

1. If you are using the `s3://` protocol, rather than `https://`, make sure that you reference your bucket directly. For example, use *s3://awsexamplebucket/myfile.csv* instead of *s3://s3-us-west-2.amazonaws.com/awsexamplebucket/myfile.csv*. Doubly specifying Amazon S3, by using `s3://` and also `s3-us-west-2.amazonaws.com`, causes an error.

   For more information about manifest files and connecting to Amazon S3, see [Supported formats for Amazon S3 manifest files](supported-manifest-file-format.md).

In addition, verify that your Amazon S3 dataset was created according to the steps in [Creating a dataset using Amazon S3 files](create-a-data-set-s3.md).

If you use Athena to connect to Amazon S3, see [I can't connect to Amazon Athena](troubleshoot-connect-athena.md).

# I can't create or refresh a dataset from an existing Adobe Analytics data source
<a name="troubleshoot-connect-adobe-analytics"></a>

As of May 1, 2022, Quick Sight no longer supports legacy OAuth and version 1.3 and SOAP API operations in Adobe Analytics. If you experience failures while trying to create or refresh a dataset from an existing Adobe Analytics data source, you might have a stale access token.

**To troubleshoot failures while creating or refreshing a dataset from an existing Adobe Analytics data source**

1. Open Quick Sight and choose **Data** at left.

1. Choose **New** then **Dataset**.

1. On the **Create a dataset** page, choose the Adobe Analytics data source that you want to update from the list of existing data sources.

1. Choose **Edit data source**.

1. On the **Edit Adobe Analytics data source** page that opens, choose **Update data source** to reauthorize the Adobe Analytics connection.

1. Try recreating or refreshing the dataset again. The dataset creation or refresh should succeed.

# I need to validate the connection to my data source, or change data source settings
<a name="troubleshoot-connect-validate"></a>

In some cases, you might need to update your data source, or you got a connection error and need to check your settings. If so, take the following steps.

**To validate your connection to the data source**

1. From the Quick Sight homepage, choose **Data** at left.

1. Choose **New** then **Dataset**.

1. You will see a list of existing data sources.

1. Choose the data source that you want to test or change.

1. If the option is offered, choose **Edit/Preview data**.

1. Choose **Validate connection**.

1. Make any changes that you want to make, then choose **Update data source**.

# I can't connect to MySQL (issues with SSL and authorization)
<a name="troubleshoot-connect-mysql"></a>

To check on some common connection issues in MySQL, use the following steps. This procedure helps you find out if you have enabled SSL and granted usage rights.

**To find solutions for some common connection issues in MySQL**

1. Check `/etc/my.cnf` to make sure SSL is enabled for MySQL.

1. In MySQL, run the following command.

   ```
   show status like 'Ssl%';
   ```

   If SSL is working, you see results like the following.

   ```
   +--------------------------------+----------------------+
   | Variable_name                  | Value                |
   +--------------------------------+----------------------+
   | Ssl_accept_renegotiates        | 0                    |
   | Ssl_accepts                    | 1                    |
   | Ssl_callback_cache_hits        | 0                    |
   | Ssl_cipher                     |                      |
   | Ssl_cipher_list                |                      |
   | Ssl_client_connects            | 0                    |
   | Ssl_connect_renegotiates       | 0                    |
   | Ssl_ctx_verify_depth           | 18446744073709551615 |
   | Ssl_ctx_verify_mode            | 5                    |
   | Ssl_default_timeout            | 0                    |
   | Ssl_finished_accepts           | 0                    |
   | Ssl_finished_connects          | 0                    |
   | Ssl_session_cache_hits         | 0                    |
   | Ssl_session_cache_misses       | 0                    |
   | Ssl_session_cache_mode         | SERVER               |
   | Ssl_session_cache_overflows    | 0                    |
   | Ssl_session_cache_size         | 128                  |
   | Ssl_session_cache_timeouts     | 0                    |
   | Ssl_sessions_reused            | 0                    |
   | Ssl_used_session_cache_entries | 0                    |
   | Ssl_verify_depth               | 0                    |
   | Ssl_verify_mode                | 0                    |
   | Ssl_version                    |                      |
   +--------------------------------+----------------------+
   ```

   If SSL is disabled, you see results like the following.

   ```
   +--------------------------------+-------+
   | Variable_name                  | Value |
   +--------------------------------+-------+
   | Ssl_accept_renegotiates        | 0     |
   | Ssl_accepts                    | 0     |
   | Ssl_callback_cache_hits        | 0     |
   | Ssl_cipher                     |       |
   | Ssl_cipher_list                |       |
   | Ssl_client_connects            | 0     |
   | Ssl_connect_renegotiates       | 0     |
   | Ssl_ctx_verify_depth           | 0     |
   | Ssl_ctx_verify_mode            | 0     |
   | Ssl_default_timeout            | 0     |
   | Ssl_finished_accepts           | 0     |
   | Ssl_finished_connects          | 0     |
   | Ssl_session_cache_hits         | 0     |
   | Ssl_session_cache_misses       | 0     |
   | Ssl_session_cache_mode         | NONE  |
   | Ssl_session_cache_overflows    | 0     |
   | Ssl_session_cache_size         | 0     |
   | Ssl_session_cache_timeouts     | 0     |
   | Ssl_sessions_reused            | 0     |
   | Ssl_used_session_cache_entries | 0     |
   | Ssl_verify_depth               | 0     |
   | Ssl_verify_mode                | 0     |
   | Ssl_version                    |       |
   +--------------------------------+-------+
   ```

1. Make sure that you have installed a supported SSL certificate on the database server. 

1. Grant usage for the specific user to connect using SSL.

   ```
   GRANT USAGE ON *.* TO 'encrypted_user'@'%' REQUIRE SSL;                        
   ```

**Note**  
TLS 1.2 for MySQL connections requires MySQL version 5.7.28 or higher. If your MySQL server enforces TLS 1.2 only (for example, `tls_version = TLSv1.2`) and the server version is below 5.7.28, the SSL handshake fails with a `Communications link failure` error. To resolve this, upgrade your MySQL or Aurora MySQL database to version 5.7.28 or higher.

For more detail on the solution in this example, see the following:
+ [SSL Support for MySQL DB Instances](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_MySQL.html#MySQL.Concepts.SSLSupport.html) in the *Amazon RDS User Guide*.
+ [Using SSL to Encrypt a Connection to a DB Instance](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html) in the *Amazon RDS User Guide*.
+ [MySQL documentation](https://dev.mysql.com/doc/refman/5.6/en/using-encrypted-connections.html)

# I can't connect to RDS
<a name="troubleshoot-connect-RDS"></a>

For details on troubleshooting connections to Amazon RDS, see [Creating a dataset from a database](create-a-database-data-set.md). 

You can also refer to the Amazon RDS documentation on troubleshooting connections, [Cannot Connect to Amazon RDS DB Instance](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_Troubleshooting.html#CHAP_Troubleshooting.Connecting)*.*

# Login issues with Quick Sight
<a name="troubleshoot-login"></a>

Use the following section to help you troubleshoot login and access issues with the Quick Sight console.

**Topics**
+ [

# Insufficient permissions when using Athena with Amazon Quick Sight
](troubleshoot-athena-insufficient-permissions.md)
+ [

# Amazon Quick Sight isn't working in my browser
](troubleshoot-browser.md)
+ [

# How do I delete my Amazon Quick Sight account?
](troubleshoot-delete-quicksight-account.md)
+ [

# Individuals in my organization get an "External Login is Unauthorized" message when they try to access Quick Sight
](troubleshoot-webidentity-federation.md)
+ [

# My email sign-in stopped working
](troubleshoot-email-login.md)

# Insufficient permissions when using Athena with Amazon Quick Sight
<a name="troubleshoot-athena-insufficient-permissions"></a>

If you receive an error message that says you have insufficient permissions, try the following steps to resolve your problem.

You need administrator permissions to troubleshoot this issue.

**To resolve an insufficient permissions error**

1. Make sure that Amazon Quick Sight can access the Amazon S3 buckets used by Athena: 

   1. To do this, choose your profile name (upper right). Choose **Manage Quick Sight**, and then scroll down to the **Custom permissions** section.

   1. Choose **AWS resources** then choose **Add or remove**. 

   1. Locate Athena in the list. Clear the check box by Athena, then select it again to enable Athena. 

      Choose **Connect both**.

   1. Choose the buckets that you want to access from Amazon Quick Sight. 

      The settings for S3 buckets that you access here are the same ones that you access by choosing Amazon S3 from the list of AWS services. Be careful that you don't inadvertently disable a bucket that someone else uses.

   1. Choose **Select** to save your S3 buckets.

   1. Choose **Update** to save your new settings for Amazon Quick Sight access to AWS services. Or choose **Cancel** to exit without making any changes. 

1. If your data file is encrypted with an AWS KMS key, grant permissions to the Amazon Quick Sight IAM role to decrypt the key. The easiest way to do this is to use the AWS CLI. 

   You can run the [create-grant](https://docs.aws.amazon.com/cli/latest/reference/kms/create-grant.html) command in AWS CLI to do this. 

   ```
   aws kms create-grant --key-id <AWS KMS key ARN> --grantee-principal <Your Amazon Quick Sight Role ARN> --operations Decrypt
   ```

   The Amazon Resource Name (ARN) for the Amazon Quick Sight role has the format `arn:aws:iam::<account id>:role/service-role/aws-quicksight-service-role-v<version number>` and can be accessed from the IAM console. To find your AWS KMS key ARN, use the S3 console. Go to the bucket that contains your data file and choose the **Overview** tab. The key is located near **KMS key ID**.

For Amazon Athena, Amazon S3, and Athena Query Federation connections, Quick Sight uses the following IAM role by default: 

```
arn:aws:iam::AWS-ACCOUNT-ID:role/service-role/aws-quicksight-s3-consumers-role-v0
```

If the `aws-quicksight-s3-consumers-role-v0` is not present, then Quick Sight uses:

```
arn:aws:iam::AWS-ACCOUNT-ID:role/service-role/aws-quicksight-service-role-v0
```

# Amazon Quick Sight isn't working in my browser
<a name="troubleshoot-browser"></a>

If you can't view Amazon Quick Sight correctly in your Google Chrome browser, take the following steps to fix the problem.

**To view Amazon Quick Sight in your Chrome browser**

1. Open Chrome and go to `chrome://flags/#touch-events`. 

1. If the option is set to **Automatic**, change it to **Disabled**. 

1. Close and reopen Chrome.

# How do I delete my Amazon Quick Sight account?
<a name="troubleshoot-delete-quicksight-account"></a>

In some cases, you might need to delete your Amazon Quick Sight account even when you can't access Amazon Quick Sight to unsubscribe. If so, sign in to AWS and use the following link to open [the unsubscribe screen](https://us-east-1.quicksight.aws.amazon.com/sn/console/unsubscribe): `https://us-east-1.quicksight.aws.amazon.com/sn/console/unsubscribe`. This approach works no matter what AWS Regions that you use. It deletes all data, analyses, Amazon Quick Sight users, and Amazon Quick Sight administrators. If you have further difficulty, contact support. 

# Individuals in my organization get an "External Login is Unauthorized" message when they try to access Quick Sight
<a name="troubleshoot-webidentity-federation"></a>


|  | 
| --- |
|    Intended audience:  Amazon Quick administrators  | 

When an individual in your organization is federating into Quick Sight using **AssumeRoleWithWebIdentity**, Quick Sight maps a single role-based user to a single external login. In some cases, that individual might be authenticated through an external login (such as Amazon Cognito) that's different from the originally mapped user. If so, they can't access Quick Sight and get the following unexpected error message.

The external login used for federation is unauthorized for the Quick Sight user.

To learn how to troubleshoot this issue, see the following sections:
+ [Why is this happening?](#troubleshoot-webidentity-federation-why)
+ [How can I fix it?](#troubleshoot-webidentity-federation-how)

## Why is this happening?
<a name="troubleshoot-webidentity-federation-why"></a>

### You are using a simplified Amazon Cognito flow
<a name="troubleshoot-webidentity-federation-why-Cognito-SSO-1"></a>

If you're using Amazon Cognito to federate into Quick Sight, the single sign-on (IAM Identity Center) setup might use the `CognitoIdentityCredentials` API operation to assume the Quick Sight role. This method maps all users in the Amazon Cognito identity pool to a single Quick Sight user and isn't supported by Quick Sight.

We recommend that you use the `AssumeRoleWithWebIdentity` API operation instead, which specifies the role session name.

### You're using unauthenticated Amazon Cognito users
<a name="troubleshoot-webidentity-federation-why-Cognito-SSO-2"></a>

Amazon Cognito IAM Identity Center is set up for unauthenticated users in the Amazon Cognito identity pool. The Quick Sight role trust policy is set up like the following example.

This setup allows a temporary Amazon Cognito user to assume a role session mapped to a unique Quick Sight user. Because unauthenticated identities are temporary, they aren't supported by Quick Sight.

We recommend that you don't use this setup, which setup isn't supported by Quick Sight. For Quick Sight, make sure that the Amazon Cognito IAM Identity Center uses authenticated users.

### You deleted and recreated an Amazon Cognito user with the same user name attributes
<a name="troubleshoot-webidentity-federation-why-Cognito-user-delete"></a>

In this case, the associated Amazon Cognito user that's mapped to the Quick Sight user was deleted and recreated. The newly created Amazon Cognito user has a different underlying subject. Depending on how the role session name is mapped to the Quick Sight user, the session name might correspond to the same Quick Sight role-based user.

We recommend that you remap the Quick Sight user to the updated Amazon Cognito user subject by using the `UpdateUser` API operation. For more information, see the following [UpdateUser API example](#troubleshoot-webidentity-federation-solutions-updateuser).

### You're mapping multiple Amazon Cognito user pools in different AWS accounts to one identity pool and with Quick Sight
<a name="troubleshoot-webidentity-federation-why-Cognito-multi-pools"></a>

Mapping multiple Amazon Cognito user pools in different AWS accounts to one identity pool and Quick Sight isn't supported by Quick Sight.

## How can I fix it?
<a name="troubleshoot-webidentity-federation-how"></a>

You can use Quick Sight public API operations to update the external login information for your users. Use the following options to learn how.

### Use RegisterUser to create users with external login information
<a name="troubleshoot-webidentity-federation-how-registeruser"></a>

If the external login provider is Amazon Cognito, use the following CLI code to create users.

```
aws quicksight register-user --aws-account-id account-id --namespace namespace --email user-email --user-role user-role --identity-type IAM
--iam-arn arn:aws:iam::account-id:role/cognito-associated-iam-role 
--session-name cognito-username --external-login-federation-provider-type COGNITO 
--external-login-id cognito-identity-id --region identity-region
```

The `external-login-id` should be the identity ID for the Amazon Cognito user. The format is `<identity-region>:<cognito-user-sub>`, as shown in the following example.

```
aws quicksight register-user --aws-account-id 111222333 --namespace default --email cognito-user@amazon.com --user-role ADMIN --identity-type IAM
--iam-arn arn:aws:iam::111222333:role/CognitoQuickSightRole 
--session-name cognito-user --external-login-federation-provider-type COGNITO 
--external-login-id us-east-1:12345678-1234-1234-abc1-a1b1234567 --region us-east-1
```

If the external login provider is a custom OpenID Connect (OIDC) provider, use the following CLI code to create users.

```
aws quicksight register-user --aws-account-id account-id --namespace namespace
--email user-email --user-role user-role --identity-type IAM
--iam-arn arn:aws:iam::account-id:role/identity-provider-associated-iam-role 
--session-name identity-username --external-login-federation-provider-type CUSTOM_OIDC 
--custom-federation-provider-url custom-identity-provider-url 
--external-login-id custom-provider-identity-id --region identity-region
```

The following is an example.

```
aws quicksight register-user --aws-account-id 111222333 --namespace default 
--email identity-user@amazon.com --user-role ADMIN --identity-type IAM
--iam-arn arn:aws:iam::111222333:role/CustomIdentityQuickSightRole
--session-name identity-user --external-login-federation-provider-type CUSTOM_OIDC 
--custom-federation-provider-url idp.us-east-1.amazonaws.com/us-east-1_ABCDE 
--external-login-id 12345678-1234-1234-abc1-a1b1234567 --region us-east-1
```

To learn more about using `RegisterUser` in the CLI, see [RegisterUser](https://docs.aws.amazon.com/quicksight/latest/APIReference/API_RegisterUser.html) in the *Amazon Quick API Reference*.

### Use DescribeUser to check external login information for users
<a name="troubleshoot-webidentity-federation-how-describeuser"></a>

If a user is a role-based federated user from an external login provider, use the `DescribeUser` API operation to check the external login information for it, as shown in the following code.

```
aws quicksight describe-user --aws-account-id account-id  --namespace namespace
--user-name identity-provider-associated-iam-role/identity-username 
--region identity-region
```

The following is an example.

```
aws quicksight describe-user --aws-account-id 111222333 --namespace default --user-name IdentityQuickSightRole/user --region us-west-2
```

The result contains the external login information fields if there are any. Following is an example.

```
{
    "Status": 200,
    "User": {
        "Arn": "arn:aws:quicksight:us-east-1:111222333:user-default-IdentityQuickSightRole-user",
        "UserName": "IdentityQuickSightRole-user",
        "Email": "user@amazon.com",
        "Role": "ADMIN",
        "IdentityType": "IAM",
        "Active": true,
        "PrincipalId": "federated-iam-AROAAAAAAAAAAAAAA:user",
        "ExternalLoginFederationProviderType": "COGNITO",
        "ExternalLoginFederationProviderUrl": "cognito-identity.amazonaws.com",
        "ExternalLoginId": "us-east-1:123abc-1234-123a-b123-12345678a"
    },
    "RequestId": "12345678-1234-1234-abc1-a1b1234567"
}
```

To learn more about using `DescribeUser` in the CLI, see [DescribeUser](https://docs.aws.amazon.com/quicksight/latest/APIReference/API_DescribeUser.html) in the *Amazon Quick API Reference*.

### Use UpdateUser to update external login information for users
<a name="troubleshoot-webidentity-federation-solutions-updateuser"></a>

In some cases, you might find that the external login information saved for the user from the `DescribeUser` result isn't correct or the external login information is missing. If so, you can use the `UpdateUser` API operation to update it. Use the following examples.

For Amazon Cognito users, use the following.

```
aws quicksight update-user --aws-account-id account-id --namespace namespace 
--user-name cognito-associated-iam-role/cognito-username
 --email user-email --role user-role 
--external-login-federation-provider-type COGNITO 
--external-login-id cognito-identity-id --region identity-region
```

The following is an example.

```
aws quicksight update-user --aws-account-id 111222333 --namespace default 
--user-name CognitoQuickSightRole/cognito-user --email cognito-user@amazon.com 
--role ADMIN --external-login-federation-provider-type COGNITO 
--external-login-id us-east-1:12345678-1234-1234-abc1-a1b1234567 --region us-west-2
```

For custom OIDC provider users, use the following.

```
aws quicksight update-user --aws-account-id account-id --namespace namespace 
 --user-name identity-provider-associated-iam-role/identity-username 
--email user-email --role user-role 
--external-login-federation-provider-type CUSTOM_OIDC 
--custom-federation-provider-url custom-identity-provider-url 
--external-login-id custom-provider-identity-id --region identity-region
```

The following is an example.

```
aws quicksight update-user --aws-account-id 111222333 --namespace default 
--user-name IdentityQuickSightRole/user --email user@amazon.com --role ADMIN 
--external-login-federation-provider-type CUSTOM_OIDC 
--custom-federation-provider-url idp.us-east-1.amazonaws.com/us-east-1_ABCDE 
 --external-login-id 123abc-1234-123a-b123-12345678a --region us-west-2
```

If you want to delete the external login information for the user, use `NONE` `external login federation provider type`. Use the following CLI command to delete external login information.

```
aws quicksight update-user --aws-account-id account-id --namespace namespace 
 --user-name identity-provider-associated-iam-role/identity-username 
--email user-email --role user-role
--external-login-federation-provider-type NONE --region identity-region
```

The following is an example.

```
aws quicksight update-user --aws-account-id 111222333 --namespace default 
--user-name CognitoQuickSightRole/cognito-user --email cognito-user@amazon.com --role ADMIN --external-login-federation-provider-type NONE --region us-west-2
```

To learn more about using `UpdateUser` in the CLI, see the [UpdateUser](https://docs.aws.amazon.com/quicksight/latest/APIReference/API_UpdateUser.html) in the *Amazon Quick API Reference*.

# My email sign-in stopped working
<a name="troubleshoot-email-login"></a>

Currently, emails are case-sensitive. If yours isn't working, ask your administrator to check it for a mix of upper and lowercase letters. Use your email as it was entered.

# Visual issues with Quick Sight
<a name="visual-issues"></a>

Use the following section to help you troubleshoot problems with visuals and their formatting.

**Topics**
+ [

# I can't see my visuals
](troubleshoot-adding-visuals.md)
+ [

# I get a feedback bar across my printed documents
](troubleshoot-printing-docs.md)
+ [

# My map charts don't show locations
](troubleshoot-geocoding.md)
+ [

# My pivot table stops working
](troubleshoot-pivot-tables.md)
+ [

# My visual can’t find missing columns
](troubleshooting-dataset-changed-columns.md)
+ [

# My visual can’t find the query table
](troubleshooting-dataset-changed-tables.md)
+ [

# My visual doesn't update after I change a calculated field
](troubleshooting-visual-refresh.md)
+ [

# Values in a Microsoft Excel file with scientific notation don't format correctly in Quick Sight
](troubleshooting-number-formatting.md)

# I can't see my visuals
<a name="troubleshoot-adding-visuals"></a>

Use the following section to help you troubleshoot missing visuals. Before you continue, check to make sure you can still access your data source. If you can't connect to your data source, see [Data source connectivity issues for Amazon Quick Sight](troubleshoot-connect-to-datasources.md).
+ If you are having trouble adding a visual to an analysis, try the following:
  + Check your connectivity and confirm that you have access to all domains that Quick Sight uses for access. To see a list of all URLs Quick Sight uses, see [Domains accessed by Quick Sight](https://docs.aws.amazon.com//quicksight/latest/developerguide/vpc-interface-endpoints.html#vpc-interface-endpoints-restrictvpc-interface-endpoints-supported-domains).
  + Check that you aren't trying to add more objects than the quota allows. Amazon Quick Sight supports up to 30 datasets in a single analysis, up to 30 visuals in a single sheet, and a limit of 20 sheets per analysis.
  + Suppose that you are editing an analysis for a selected data source and the connection to the data source ends unexpectedly. The resulting error state can prevent further changes to the analysis. In this case, you can't add more visuals to the analysis. Check for this state.
+ If your visuals don't load, try the following:
  + If you are using a corporate network, seek out help from your network administrator and verify that the network's firewall settings permit traffic from `*.aws.amazon.com`, `amazonaws.com`, `wss://*.aws.amazon.com`, and `cloudfront.net`.
  + Add exceptions to your ad blocker for `*.aws.amazon.com`, `amazonaws.com`, `wss://*.aws.amazon.com`, and `cloudfront.net`.
  + If you are using a proxy server, verify that `*.quicksight.aws.amazon.com` and `cloudfront.net` are added to the list of approved domains (the allow list).

# I get a feedback bar across my printed documents
<a name="troubleshoot-printing-docs"></a>

The browser sometimes prints the document feedback bar across the page, blocking some printed content.

To avoid this problem, use the twirl-down icon on the bottom left of the screen (shown following) to minimize the feedback bar. Then print your document.

![\[\]](http://docs.aws.amazon.com/quick/latest/userguide/images/printing-docs.png)


# My map charts don't show locations
<a name="troubleshoot-geocoding"></a>

For automatic mapping, called geocoding, to work on map charts, make sure that your data is prepared following specific rules. For help with geospatial issues, see [Geospatial troubleshooting](geospatial-troubleshooting.md). For help with preparing data for geospatial charts, see [Adding geospatial data](geospatial-data-prep.md).

# My pivot table stops working
<a name="troubleshoot-pivot-tables"></a>

If your pivot table exceeds the computational limitations of the underlying database, this is usually caused by the combination of items in the field wells. That is, it's caused by a combination of rows, columns, metrics, and table calculations. To reduce the level of complexity and the potential for errors, simplify your pivot table. For more information, see [Pivot table best practices](pivot-table-best-practices.md).

# My visual can’t find missing columns
<a name="troubleshooting-dataset-changed-columns"></a>

The visuals in my analysis aren't working as expected. The error message says `"The column(s) used in this visual do not exist."`

The most common cause of this error is that your data source schema changed. For example, it's possible a column name changed from `a_column` to `b_column`.

Depending on how your dataset accesses the data source, choose one of the following.
+ If the dataset is based on custom SQL, do one or more of the following:
  + Edit the dataset. 
  + Edit the SQL statement.

    For example, if the table name changed from `a_column` to `b_column`, you can update the SQL statement to create an alias: `SELECT b_column as a_column`. By using the alias to maintain the same field name in the dataset, you avoid having to add the column to your visuals as a new entity.

  When you're done, choose **Save & visualize**.
+ If the dataset isn't based on custom SQL, do one or more of the following:
  + Edit the dataset. 
  + For fields that now have different names, rename them in the dataset. You can use the field names from your original dataset. Then open your analysis and add the renamed fields to the affected visuals.

  When you're done, choose **Save & visualize**.

# My visual can’t find the query table
<a name="troubleshooting-dataset-changed-tables"></a>

In this case, the visuals in your analysis aren't working as expected. The error message says `"Amazon Quick Sight can’t find the query table."`

The most common cause of this error is that your data source schema changed. For example, it's possible a table name changed from `x_table` to `y_table`.

Depending on how the dataset accesses the data source, choose one of the following.
+ If the dataset is based on custom SQL, do one or more of the following:
  + Edit the dataset. 
  + Edit the SQL statement.

    For example, if the table name changed from `x_table` to `y_table`, you can update the FROM clause in the SQL statement to refer to the new table instead. 

  When you're done, choose **Save & visualize**, then choose each visual and readd the fields as needed.
+ If the dataset isn't based on custom SQL, do the following:

  1. Create a new dataset using the new table, `y_table` for example. 

  1. Open your analysis. 

  1. Replace the original dataset with the newly created dataset. If there are no column changes, all the visuals should work after you replace the dataset. For more information, see [Replacing datasets](replacing-data-sets.md). 

# My visual doesn't update after I change a calculated field
<a name="troubleshooting-visual-refresh"></a>

When you update a calculated field that many other fields depend on, the consuming entities might not update as expected. For example, when you update a calculated field that's used by a field being visualized, the visual doesn't update as expected.

To resolve this issue, refresh your internet browser.

# Values in a Microsoft Excel file with scientific notation don't format correctly in Quick Sight
<a name="troubleshooting-number-formatting"></a>

When you connect to a Microsoft Excel file that has a number column that contains values with scientific notation, they might not format correctly in Quick Sight. For example, the value 1.59964E\$111, which is actually 159964032802, formats as 159964000000 in Quick Sight. This can lead to an incorrect analysis.

To resolve this issue, format the column as `Text` in Microsoft Excel, and then upload the file to Quick Sight.