Insufficient permissions when using Athena with Amazon Quick Sight - Amazon Quick Suite

If you receive an error message that says you have insufficient permissions, try the following steps to resolve your problem.

You need administrator permissions to troubleshoot this issue.

To resolve an insufficient permissions error
  1. Make sure that Amazon Quick Sight can access the Amazon S3 buckets used by Athena:

    1. To do this, choose your profile name (upper right). Choose Manage Quick Sight, and then scroll down to the Custom permissions section.

    2. Choose AWS resources, then choose Add or remove.

    3. Locate Athena in the list. Clear the check box by Athena, then select it again to enable Athena.

      Choose Connect both.

    4. Choose the buckets that you want to access from Amazon Quick Sight.

      The settings for S3 buckets that you access here are the same ones that you access by choosing Amazon S3 from the list of AWS services. Be careful that you don't inadvertently disable a bucket that someone else uses.

    5. Choose Select to save your S3 buckets.

    6. Choose Update to save your new settings for Amazon Quick Sight access to AWS services. Or choose Cancel to exit without making any changes.

  2. If your data file is encrypted with an AWS KMS key, grant the Amazon Quick Sight IAM role permission to decrypt with that key. The easiest way to do this is to run the create-grant command in the AWS CLI.

    aws kms create-grant --key-id <AWS KMS key ARN> --grantee-principal <Your Amazon Quick Sight Role ARN> --operations Decrypt

    The Amazon Resource Name (ARN) for the Amazon Quick Sight role has the format arn:aws:iam::<account id>:role/service-role/aws-quicksight-service-role-v<version number> and can be accessed from the IAM console. To find your AWS KMS key ARN, use the S3 console. Go to the bucket that contains your data file and choose the Overview tab. The key is located near KMS key ID.

For Amazon Athena, Amazon S3, and Athena Query Federation connections, Quick Sight uses the following IAM role by default:

arn:aws:iam::AWS-ACCOUNT-ID:role/service-role/aws-quicksight-s3-consumers-role-v0

If the aws-quicksight-s3-consumers-role-v0 is not present, then Quick Sight uses:

arn:aws:iam::AWS-ACCOUNT-ID:role/service-role/aws-quicksight-service-role-v0
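
The following script is an added example, not part of the original AWS procedure. It resolves which of the two roles above exists in the account and grants only Decrypt on the KMS key to that role, skipping the grant if one already covers Decrypt. The function names quicksight_role_arn and grant_decrypt are hypothetical; the key ARN is supplied by the caller.

```bash
#!/usr/bin/env bash
# Added example, not AWS's own script. Usage: ./grant.sh <AWS KMS key ARN>

# Print the ARN of the role Quick Sight uses for Athena/S3 connections:
# the s3-consumers role if it exists, otherwise the service role.
quicksight_role_arn() {
    local name arn
    for name in aws-quicksight-s3-consumers-role-v0 aws-quicksight-service-role-v0; do
        if arn=$(aws iam get-role --role-name "$name" \
                    --query 'Role.Arn' --output text 2>/dev/null); then
            printf '%s\n' "$arn"
            return 0
        fi
    done
    echo "no Quick Sight service role found" >&2
    return 1
}

# Grant Decrypt (and nothing else) on the key to that role, unless a grant
# for the same grantee already includes Decrypt. Prints what it did.
grant_decrypt() {
    local key_arn="$1" role_arn existing
    role_arn=$(quicksight_role_arn) || return 1
    existing=$(aws kms list-grants --key-id "$key_arn" \
                 --grantee-principal "$role_arn" \
                 --query "Grants[?contains(Operations, 'Decrypt')].GrantId" \
                 --output text) || return 1
    if [ -n "$existing" ] && [ "$existing" != "None" ]; then
        echo "exists $role_arn"
        return 0
    fi
    aws kms create-grant --key-id "$key_arn" \
        --grantee-principal "$role_arn" --operations Decrypt >/dev/null || return 1
    echo "created $role_arn"
}

# Run only when a key ARN is given on the command line.
if [ $# -ge 1 ]; then
    grant_decrypt "$1"
fi
```

Checking for an existing grant first keeps repeated runs from accumulating duplicate grants on the key.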