AWS Quicksight Athena Import Error with Encrypted S3 Data

I have an encrypted data lake stored in S3 that is not being properly imported using Athena in AWS Quicksight. The permissions for S3 HAVE been enabled (and for this particular bucket) before attempting this import. And this data import is being performed by an admin with root credentials to the AWS account. Both Quicksight and the S3 bucket are in the same region (NA-east-1).

I also want to note that I can properly query the data lake using Athena successfully from the AWS account.

Here is the specific error that occurs when attempting to import the data using Athena.

Simba]AthenaJDBC An error has been thrown from the AWS Athena client. com.amazonaws.services.s3.model.AmazonS3Exception: Access Denied (Service: Amazon S3; Status Code: 403; Error Code: AccessDenied; Request ID: 71A7EB19AFD8F60D; S3 Extended Request ID: YBWXhPd9674G+Hmmfggp+QavpmFNF/0GjB2ODy0oN9zGDlQKSLfjwfQ4cLTyvCwRxMfR0GFHeyM=), S3 Extended Request ID: YBWXhPd9674G+Hmmfggp+QavpmFNF/0GjB2ODy0oN9zGDlQKSLfjwfQ4cLTyvCwRxMfR0GFHeyM= (Path: s3://data-storage-gamma-us-east-1/year=2020/month=12/day=21/DataSource-2-2020-12-21-05-45-56-9926f1e6-3569-4877-a798-ca10bfefa432) [Execution ID: e981d25b-148e-4d8e-881e-9d7ff0a461c5]

Upvotes: 2

Views: 1757

Answers (1)

I was eventually able to resolve this issue. The root cause was that the data in the data lake was encrypted using a KMS key. Quicksight was able to access the data but not decrypt it... thus leading to the error message listed above. The solution was to give the Quicksight role access to the KMS key so that it could decrypt the data.

This can be done via the IAM console. The default Role (which should already be present in your account) for Quicksight is:

aws-quicksight-service-role-v0

Add a policy to this role that allows it to use the KMS key. You can also create a policy to do this through the IAM console.

Upvotes: 2
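As an added example (not code from the answer above), this Python sketch builds a decrypt-only policy for the QuickSight role scoped to a single key, and checks whether a set of identity policies already grants that access. It assumes `kms:Decrypt` is the permission needed; the key ARN, `Sid` and policy name are placeholders, and `attach()` needs boto3 and IAM credentials.

```python
import fnmatch
import json

ROLE_NAME = "aws-quicksight-service-role-v0"  # role named in the answer
# Placeholder ARN (constructed); replace with the key that encrypts the bucket.
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"

def build_decrypt_policy(key_arn):
    """Least-privilege inline policy: decrypt only, one key only."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "QuickSightDecryptDataLake",  # hypothetical name
            "Effect": "Allow",
            "Action": ["kms:Decrypt"],  # assumption: read-only use of the key
            "Resource": key_arn,
        }],
    }

def _as_list(value):
    return value if isinstance(value, list) else [value]

def allows_decrypt(policies, key_arn):
    """True if the identity policies allow kms:Decrypt on key_arn and none denies it.
    Simplified: ignores Condition, NotAction, NotResource and the key policy."""
    allowed = False
    for doc in policies:
        for st in _as_list(doc.get("Statement", [])):
            actions = [a.lower() for a in _as_list(st.get("Action", []))]
            hit_action = any(fnmatch.fnmatchcase("kms:decrypt", a) for a in actions)
            hit_res = any(fnmatch.fnmatchcase(key_arn, r)
                          for r in _as_list(st.get("Resource", [])))
            if hit_action and hit_res:
                if st.get("Effect") == "Deny":
                    return False  # an explicit Deny always wins
                allowed = True
    return allowed

def attach(role_name=ROLE_NAME, key_arn=KEY_ARN):
    """Attach the policy inline to the role (requires boto3 and IAM credentials)."""
    import boto3
    boto3.client("iam").put_role_policy(
        RoleName=role_name,
        PolicyName="QuickSightKmsDecrypt",  # hypothetical policy name
        PolicyDocument=json.dumps(build_decrypt_policy(key_arn)),
    )

if __name__ == "__main__":
    print(json.dumps(build_decrypt_policy(KEY_ARN), indent=2))
```

The IAM policy only takes effect if the KMS key's own key policy permits IAM policies in the account to grant access to the key, or names the role directly.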
