
Add Timestream as a data source to QuickSight from a different account

0

EDIT: posted the solution I found in the answers.

I'm trying to add a Timestream DB from account A to QuickSight in account B.

I created a role in account A for account B to assume, with a custom trust policy

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "quicksight.amazonaws.com"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": "ID_ACCOUNT_B"
        }
      }
    }
  ]
}

and a policy

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "timestream:DescribeEndpoints",
        "timestream:SelectValues",
        "timestream:Select",
        "timestream:ListTables",
        "timestream:ListDatabases"
      ],
      "Resource": "*"
    }
  ]
}

I also tried with "timestream:*"

But I am unable to get to the data.

I searched the QuickSight configuration for an option to add it but didn't find anything. I also manually added a custom policy to the QuickSight role so it can assume the role in account A.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::<ID_ACCOUNT_A>:role/QuickSightCrossAccountAccessRole"
    }
  ]
}

Supposedly, in Manage QuickSight > Security & permissions, there should be an option to manage cross-account access, but I can't find one.

Is this possible? Am I missing something?

Thanks.

2 Answers
0
Accepted Answer

Cross-Account Access to Timestream via Athena Federated Queries

I managed to do this using the following approach:

In Account A (where Timestream resides):

  1. Set up Lambda connector to Timestream

    • Navigate to: Lambda → Applications → AthenaTimestreamConnector
    • Make sure to check the box to visualize the connector:

      "Show apps that create custom IAM roles or resource policies"

  2. Add the connector to Athena

    • Go to Athena Data Sources
    • Choose Connect data source → custom or shared connector → select the deployed Lambda

In Account B (consumer account):

  1. Use Athena Federated Queries

    • Follow AWS doc: Cross-Account Federated Queries in Athena

      Set up permissions & trust relationships

    • Configure trust policy between accounts

    • Set up appropriate IAM policies and Lambda resource policies in account A

    • Ensure S3 bucket policy allows access from account B

  2. Update QuickSight permissions

    • Add permissions to the QuickSight role in Account B to:
      • Access the S3 bucket in Account A
      • Invoke the Lambda in Account A

Final Step in Account A:

  • In the Athena console, share the Lambda connector with Account B

You should now be able to see and query the data from the Timestream in Account A from Account B using Athena and adding it to QuickSight.

answered 8 months ago
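
The permission steps in the answer above come in pairs: the QuickSight role in Account B needs an identity policy, and the Lambda and S3 bucket in Account A each need a resource policy naming that role. The sketch below is an added example, not part of the original answer; it is a simplified evaluator (Allow statements only) that shows access fails when either side is missing. Account IDs, role, function, bucket names and region are constructed placeholders.

```python
from fnmatch import fnmatchcase

# Constructed sample values; none of these names come from the original post.
ACCOUNT_A, ACCOUNT_B = "111111111111", "222222222222"
QS_ROLE = f"arn:aws:iam::{ACCOUNT_B}:role/ExampleQuickSightRole"
CONNECTOR = f"arn:aws:lambda:eu-west-1:{ACCOUNT_A}:function:example-timestream-connector"
SPILL = "arn:aws:s3:::example-athena-spill-bucket"
S3_READ = {"Action": ["s3:GetObject", "s3:ListBucket"], "Resource": [SPILL, SPILL + "/*"]}
INVOKE = {"Action": "lambda:InvokeFunction", "Resource": CONNECTOR}

# Account B: identity policy attached to the QuickSight role.
QS_ROLE_POLICY = {"Statement": [{"Effect": "Allow", **INVOKE}, {"Effect": "Allow", **S3_READ}]}
# Account A: resource policies on the connector Lambda and the spill bucket.
LAMBDA_POLICY = {"Statement": [{"Effect": "Allow", "Principal": {"AWS": QS_ROLE}, **INVOKE}]}
BUCKET_POLICY = {"Statement": [{"Effect": "Allow", "Principal": {"AWS": QS_ROLE}, **S3_READ}]}
NO_POLICY = {"Statement": []}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _principal_matches(stmt, caller_arn):
    """A resource policy can name the role ARN, the account root, the account ID, or '*'."""
    principal = stmt.get("Principal", {})
    named = principal.get("AWS", []) if isinstance(principal, dict) else principal
    account = caller_arn.split(":")[4]
    accepted = {caller_arn, account, f"arn:aws:iam::{account}:root", "*"}
    return any(p in accepted for p in _as_list(named))

def _allows(policy, action, resource, caller_arn=None):
    """True if an Allow statement covers the action and resource (and principal, if given)."""
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if caller_arn is not None and not _principal_matches(stmt, caller_arn):
            continue
        action_ok = any(fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt["Action"]))
        if action_ok and any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            return True
    return False

def cross_account_allowed(identity_policy, resource_policy, caller_arn, action, resource):
    """Both accounts must grant access. Deny statements and Conditions are not modelled."""
    return (_allows(identity_policy, action, resource)
            and _allows(resource_policy, action, resource, caller_arn))

if __name__ == "__main__":
    print(cross_account_allowed(QS_ROLE_POLICY, LAMBDA_POLICY, QS_ROLE, "lambda:InvokeFunction", CONNECTOR))
    print(cross_account_allowed(QS_ROLE_POLICY, NO_POLICY, QS_ROLE, "lambda:InvokeFunction", CONNECTOR))
```

Naming the specific role ARN as the principal, rather than the whole of Account B, keeps other principals in that account from invoking the connector or reading spilled query data.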
0

To set up cross-account access for Amazon Timestream data in QuickSight, you need to follow a specific process:

First, ensure that QuickSight in Account B is authorized to connect to Amazon Timestream. A QuickSight administrator needs to:

  1. Open the menu by clicking on the profile icon at the top right
  2. Choose "Manage QuickSight"
  3. Select "Security & permissions"
  4. Click "Add or remove"
  5. Enable the checkbox for Amazon Timestream
  6. Choose "Update" to confirm

For your cross-account setup, your approach with IAM roles is on the right track, but requires some adjustments:

In Account A (where Timestream is located):

  • Your trust policy should allow QuickSight from Account B to assume the role
  • The permissions policy looks good with the necessary Timestream permissions

In Account B (where QuickSight is located):

  • QuickSight needs permission to assume the role in Account A
  • This is typically handled through the QuickSight service role

One key element you might be missing is that after setting up the IAM roles correctly, you need to:

  1. Go to QuickSight in Account B
  2. Create a new dataset
  3. Select Timestream as the data source
  4. When configuring the connection, you'll need to specify the role ARN from Account A that QuickSight should assume

If you're not seeing cross-account options in the QuickSight interface, it could be because:

  • You might not have administrator privileges in QuickSight
  • The QuickSight edition you're using might not support this feature
  • The IAM permissions for your QuickSight service role might need additional configuration

Try reviewing your QuickSight service role permissions in Account B to ensure it has the necessary permissions to assume roles in other accounts.
Sources
Using Amazon Timestream data with Amazon QuickSight - Amazon QuickSight
TimeStream Cross account | AWS re:Post
Cross account access to QuickSight (password-less way) | AWS re:Post
How to access resources in a multi account setup for a Managed Grafana Workspace | AWS re:Post
Amazon QuickSight - Amazon Timestream

answered 9 months ago
