Hi.
I understand that you want an IAM user to be able to self-provision their own QuickSight user with the QuickSight role (ADMIN/AUTHOR/READER) determined by the IAM group they belong to.
First, the QuickSight role when self-provisioning is determined by having one of the following in the applied IAM policy:
- quicksight:CreateAdmin
- quicksight:CreateUser
- quicksight:CreateReader
So you should set an IAM policy that allows any of the above actions for the IAM group.
https://dev.classmethod.jp/articles/quicksight-iam-provisioning/ (Sorry for Japanese, please translate)
But when I select "Manage QuickSight access to AWS services" and choose "IAM / Use existing role" I only see the option to select one role. So how would I best design this to get a different treatment for different users?
This role you're seeing is from the QuickSight admin screen, right?
This is a QuickSight service role. For example, this IAM role is used when QuickSight accesses Athena or S3 to retrieve data.
It has nothing to do with logged-in QuickSight users.
Faced the same issue and this answer helped.
Adding the IAM policy for a reader user in case the link doesn't work in the future:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "quicksight:CreateReader",
      "Resource": "*"
    }
  ]
}
```

Change the action based on the user type required:
- User - quicksight:CreateUser
- Reader - quicksight:CreateReader
- Admin - quicksight:CreateAdmin
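
An added example (not from the answer, the comment, or AWS): a small audit that reports which QuickSight roles each IAM group's policies allow for self-provisioning, so a wildcard such as `quicksight:Create*` that quietly permits ADMIN is caught. The group names and policies are constructed samples, and `Condition`, `Resource` and `NotAction` are assumed absent and are not evaluated.

```python
import re

# Self-provisioning actions named on this page and the QuickSight role each yields.
ROLE_BY_ACTION = {
    "quicksight:CreateAdmin": "ADMIN",
    "quicksight:CreateUser": "AUTHOR",
    "quicksight:CreateReader": "READER",
}

def _as_list(value):
    """IAM accepts a single value or a list for Statement and Action."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _matches(pattern, action):
    """IAM action matching is case-insensitive with '*' and '?' wildcards."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, action, re.IGNORECASE) is not None

def provisionable_roles(policies):
    """Roles the combined policies allow; an explicit Deny overrides any Allow."""
    allowed, denied = set(), set()
    for policy in policies:
        for stmt in _as_list(policy.get("Statement")):
            target = allowed if stmt.get("Effect") == "Allow" else denied
            for pattern in _as_list(stmt.get("Action")):
                for action, role in ROLE_BY_ACTION.items():
                    if _matches(pattern, action):
                        target.add(role)
    return allowed - denied

def unexpected_roles(group_policies, expected):
    """Map each group to the roles it can reach beyond its expected one."""
    findings = {}
    for group, policies in group_policies.items():
        extra = provisionable_roles(policies) - {expected[group]}
        if extra:
            findings[group] = sorted(extra)
    return findings

# Constructed sample data: hypothetical group names and attached policy documents.
GROUP_POLICIES = {
    "qs-readers": [{"Statement": [{"Effect": "Allow", "Action": "quicksight:CreateReader", "Resource": "*"}]}],
    "qs-authors": [{"Statement": [{"Effect": "Allow", "Action": "quicksight:Create*", "Resource": "*"},
                                  {"Effect": "Deny", "Action": ["quicksight:createadmin"], "Resource": "*"}]}],
    "qs-legacy": [{"Statement": {"Effect": "Allow", "Action": "quicksight:*", "Resource": "*"}}],
}
EXPECTED = {"qs-readers": "READER", "qs-authors": "AUTHOR", "qs-legacy": "READER"}
```
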