Pass IAM roles to Quicksight - Enable different user creation depending on IAM group

0

Hi everyone,

We are setting up an application for our clients which includes a Quicksight dashboard. External users to the dashboard should be invited through Quicksight, but all users of the client who will have some administrative tasks in the operation of the application, and thus also have IAM users, should access Quicksight through their IAM user.

I tried to follow the steps in your documentation on Quicksight and IAM, but I am not sure I understood everything.

What I want is that users within a certain IAM group for readers will only be able to create Reader accounts when first signing in to Quicksight, while those in another group for Quicksight admins will create admin or author accounts.

But when I select "Manage QuickSight access to AWS services" and choose "IAM / Use existing role" I only see the option to select one role. So how would I best design this to get a different treatment for different users? Variables in the policy? Or did I misunderstand and the steps outlined in the documentation on passing the IAM role with Quicksight permissions to Quicksight apply only for the administrator role, but not the users who should only be readers?

Did I understand correctly that at first at least one "normal" login and user creation (with email registration) in Quicksight via the managed service role is needed as one can only change to the use of IAM roles there?

Many thanks for your help!

Best regards

1 Answer
2

Hi.

I understand that you want an IAM user to be able to self-provision their own QuickSight user with the QuickSight role (ADMIN/AUTHOR/READER) determined by the IAM group they belong to.

First, the QuickSight role when self-provisioning is determined by having one of the following actions in the applied IAM policy:

  • quicksight:CreateAdmin
  • quicksight:CreateUser
  • quicksight:CreateReader

So you should set an IAM policy that allows one of the above actions for the IAM group.

https://dev.classmethod.jp/articles/quicksight-iam-provisioning/ (Sorry for Japanese, please translate)


But when I select "Manage QuickSight access to AWS services" and choose "IAM / Use existing role" I only see the option to select one role. So how would I best design this to get a different treatment for different users?

This role you're seeing is from the QuickSight admin screen, right?

This is a QuickSight service role. For example, this IAM role is used when QuickSight accesses Athena or S3 to retrieve data.

It has nothing to do with logged-in QuickSight users.

EXPERT
iwasa
answered 2 years ago
  • Faced the same issue and this answer helped.

    Adding the IAM policy for a reader user in case the link doesn't work in the future

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "quicksight:CreateReader",
          "Resource": "*"
        }
      ]
    }

    Change the action based on the user type required:

    User - quicksight:CreateUser
    Reader - quicksight:CreateReader
    Admin - quicksight:CreateAdmin
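As an added example (not code from the answer or the commenter), here is a small Python check of which QuickSight self-provisioning role a group's IAM policies grant, using the reader and admin policies from the answer and the comment above. The action-to-role mapping (CreateUser = AUTHOR), the simplified IAM evaluation (Action only, no NotAction or Condition) and the constructed policy documents are assumptions.

```python
"""Work out which QuickSight role an IAM group's policies let a user self-provision."""
from fnmatch import fnmatchcase
from typing import Iterable, Optional

# quicksight:Create* action -> QuickSight user role it self-provisions (assumed mapping).
PROVISIONING_ACTIONS = {
    "quicksight:CreateAdmin": "ADMIN",
    "quicksight:CreateUser": "AUTHOR",
    "quicksight:CreateReader": "READER",
}

def _as_list(value) -> list:
    """IAM lets Statement, Action and Resource be a single string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _matches(pattern: str, action: str) -> bool:
    """IAM action names are case-insensitive and support * and ? wildcards."""
    return fnmatchcase(action.lower(), pattern.lower())

def granted_roles(policies: Iterable[dict]) -> set:
    """Roles the policies allow self-provisioning for; an explicit Deny wins over Allow."""
    allowed, denied = set(), set()
    for policy in policies:
        for stmt in _as_list(policy.get("Statement")):
            if "*" not in _as_list(stmt.get("Resource")):
                continue  # the Create* actions only support Resource "*"
            effect = stmt.get("Effect")
            if effect not in ("Allow", "Deny"):
                continue
            bucket = allowed if effect == "Allow" else denied
            for pattern in _as_list(stmt.get("Action")):
                bucket.update(a for a in PROVISIONING_ACTIONS if _matches(pattern, a))
    return {PROVISIONING_ACTIONS[a] for a in allowed - denied}

def self_provision_role(policies: Iterable[dict]) -> Optional[str]:
    """The single role a group member would get, or None when the policies grant
    none or more than one (fix the policy instead of relying on any precedence)."""
    roles = granted_roles(policies)
    return roles.pop() if len(roles) == 1 else None

# Constructed group policies mirroring the comment above (one Create* action each).
READER_GROUP_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "quicksight:CreateReader", "Resource": "*"}]}
ADMIN_GROUP_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "quicksight:CreateAdmin", "Resource": "*"}]}
# Over-broad policy: quicksight:* matches all three actions, so the role is ambiguous.
BROAD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "quicksight:*", "Resource": "*"}]}
# Deny guard for the reader group so it can never self-provision as ADMIN or AUTHOR.
DENY_ELEVATION = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": ["quicksight:CreateAdmin", "quicksight:CreateUser"], "Resource": "*"}]}
```

Run granted_roles over each group's attached policies before rolling them out; a result with more than one role means a member of a "reader" group could sign in as something else.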
