Step 1: Set up permissions - Amazon QuickSight
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Step 1: Set up permissions

 Applies to: Enterprise Edition 
   Intended audience: Amazon QuickSight developers 

In the following section, you can find out how to set up permissions for the backend application or web server. This task requires administrative access to IAM.

Each user who accesses a dashboard assumes a role that gives them Amazon QuickSight access and permissions to the dashboard. To make this possible, create an IAM role in your Amazon Web Services account. Associate an IAM policy with the role to provide permissions to any user who assumes it.

You can create a condition in your IAM policy that limits the domains that developers can list in the AllowedDomains parameter of a GenerateEmbedUrlForAnonymousUser API operation. The AllowedDomains parameter is an optional parameter. It grants you as a developer the option to override the static domains that are configured in the Manage QuickSight menu. Instead, you can list up to three domains or subdomains that can access a generated URL. This URL is then embedded in the website that you create. Only the domains that are listed in the parameter can access the embedded dashboard. Without this condition, you can list any domain on the internet in the AllowedDomains parameter.

To limit the domains that developers can use with this parameter, add an AllowedEmbeddingDomains condition to your IAM policy. For more information about the AllowedDomains parameter, see GenerateEmbedUrlForAnonymousUser in the Amazon QuickSight API Reference.

The following sample policy provides these permissions for use with GenerateEmbedUrlForAnonymousUser. For this approach to work, you also need a session pack, or session capacity pricing, for your Amazon Web Services account. Otherwise, when a user tries to access the dashboard, the error UnsupportedPricingPlanException is returned. 

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "quicksight:GenerateEmbedUrlForAnonymousUser"
            ],
            "Resource": [
                "arn:{{partition}}:quicksight:{{region}}:{{accountId}}:namespace/{{namespace}}",
                "arn:{{partition}}:quicksight:{{region}}:{{accountId}}:dashboard/{{dashboardId-1}}",
                "arn:{{partition}}:quicksight:{{region}}:{{accountId}}:dashboard/{{dashboardId-2}}"
            ],
            "Condition": {
                "ForAllValues:StringEquals": {
                    "quicksight:AllowedEmbeddingDomains": [
                        "https://my.static.domain1.com",
                        "https://*.my.static.domain2.com"
                    ]
            }
        }
}

Your application's IAM identity must have a trust policy associated with it to allow access to the role that you just created. This means that when a user accesses your application, your application can assume the role on the user's behalf to open the dashboard. The following example shows a sample trust policy.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowLambdaFunctionsToAssumeThisRole",
            "Effect": "Allow",
            "Principal": {
                "Service": "lambda.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        },
        {
            "Sid": "AllowEC2InstancesToAssumeThisRole",
            "Effect": "Allow",
            "Principal": {
                "Service": "ec2.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

For more information regarding trust policies, see Temporary security credentials in IAM in the IAM User Guide.