Step 1: Set up permissions - Amazon QuickSight
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Step 1: Set up permissions

In the following section, you can find out how to set up permissions for the backend application or web server. This task requires administrative access to IAM.

Each user who accesses QuickSight assumes a role that gives them Amazon QuickSight access and permissions for the console session. To make this possible, create an IAM role in your AWS account. Associate an IAM policy with the role to provide permissions to any user who assumes it. Add the quicksight:RegisterUser permission so that the reader is provisioned with read-only access to QuickSight and has no access to any other data or creation capability. The IAM role also needs permission to retrieve console session URLs. For this, you add quicksight:GenerateEmbedUrlForRegisteredUser.

You can create a condition in your IAM policy that limits the domains that developers can list in the AllowedDomains parameter of a GenerateEmbedUrlForAnonymousUser API operation. The AllowedDomains parameter is an optional parameter. It grants you as a developer the option to override the static domains that are configured in the Manage QuickSight menu. Instead, you can list up to three domains or subdomains that can access a generated URL. This URL is then embedded in the website that you create. Only the domains that are listed in the parameter can access the embedded dashboard. Without this condition, you can list any domain on the internet in the AllowedDomains parameter.

The following sample policy provides these permissions.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "quicksight:RegisterUser",
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Effect": "Allow",
      "Action": [
        "quicksight:GenerateEmbedUrlForRegisteredUser"
      ],
      "Resource": [
        "arn:partition:quicksight:region:accountId:user/namespace/userName"
      ],
      "Condition": {
        "ForAllValues:StringEquals": {
          "quicksight:AllowedEmbeddingDomains": [
            "https://my.static.domain1.com",
            "https://*.my.static.domain2.com"
          ]
        }
      }
    }
  ]
}

The following sample policy provides permission to retrieve a console session URL. You can use the policy without quicksight:RegisterUser if you are creating users before they access an embedded session.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "quicksight:GenerateEmbedUrlForRegisteredUser"
      ],
      "Resource": [
        "arn:partition:quicksight:region:accountId:user/namespace/userName"
      ],
      "Condition": {
        "ForAllValues:StringEquals": {
          "quicksight:AllowedEmbeddingDomains": [
            "https://my.static.domain1.com",
            "https://*.my.static.domain2.com"
          ]
        }
      }
    }
  ]
}

Finally, the role that you just created must have a trust policy that allows your application's IAM identity to assume it. This means that when a user accesses your application, your application can assume the role on the user's behalf and provision the user in QuickSight. The following example shows a sample trust policy.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowLambdaFunctionsToAssumeThisRole",
      "Effect": "Allow",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    },
    {
      "Sid": "AllowEC2InstancesToAssumeThisRole",
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
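The backend flow that these policies enable, as an added example that is not code from the AWS documentation: the application, already running under the role above (the boto3 QuickSight client `qs` is an assumption, created from the assumed-role credentials), registers the viewer as a READER and then requests a console embed URL with an explicit AllowedDomains list, which the IAM condition above then accepts or rejects. The `RoleName/SessionName` user-name lookup and the origin checks are this example's own assumptions.

```python
from urllib.parse import urlparse

MAX_ALLOWED_DOMAINS = 3  # upper bound stated on this page


def validate_allowed_domains(domains):
    """Return the list if it has 1 to 3 entries and each is a bare origin
    (scheme://host[:port]); these checks are the example's own, applied
    before the API call so a bad list fails in our code, not in IAM."""
    if not 0 < len(domains) <= MAX_ALLOWED_DOMAINS:
        raise ValueError("AllowedDomains must contain 1 to 3 entries")
    for d in domains:
        p = urlparse(d)
        if p.scheme not in ("https", "http") or not p.netloc:
            raise ValueError(f"not an origin: {d}")
        if p.path not in ("", "/") or p.query or p.fragment:
            raise ValueError(f"origin must not carry a path or query: {d}")
    return list(domains)


def ensure_reader(qs, account_id, namespace, role_arn, session_name, email):
    """Provision the viewer read-only (quicksight:RegisterUser, UserRole READER).
    If the role/session user already exists, look it up instead (assumed
    convention: the QuickSight user name is RoleName/SessionName)."""
    try:
        resp = qs.register_user(AwsAccountId=account_id, Namespace=namespace,
                                IdentityType="IAM", IamArn=role_arn,
                                SessionName=session_name, Email=email,
                                UserRole="READER")
    except qs.exceptions.ResourceExistsException:
        role_name = role_arn.rsplit("/", 1)[-1]
        resp = qs.describe_user(AwsAccountId=account_id, Namespace=namespace,
                                UserName=f"{role_name}/{session_name}")
    return resp["User"]["Arn"]


def embed_console_url(qs, account_id, user_arn, allowed_domains, minutes=60):
    """quicksight:GenerateEmbedUrlForRegisteredUser for a console session.
    AllowedDomains overrides the static domains from Manage QuickSight; the
    role's IAM condition decides whether this particular list is permitted."""
    resp = qs.generate_embed_url_for_registered_user(
        AwsAccountId=account_id, UserArn=user_arn,
        SessionLifetimeInMinutes=minutes,
        ExperienceConfiguration={"QuickSightConsole": {"InitialPath": "/start"}},
        AllowedDomains=validate_allowed_domains(allowed_domains))
    return resp["EmbedUrl"]
```

Embed the returned URL in your page; it is only loadable from the origins in the AllowedDomains list you passed.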

For more information regarding trust policies for OpenID Connect or SAML authentication, see the following sections of the IAM User Guide: