Granting QuickSight access to Secrets Manager and selected secrets - Amazon QuickSight
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Granting QuickSight access to Secrets Manager and selected secrets

If you're an administrator and you have secrets in Secrets Manager, you can grant Amazon QuickSight read-only access to selected secrets.

To grant QuickSight access to Secrets Manager and selected secrets
  1. In QuickSight, choose your user icon on the upper right, and then choose Manage QuickSight.

    Manage QuickSight menu.
  2. Choose Security & permissions on the left.

  3. Choose Manage in QuickSight access to Amazon resources.

    Manage security and permissions.
  4. In Allow access and autodiscovery for these resources, choose Amazon Secrets Manager, and then choose Select secrets.

    The Amazon Secrets Manager secrets page opens.

  5. Select the secrets that you want to grant QuickSight read-only access to.

    Secrets in your QuickSight sign-up Region are shown automatically. To select secrets outside your home Region, choose Secrets in Other Amazon Regions, and then enter the Amazon Resource Names (ARNs) for those secrets.

  6. When you're done, choose Finish.

    QuickSight creates an IAM role named aws-quicksight-secretsmanager-role-v0 in your account. Its policy grants users in the account read-only access to the specified secrets and looks similar to the following:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "secretsmanager:GetSecretValue"
                ],
                "Resource": [
                    "arn:aws-cn:secretsmanager:region:accountId:secret:secret_name"
                ]
            }
        ]
    }

    When QuickSight users create analyses from or view dashboards that use a data source with secrets, QuickSight assumes this Secrets Manager IAM role. For more information about secret permissions policies, see Authentication and access control for Amazon Secrets Manager in the Amazon Secrets Manager User Guide.

    A secret referenced in the QuickSight IAM role might also have a resource policy attached that denies access; such an explicit deny takes precedence over the role's allow. For more information, see Attach a permissions policy to a secret in the Amazon Secrets Manager User Guide.

    If you're using an Amazon managed Amazon KMS key to encrypt your secret, QuickSight doesn't require any additional permissions setup in Secrets Manager.

    If you're using a customer managed key to encrypt your secret, ensure that the QuickSight IAM role, aws-quicksight-secretsmanager-role-v0, has kms:Decrypt permission on that key. For more information, see Permissions for the KMS key in the Amazon Secrets Manager User Guide.

    For more information about the types of keys used in Amazon Key Management Service, see Customer keys and Amazon keys in the Amazon Key Management Service guide.
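As an added example (not code from the QuickSight documentation), the following Python models the access checks behind steps 5 and 6 offline: the role's identity policy must allow secretsmanager:GetSecretValue on each selected secret, an explicit Deny in a secret's resource policy overrides that Allow, and a secret encrypted with a customer managed KMS key additionally needs kms:Decrypt. The account ID, Region, secret ARNs and policy contents are constructed, and the evaluation is a simplified model of IAM (no Condition, NotAction or NotResource handling).

```python
import fnmatch

# Constructed example; account id, Region, secret names and key ARN are made up.
ROLE_ARN = "arn:aws-cn:iam::111122223333:role/aws-quicksight-secretsmanager-role-v0"
DB_SECRET = "arn:aws-cn:secretsmanager:cn-north-1:111122223333:secret:prod/db-AbCdEf"
API_SECRET = "arn:aws-cn:secretsmanager:cn-north-1:111122223333:secret:prod/api-GhIjKl"

# Policy of the shape QuickSight attaches to the role after step 6 (constructed).
ROLE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["secretsmanager:GetSecretValue"],
    "Resource": [DB_SECRET, API_SECRET]}]}

# Resource policies attached to the secrets themselves; this one explicitly denies the role.
SECRET_POLICIES = {API_SECRET: {"Version": "2012-10-17", "Statement": [{
    "Effect": "Deny", "Principal": {"AWS": ROLE_ARN},
    "Action": "secretsmanager:GetSecretValue", "Resource": "*"}]}}

def _aslist(v):
    return v if isinstance(v, list) else [v]

def _matches(stmt, action, resource, principal=None):
    """True when the statement's Action/Resource patterns cover the request and,
    for resource policies, its Principal names the role (or is '*')."""
    if not any(fnmatch.fnmatchcase(action, a) for a in _aslist(stmt.get("Action", []))):
        return False
    if not any(fnmatch.fnmatchcase(resource, r) for r in _aslist(stmt.get("Resource", []))):
        return False
    if principal is None or "Principal" not in stmt:
        return True
    p = stmt["Principal"]
    return p == "*" or (isinstance(p, dict) and principal in _aslist(p.get("AWS", [])))

def effective_secret_access(role_policy, secret_policies, secret_arns, role_arn=ROLE_ARN):
    """Classify each secret as allowed, denied or missing. An explicit Deny in the secret's
    resource policy wins over the role's Allow; a secret the role never names is missing."""
    action = "secretsmanager:GetSecretValue"
    result = {"allowed": [], "denied": [], "missing": []}
    for arn in secret_arns:
        allowed = any(s["Effect"] == "Allow" and _matches(s, action, arn)
                      for s in role_policy["Statement"])
        denied = any(s["Effect"] == "Deny" and _matches(s, action, arn, role_arn)
                     for s in secret_policies.get(arn, {}).get("Statement", []))
        result["denied" if denied else "allowed" if allowed else "missing"].append(arn)
    return result

def has_kms_decrypt(role_policy, key_arn):
    """A secret encrypted with a customer managed key also needs kms:Decrypt on that key."""
    return any(s["Effect"] == "Allow" and _matches(s, "kms:Decrypt", key_arn)
               for s in role_policy["Statement"])
```

In a live account the same documents can be pulled with the IAM GetRolePolicy and Secrets Manager GetResourcePolicy APIs and fed to these functions unchanged.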