Actions, resources, and condition keys for Amazon QuickSight - Service Authorization Reference
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Actions, resources, and condition keys for Amazon QuickSight

Amazon QuickSight (service prefix: quicksight) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:

Actions defined by Amazon QuickSight

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in Amazon. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The Resource types column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") to which the policy applies in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (*). If you limit resource access with the Resource element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The Condition keys column of the Actions table includes keys that you can specify in a policy statement's Condition element. For more information on the condition keys that are associated with resources for the service, see the Condition keys column of the Resource types table.

Note

Resource condition keys are listed in the Resource types table. You can find a link to the resource type that applies to an action in the Resource types (*required) column of the Actions table. The resource type in the Resource types table includes the Condition keys column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see Actions table.

Actions Description Access level Resource types (*required) Condition keys Dependent actions
AccountConfigurations [permission only] Grants permission to enable setting default access to Amazon resources Write
BatchCreateTopicReviewedAnswer Grants permission to create reviewed answers for a topic Write

topic*

aws:RequestTag/${TagKey}

aws:TagKeys

BatchDeleteTopicReviewedAnswer Grants permission to delete reviewed answers for a topic Write

topic*

aws:RequestTag/${TagKey}

aws:TagKeys

CancelIngestion Grants permission to cancel a SPICE ingestions on a dataset Write

ingestion*

aws:RequestTag/${TagKey}

aws:TagKeys

CreateAccountCustomization Grants permission to create an account customization for QuickSight account or namespace Write

aws:RequestTag/${TagKey}

aws:TagKeys

CreateAccountSubscription Grants permission to subscribe to QuickSight Write

quicksight:Edition

quicksight:DirectoryType

CreateAdmin [permission only] Grants permission to provision Amazon QuickSight administrators, authors, and readers Write

user*

CreateAnalysis Grants permission to create an analysis from a template Write

analysis*

aws:RequestTag/${TagKey}

aws:TagKeys

CreateBrand Grants permission to create an Amazon QuickSight brand Write

brand*

aws:RequestTag/${TagKey}

aws:TagKeys

CreateCustomPermissions Grants permission to create a QuickSight custom permissions resource Write

custompermissions*

aws:RequestTag/${TagKey}

aws:TagKeys

CreateDashboard Grants permission to create a QuickSight Dashboard Write

dashboard*

aws:RequestTag/${TagKey}

aws:TagKeys

CreateDataSet Grants permission to create a dataset Write

datasource*

quicksight:PassDataSource

aws:RequestTag/${TagKey}

aws:TagKeys

CreateDataSource Grants permission to create a data source Write

aws:RequestTag/${TagKey}

aws:TagKeys

iam:PassRole

CreateEmailCustomizationTemplate [permission only] Grants permission to create a QuickSight email customization template Write

emailCustomizationTemplate*

CreateFolder Grants permission to create a QuickSight folder Write

folder*

aws:RequestTag/${TagKey}

aws:TagKeys

CreateFolderMembership Grants permission to add a QuickSight Dashboard, Analysis or Dataset to a QuickSight Folder Write

folder*

analysis

dashboard

dataset

CreateGroup Grants permission to create a QuickSight group Write

group*

CreateGroupMembership Grants permission to add a QuickSight user to a QuickSight group Write

group*

quicksight:UserName

aws:TagKeys

aws:RequestTag/${TagKey}

CreateIAMPolicyAssignment Grants permission to create an assignment with one specified IAM Policy ARN that will be assigned to specified groups or users of QuickSight Write

assignment*

CreateIngestion Grants permission to start a SPICE ingestion on a dataset Write

ingestion*

aws:RequestTag/${TagKey}

aws:TagKeys

CreateNamespace Grants permission to create an QuickSight namespace Write

namespace*

ds:CreateIdentityPoolDirectory

CreateReader [permission only] Grants permission to provision Amazon QuickSight readers Write

user*

CreateRefreshSchedule Grants permission to create a refresh schedule for a dataset Write

refreshschedule*

CreateRoleMembership Grants permission to add a group member to a role Write

quicksight:Group

identitystore:GroupId

CreateTemplate Grants permission to create a template Write

template*

aws:RequestTag/${TagKey}

aws:TagKeys

CreateTemplateAlias Grants permission to create a template alias Write

template*

aws:RequestTag/${TagKey}

aws:TagKeys

CreateTheme Grants permission to create a theme Write

theme*

aws:RequestTag/${TagKey}

aws:TagKeys

CreateThemeAlias Grants permission to create an alias for a theme version Write

theme*

aws:RequestTag/${TagKey}

aws:TagKeys

CreateTopic Grants permission to create a topic Write

dataset*

quicksight:PassDataSet

aws:RequestTag/${TagKey}

aws:TagKeys

CreateTopicRefreshSchedule Grants permission to create a refresh schedule for a topic Write

topic*

CreateUser [permission only] Grants permission to provision Amazon QuickSight authors and readers Write

user*

CreateVPCConnection Grants permission to create a vpc connection Write

aws:RequestTag/${TagKey}

aws:TagKeys

iam:PassRole

DeleteAccountCustomization Grants permission to delete an account customization for QuickSight account or namespace Write

customization*

DeleteAccountSubscription Grants permission to delete a QuickSight account Write

account*

DeleteAnalysis Grants permission to delete an analysis Write

analysis*

DeleteBrand Grants permission to delete an Amazon QuickSight brand Write

brand*

DeleteBrandAssignment Grants permission to delete a brand assignment Write
DeleteCustomPermissions Grants permission to delete a QuickSight custom permissions resource Write
DeleteDashboard Grants permission to delete a QuickSight Dashboard Write

dashboard*

DeleteDataSet Grants permission to delete a dataset Write

dataset*

aws:RequestTag/${TagKey}

aws:TagKeys

DeleteDataSetRefreshProperties Grants permission to delete dataset refresh properties for a dataset Write

dataset*

DeleteDataSource Grants permission to delete a data source Write

datasource*

aws:RequestTag/${TagKey}

aws:TagKeys

DeleteEmailCustomizationTemplate [permission only] Grants permission to delete a QuickSight email customization template Write

emailCustomizationTemplate*

DeleteFolder Grants permission to delete a QuickSight Folder Write

folder*

DeleteFolderMembership Grants permission to remove a QuickSight Dashboard, Analysis or Dataset from a QuickSight Folder Write

folder*

analysis

dashboard

dataset

DeleteGroup Grants permission to remove a user group from QuickSight Write

group*

DeleteGroupMembership Grants permission to remove a user from a group so that he/she is no longer a member of the group Write

group*

quicksight:UserName

DeleteIAMPolicyAssignment Grants permission to update an existing assignment Write

assignment*

DeleteIdentityPropagationConfig Grants permission to remove Amazon services for trusted identity propagation in QuickSight Write
DeleteNamespace Grants permission to delete a QuickSight namespace Write

namespace*

ds:DeleteDirectory

DeleteRefreshSchedule Grants permission to delete a refresh schedule for a dataset Write

refreshschedule*

DeleteRoleCustomPermission Grants permission to remove the custom permission associated with a role Write
DeleteRoleMembership Grants permission to remove a group member from a role Write

quicksight:Group

identitystore:GroupId

DeleteTemplate Grants permission to delete a template Write

template*

DeleteTemplateAlias Grants permission to delete a template alias Write

template*

DeleteTheme Grants permission to delete a theme Write

theme*

DeleteThemeAlias Grants permission to delete the alias of a theme Write

theme*

DeleteTopic Grants permission to delete a topic Write

topic*

aws:RequestTag/${TagKey}

aws:TagKeys

DeleteTopicRefreshSchedule Grants permission to delete a refresh schedule for a topic Write

topic*

DeleteUser Grants permission to delete a QuickSight user, given the user name Write

user*

DeleteUserByPrincipalId Grants permission to deletes a user identified by its principal ID Write

user*

DeleteUserCustomPermission Grants permission to remove the custom permission associated with a user Write

user*

DeleteVPCConnection Grants permission to delete a vpc connection Write

vpcconnection*

aws:RequestTag/${TagKey}

aws:TagKeys

DescribeAccountCustomization Grants permission to describe an account customization for QuickSight account or namespace Read

customization*

DescribeAccountSettings Grants permission to describe the administrative account settings for QuickSight account Read
DescribeAccountSubscription Grants permission to describe a QuickSight account Read

account*

DescribeAnalysis Grants permission to describe an analysis Read

analysis*

DescribeAnalysisPermissions Grants permission to describe permissions for an analysis Read

analysis*

DescribeAssetBundleExportJob Grants permission to describe an asset bundle export job Read

assetBundleExportJob*

DescribeAssetBundleImportJob Grants permission to describe an asset bundle import job Read

assetBundleImportJob*

DescribeBrand Grants permission to describe a brand Read

brand*

DescribeBrandAssignment Grants permission to describe a brand assignment Read
DescribeBrandPublishedVersion Grants permission to describes the published version of the brand Read

brand*

DescribeCustomPermissions Grants permission to describe a custom permissions resource in a QuickSight account Read

custompermissions*

DescribeDashboard Grants permission to describe a QuickSight Dashboard Read

dashboard*

DescribeDashboardPermissions Grants permission to describe permissions for a QuickSight Dashboard Read

dashboard*

DescribeDashboardSnapshotJob Grants permission to describe a dashboard snapshot job Read

dashboardSnapshotJob*

DescribeDashboardSnapshotJobResult Grants permission to describe result of a dashboard snapshot job Read

dashboardSnapshotJob*

DescribeDashboardsQAConfiguration Grants permission to describe dashboards qa configuration Read
DescribeDataSet Grants permission to describe a dataset Read

dataset*

aws:RequestTag/${TagKey}

aws:TagKeys

DescribeDataSetPermissions Grants permission to describe the resource policy of a dataset Permissions management

dataset*

aws:RequestTag/${TagKey}

aws:TagKeys

DescribeDataSetRefreshProperties Grants permission to describe refresh properties for a dataset Read

dataset*

DescribeDataSource Grants permission to describe a data source Read

datasource*

aws:RequestTag/${TagKey}

aws:TagKeys

DescribeDataSourcePermissions Grants permission to describe the resource policy of a data source Permissions management

datasource*

aws:RequestTag/${TagKey}

aws:TagKeys

DescribeEmailCustomizationTemplate [permission only] Grants permission to describe a QuickSight email customization template Read

emailCustomizationTemplate*

DescribeFolder Grants permission to describe a QuickSight Folder Read

folder*

DescribeFolderPermissions Grants permission to describe permissions for a QuickSight Folder Read

folder*

DescribeFolderResolvedPermissions Grants permission to describe resolved permissions for a QuickSight Folder Read

folder*

DescribeGroup Grants permission to describe a QuickSight group Read

group*

DescribeGroupMembership Grants permission to describe a QuickSight group member Read

group*

quicksight:UserName

DescribeIAMPolicyAssignment Grants permission to describe an existing assignment Read

assignment*

DescribeIngestion Grants permission to describe a SPICE ingestion on a dataset Read

ingestion*

aws:RequestTag/${TagKey}

aws:TagKeys

DescribeIpRestriction Grants permission to describe the IP restrictions for QuickSight account Read
DescribeKeyRegistration Grants permission to describe QuickSight key registration Read
DescribeNamespace Grants permission to describe a QuickSight namespace Read

namespace*

DescribeQPersonalizationConfiguration Grants permission to describe a personalization configuration Read
DescribeRefreshSchedule Grants permission to describe a refresh schedule for a dataset Read

refreshschedule*

DescribeRoleCustomPermission Grants permission to describe the custom permission associated with a role Read
DescribeTemplate Grants permission to describe a template Read

template*

DescribeTemplateAlias Grants permission to describe a template alias Read

template*

DescribeTemplatePermissions Grants permission to describe permissions for a template Read

template*

DescribeTheme Grants permission to describe a theme Read

theme*

DescribeThemeAlias Grants permission to describe a theme alias Read

theme*

DescribeThemePermissions Grants permission to describe permissions for a theme Read

theme*

DescribeTopic Grants permission to describe a topic Read

topic*

aws:RequestTag/${TagKey}

aws:TagKeys

DescribeTopicPermissions Grants permission to describe the resource policy of a topic Permissions management

topic*

aws:RequestTag/${TagKey}

aws:TagKeys

DescribeTopicRefresh Grants permission to describe the refresh status of a topic Read

topic*

aws:RequestTag/${TagKey}

aws:TagKeys

DescribeTopicRefreshSchedule Grants permission to describe a refresh schedule for a topic Read

topic*

DescribeUser Grants permission to describe a QuickSight user given the user name Read

user*

DescribeVPCConnection Grants permission to describe a vpc connection Read

vpcconnection*

aws:RequestTag/${TagKey}

aws:TagKeys

GenerateEmbedUrlForAnonymousUser Grants permission to generate a URL used to embed a QuickSight Dashboard or Q Topic for a user not registered with QuickSight Write

namespace*

dashboard

theme

topic

aws:TagKeys

aws:RequestTag/${TagKey}

quicksight:AllowedEmbeddingDomains

GenerateEmbedUrlForRegisteredUser Grants permission to generate a URL used to embed a QuickSight Dashboard for a user registered with QuickSight Write

user*

quicksight:AllowedEmbeddingDomains

GetAnonymousUserEmbedUrl [permission only] Grants permission to get a URL used to embed a QuickSight Dashboard for a user not registered with QuickSight Read
GetAuthCode [permission only] Grants permission to get an auth code representing a QuickSight user Read

user*

GetDashboardEmbedUrl Grants permission to get a URL used to embed a QuickSight Dashboard Read

dashboard*

GetGroupMapping [permission only] Grants permission to use Amazon QuickSight, in Enterprise edition, to identify and display the Microsoft Active Directory (Microsoft Active Directory) directory groups that are mapped to roles in Amazon QuickSight Read
GetSessionEmbedUrl Grants permission to get a URL to embed QuickSight console experience Read
ListAnalyses Grants permission to list all analyses in an account List

analysis*

ListAssetBundleExportJobs Grants permission to list all asset bundle export jobs List

assetBundleExportJob*

ListAssetBundleImportJobs Grants permission to list all asset bundle import jobs List

assetBundleImportJob*

ListBrands Grants permission to lists all brands in an Amazon QuickSight account List
ListCustomPermissions Grants permission to list custom permissions resources in QuickSight account List
ListCustomerManagedKeys [permission only] Grants permission to list all registered customer managed keys List
ListDashboardVersions Grants permission to list all versions of a QuickSight Dashboard List

dashboard*

ListDashboards Grants permission to list all Dashboards in a QuickSight Account List

dashboard*

ListDataSets Grants permission to list all datasets List

aws:RequestTag/${TagKey}

aws:TagKeys

ListDataSources Grants permission to list all data sources List

aws:RequestTag/${TagKey}

aws:TagKeys

ListFolderMembers Grants permission to list all members in a folder Read

folder*

ListFolders Grants permission to list all Folders in a QuickSight Account List

folder*

ListFoldersForResource Grants permission to list all Folders in which a QuickSight resource is a member List

analysis

dashboard

dataset

datasource

topic

ListGroupMemberships Grants permission to list member users in a group List

group*

ListGroups Grants permission to list all user groups in QuickSight List

group*

ListIAMPolicyAssignments Grants permission to list all assignments in the current Amazon QuickSight account List

assignment*

ListIAMPolicyAssignmentsForUser Grants permission to list all assignments assigned to a user and the groups it belongs List

assignment*

ListIdentityPropagationConfigs Grants permission to list Amazon services enabled for trusted identity propagation in QuickSight List
ListIngestions Grants permission to list all SPICE ingestions on a dataset List

aws:RequestTag/${TagKey}

aws:TagKeys

ListKMSKeysForUser [permission only] Grants permission to list a user's KMS keys List
ListNamespaces Grants permission to lists all namespaces in a QuickSight account List
ListRefreshSchedules Grants permission to list all refresh schedules on a dataset List
ListRoleMemberships Grants permission to list the members of a role List
ListTagsForResource Grants permission to list tags of a QuickSight resource Read

customization

dashboard

folder

template

theme

topic

ListTemplateAliases Grants permission to list all aliases for a template List

template*

ListTemplateVersions Grants permission to list all versions of a template List

template*

ListTemplates Grants permission to list all templates in a QuickSight account List

template*

ListThemeAliases Grants permission to list all aliases of a theme List

theme*

ListThemeVersions Grants permission to list all versions of a theme List

theme*

ListThemes Grants permission to list all themes in an account List

theme*

ListTopicRefreshSchedules Grants permission to list all refresh schedules on a topic List
ListTopicReviewedAnswers Grants permission to list all reviewed answers for topic List

aws:RequestTag/${TagKey}

aws:TagKeys

ListTopics Grants permission to list all topics List

aws:RequestTag/${TagKey}

aws:TagKeys

ListUserGroups Grants permission to list groups that a given user is a member of List

user*

ListUsers Grants permission to list all of the QuickSight users belonging to this account List

user*

ListVPCConnections Grants permission to list all vpc connections List

aws:RequestTag/${TagKey}

aws:TagKeys

PassDataSet [permission only] Grants permission to use a dataset for a template Read

dataset*

aws:RequestTag/${TagKey}

aws:TagKeys

PassDataSource [permission only] Grants permission to use a data source for a data set Read

datasource*

aws:RequestTag/${TagKey}

aws:TagKeys

PutDataSetRefreshProperties Grants permission to put dataset refresh properties for a dataset Write

dataset*

RegisterCustomerManagedKey [permission only] Grants permission to register a customer managed key Write
RegisterUser Grants permission to create a QuickSight user, whose identity is associated with the IAM identity/role specified in the request Write

user*

quicksight:IamArn

quicksight:SessionName

RemoveCustomerManagedKey [permission only] Grants permission to remove a customer managed key Write
RestoreAnalysis Grants permission to restore a deleted analysis Write

analysis*

ScopeDownPolicy [permission only] Grants permission to manage scoping policies for permissions to Amazon resources Write
SearchAnalyses Grants permission to search for a sub-set of analyses List

analysis*

SearchDashboards Grants permission to search for a sub-set of QuickSight Dashboards List

dashboard*

SearchDataSets Grants permission to search for a sub-set of QuickSight DatSets List

dataset*

SearchDataSources Grants permission to search for a sub-set of QuickSight Data Sources List

datasource*

SearchDirectoryGroups [permission only] Grants permission to use Amazon QuickSight, in Enterprise edition, to display your Microsoft Active Directory directory groups so that you can choose which ones to map to roles in Amazon QuickSight List
SearchFolders Grants permission to search for a sub-set of QuickSight Folders Read

folder*

SearchGroups Grants permission to search for a sub-set of QuickSight groups List

group*

SearchTopics Grants permission to search for a sub-set of topics List

topic*

SearchUsers [permission only] Grants permission to search the QuickSight users belonging to this account List

user*

SetGroupMapping [permission only] Grants permission to use Amazon QuickSight, in Enterprise edition, to display your Microsoft Active Directory directory groups so that you can choose which ones to map to roles in Amazon QuickSight Write
StartAssetBundleExportJob Grants permission to start an asset bundle export job Write

assetBundleExportJob*

StartAssetBundleImportJob Grants permission to start an asset bundle import job Write

assetBundleImportJob*

StartDashboardSnapshotJob Grants permission to start a dashboard snapshot job Write

dashboardSnapshotJob*

StartDashboardSnapshotJobSchedule Grants permission to start a dashboard snapshot job schedule Write
Subscribe [permission only] Grants permission to subscribe to Amazon QuickSight, and also to allow the user to upgrade the subscription to Enterprise edition Write

quicksight:Edition

quicksight:DirectoryType

TagResource Grants permission to add tags to a QuickSight resource Tagging

analysis

brand

customization

custompermissions

dashboard

dataset

datasource

folder

ingestion

template

theme

topic

vpcconnection

aws:TagKeys

aws:RequestTag/${TagKey}

Unsubscribe [permission only] Grants permission to unsubscribe from Amazon QuickSight, which permanently deletes all users and their resources from Amazon QuickSight Write
UntagResource Grants permission to remove tags from a QuickSight resource Tagging

analysis

brand

customization

custompermissions

dashboard

dataset

datasource

folder

ingestion

template

theme

topic

vpcconnection

aws:TagKeys

UpdateAccountCustomization Grants permission to update an account customization for QuickSight account or namespace Write

customization*

UpdateAccountSettings Grants permission to update the administrative account settings for QuickSight account Write
UpdateAnalysis Grants permission to update an analysis Write

analysis*

UpdateAnalysisPermissions Grants permission to update permissions for an analysis Permissions management

analysis*

UpdateBrand Grants permission to update a brand Write

brand*

UpdateBrandAssignment Grants permission to update a brand assignment Write
UpdateBrandPublishedVersion Grants permission to update the published version of a brand Write

brand*

UpdateCustomPermissions Grants permission to update a QuickSight custom permissions resource Write

custompermissions*

UpdateDashboard Grants permission to update a QuickSight Dashboard Write

dashboard*

Grants permission to update a QuickSight Dashboard's links Write

dashboard*

UpdateDashboardPermissions Grants permission to update permissions for a QuickSight Dashboard Permissions management

dashboard*

UpdateDashboardPublishedVersion Grants permission to update a QuickSight Dashboard's Published Version Write

dashboard*

UpdateDashboardsQAConfiguration Grants permission to update dashboards qa configuration Write
UpdateDataSet Grants permission to update a dataset Write

dataset*

quicksight:PassDataSource

datasource

aws:RequestTag/${TagKey}

aws:TagKeys

UpdateDataSetPermissions Grants permission to update the resource policy of a dataset Permissions management

dataset*

aws:RequestTag/${TagKey}

aws:TagKeys

UpdateDataSource Grants permission to update a data source Write

datasource*

iam:PassRole

aws:RequestTag/${TagKey}

aws:TagKeys

UpdateDataSourcePermissions Grants permission to update the resource policy of a data source Permissions management

datasource*

aws:RequestTag/${TagKey}

aws:TagKeys

UpdateEmailCustomizationTemplate [permission only] Grants permission to update a QuickSight email customization template Write

emailCustomizationTemplate*

UpdateFolder Grants permission to update a QuickSight Folder Write

folder*

UpdateFolderPermissions Grants permission to update permissions for a QuickSight Folder Permissions management

folder*

UpdateGroup Grants permission to change group description Write

group*

UpdateIAMPolicyAssignment Grants permission to update an existing assignment Write

assignment*

UpdateIdentityPropagationConfig Grants permission to add and update Amazon services for trusted identity propagation in QuickSight Write
UpdateIpRestriction Grants permission to update the IP restrictions for QuickSight account Write
UpdateKeyRegistration Grants permission to update QuickSight key registration Write
UpdatePublicSharingSettings Grants permission to enable or disable public sharing on an account Write
UpdateQPersonalizationConfiguration Grants permission to update a personalization configuration Write
UpdateRefreshSchedule Grants permission to update a refresh schedule for a dataset Write

refreshschedule*

UpdateResourcePermissions [permission only] Grants permission to update resource-level permissions in QuickSight Write
UpdateRoleCustomPermission Grants permission to update the custom permission associated with a role Write
UpdateSPICECapacityConfiguration Grants permission to update QuickSight SPICE capacity configuration Write
UpdateTemplate Grants permission to update a template Write

template*

UpdateTemplateAlias Grants permission to update a template alias Write

template*

UpdateTemplatePermissions Grants permission to update permissions for a template Permissions management

template*

UpdateTheme Grants permission to update a theme Write

theme*

UpdateThemeAlias Grants permission to update the alias of a theme Write

theme*

UpdateThemePermissions Grants permission to update permissions for a theme Permissions management

theme*

UpdateTopic Grants permission to update a topic Write

topic*

quicksight:PassDataSet

dataset

aws:RequestTag/${TagKey}

aws:TagKeys

UpdateTopicPermissions Grants permission to update the resource policy of a topic Permissions management

topic*

aws:RequestTag/${TagKey}

aws:TagKeys

UpdateTopicRefreshSchedule Grants permission to update a refresh schedule for a topic Write

topic*

UpdateUser Grants permission to update an Amazon QuickSight user Write

user*

UpdateUserCustomPermission Grants permission to update the custom permission associated with a user Write

user*

UpdateVPCConnection Grants permission to update a vpc connection Write

vpcconnection*

iam:PassRole

aws:RequestTag/${TagKey}

aws:TagKeys

Resource types defined by Amazon QuickSight

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see Resource types table.

Resource types ARN Condition keys
account arn:${Partition}:quicksight:${Region}:${Account}:account/${ResourceId}
user arn:${Partition}:quicksight:${Region}:${Account}:user/${ResourceId}
group arn:${Partition}:quicksight:${Region}:${Account}:group/${ResourceId}
analysis arn:${Partition}:quicksight:${Region}:${Account}:analysis/${ResourceId}

aws:ResourceTag/${TagKey}

dashboard arn:${Partition}:quicksight:${Region}:${Account}:dashboard/${ResourceId}

aws:ResourceTag/${TagKey}

template arn:${Partition}:quicksight:${Region}:${Account}:template/${ResourceId}

aws:ResourceTag/${TagKey}

vpcconnection arn:${Partition}:quicksight:${Region}:${Account}:vpcConnection/${ResourceId}

aws:ResourceTag/${TagKey}

assetBundleExportJob arn:${Partition}:quicksight:${Region}:${Account}:asset-bundle-export-job/${ResourceId}
assetBundleImportJob arn:${Partition}:quicksight:${Region}:${Account}:asset-bundle-import-job/${ResourceId}
datasource arn:${Partition}:quicksight:${Region}:${Account}:datasource/${ResourceId}

aws:ResourceTag/${TagKey}

dataset arn:${Partition}:quicksight:${Region}:${Account}:dataset/${ResourceId}

aws:ResourceTag/${TagKey}

ingestion arn:${Partition}:quicksight:${Region}:${Account}:dataset/${DatasetId}/ingestion/${ResourceId}

aws:ResourceTag/${TagKey}

refreshschedule arn:${Partition}:quicksight:${Region}:${Account}:dataset/${DatasetId}/refresh-schedule/${ResourceId}
theme arn:${Partition}:quicksight:${Region}:${Account}:theme/${ResourceId}

aws:ResourceTag/${TagKey}

assignment arn:${Partition}:quicksight::${Account}:assignment/${ResourceId}
customization arn:${Partition}:quicksight:${Region}:${Account}:customization/${ResourceId}

aws:ResourceTag/${TagKey}

namespace arn:${Partition}:quicksight:${Region}:${Account}:namespace/${ResourceId}
folder arn:${Partition}:quicksight:${Region}:${Account}:folder/${ResourceId}

aws:ResourceTag/${TagKey}

emailCustomizationTemplate arn:${Partition}:quicksight:${Region}:${Account}:email-customization-template/${ResourceId}
topic arn:${Partition}:quicksight:${Region}:${Account}:topic/${ResourceId}

aws:ResourceTag/${TagKey}

dashboardSnapshotJob arn:${Partition}:quicksight:${Region}:${Account}:dashboard/${DashboardId}/snapshot-job/${ResourceId}

aws:ResourceTag/${TagKey}

brand arn:${Partition}:quicksight:${Region}:${Account}:brand/${ResourceId}

aws:ResourceTag/${TagKey}

custompermissions arn:${Partition}:quicksight:${Region}:${Account}:custompermissions/${ResourceId}

aws:ResourceTag/${TagKey}

Condition keys for Amazon QuickSight

Amazon QuickSight defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see Condition keys table.

To view the global condition keys that are available to all services, see Available global condition keys.

Condition keys Description Type
aws:RequestTag/${TagKey} Filters access by tag key-value pairs in the request String
aws:ResourceTag/${TagKey} Filters access by tag key-value pairs attached to the resource String
aws:TagKeys Filters access by tag keys ArrayOfString
identitystore:GroupId Filters access by IdentityStore group ARN ARN
quicksight:AllowedEmbeddingDomains Filters access by the allowed embedding domains ArrayOfString
quicksight:DirectoryType Filters access by the user management options String
quicksight:Edition Filters access by the edition of QuickSight String
quicksight:Group Filters access by QuickSight group ARN ARN
quicksight:IamArn Filters access by IAM user or role ARN ARN
quicksight:KmsKeyArns Filters access by KMS key ARNs ArrayOfARN
quicksight:SessionName Filters access by session name String
quicksight:UserName Filters access by user name String