Passing IAM roles to Quick Suite
| Applies to: Enterprise Edition |
When your IAM users sign up for Quick Suite, they can choose to use the Amazon Quick Suite-managed role (this is the default role). Or they can pass an existing IAM role to Amazon Quick Suite.
Use the sections below to pass existing IAM roles to Amazon Quick Suite
Prerequisites
For your users to pass IAM roles to Amazon Quick Suite, your administrator needs to complete the following tasks:
-
Create an IAM role. For more information about creating IAM roles, see Creating IAM roles in the IAM User Guide.
-
Attach a trust policy to your IAM role that allows Amazon Quick Suite to assume the role. Use the following example to create a trust policy for the role. The following example trust policy allows the Quick Suite principal to assume the IAM role that it's attached to.
For more information about creating IAM trust policies and attaching them to roles, see Modifying a Role (Console) in the IAM User Guide.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "quicksight.amazonaws.com" }, "Action": "sts:AssumeRole" } ] } -
Assign the following IAM permissions to your administrator (IAM users or roles):
-
quicksight:UpdateResourcePermissions– This grants IAM users who are Amazon Quick Suite administrators the permission to update resource-level permissions in Amazon Quick Suite. For more information about resource types defined by Amazon Quick Suite, see Actions, resources, and condition keys for Quick Suite in the IAM User Guide. -
iam:PassRole– This grants users permission to pass roles to Amazon Quick Suite. For more information, see Granting a user permissions to pass a role to an Amazon service in the IAM User Guide. -
iam:ListRoles– (Optional) This grants users permission to see a list of existing roles in Amazon Quick Suite. If this permission is not provided, they can use an ARN to use existing IAM roles.
Following is an example IAM permissions policy that allows managing resource-level permissions, listing IAM roles, and passing IAM roles in Quick Suite.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "iam:ListRoles", "Resource": "arn:aws-cn:iam::account-id:role:*" }, { "Effect": "Allow", "Action": "iam:PassRole", "Resource": "arn:aws-cn:iam::account-id:role/path/role-name", "Condition": { "StringEquals": { "iam:PassedToService": [ "quicksight.amazonaws.com" ] } } }, { "Effect": "Allow", "Action": "quicksight:UpdateResourcePermissions", "Resource": "*" } ] }For more examples of IAM policies that you can use with Amazon Quick Suite, see IAM policy examples for Amazon Quick Suite.
-
For more information about assigning permissions policies to users or user groups, see Changing permissions for an IAM user in the IAM User Guide.
Attaching additional policies
If you're using another Amazon service, such as Amazon Athena or Amazon S3, you can create a permissions policy that grants Amazon Quick Suite permission to perform specific actions. You can then attach the policy to the IAM roles that you later pass to Amazon Quick Suite. The following are examples of how you can set up and attach additional permissions policies to your IAM roles.
For an example managed policy for Amazon Quick Suite in Athena, see AWSQuicksightAthenaAccess Managed Policy in the
Amazon Athena User Guide. IAM users can access this role in
Amazon Quick Suite using the following ARN:
arn:aws-cn:iam::aws:policy/service-role/AWSQuicksightAthenaAccess.
The following is an example of a permissions policy for Amazon Quick Suite in Amazon S3. For more information about using IAM with Amazon S3, see Identity and access management in Amazon S3 in the Amazon S3 User Guide.
For information on how to create cross-account access from Amazon Quick Suite to an Amazon S3
bucket in another account, see How do I set
up cross-account access from Quick Suite to an Amazon S3 bucket in another
account?
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "s3:ListAllMyBuckets", "Resource": "arn:aws-cn:s3:::*" }, { "Action": [ "s3:ListBucket" ], "Effect": "Allow", "Resource": [ "arn:aws-cn:s3:::aws-athena-query-results-us-west-2-123456789" ] }, { "Action": [ "s3:GetObject", "s3:GetObjectVersion" ], "Effect": "Allow", "Resource": [ "arn:aws-cn:s3:::aws-athena-query-results-us-west-2-123456789/*" ] }, { "Action": [ "s3:ListBucketMultipartUploads", "s3:GetBucketLocation" ], "Effect": "Allow", "Resource": [ "arn:aws-cn:s3:::aws-athena-query-results-us-west-2-123456789" ] }, { "Effect": "Allow", "Action": [ "s3:PutObject", "s3:AbortMultipartUpload", "s3:ListMultipartUploadParts" ], "Resource": [ "arn:aws-cn:s3:::aws-athena-query-results-us-west-2-123456789/*" ] } ] }
Using existing IAM roles in Quick Suite
If you're a Amazon Quick Suite administrator and have permissions to update Amazon Quick Suite resources and pass IAM roles, you can use existing IAM roles in Amazon Quick Suite. To learn more about the prerequisites for passing IAM roles in Amazon Quick Suite, see the Prerequisites outlined in the previous list.
Use the following procedure to learn how to pass IAM roles in Amazon Quick Suite.
To use an existing IAM role in Amazon Quick Suite
-
In Amazon Quick Suite, choose your account name in the navigation bar at top right and choose Manage QuickSight.
-
On the Manage Amazon Quick Suite page that opens, choose Security & Permissions in the menu at left.
-
In the Security & Permissions page that opens, under Amazon Quick Suite access to Amazon services, choose Manage.
-
For IAM role, choose Use an existing role, and then do one of the following:
-
Choose the role that you want to use from the list.
-
Or, if you don't see a list of existing IAM roles, you can enter the IAM ARN for the role in the following format:
arn:aws-cn:iam::.account-id:role/path/role-name
-
-
Choose Save.