Granting anyone on the internet access to an Amazon Quick Sight dashboard using the Quick Sight API - Amazon Quick Suite
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Granting anyone on the internet access to an Amazon Quick Sight dashboard using the Quick Sight API

Alternatively, you can grant anyone on the internet access to the dashboard with the Amazon Quick Sight API using the UpdateDashboardPermissions operation.

Before you begin, make sure to grant everyone in your account access to the dashboard. For more information, see Granting everyone in your Amazon Quick Suite account access to a dashboard with the Quick Sight API.

The following example API request illustrates how to grant anyone on the internet access to a dashboard using an Amazon CLI command. It grants link permissions on the dashboard in your account, and allows the following operations: DescribeDashboard, QueryDashboard and ListDashboardVersions.

aws quicksight update-dashboard-permissions 
--aws-account-id account-id 
--region aws-directory-region
--dashboard-id dashboard-id
--grant-link-permissions 
Principal="arn:aws-cn:quicksight:::publicAnonymousUser/*",
Actions="quicksight:DescribeDashboard, quicksight:QueryDashboard, 
quicksight:ListDashboardVersions"

The response for the preceding request looks similar to the following.

{
    "Status": 200,
    "DashboardArn": "arn:aws-cn:quicksight:AWSDIRECTORYREGION:ACCOUNTID:dashboard/
    DASHBOARDID",
    "DashboardId": "DASHBOARDID",
    "LinkSharingConfiguration": {
        "Permissions": [
            {
                "Actions": [
                    "quicksight:DescribeDashboard",
                    "quicksight:ListDashboardVersions",
                    "quicksight:QueryDashboard"
                ],
                "Principal": "arn:aws-cn:quicksight:AWSDIRECTORYREGION:ACCOUNTID:namespace/default"
            },
                "Principal": "arn:aws-cn:quicksight:::publicAnonymousUser/*",
                "Actions": [
                    "quicksight:DescribeDashboard",
                    "quicksight:ListDashboardVersions",
                    "quicksight:QueryDashboard"
                ]
            }
        ]
    },
    "Permissions": [
        // other dashboard permissions here
    ],
    "RequestId": "REQUESTID"
}

You can also prevent anyone on the internet from accessing the dashboard using the same API operation. The following example request illustrates how by using a CLI command.

aws quicksight update-dashboard-permissions \
--aws-account-id account-id \
--region aws-directory-region \
--dashboard-id dashboard-id \
--revoke-link-permissions 
Principal="arn:aws-cn:quicksight:::publicAnonymousUser/*",
Actions="quicksight:DescribeDashboard, quicksight:QueryDashboard, 
quicksight:ListDashboardVersions"

For more information, see UpdateDashboardPermissions in the Amazon Quick Suite API Reference.

When anyone on the internet is granted access to the dashboard, the following snippet is added to Amazon CloudTrail log as part of the eventName UpdateDashboardAccess, and the eventCategory Management.

"linkPermissionPolicies": 
	[
		{
			"principal": "arn:aws-cn:quicksight:::publicAnonymousUser/*",
			"actions": 
			[
				"quicksight:DescribeDashboard",
				"quicksight:ListDashboardVersions",
				"quicksight:QueryDashboard"
			]
		}
	]