Amazon QuickSight
User Guide

Setting Your IAM Policy

You can use AWS root credentials or IAM user credentials to create an Amazon QuickSight account. AWS root credentials already have all of the required permissions for managing Amazon QuickSight access to AWS resources.

We recommend that you protect your root credentials, and instead use IAM user credentials. To do this, create a policy and attach it to the IAM user and roles that you plan to use for Amazon QuickSight. The policy must include the appropriate statements for the Amazon QuickSight administrative tasks you need to perform, as described in the following table.

Task: Sign up for Amazon QuickSight and set Amazon QuickSight permissions to AWS resources.

For more information, see Managing Amazon QuickSight Permissions to AWS Resources.

Permissions for Standard Edition:

  • ds:AuthorizeApplication
  • ds:CheckAlias
  • ds:CreateAlias
  • ds:CreateIdentityPoolDirectory
  • ds:DeleteDirectory
  • ds:DescribeDirectories
  • ds:DescribeTrusts
  • ds:UnauthorizeApplication
  • iam:AttachRolePolicy
  • iam:CreatePolicy
  • iam:CreatePolicyVersion
  • iam:CreateRole
  • iam:DeletePolicyVersion
  • iam:DeleteRole
  • iam:DetachRolePolicy
  • iam:GetPolicy
  • iam:GetPolicyVersion
  • iam:GetRole
  • iam:ListAccountAliases
  • iam:ListAttachedRolePolicies
  • iam:ListEntitiesForPolicy
  • iam:ListPolicyVersions
  • iam:ListRoles
  • quicksight:Subscribe
  • s3:ListAllMyBuckets

Permissions for Enterprise Edition:

  • ds:AuthorizeApplication
  • ds:CheckAlias
  • ds:CreateAlias
  • ds:DescribeDirectories
  • ds:DescribeTrusts
  • ds:UnauthorizeApplication
  • iam:AttachRolePolicy
  • iam:CreatePolicy
  • iam:CreatePolicyVersion
  • iam:CreateRole
  • iam:DeletePolicyVersion
  • iam:DeleteRole
  • iam:DetachRolePolicy
  • iam:GetPolicy
  • iam:GetPolicyVersion
  • iam:GetRole
  • iam:ListAccountAliases
  • iam:ListAttachedRolePolicies
  • iam:ListEntitiesForPolicy
  • iam:ListPolicyVersions
  • iam:ListRoles
  • quicksight:GetGroupMapping
  • quicksight:SetGroupMapping
  • quicksight:Subscribe
  • s3:ListAllMyBuckets

Task: Creating administrators and users inside of Amazon QuickSight.

For more information, see AWS Identity and Access Management (IAM) Users, Roles, and Policies.

Permissions for Standard Edition:

  • quicksight:CreateUser
  • quicksight:CreateAdmin

Permissions for Enterprise Edition:

  • quicksight:CreateUser
  • quicksight:CreateAdmin

Task: Associating active directory groups with Amazon QuickSight during sign up, and managing group association going forward. This task is only required for Enterprise edition accounts.

For more information, see Managing User Accounts in Amazon QuickSight Enterprise Edition.

Permissions for Standard Edition:

  • N/A

Permissions for Enterprise Edition:

  • ds:DescribeTrusts
  • quicksight:GetGroupMapping
  • quicksight:SearchDirectoryGroups
  • quicksight:SetGroupMapping

Task: Set Amazon QuickSight permissions to AWS resources.

For more information, see Managing Amazon QuickSight Permissions to AWS Resources.

Permissions for Standard Edition:

  • iam:AttachRolePolicy
  • iam:CreatePolicy
  • iam:CreatePolicyVersion
  • iam:CreateRole
  • iam:DeletePolicyVersion
  • iam:DeleteRole
  • iam:DetachRolePolicy
  • iam:GetPolicy
  • iam:GetPolicyVersion
  • iam:GetRole
  • iam:ListAttachedRolePolicies
  • iam:ListEntitiesForPolicy
  • iam:ListPolicyVersions
  • iam:ListRoles
  • s3:ListAllMyBuckets

Permissions for Enterprise Edition:

  • iam:AttachRolePolicy
  • iam:CreatePolicy
  • iam:CreatePolicyVersion
  • iam:CreateRole
  • iam:DeletePolicyVersion
  • iam:DeleteRole
  • iam:DetachRolePolicy
  • iam:GetPolicy
  • iam:GetPolicyVersion
  • iam:GetRole
  • iam:ListAttachedRolePolicies
  • iam:ListEntitiesForPolicy
  • iam:ListPolicyVersions
  • iam:ListRoles
  • s3:ListAllMyBuckets

Task: Unsubscribe from Amazon QuickSight.

For more information, see Closing Your Amazon QuickSight Account.

Permissions for Standard Edition:

  • ds:DeleteDirectory
  • ds:UnauthorizeApplication
  • quicksight:Unsubscribe

Permissions for Enterprise Edition:

  • ds:UnauthorizeApplication
  • quicksight:Unsubscribe

The following example shows an IAM policy that enables active directory group management for an Amazon QuickSight Enterprise edition account.

{
    "Statement": [
        {
            "Action": [
                "ds:DescribeTrusts",
                "quicksight:GetGroupMapping",
                "quicksight:SearchDirectoryGroups",
                "quicksight:SetGroupMapping"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:quicksight::<YOUR_AWS_ACCOUNT_ID>:user/${aws:userid}"
            ]
        }
    ],
    "Version": "2012-10-17"
}

The following example shows a policy that enables creating Amazon QuickSight users.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "quicksight:CreateUser"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:quicksight::<YOUR_AWS_ACCOUNT_ID>:user/${aws:userid}"
        }
    ]
}

For information about Amazon QuickSight actions like quicksight:GetGroupMapping, see IAM Actions and Permissions for Amazon QuickSight users.
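The following added example (not part of the original guide or of any AWS tool) checks a policy document against three rows of the permissions listed above and reports which required actions no Allow statement names. The task keys and function names are assumptions made for this sketch; it compares action names only and does not evaluate Deny, NotAction, Resource, or Condition elements.

```python
import json
from fnmatch import fnmatchcase

# Required actions per task and edition, copied from three rows of this page.
REQUIRED = {
    "create_users": {
        "standard": ["quicksight:CreateUser", "quicksight:CreateAdmin"],
        "enterprise": ["quicksight:CreateUser", "quicksight:CreateAdmin"],
    },
    "group_management": {
        "standard": [],  # N/A for Standard edition
        "enterprise": ["ds:DescribeTrusts", "quicksight:GetGroupMapping",
                       "quicksight:SearchDirectoryGroups", "quicksight:SetGroupMapping"],
    },
    "unsubscribe": {
        "standard": ["ds:DeleteDirectory", "ds:UnauthorizeApplication",
                     "quicksight:Unsubscribe"],
        "enterprise": ["ds:UnauthorizeApplication", "quicksight:Unsubscribe"],
    },
}

# The "creating Amazon QuickSight users" policy from this page (account ID is a placeholder).
CREATE_USER_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [{"Action": ["quicksight:CreateUser"],
 "Effect": "Allow",
 "Resource": "arn:aws:quicksight::<YOUR_AWS_ACCOUNT_ID>:user/${aws:userid}"}]}
""")

def _as_list(value):
    # IAM accepts either a single value or a list for Statement and Action.
    return value if isinstance(value, list) else [value]

def allowed_patterns(policy):
    """Lower-cased Action patterns from every Allow statement in the policy."""
    patterns = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") == "Allow":
            patterns += [a.lower() for a in _as_list(stmt.get("Action", []))]
    return patterns

def missing_actions(policy, task, edition):
    """Required actions that no Allow pattern matches (action names are case-insensitive)."""
    patterns = allowed_patterns(policy)
    return sorted(a for a in REQUIRED[task][edition]
                  if not any(fnmatchcase(a.lower(), p) for p in patterns))

def wildcard_patterns(policy):
    """Allow patterns containing * or ?, worth reviewing against least privilege."""
    return [p for p in allowed_patterns(policy) if "*" in p or "?" in p]

if __name__ == "__main__":
    print(missing_actions(CREATE_USER_POLICY, "create_users", "standard"))
```

Run against the user-creation policy shown above, the check reports quicksight:CreateAdmin as missing, which is expected: that policy covers creating users but not administrators.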

Note

Avoid modifying a policy that was created by Amazon QuickSight. When you modify it yourself, Amazon QuickSight won't be able to edit it. This can cause issues with the policy. To fix the issue, delete the previously modified policy.