Actions, resources, and condition keys for Amazon QuickSight - AWS Identity and Access Management

Tip

This page is moving to a new location on November 16, 2020. Please update your bookmark to use the new page at https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonquicksight.html.

Amazon QuickSight (service prefix: quicksight) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

Actions defined by Amazon QuickSight

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The Resource types column indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. Required resources are indicated in the table with an asterisk (*). If you specify a resource-level permission ARN in a statement using this action, then it must be of this type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table.

| Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions |
| --- | --- | --- | --- | --- | --- |
| CreateAccountCustomization | Grants permission to create an account customization for a QuickSight account or namespace | Write | | aws:RequestTag/${TagKey}, aws:TagKeys | |
| CreateAdmin [permission only] | CreateAdmin enables the user to provision Amazon QuickSight administrators, authors, and readers. | Write | user* | | |
| CreateCustomPermissions [permission only] | Grants permission to create a custom permissions resource for restricting user access | Write | | | |
| CreateDashboard | Creates a dashboard from a template | Write | dashboard* | aws:RequestTag/${TagKey}, aws:TagKeys | |
| CreateGroup | Create a QuickSight group. | Write | group* | | |
| CreateGroupMembership | Add a QuickSight user to a QuickSight group. | Write | group* | quicksight:UserName | |
| CreateIAMPolicyAssignment | Creates an assignment with one specified IAM Policy ARN that will be assigned to specified groups or users of QuickSight. | Write | assignment* | | |
| CreateNamespace | Grants permission to create a QuickSight namespace | Write | namespace* | | |
| CreateReader [permission only] | CreateReader enables the user to provision Amazon QuickSight readers. | Write | user* | | |
| CreateTemplate | Creates a template from an existing QuickSight analysis or template | Write | template* | aws:RequestTag/${TagKey}, aws:TagKeys | |
| CreateTemplateAlias | Creates a template alias for a template | Write | template* | | |
| CreateTheme | Creates a QuickSight theme | Write | theme* | aws:RequestTag/${TagKey}, aws:TagKeys | |
| CreateThemeAlias | Creates a theme alias for a theme | Write | theme* | | |
| CreateUser [permission only] | CreateUser enables the user to provision Amazon QuickSight authors and readers. | Write | user* | | |
| DeleteAccountCustomization | Grants permission to delete an account customization for a QuickSight account or namespace | Write | customization* | | |
| DeleteDashboard | Deletes a dashboard | Write | dashboard* | | |
| DeleteGroup | Remove a user group from QuickSight. | Write | group* | | |
| DeleteGroupMembership | Remove a user from a group so that he/she is no longer a member of the group. | Write | group* | quicksight:UserName | |
| DeleteIAMPolicyAssignment | Update an existing assignment. | Write | assignment* | | |
| DeleteNamespace | Grants permission to delete a QuickSight namespace | Write | namespace* | | |
| DeleteTemplate | Deletes a template | Write | template* | | |
| DeleteTemplateAlias | Deletes the item that the specified template alias points to | Write | template* | | |
| DeleteTheme | Deletes a theme | Write | theme* | | |
| DeleteThemeAlias | Deletes the item that the specified theme alias points to | Write | theme* | | |
| DeleteUser | Delete the QuickSight user that is associated with the identity of the IAM user/role making the call. The IAM user is not deleted as a result of this call. | Write | user* | | |
| DeleteUserByPrincipalId | Deletes a user identified by its principal ID. | Write | user* | | |
| DescribeAccountCustomization | Grants permission to describe an account customization for a QuickSight account or namespace | Read | customization* | | |
| DescribeAccountSettings | Grants permission to describe the administrative account settings for a QuickSight account | Read | | | |
| DescribeCustomPermissions [permission only] | Grants permission to describe a custom permissions resource in a QuickSight account | Write | | | |
| DescribeDashboard | Provides a summary for a dashboard | Read | dashboard* | | |
| DescribeDashboardPermissions | Describes read and write permissions for a dashboard | Read | dashboard* | | |
| DescribeGroup | Return a QuickSight group’s description and ARN. | Read | group* | | |
| DescribeIAMPolicyAssignment | Describe an existing assignment. | Read | assignment* | | |
| DescribeNamespace | Grants permission to describe a QuickSight namespace | Read | namespace* | | |
| DescribeTemplate | Describes a template's metadata | Read | template* | | |
| DescribeTemplateAlias | Describes the template alias for a template | Read | template* | | |
| DescribeTemplatePermissions | Describes read and write permissions on a template | Read | template* | | |
| DescribeTheme | Describes a theme's metadata | Read | theme* | | |
| DescribeThemeAlias | Describes the theme alias for a theme | Read | theme* | | |
| DescribeThemePermissions | Describes read and write permissions on a theme | Read | theme* | | |
| DescribeUser | Return information about a user, given the user name. | Read | user* | | |
| GetAuthCode [permission only] | Return an auth code representing a QuickSight user. | Read | user* | | |
| GetDashboardEmbedUrl | Return a QuickSight dashboard embedding URL. | Read | dashboard* | | |
| GetGroupMapping [permission only] | GetGroupMapping is used only in Amazon QuickSight Enterprise edition accounts. It enables the user to use Amazon QuickSight to identify and display the Microsoft Active Directory directory groups that are mapped to roles in Amazon QuickSight. | Read | | | |
| GetSessionEmbedUrl | Grants permission to get a URL to embed the QuickSight console experience. | Read | | | |
| ListCustomPermissions [permission only] | Grants permission to list custom permissions resources in a QuickSight account | Write | | | |
| ListDashboardVersions | Lists all the versions of the dashboards in the QuickSight subscription | List | dashboard* | | |
| ListDashboards | Lists dashboards in an AWS account | List | dashboard* | | |
| ListGroupMemberships | Return a list of member users in a group. | List | group* | | |
| ListGroups | Get a list of all user groups in QuickSight. | List | group* | | |
| ListIAMPolicyAssignments | List all assignments in the current Amazon QuickSight account. | List | assignment* | | |
| ListIAMPolicyAssignmentsForUser | List all assignments assigned to a user and the groups it belongs to | List | assignment* | | |
| ListNamespaces | Grants permission to list all namespaces in a QuickSight account | Write | | | |
| ListTagsForResource | List tags of a QuickSight resource. | List | customization, dashboard, template, theme | | |
| ListTemplateAliases | Lists all the aliases of a template | List | template* | | |
| ListTemplateVersions | Lists all the versions of the templates in the current Amazon QuickSight account | List | template* | | |
| ListTemplates | Lists all the templates in the current Amazon QuickSight account | List | template* | | |
| ListThemeAliases | Lists all the aliases of a theme | List | theme* | | |
| ListThemeVersions | Lists all the versions of a theme | List | theme* | | |
| ListThemes | Lists all the themes in the current Amazon QuickSight account | List | theme* | | |
| ListUserGroups | Return a list of groups that a given user is a member of. | List | user* | | |
| ListUsers | Return a list of all of the QuickSight users belonging to this account. | List | user* | | |
| RegisterUser | Create a QuickSight user, whose identity is associated with the IAM identity/role specified in the request. | Write | user* | quicksight:IamArn, quicksight:SessionName | |
| SearchDirectoryGroups [permission only] | SearchDirectoryGroups is used only in Amazon QuickSight Enterprise edition accounts. It enables the user to use Amazon QuickSight to display your Microsoft Active Directory directory groups so that you can choose which ones to map to roles in Amazon QuickSight. | Write | | | |
| SetGroupMapping [permission only] | SearchDirectoryGroups is used only in Amazon QuickSight Enterprise edition accounts. It enables the user to use Amazon QuickSight to display your Microsoft Active Directory directory groups so that you can choose which ones to map to roles in Amazon QuickSight. | Write | | | |
| Subscribe [permission only] | Subscribe enables the user to subscribe to Amazon QuickSight. Enabling this action also allows the user to upgrade the subscription to Enterprise edition. | Write | | | |
| TagResource | Add tags to a QuickSight resource | Tagging | customization, dashboard, template, theme | aws:TagKeys, aws:RequestTag/${TagKey} | |
| Unsubscribe [permission only] | Unsubscribe enables the user to unsubscribe from Amazon QuickSight, which permanently deletes all users and their resources from Amazon QuickSight. | Write | | | |
| UntagResource | Remove tags from a QuickSight resource. | Tagging | customization, dashboard, template, theme | aws:TagKeys | |
| UpdateAccountCustomization | Grants permission to update an account customization for a QuickSight account or namespace | Write | customization* | | |
| UpdateAccountSettings | Grants permission to update the administrative account settings for a QuickSight account | Write | | | |
| UpdateCustomPermissions [permission only] | Grants permission to update a custom permissions resource | Write | | | |
| UpdateDashboard | Updates a dashboard in an AWS account | Write | dashboard* | | |
| UpdateDashboardPermissions | Updates read and write permissions on a dashboard | Write | dashboard* | | |
| UpdateDashboardPublishedVersion | Updates the published version of a dashboard | Write | dashboard* | | |
| UpdateGroup | Change group description. | Write | group* | | |
| UpdateIAMPolicyAssignment | Update an existing assignment. | Write | assignment* | | |
| UpdateTemplate | Updates a template from an existing Amazon QuickSight analysis or another template | Write | template* | | |
| UpdateTemplateAlias | Updates the template alias of a template | Write | template* | | |
| UpdateTemplatePermissions | Updates the resource permissions for a template | Write | template* | | |
| UpdateTheme | Updates a theme | Write | theme* | | |
| UpdateThemeAlias | Updates the theme alias of a theme | Write | theme* | | |
| UpdateThemePermissions | Updates the resource permissions for a theme | Write | theme* | | |
| UpdateUser | Updates an Amazon QuickSight user. | Write | user* | | |

Resource types defined by Amazon QuickSight

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the table. For details about the columns in the following table, see The resource types table.

| Resource types | ARN | Condition keys |
| --- | --- | --- |
| user | arn:${Partition}:quicksight:${Region}:${Account}:user/${ResourceId} | |
| group | arn:${Partition}:quicksight:${Region}:${Account}:group/${ResourceId} | |
| dashboard | arn:${Partition}:quicksight:${Region}:${Account}:dashboard/${ResourceId} | aws:ResourceTag/${TagKey} |
| template | arn:${Partition}:quicksight:${Region}:${Account}:template/${ResourceId} | aws:ResourceTag/${TagKey} |
| theme | arn:${Partition}:quicksight:${Region}:${Account}:theme/${ResourceId} | aws:ResourceTag/${TagKey} |
| assignment | arn:${Partition}:quicksight::${Account}:assignment/${ResourceId} | |
| customization | arn:${Partition}:quicksight::${Account}:customization/${ResourceId} | aws:ResourceTag/${TagKey} |
| namespace | arn:${Partition}:quicksight::${Account}:namespace/${ResourceId} | |
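
The resource rules stated for the actions table (actions with no resource type need "*", and a specified ARN must be of an accepted type) can be checked mechanically before a policy is deployed. The following is an added example, not AWS code: `lint_statement`, the action subset and the sample statement are constructed for illustration, and action names are matched exactly as written in the table.

```python
import re

# Subset of the actions table on this page: action -> accepted resource types.
# An empty set means the table lists no resource type, so only "*" is valid.
ACTION_RESOURCES = {
    "DescribeAccountSettings": set(),
    "Unsubscribe": set(),
    "CreateGroupMembership": {"group"},
    "RegisterUser": {"user"},
    "GetDashboardEmbedUrl": {"dashboard"},
    "CreateIAMPolicyAssignment": {"assignment"},
    "TagResource": {"customization", "dashboard", "template", "theme"},
}
# In the resource types table these ARNs have an empty Region field.
REGIONLESS = {"assignment", "customization", "namespace"}
ARN_RE = re.compile(r"^arn:[^:]+:quicksight:([^:]*):[^:]*:([a-z]+)/.+$")


def as_list(value):
    return value if isinstance(value, list) else [value]


def lint_statement(stmt):
    """Return findings for one policy statement (hypothetical helper)."""
    findings = []
    for action in as_list(stmt["Action"]):
        service, _, name = action.partition(":")
        if service != "quicksight" or name not in ACTION_RESOURCES:
            findings.append(f"{action}: not in the checked subset")
            continue
        allowed = ACTION_RESOURCES[name]
        for res in as_list(stmt["Resource"]):
            if res == "*":
                continue  # always syntactically valid; scoping is a separate review
            m = ARN_RE.match(res)
            if not allowed:
                findings.append(f'{action}: no resource type, needs "*"')
            elif not m:
                findings.append(f"{action}: not a QuickSight ARN: {res}")
            elif m.group(2) not in allowed:
                findings.append(f"{action}: {m.group(2)} ARN not accepted")
            elif m.group(2) in REGIONLESS and m.group(1):
                findings.append(f"{action}: {m.group(2)} ARN has a Region")
    return findings


# Constructed sample statement (account ID and user name are placeholders).
SAMPLE = {"Effect": "Allow",
          "Action": ["quicksight:RegisterUser", "quicksight:Unsubscribe"],
          "Resource": "arn:aws:quicksight:us-east-1:111122223333:user/default/alice"}
```

Running `lint_statement(SAMPLE)` flags only `quicksight:Unsubscribe`, because that action has no resource type in the table and so cannot be combined with a user ARN in the same statement.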

Condition keys for Amazon QuickSight

Amazon QuickSight defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see The condition keys table.

To view the global condition keys that are available to all services, see Available global condition keys.

| Condition keys | Description | Type |
| --- | --- | --- |
| aws:RequestTag/${TagKey} | Filters actions based on the presence of tag key-value pairs in the request | String |
| aws:ResourceTag/${TagKey} | Filters actions based on tag key-value pairs attached to the resource | String |
| aws:TagKeys | Filters actions based on the presence of tag keys in the request | String |
| quicksight:IamArn | IAM user ARN or role ARN. | String |
| quicksight:SessionName | The session name. | String |
| quicksight:UserName | The user name. | String |