Linking an existing QuickSight account

If you have an existing QuickSight account that uses AWS IAM Identity Center for authentication, you can authorize Amazon Q Business to communicate with Amazon QuickSight in the console or with the Amazon Q Business API. Then end users can start getting insights from new and existing Amazon QuickSight topics and dashboards.

Using the console

If you have an existing QuickSight account that uses AWS IAM Identity Center for authentication, you can start getting insights after you authorize Amazon Q Business to communicate with Amazon QuickSight. To authorize Amazon Q Business, you use the Amazon Q Business console to assign IAM Identity Center groups the Admin Pro role. Then you specify a service role that grants Amazon Q Business access.

To link an existing QuickSight account

1. Log in to the Amazon Q Business console.

2. Choose your application.

3. In the navigation pane, choose Amazon QuickSight.

4. Choose Authorize QuickSight answers.

5. In Assign QuickSight Admin Pro role, choose the IAM Identity Center groups to assign the Admin Pro role. The QuickSight Admin Pro role includes additional costs. For more information, see Amazon QuickSight pricing.

6. In Service access, create a new service role or use an existing one. This role authorizes Amazon Q Business to communicate with Amazon QuickSight. For more information, see Service access role.

7. Choose Authorize. After you authorize the connection, end users start getting insights from existing QuickSight resources.

8. To get insights from additional structured data resources, choose Go to QuickSight to go to your QuickSight account. There you can create additional datasets, topics, and dashboards.

Using the console

If you have an existing QuickSight account that uses AWS IAM Identity Center for authentication, you can start getting insights after you authorize Amazon Q Business to communicate with Amazon QuickSight. To authorize Amazon Q Business, you use the Amazon Q Business console to assign IAM Identity Center groups the Admin Pro role. Then you specify a service role that grants Amazon Q Business access.

To link an existing QuickSight account

1. Log in to the Amazon Q Business console.

2. Choose your application.

3. In the navigation pane, choose Amazon QuickSight.

4. Choose Authorize QuickSight answers.

5. In Assign QuickSight Admin Pro role, choose the IAM Identity Center groups to assign the Admin Pro role. The QuickSight Admin Pro role includes additional costs. For more information, see Amazon QuickSight pricing.

6. In Service access, create a new service role or use an existing one. This role authorizes Amazon Q Business to communicate with Amazon QuickSight. For more information, see Service access role.

7. Choose Authorize. After you authorize the connection, end users start getting insights from existing QuickSight resources.

8. To get insights from additional structured data resources, choose Go to QuickSight to go to your QuickSight account. There you can create additional datasets, topics, and dashboards.

Using the API

To authorize Amazon Q Business with the API, you first use IAM Identity Center to assign groups the Admin Pro role. Also, if your QuickSight account was created before November 25, 2024 and uses IdC authentication, use the UpdateApplicationWithTokenExchangeGrant API to update your subscription to allow integration with Amazon Q Business Then you use the CreatePlugin API operation to create a QuickSight plugin for an Amazon Q Business application.

The following code shows how to create a QuickSight plugin. For idcApplicationArn, specify the Amazon Resource Name (ARN) of your application in IAM Identity Center. For roleArn, specify an AWS Identity and Access Management (IAM) role that authorizes Amazon Q Business to communicate with Amazon QuickSight. For more information about this role, see Service access role.

aws qbusiness create-plugin \
--application-id application-id \
--display-name display-name \
--type QUICKSIGHT \
--auth-configuration idcAuthConfiguration="{idcApplicationArn=arn:aws:sso::<account-id>:application/<application-id>,roleArn=arn:aws:iam::<account-id>:role/AmazonQServiceRole}"

Using the API

To authorize Amazon Q Business with the API, you first use IAM Identity Center to assign groups the Admin Pro role. Also, if your QuickSight account was created before November 25, 2024 and uses IdC authentication, use the UpdateApplicationWithTokenExchangeGrant API to update your subscription to allow integration with Amazon Q Business Then you use the CreatePlugin API operation to create a QuickSight plugin for an Amazon Q Business application.

The following code shows how to create a QuickSight plugin. For idcApplicationArn, specify the Amazon Resource Name (ARN) of your application in IAM Identity Center. For roleArn, specify an AWS Identity and Access Management (IAM) role that authorizes Amazon Q Business to communicate with Amazon QuickSight. For more information about this role, see Service access role.

aws qbusiness create-plugin \
--application-id application-id \
--display-name display-name \
--type QUICKSIGHT \
--auth-configuration idcAuthConfiguration="{idcApplicationArn=arn:aws:sso::<account-id>:application/<application-id>,roleArn=arn:aws:iam::<account-id>:role/AmazonQServiceRole}"