Menu
Amazon QuickSight
User Guide

Sign Up for Amazon QuickSight With an Existing AWS Account

If you have an existing AWS account and want to integrate your AWS resources (such as data sources or active directories) with Amazon QuickSight, or if you want to use IAM user credentials to create your Amazon QuickSight account, use this topic to prepare your AWS resources and then create an Amazon QuickSight account.

If you are creating an account as an IAM user, you must have a password associated with your IAM credentials.

Note

At this time, Amazon QuickSight does not support the following.

  • Role based logins

  • Federated IAM user logins

Set Your IAM Policy

You can use AWS root credentials or IAM user credentials to create an Amazon QuickSight account. AWS root credentials already have all of the required permissions for managing Amazon QuickSight access to AWS resources. If you choose to use IAM user credentials, that IAM user needs to have a permissions policy attached that includes appropriate statements for the Amazon QuickSight administrative tasks you need to perform, as described in the following table.

Task Permissions for Standard edition Permissions for Enterprise edition For more information

Sign up for Amazon QuickSight without setting Amazon QuickSight permissions to AWS resources

  • ds:AuthorizeApplication

  • ds:CheckAlias 

  • ds:CreateAlias

  • ds:CreateIdentityPoolDirectory

  • ds:DeleteDirectory

  • ds:DescribeDirectories

  • ds:DescribeTrusts

  • ds:UnauthorizeApplication

  • iam:ListAccountAliases

  • quicksight:Subscribe

  • ds:AuthorizeApplication

  • ds:CheckAlias 

  • ds:CreateAlias

  • ds:DescribeDirectories

  • ds:DescribeTrusts

  • ds:UnauthorizeApplication

  • iam:ListAccountAliases

  • quicksight:GetGroupMapping

  • quicksight:SetGroupMapping

  • quicksight:Subscribe

Sign up for Amazon QuickSight and set Amazon QuickSight permissions to AWS resources

  • ds:AuthorizeApplication

  • ds:CheckAlias 

  • ds:CreateAlias

  • ds:CreateIdentityPoolDirectory

  • ds:DeleteDirectory

  • ds:DescribeDirectories

  • ds:DescribeTrusts

  • ds:UnauthorizeApplication

  • iam:AttachRolePolicy

  • iam:CreatePolicy

  • iam:CreatePolicyVersion

  • iam:CreateRole

  • iam:DeletePolicyVersion

  • iam:DeleteRole

  • iam:DetachRolePolicy

  • iam:GetPolicy

  • iam:GetPolicyVersion

  • iam:GetRole

  • iam:ListAccountAliases

  • iam:ListAttachedRolePolicies

  • iam:ListEntitiesForPolicy

  • iam:ListPolicyVersions

  • iam:ListRoles

  • quicksight:Subscribe

  • s3:ListAllMyBuckets

  • ds:AuthorizeApplication

  • ds:CheckAlias 

  • ds:CreateAlias

  • ds:DescribeDirectories

  • ds:DescribeTrusts

  • ds:UnauthorizeApplication

  • iam:AttachRolePolicy

  • iam:CreatePolicy

  • iam:CreatePolicyVersion

  • iam:CreateRole

  • iam:DeletePolicyVersion

  • iam:DeleteRole

  • iam:DetachRolePolicy

  • iam:GetPolicy

  • iam:GetPolicyVersion

  • iam:GetRole

  • iam:ListAccountAliases

  • iam:ListAttachedRolePolicies

  • iam:ListEntitiesForPolicy

  • iam:ListPolicyVersions

  • iam:ListRoles

  • quicksight:GetGroupMapping

  • quicksight:SetGroupMapping

  • quicksight:Subscribe

  • s3:ListAllMyBuckets

Managing Amazon QuickSight Permissions to AWS Resources

Associating active directory groups with Amazon QuickSight during sign up, and managing group association going forward. This is only needed for Enterprise edition accounts.
  • ds:DescribeTrusts

  • quicksight:GetGroupMapping

  • quicksight:SearchDirectoryGroups

  • quicksight:SetGroupMapping

Managing User Accounts in Amazon QuickSight Enterprise Edition

Set Amazon QuickSight permissions to AWS resources
  • iam:AttachRolePolicy

  • iam:CreatePolicy

  • iam:CreatePolicyVersion

  • iam:CreateRole

  • iam:DeletePolicyVersion

  • iam:DeleteRole

  • iam:DetachRolePolicy

  • iam:GetPolicy

  • iam:GetPolicyVersion

  • iam:GetRole

  • iam:ListAttachedRolePolicies

  • iam:ListEntitiesForPolicy

  • iam:ListPolicyVersions

  • iam:ListRoles

  • s3:ListAllMyBuckets

  • iam:AttachRolePolicy

  • iam:CreatePolicy

  • iam:CreatePolicyVersion

  • iam:CreateRole

  • iam:DeletePolicyVersion

  • iam:DeleteRole

  • iam:DetachRolePolicy

  • iam:GetPolicy

  • iam:GetPolicyVersion

  • iam:GetRole

  • iam:ListAttachedRolePolicies

  • iam:ListEntitiesForPolicy

  • iam:ListPolicyVersions

  • iam:ListRoles

  • s3:ListAllMyBuckets

Managing Amazon QuickSight Permissions to AWS Resources

Unsubscribe from Amazon QuickSight
  • ds:DeleteDirectory

  • ds:UnauthorizeApplication

  • quicksight:Unsubscribe

  • ds:UnauthorizeApplication

  • quicksight:Unsubscribe

Closing Your Amazon QuickSight Account

The following example illustrates a policy that enables active directory group management for an Amazon QuickSight Enterprise edition account.

Copy
{ "Statement": [ { "Action": [ "ds:DescribeTrusts", "quicksight:GetGroupMapping", "quicksight:SearchDirectoryGroups", "quicksight:SetGroupMapping" ], "Effect": "Allow", "Resource": [ "*" ] } ], "Version": "2012-10-17" }

For information about Amazon QuickSight actions like quicksight:GetGroupMapping, see IAM Actions for Amazon QuickSight.

Configure AWS Resources

Use the following sections to configure your AWS resources to work with Amazon QuickSight.

Configure Your AWS Data Sources for Amazon QuickSight Access

You can have Amazon QuickSight autodiscover Amazon RDS instances or Amazon Redshift clusters that are associated with your AWS account and are in the same region you specify for your Amazon QuickSight account. We recommend that you do this because it is the easiest way to make this data available in Amazon QuickSight. You can still manually create connections to a range of AWS resources from within Amazon QuickSight whether or not you choose to enable autodiscovery of Amazon RDS instances or Amazon Redshift clusters.

If you choose to enable autodiscovery, choose one of the following options to make the AWS resource accessible:

Confirm IAM Role Availability

If you choose to enable autodiscovery of AWS resources for your Amazon QuickSight account, Amazon QuickSight creates an IAM role in your AWS account that grants it permission to identify and retrieve data from your AWS data sources.

Because AWS limits you to 250 IAM roles, check to be sure you have at least one free role for Amazon QuickSight to use if you want Amazon QuickSight to autodiscover your AWS resources.

Create an Amazon QuickSight Account

After you have completed any needed configuration of your existing AWS resources as discussed above, use the following procedures to create an Amazon QuickSight account. Start with Sign in to Your AWS Account, then choose Create an Amazon QuickSight Standard Edition Account if you don't want to integrate user accounts from an active directory, or choose Create an Amazon QuickSight Enterprise Edition Account if you want to integrate user accounts from a Microsft AD directory in AWS Directory Service.

When you have finished signing up, you can proceed with connecting to data and creating analyses. For more information about creating your first analysis, see Getting Started. You can also invite other users to access Amazon QuickSight. For more information about managing users in Amazon QuickSight Standard edition, see Managing User Accounts in Amazon QuickSight Standard Edition. For more information about managing users in Amazon QuickSight Enterprise edition, see Managing User Accounts in Amazon QuickSight Enterprise Edition.

Sign in to Your AWS Account

Start the Amazon QuickSight sign up process and sign into your AWS account.

  1. Go to https://quicksight.aws and choose Try for free. For information about QuickSight pricing, including the limits for free tier and free trial usage, see Amazon QuickSight Pricing.

  2. On the Sign In or Create an AWS Account page, enter your email address, choose I am a returning user and my password is:, enter your password, and then choose Sign in using our secure server.

  3. Go to Create an Amazon QuickSight Standard Edition Account if you want to use Amazon QuickSight Standard edition or Create an Amazon QuickSight Enterprise Edition Account if you want to use Amazon QuickSight Enterprise edition.

Create an Amazon QuickSight Standard Edition Account

Create an Amazon QuickSight Standard edition account.

  1. Choose Standard edition and then choose Continue.

  2. For QuickSight account name, type a unique account name for your company or team. It should be representative of your organization if possible, for example examplecompany or examplecompany-finance. Note that account names are unique in Amazon QuickSight, so if you expect to have multiple Amazon QuickSight accounts within your company, you should plan ahead to avoid any conflict.

    Your account name can only contain characters (A-Za-z), digits (0-9), and dashes (-).

  3. For Notification email address, type the email address where Amazon QuickSight should send service and usage notifications.

  4. For QuickSight capacity region, choose the AWS Region where you want Amazon QuickSight to allocate the SPICE capacity associated with any user accounts you create. Typically, this is the region closest to your physical location. For more information about using AWS Regions with Amazon QuickSight, see AWS Regions and IP Address Ranges. For more information about how SPICE capacity is allocated, see Managing SPICE Capacity.

  5. Leave Enable autodiscovery of your data and users in your AWS Redshift, RDS, and IAM services selected to allow Amazon QuickSight to autodiscover any of these types of resources associated with your AWS account, or expand this section and unselect the individual options for the resources that you don't want to use with Amazon QuickSight.

  6. If you have Amazon S3 buckets, choose Amazon S3 (all buckets) to allow Amazon QuickSight to access all of them, or choose Choose S3 buckets to select specific buckets.

  7. If you have Amazon Athena databases, choose Athena to allow Amazon QuickSight to access them. If you choose to use Athena as a data source, make sure that in the prior step you have enabled Amazon QuickSight access to the Amazon S3 buckets in which your Athena data resides.

  8. Choose Finish.

    Note

    When you create an Amazon QuickSight account, an AWS Directory Service directory is created in the US East (N. Virginia) (us-east-1) Region, which Amazon QuickSight uses for account management. You are not charged for this directory, and it is automatically deleted if you unsubscribe from Amazon QuickSight.

  9. Choose Go to Amazon QuickSight.

Create an Amazon QuickSight Enterprise Edition Account

Create an Amazon QuickSight Enterprise edition account.

  1. Choose Enterprise edition and then choose Continue.

  2. Under Active directory, choose Select a directory, and then choose the Microsoft AD that contains the user accounts you want to integrate with Amazon QuickSight. If you don't see that directory, choose Refresh list. If you want to create a new directory rather than using an existing one, choose Create directory to go to the AWS Directory Service console.

    Currently, Amazon QuickSight Enterprise edition is available only in the US East (N. Virginia) AWS Region, so the Microsoft AD you select must reside in that region. The US East (N. Virginia) region is also where default SPICE capacity for your account is allocated if you choose to use Enterprise edition.

  3. Choose Authorize to grant Amazon QuickSight administrative permissions to the directory you selected. Authorization allows Amazon QuickSight to list, add, and remove users and groups from this directory.

  4. If there is a default alias for the active directory you selected, it is used as your Amazon QuickSight account name. If not, type an account name in QuickSight account name. The account name should be representative of your organization if possible, for example examplecompany or examplecompany-finance. Note that account names are unique in Amazon QuickSight, so if you expect to have multiple Amazon QuickSight accounts within your company, you should plan ahead to avoid any conflict.

    Your account name can only contain characters (A-Za-z), digits (0-9), and dashes (-).

  5. For Admin group, type the name of administrator group you want to use.

    All users in this group have Amazon QuickSight user accounts with administrative privileges created for them. You are charged for each user that activates their Amazon QuickSight account.

    If you want to add another administrator group, choose Add another admin group, and then type an administrator group into the new field that displays.

    Repeat until you have added all of the administrator groups you want to use.

  6. For User group, type the name of the user group you want to use.

    All users in this group have Amazon QuickSight user accounts with user privileges created for them. You are charged for each user that activates their Amazon QuickSight account.

    If you want to add another user group, choose Add another user group, and then type a user group into the new field that displays.

    Repeat until you have added all of the user groups you want to use.

  7. Leave Enable autodiscovery of your data and users in your AWS Redshift, RDS, and IAM services selected to allow Amazon QuickSight to autodiscover any of these types of resources associated with your AWS account, or expand this section and unselect the individual options for the resources that you don't want to use with Amazon QuickSight.

  8. If you have Amazon S3 buckets, choose Amazon S3 (all buckets) to allow Amazon QuickSight to access all of them, or choose Choose S3 buckets to select specific buckets.

  9. If you have Amazon Athena databases, choose Athena to allow Amazon QuickSight to access them. If you choose to use Athena as a data source, make sure that in the prior step you have enabled Amazon QuickSight access to the Amazon S3 buckets in which your Athena data resides.

  10. Choose Finish.

  11. Choose Go to Amazon QuickSight.