Prerequisites - Amazon QuickSight

Prerequisites

For your users to pass IAM roles to QuickSight, your administrator needs to complete the following tasks:

  • Create an IAM role. For more information about creating IAM roles, see Creating IAM roles in the IAM User Guide.

  • Attach a trust policy to your IAM role that allows QuickSight to assume the role. The following example trust policy allows the Amazon QuickSight principal to assume the IAM role that it's attached to.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "Service": "quicksight.amazonaws.com"
                },
                "Action": "sts:AssumeRole"
            }
        ]
    }

    For more information about creating IAM trust policies and attaching them to roles, see Modifying a Role (Console) in the IAM User Guide.

  • Assign the following IAM permissions to your administrator (IAM users or roles):

    • quicksight:UpdateResourcePermissions – This grants IAM users who are QuickSight administrators the permission to update resource-level permissions in QuickSight. For more information about resource types defined by QuickSight, see Actions, resources, and condition keys for Amazon QuickSight in the IAM User Guide.

    • iam:PassRole – This grants users permission to pass roles to QuickSight. For more information, see Granting a user permissions to pass a role to an AWS service in the IAM User Guide.

    • iam:ListRoles – (Optional) This grants users permission to see a list of existing roles in QuickSight. If this permission isn't provided, they can still use an existing IAM role by specifying its ARN.

    Following is an example IAM permissions policy that allows managing resource-level permissions, listing IAM roles, and passing IAM roles in Amazon QuickSight.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "iam:ListRoles",
                "Resource": "arn:aws:iam::account-id:role:*"
            },
            {
                "Effect": "Allow",
                "Action": "iam:PassRole",
                "Resource": "arn:aws:iam::account-id:role/path/role-name",
                "Condition": {
                    "StringEquals": {
                        "iam:PassedToService": [
                            "quicksight.amazonaws.com"
                        ]
                    }
                }
            },
            {
                "Effect": "Allow",
                "Action": "quicksight:UpdateResourcePermissions",
                "Resource": "*"
            }
        ]
    }

    For more examples of IAM policies that you can use with QuickSight, see IAM policy examples for Amazon QuickSight.

For more information about assigning permissions policies to users or user groups, see Changing permissions for an IAM user in the IAM User Guide.
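
A static check for the two policy documents above, as an added example that is not part of the original page or of any AWS tooling: it confirms that the role's trust policy trusts only quicksight.amazonaws.com, and that every statement allowing iam:PassRole names specific roles and pins iam:PassedToService to QuickSight. The function names and the over-broad LOOSE_POLICY are constructed for illustration; only the Action element and the StringEquals operator are inspected.

```python
import json
from fnmatch import fnmatchcase

QS = "quicksight.amazonaws.com"

def as_list(value):
    # IAM lets most policy elements be either a single string or a list.
    return value if isinstance(value, list) else [value]

def audit_trust(trust):
    """Findings for Allow statements that trust anything other than QuickSight."""
    findings = []
    for i, st in enumerate(as_list(trust["Statement"])):
        principal = st.get("Principal")
        if st.get("Effect") != "Allow":
            continue
        if not isinstance(principal, dict) or set(principal) != {"Service"} \
                or as_list(principal["Service"]) != [QS]:
            findings.append(f"trust[{i}]: principal is not limited to {QS}")
    return findings

def audit_passrole(policy):
    """Findings for Allow statements that grant iam:PassRole too broadly."""
    findings = []
    for i, st in enumerate(as_list(policy["Statement"])):
        # Action entries may be wildcards such as "iam:*"; NotAction is out of scope.
        patterns = [a.lower() for a in as_list(st.get("Action", []))]
        if st.get("Effect") != "Allow" or not any(
                fnmatchcase("iam:passrole", p) for p in patterns):
            continue
        if any("*" in r for r in as_list(st.get("Resource", []))):
            findings.append(f"policy[{i}]: iam:PassRole resource contains a wildcard")
        equals = st.get("Condition", {}).get("StringEquals", {})
        services = [s for key, val in equals.items()
                    if key.lower() == "iam:passedtoservice" for s in as_list(val)]
        if services != [QS]:
            findings.append(f"policy[{i}]: iam:PassedToService is not pinned to {QS}")
    return findings

# The page's trust policy and iam:PassRole statement (placeholders kept as-is).
PAGE_TRUST = json.loads('{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",'
    ' "Principal": {"Service": "quicksight.amazonaws.com"}, "Action": "sts:AssumeRole"}]}')
PAGE_POLICY = json.loads('{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",'
    ' "Action": "iam:PassRole", "Resource": "arn:aws:iam::account-id:role/path/role-name",'
    ' "Condition": {"StringEquals": {"iam:PassedToService": ["quicksight.amazonaws.com"]}}}]}')
# Constructed over-broad variant: any IAM action, any role, any service.
LOOSE_POLICY = {"Statement": [{"Effect": "Allow", "Action": "iam:*", "Resource": "*"}]}

if __name__ == "__main__":
    print(audit_trust(PAGE_TRUST), audit_passrole(PAGE_POLICY), audit_passrole(LOOSE_POLICY))
```

An empty list means the document passed; the page's two policies return no findings, while the constructed variant is reported for both the wildcard resource and the missing service condition.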

After your administrator completes the prerequisites, your IAM users can pass IAM roles to QuickSight. They do so by choosing an IAM role when they sign up for QuickSight, or by switching to an IAM role on their QuickSight Security and Permissions page. To learn how to switch to an existing IAM role in QuickSight, see the following section.