Configuring federated user access to Quick through IAM Identity Center - AWS Prescriptive Guidance

Configuring federated user access to Quick through IAM Identity Center

If your enterprise is already using AWS IAM Identity Center, you might want to use this service to authenticate federated users. You can use SAML 2.0 federation, or you can use the built-in service integration between IAM Identity Center and Quick. For more information about the built-in service integration, see IAM Identity Center integration in this guide.

When using SAML 2.0 federation with IAM Identity Center, there are two methods to configure federated user access to Quick:

  • Configuring permissions by using permission sets – You can use this approach only if the AWS accounts for IAM Identity Center and Quick are members of the same organization in AWS Organizations. A permission set is a template that defines a collection of one or more AWS Identity and Access Management (IAM) policies. Permission sets can simplify permissions management in your organization.

  • Configuring permissions by using IAM roles – This approach is well suited if the AWS account for Quick is not part of the same organization as IAM Identity Center. In this approach, you create the IAM roles directly in the same account as Quick.

In both of these approaches, users can self-provision their own Quick access. If email synchronization is disabled, users can provide their preferred email address when they sign in to Quick. If email synchronization is enabled, Quick uses the email address defined in the enterprise IdP. For more information, see Quick email synchronization for federated users in this guide.

Configuring permissions by using permission sets

Architecture diagram of a federated user gaining Quick access through a permission set in IAM Identity Center.

The following are the characteristics of this architecture and access approach:

  1. The AWS accounts for IAM Identity Center and Quick are in the same organization in AWS Organizations.

  2. The permission set that you define in IAM Identity Center manages and controls the IAM role.

  3. Users log in through IAM Identity Center.

  4. The Quick user record is linked to the IAM role managed by IAM Identity Center and the username, such as AWSReservedSSO_QuickSightReader_7oe58cd620501f23/DiegoRamirez@example.com.

Prerequisites

  • An active Quick account

  • The following permissions:

    • Administrator access to the AWS account where Quick is subscribed

    • Access to the IAM Identity Center console and permissions to create permission sets

Configuring access

Before subscribing to Quick, make sure that you have already set up and configured IAM Identity Center. For instructions, see Enabling AWS IAM Identity Center and Getting started tutorials in the IAM Identity Center documentation. After you have configured IAM Identity Center in your organization, create a custom permission set in IAM Identity Center that allows federated users to access Quick. For instructions, see Create a permission set in the IAM Identity Center documentation. For more information about configuring the policies that you include in the permission set, see Configuring IAM policies in this guide.

After you create the permission set, provision it to the target AWS account where Quick is subscribed, and then apply it to the users and groups who require Quick access. For more information about assigning permission sets, see Assign user access to AWS accounts in the IAM Identity Center documentation.

Configuring permissions by using IAM roles

Architecture diagram of a federated user gaining Quick access through an IAM role.

The following are the characteristics of this architecture and access approach:

  1. The AWS accounts for IAM Identity Center and Quick are not in the same organization in AWS Organizations.

  2. Users log in through IAM Identity Center or through the external IdP that you configured as an identity source in IAM Identity Center.

  3. The IAM role contains a trust policy that allows only federated users from IAM Identity Center to assume the role.

  4. The Quick user record is linked to an IAM role and the username in the IdP, such as QuickSightReader/DiegoRamirez@example.com.

Prerequisites

  • An active Quick account.

  • The following permissions:

    • Administrator access to the AWS account where Quick is subscribed.

    • Access to the IAM Identity Center console and permissions to manage applications.

  • You have set up and configured IAM Identity Center. For instructions, see Enabling AWS IAM Identity Center and Getting started tutorials in the IAM Identity Center documentation.

  • You have configured IAM Identity Center as a trusted IdP in IAM. For instructions, see Creating IAM identity providers in the IAM documentation.

Configuring access

For instructions, see the AWS IAM Identity Center Integration Guide for Amazon Quick. After you have configured IAM Identity Center as a trusted identity provider for the AWS account, create an IAM role that federated users can assume in order to access Quick. For instructions, see Creating IAM roles in the IAM documentation. For more information about configuring the policies for Quick, see Configuring IAM policies in this guide.
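The following is an added example, not code from the AWS guide, that illustrates two points made above: the trust policy on the IAM role in the IAM roles approach, which must allow only federated users from IAM Identity Center to assume the role, and the role-linked Quick user record name (`<role name>/<user name>`) that both approaches produce. The account ID, the name of the SAML provider created in IAM for IAM Identity Center, and the role names are constructed placeholders. The lint function is a review aid for a trust policy document you already have (for example, exported from IAM); it is not an AWS API.

```python
"""Added example: build and lint the SAML trust policy for a Quick access role,
and compose/parse the role-linked Quick user record name.
Account ID, provider name and role names below are constructed placeholders."""
import json

# Constructed placeholders (assumptions, not values taken from the guide).
ACCOUNT_ID = "123456789012"
# SAML provider created in IAM for IAM Identity Center; the name is an assumption.
IDC_SAML_PROVIDER_ARN = f"arn:aws:iam::{ACCOUNT_ID}:saml-provider/IAMIdentityCenter"
# Audience value carried in SAML assertions used for AWS sign-in federation.
SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"


def build_trust_policy(provider_arn: str) -> dict:
    """Trust policy that lets only SAML-federated principals from the given
    provider assume the role, and only for assertions addressed to AWS."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"Federated": provider_arn},
                "Action": "sts:AssumeRoleWithSAML",
                "Condition": {"StringEquals": {"SAML:aud": SAML_AUDIENCE}},
            }
        ],
    }


def _as_list(value):
    """IAM allows a single string or a list for Principal/Action values."""
    return value if isinstance(value, list) else [value]


def trust_policy_findings(policy: dict, expected_provider_arn: str) -> list:
    """Review a trust policy against the guide's requirement that only federated
    users from IAM Identity Center can assume the role. Returns a list of
    findings; an empty list means every Allow statement meets the requirement."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never widen who can assume the role
        principal = stmt.get("Principal", {})
        if principal == "*" or principal.get("AWS"):
            findings.append(f"statement {i}: trusts a non-federated principal")
        for fed in _as_list(principal.get("Federated", [])):
            if fed != expected_provider_arn:
                findings.append(f"statement {i}: trusts unexpected provider {fed}")
        for action in _as_list(stmt.get("Action", [])):
            if action != "sts:AssumeRoleWithSAML":
                findings.append(f"statement {i}: allows {action}, not only AssumeRoleWithSAML")
        aud = stmt.get("Condition", {}).get("StringEquals", {}).get("SAML:aud")
        if aud != SAML_AUDIENCE:
            findings.append(f"statement {i}: missing SAML:aud condition")
    return findings


def quick_user_name(role_name: str, idp_user_name: str) -> str:
    """Quick user record name for a role-linked federated user, in the form the
    guide shows: "<IAM role name>/<user name>"."""
    return f"{role_name}/{idp_user_name}"


def split_quick_user_name(name: str) -> tuple:
    """Split a role-linked Quick user name into (role name, user name,
    managed_by_identity_center). Roles that IAM Identity Center provisions
    from a permission set carry the AWSReservedSSO_ prefix."""
    role, _, user = name.partition("/")
    return role, user, role.startswith("AWSReservedSSO_")


if __name__ == "__main__":
    policy = build_trust_policy(IDC_SAML_PROVIDER_ARN)
    print(json.dumps(policy, indent=2))
    print("findings:", trust_policy_findings(policy, IDC_SAML_PROVIDER_ARN))
    print(split_quick_user_name(quick_user_name("QuickSightReader", "DiegoRamirez@example.com")))
```

When reviewing an existing role, export its trust policy as JSON and pass it to `trust_policy_findings` together with the ARN of the SAML provider you created for IAM Identity Center; any finding means the role can be assumed by principals other than federated users from IAM Identity Center, which is the condition the IAM roles approach depends on.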