Configuring federated user access to QuickSight through IAM Identity Center - AWS Prescriptive Guidance

Configuring federated user access to QuickSight through IAM Identity Center

If your enterprise already uses AWS IAM Identity Center, you might want to use it to authenticate federated users. You can use SAML 2.0 federation or the built-in service integration between IAM Identity Center and QuickSight. For more information about the built-in service integration, see IAM Identity Center integration in this guide.

When using SAML 2.0 federation with IAM Identity Center, there are two methods to configure federated user access to QuickSight:

  • Configuring permissions by using permission sets – You can use this approach only if the AWS accounts for IAM Identity Center and QuickSight are members of the same organization in AWS Organizations. A permission set is a template that defines a collection of one or more AWS Identity and Access Management (IAM) policies. IAM Identity Center provisions the permission set into each target account as an IAM role, so permission sets can simplify permissions management across your organization.

  • Configuring permissions by using IAM roles – This approach is well suited when the AWS account for QuickSight is not part of the same organization as IAM Identity Center. In this approach, you create the IAM roles directly in the AWS account where QuickSight is subscribed.

In both of these approaches, users can self-provision their own QuickSight access. If email synchronization is disabled, users can provide their preferred email address when they sign in to QuickSight. If email synchronization is enabled, QuickSight uses the email address defined in the enterprise IdP. For more information, see QuickSight email synchronization for federated users in this guide.

Configuring permissions by using permission sets

Architecture diagram of a federated user gaining QuickSight access through a permission set in IAM Identity Center

The following are the characteristics of this architecture and access approach:

  1. The AWS accounts for IAM Identity Center and QuickSight are in the same organization in AWS Organizations.

  2. The permission set that you define in IAM Identity Center manages and controls the IAM role.

  3. Users log in through IAM Identity Center.

  4. The QuickSight user record is linked to the IAM role that IAM Identity Center manages for the permission set and to the username, in the form role name/username, such as AWSReservedSSO_QuickSightReader_7oe58cd620501f23/DiegoRamirez@example.com.

Prerequisites

  • An active QuickSight account

  • The following permissions:

    • Administrator access to the AWS account where QuickSight is subscribed

    • Access to the IAM Identity Center console and permissions to create permission sets

Configuring access

Before subscribing to QuickSight, make sure that you have already set up and configured IAM Identity Center. For instructions, see Enabling AWS IAM Identity Center and Getting started tutorials in the IAM Identity Center documentation. After you have configured IAM Identity Center in your organization, create a custom permission set in IAM Identity Center that allows federated users to access QuickSight. For instructions, see Create a permission set in the IAM Identity Center documentation. For more information about configuring the policies that you include in the permission set, see Configuring IAM policies in this guide.

After you create the permission set, provision it to the target AWS account where QuickSight is subscribed, and then apply it to the users and groups who require QuickSight access. For more information about assigning permission sets, see Assign user access to AWS accounts in the IAM Identity Center documentation.
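The following Python script is an added illustration for this guide; it is not AWS-published code or part of QuickSight. It builds the kind of self-provisioning policy you place in the permission set, and it derives the QuickSight user name that a federated session is registered under, which is how the user record described above is linked to the role and the username. The account ID, permission set name and user are constructed samples. The policy shape (one quicksight:Create* action scoped to the caller's own user ARN through ${aws:userid}) is the common self-provisioning pattern; take the authoritative policies for your deployment from Configuring IAM policies in this guide.

```python
"""Helpers for the permission set approach: build the QuickSight
self-provisioning policy for the permission set, and derive the QuickSight
user name that a federated session is registered under.

Added example for this guide, not AWS-published code. The account ID and
names are constructed samples. The policy shape is the usual
self-provisioning pattern; the authoritative policies are in
"Configuring IAM policies" in this guide."""
import json
import re

ACCOUNT_ID = "111122223333"  # constructed sample account ID

# QuickSight role -> IAM action that lets a principal self-provision a user
# of that role.
CREATE_ACTIONS = {
    "Reader": "quicksight:CreateReader",
    "Author": "quicksight:CreateUser",
    "Admin": "quicksight:CreateAdmin",
}


def build_quicksight_policy(account_id: str, qs_role: str = "Reader") -> dict:
    """Return the inline policy for a permission set whose users may create
    only their own QuickSight user record of the given role."""
    if qs_role not in CREATE_ACTIONS:
        raise ValueError(f"unknown QuickSight role: {qs_role}")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": CREATE_ACTIONS[qs_role],
                # For an assumed role, ${aws:userid} is ROLEID:SESSIONNAME, so
                # the principal can provision a user record for itself only.
                "Resource": f"arn:aws:quicksight::{account_id}:user/${{aws:userid}}",
            }
        ],
    }


# arn:aws:sts::<account>:assumed-role/<role name>/<session name>
ASSUMED_ROLE_RE = re.compile(
    r"^arn:aws:sts::(?P<account>\d{12}):assumed-role/(?P<role>[^/]+)/(?P<session>.+)$"
)


def quicksight_user_name(assumed_role_arn: str) -> str:
    """QuickSight registers a federated user as '<IAM role name>/<session name>'.
    With a permission set the role is AWSReservedSSO_<permission set>_<suffix>
    and the session name is the IAM Identity Center user name; with a
    hand-made IAM role (the other approach on this page) it is that role."""
    m = ASSUMED_ROLE_RE.match(assumed_role_arn)
    if not m:
        raise ValueError(f"not an assumed-role ARN: {assumed_role_arn}")
    return f"{m['role']}/{m['session']}"


def is_identity_center_role(role_name: str) -> bool:
    """True when the role is one IAM Identity Center created from a permission
    set; such roles carry the AWSReservedSSO_ prefix."""
    return role_name.startswith("AWSReservedSSO_")


if __name__ == "__main__":
    print(json.dumps(build_quicksight_policy(ACCOUNT_ID), indent=2))
    # Constructed session ARN for a user who signed in through the
    # "QuickSightReader" permission set.
    session = (f"arn:aws:sts::{ACCOUNT_ID}:assumed-role/"
               "AWSReservedSSO_QuickSightReader_7oe58cd620501f23/DiegoRamirez@example.com")
    print(quicksight_user_name(session))
```

Because the QuickSight user record is keyed on the role name plus the username, keep the permission set that users sign in with stable: a different permission set produces a different AWSReservedSSO_ role name and therefore a new QuickSight user rather than the existing one.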

Configuring permissions by using IAM roles

Architecture diagram of a federated user gaining QuickSight access through an IAM role

The following are the characteristics of this architecture and access approach:

  1. The AWS accounts for IAM Identity Center and QuickSight are not in the same organization in AWS Organizations.

  2. Users log in through IAM Identity Center or through the external IdP that you configured as an identity source in IAM Identity Center.

  3. The IAM role contains a trust policy that allows only federated users from IAM Identity Center to assume the role.

  4. The QuickSight user record is linked to an IAM role and the username in the IdP, such as QuickSightReader/DiegoRamirez@example.com.

Prerequisites

  • An active QuickSight account.

  • The following permissions:

    • Administrator access to the AWS account where QuickSight is subscribed.

    • Access to the IAM Identity Center console and permissions to manage applications.

  • You have set up and configured IAM Identity Center. For instructions, see Enabling AWS IAM Identity Center and Getting started tutorials in the IAM Identity Center documentation.

  • You have configured IAM Identity Center as a trusted IdP in IAM. For instructions, see Creating IAM identity providers in the IAM documentation.

Configuring access

For instructions, see the AWS IAM Identity Center Integration Guide for Amazon QuickSight. After you have configured IAM Identity Center as a trusted identity provider for the AWS account, create an IAM role that federated users can assume in order to access QuickSight. For instructions, see Creating IAM roles in the IAM documentation. For more information about configuring the policies for QuickSight, see Configuring IAM policies in this guide.
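The following Python script is an added illustration for this guide; it is not AWS-published code. It shows the trust policy that gives the IAM role the property described above, namely that only federated users from IAM Identity Center can assume it, and a check that flags trust policies which are wider than that, such as a role that trusts any AWS principal through sts:AssumeRole. The account ID and the SAML provider name IdentityCenter are constructed samples; the provider must be the one you created in IAM from the IAM Identity Center application metadata (see the prerequisites above). The audience value https://signin.aws.amazon.com/saml is the one AWS uses for SAML federation into the console.

```python
"""Trust policy for the IAM role approach, with a check that the policy
admits only SAML federation from the IAM Identity Center provider.

Added example for this guide, not AWS-published code. The account ID and the
SAML provider name "IdentityCenter" are constructed samples."""
import json

ACCOUNT_ID = "111122223333"  # constructed sample account ID
PROVIDER_ARN = f"arn:aws:iam::{ACCOUNT_ID}:saml-provider/IdentityCenter"
AWS_SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"


def build_trust_policy(provider_arn: str) -> dict:
    """Trust only assertions issued by the given SAML provider and addressed
    to AWS sign-in; sts:AssumeRoleWithSAML is the only permitted action."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"Federated": provider_arn},
                "Action": "sts:AssumeRoleWithSAML",
                "Condition": {"StringEquals": {"SAML:aud": AWS_SAML_AUDIENCE}},
            }
        ],
    }


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def trust_policy_findings(policy: dict, account_id: str) -> list:
    """Return one finding per way an Allow statement is wider than
    'federated users from a SAML provider in account_id'. Empty means OK."""
    findings = []
    saml_prefix = f"arn:aws:iam::{account_id}:saml-provider/"
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal")
        if not isinstance(principal, dict) or set(principal) != {"Federated"}:
            findings.append(f"statement {i}: principal must be a single Federated SAML provider")
        elif not str(principal["Federated"]).startswith(saml_prefix):
            findings.append(f"statement {i}: Federated principal is not a SAML provider in {account_id}")
        actions = _as_list(st.get("Action"))
        if actions != ["sts:AssumeRoleWithSAML"]:
            findings.append(f"statement {i}: action must be exactly sts:AssumeRoleWithSAML, got {actions}")
        aud = st.get("Condition", {}).get("StringEquals", {}).get("SAML:aud")
        if aud != AWS_SAML_AUDIENCE:
            findings.append(f"statement {i}: missing StringEquals SAML:aud == {AWS_SAML_AUDIENCE}")
    return findings


# Constructed "before" policy: any AWS principal that knows the role ARN can
# assume it with plain sts:AssumeRole, so it is not limited to federated users.
WEAK_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}
    ],
}


if __name__ == "__main__":
    good = build_trust_policy(PROVIDER_ARN)
    print(json.dumps(good, indent=2))
    print("good policy findings:", trust_policy_findings(good, ACCOUNT_ID))
    print("weak policy findings:", trust_policy_findings(WEAK_TRUST_POLICY, ACCOUNT_ID))
```

Run the check against the trust policy of each role you create for QuickSight; a role that passes it can be entered only through a SAML assertion from your IAM Identity Center provider, which is the condition the permissions policy from Configuring IAM policies relies on.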