Step 1: Set up permissions - Amazon QuickSight

Important: We've redesigned the Amazon QuickSight analysis workspace. You might encounter screenshots or procedural text that doesn't reflect the new look in the QuickSight console. We're in the process of updating screenshots and procedural text.

To find a feature or item, use the Quick search bar.

For more information on QuickSight's new look, see Introducing new analysis experience on Amazon QuickSight.

Step 1: Set up permissions

In the following section, you can find out how to set up permissions for the backend application or web server. This task requires administrative access to IAM.

Each user who accesses a dashboard assumes a role that gives them Amazon QuickSight access and permissions to the dashboard. To make this possible, create an IAM role in your AWS account. Associate an IAM policy with the role to provide permissions to any user who assumes it. The IAM role needs to provide permissions to retrieve embedding URLs for a specific user pool. With the help of the wildcard character *, you can grant the permissions to generate a URL for all users in a specific namespace, or for a subset of users in specific namespaces. For this, you add quicksight:GenerateEmbedUrlForRegisteredUser.

You can create a condition in your IAM policy that limits the domains that developers can list in the AllowedDomains parameter of a GenerateEmbedUrlForRegisteredUser API operation. The AllowedDomains parameter is an optional parameter. It grants you as a developer the option to override the static domains that are configured in the Manage QuickSight menu. Instead, you can list up to three domains or subdomains that can access the generated URL. This URL is then embedded in the website that you create. Only the domains that are listed in the parameter can access the embedded visual. Without this condition, you can list any domain on the internet in the AllowedDomains parameter.

To limit the domains that developers can use with this parameter, add an AllowedEmbeddingDomains condition to your IAM policy. For more information about the AllowedDomains parameter, see GenerateEmbedUrlForRegisteredUser in the Amazon QuickSight API Reference.

The following sample policy provides these permissions.

{
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "quicksight:GenerateEmbedUrlForRegisteredUser"
                ],
                "Resource": "arn:partition:quicksight:region:accountId:user/namespace/userName",
                "Condition": {
                    "ForAllValues:StringEquals": {
                        "quicksight:AllowedEmbeddingDomains": [
                            "https://my.static.domain1.com",
                            "https://*.my.static.domain2.com"
                    ]
                }
            }
            }
        ]
    }

Additionally, if you are creating first-time users who will be Amazon QuickSight readers, make sure to add the quicksight:RegisterUser permission in the policy.

The following sample policy provides permission to retrieve an embedding URL for first-time users who are to be QuickSight readers.

{
        "Version": "2012-10-17",
        "Statement": [
            {
            "Action": "quicksight:RegisterUser",
            "Resource": "*",
            "Effect": "Allow"
            },
            {
            "Effect": "Allow",
            "Action": [
                "quicksight:GenerateEmbedUrlForRegisteredUser"
            ],
            "Resource": [
                "arn:{{partition}}:quicksight:{{region}}:{{accountId}}:namespace/{{namespace}}",
                "arn:{{partition}}:quicksight:{{region}}:{{accountId}}:dashboard/{{dashboardId-1}}",
                "arn:{{partition}}:quicksight:{{region}}:{{accountId}}:dashboard/{{dashboardId-2}}"
            ],
            "Condition": {
                "ForAllValues:StringEquals": {
                    "quicksight:AllowedEmbeddingDomains": [
                        "https://my.static.domain1.com",
                        "https://*.my.static.domain2.com"
                    ]
                }
            }
            }
        ]
    }

Finally, your application's IAM identity must have a trust policy associated with it to allow access to the role that you just created. This means that when a user accesses your application, your application can assume the role on the user's behalf and provision the user in QuickSight. The following example shows a sample trust policy. 

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowLambdaFunctionsToAssumeThisRole",
            "Effect": "Allow",
            "Principal": {
                "Service": "lambda.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        },
        {
            "Sid": "AllowEC2InstancesToAssumeThisRole",
            "Effect": "Allow",
            "Principal": {
                "Service": "ec2.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

For more information regarding trust policies for OpenID Connect or SAML authentication, see the following sections of the IAM User Guide: