Step 2: Set Up Permissions for Dashboard Viewers - Amazon QuickSight

Step 2: Set Up Permissions for Dashboard Viewers

In the following section, you can find out how to set up permissions for embedded viewers by using IAM. This task requires administrative access to IAM.

Each user who accesses a dashboard assumes a role that gives them Amazon QuickSight access and permissions to the dashboard. To make this possible, create an IAM role in your AWS account. Associate an IAM policy with the role to provide permissions to any user who assumes it. Add quicksight:RegisterUser permissions to ensure that the reader can access Amazon QuickSight in a read-only fashion, and not have access to any other data or creation capability. The IAM role also needs to provide permissions to retrieve dashboards by using quicksight:GetDashboardEmbedUrl.

The following sample policy provides these permissions.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "quicksight:RegisterUser",
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "quicksight:GetDashboardEmbedUrl",
            "Resource": "arn:aws:quicksight:us-west-2:111122223333:dashboard/22a7dcbd-7890-3456-9f87-ffd9876ab432",
            "Effect": "Allow"
        }
    ]
}

If you use QUICKSIGHT as your identityType and provide the user's Amazon Resource Name (ARN), you also need to allow the quicksight:GetAuthCode action in your policy. The following sample policy provides this permission.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "quicksight:GetAuthCode",
            "Resource": "arn:aws:quicksight:us-east-1:111122223333:user/default/dashboard_viewer",
            "Effect": "Allow"
        }
    ]
}
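A least-privilege check for the viewer role's permissions policies above, added here as an example and not part of the original documentation: it flags actions beyond the three this page grants, wildcard resources on anything other than quicksight:RegisterUser, and malformed ARNs. The function name, the allow-lists and the SAMPLE policy are constructed for illustration.

```python
import re

# Actions this page grants to the embedded-viewer role; anything else is flagged.
VIEWER_ACTIONS = {
    "quicksight:RegisterUser",
    "quicksight:GetDashboardEmbedUrl",
    "quicksight:GetAuthCode",
}
# In the page's sample policy only RegisterUser uses "Resource": "*".
WILDCARD_OK = {"quicksight:RegisterUser"}
# arn:aws:quicksight:<region>:<12-digit account>:<resource>, no whitespace.
ARN_RE = re.compile(r"arn:aws:quicksight:[a-z0-9-]+:\d{12}:\S+")

def as_list(value):
    """IAM accepts a single value or a list for Statement, Action, Resource."""
    return value if isinstance(value, list) else [value]

def lint_viewer_policy(policy):
    """Return a list of findings for a viewer-role permissions policy."""
    findings = []
    for i, stmt in enumerate(as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        for action in as_list(stmt.get("Action", [])):
            if action not in VIEWER_ACTIONS:
                findings.append(f"statement {i}: unexpected action {action}")
            for res in as_list(stmt.get("Resource", [])):
                if "*" in res:
                    if action not in WILDCARD_OK:
                        findings.append(f"statement {i}: {action} on wildcard resource {res!r}")
                elif not ARN_RE.fullmatch(res):
                    findings.append(f"statement {i}: malformed ARN {res!r}")
    return findings

# Constructed sample: over-broad and malformed variants of the page's policies.
SAMPLE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "quicksight:RegisterUser", "Resource": "*"},
        {"Effect": "Allow", "Action": "quicksight:GetDashboardEmbedUrl", "Resource": "*"},
        {"Effect": "Allow", "Action": "quicksight:GetAuthCode",
         "Resource": " arn:aws:quicksight:us-east-1:111122223333:user/default/dashboard_viewer"},
        {"Effect": "Allow", "Action": "quicksight:CreateDashboard", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    for finding in lint_viewer_policy(SAMPLE):
        print(finding)
```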

Your application's IAM identity must have a trust policy associated with it to allow access to the role that you just created. This means that when a user accesses your application, your application can assume the role on the user's behalf and provision the user in Amazon QuickSight. The following example shows a role called embedding_quicksight_dashboard_role, which has the preceding sample policy as its resource.

{
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": "arn:aws:iam::111122223333:role/embedding_quicksight_dashboard_role"
    }
}

For more information regarding trust policies for OpenID Connect or SAML authentication, see the following sections of the IAM User Guide: