Configure your Amazon QuickSight account with IAM Identity Center

Applies to: Enterprise Edition

Intended audience: System administrators

IAM Identity Center helps you securely create or configure your existing workforce identities and manage their access across AWS accounts and applications. IAM Identity Center is the recommended approach for workforce authentication and authorization on AWS for organizations of any size and type. To learn more about IAM Identity Center, see AWS IAM Identity Center.

Configure QuickSight and IAM Identity Center so that you can sign up for a new QuickSight account with an IAM Identity Center configured identity source. You can only sign up for QuickSight with IAM Identity Center using the same region as your IAM Identity Center instance. With IAM Identity Center, you can configure your external identity provider as an identity source. You can also use IAM Identity Center as an identity store if you don't want to use a third-party identity provider with QuickSight. Identity methods can't be changed after your account is created.

When you integrate your QuickSight account with IAM Identity Center, QuickSight account administrators can create a new QuickSight account that automatically has the identity provider's groups available. This simplifies asset sharing at scale in Amazon QuickSight.

Access to some sections of the QuickSight administration console is restricted by IAM permissions. The following table summarizes the admin actions that you can perform in QuickSight based on the access type that you choose.

To learn more how to sign up for an Amazon QuickSight account with IAM Identity Center, see Signing up for an Amazon QuickSight subscription.

Admin action	IAM permissions	QuickSight admin role permissions
Manage assets	Yes	No
Security & permissions	Yes	No
Manage VPC connections	Yes	No
KMS keys	Yes	No
Account settings	Yes	No
Account customization	No	Yes
Manage users	Yes (IAM Identity Center users)	Yes (QuickSight and IAM users)
Your subscriptions	No	Yes
Mobile settings	No	Yes
Domains and embedding	No	Yes
SPICE capacity	No	Yes

The Amazon QuickSight mobile app is not supported with QuickSight accounts that are integrated with IAM Identity Center.

Considerations

The following actions permanently remove the ability for QuickSight users to sign into QuickSight. QuickSight does not recommend that QuickSight users perform these actions.

Disabling or deleting the QuickSight application in the IAM Identity Center console. If you want to delete your QuickSight account, see Deleting your Amazon QuickSight subscription and closing the account.
Migrating the QuickSight account that contains your IAM Identity Center configuration to an AWS Organization that does not contain the IAM Identity Center instance that your QuickSight account is configured to.
Deleting the IAM Identity Center instance that is configured to your QuickSight account.
Editing IAM Identity Center application attributes, for example the requires assignment attribute.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Identity management

Other identity configurations