After the QuickSight administrator has granted QuickSight read-only access to Secrets Manager, you can create and update data sources in the API using a secret the administrator selected as credentials.
Following is an example API call to create a data source in QuickSight. This example uses the create-data-source API operation. You can also use the update-data-source operation. For more information, see CreateDataSource and UpdateDataSource in the Amazon QuickSight API Reference.
The user specified in the permissions in the following API call example can delete, view, and edit data sources for the specified MySQL data source in QuickSight. They can also view and update the data source permissions. Instead of a QuickSight username and password, a secret ARN is used as credentials for the data source.
aws quicksight create-data-source \
    --aws-account-id AWSACCOUNTID \
    --data-source-id DATASOURCEID \
    --name NAME \
    --type MYSQL \
    --permissions '[{"Principal": "arn:aws:quicksight:region:accountID:user/namespace/username", "Actions": ["quicksight:DeleteDataSource", "quicksight:DescribeDataSource", "quicksight:DescribeDataSourcePermissions", "quicksight:PassDataSource", "quicksight:UpdateDataSource", "quicksight:UpdateDataSourcePermissions"]}]' \
    --data-source-parameters '{"MySQLParameters":{"Database": "database", "Host":"hostURL", "Port":"port"}}' \
    --credentials '{"SecretArn":"arn:aws:secretsmanager:region:accountID:secret:secretname"}' \
    --region us-west-2
In this call, QuickSight authorizes secretsmanager:GetSecretValue access to the secret based on the API caller's IAM policy, not the IAM service role's policy. The IAM service role acts at the account level and is used when an analysis or dashboard is viewed by a user. It cannot be used to authorize secret access when a user creates or updates the data source.
When they edit a data source in the QuickSight UI, users can view the secret ARN for data sources that use AWS Secrets Manager as the credential type. However, they can't edit the secret, or select a different secret. If they need to make changes, for example to the database server or port, users first need to choose Credential pair and enter their QuickSight account username and password.
Secrets are automatically removed from a data source when the data source is altered in the UI. To restore the secret to the data source, use the update-data-source API operation.
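The same create call and the restore step described above, as an added example in Python rather than code from the AWS documentation. It builds the CreateDataSource request with a SecretArn credential and owner permissions for one user, reads back whether a data source still carries its secret, and re-attaches the secret with UpdateDataSource after a UI edit has dropped it. The account id, region, user and secret ARNs are constructed placeholders; the `client` argument is meant to be `boto3.client("quicksight")`, and the small `OfflineQuickSight` class is a stand-in written for this example so it runs without AWS access.

```python
"""Create a QuickSight MySQL data source credentialed by a Secrets Manager
secret, check for the secret, and restore it with UpdateDataSource.
Added example, not AWS documentation code; all ARNs are constructed."""
import re

# The owner-level action set the page's CLI example grants to one user.
OWNER_ACTIONS = [
    "quicksight:DeleteDataSource",
    "quicksight:DescribeDataSource",
    "quicksight:DescribeDataSourcePermissions",
    "quicksight:PassDataSource",
    "quicksight:UpdateDataSource",
    "quicksight:UpdateDataSourcePermissions",
]
SECRET_ARN_RE = re.compile(r"^arn:aws:secretsmanager:[a-z0-9-]+:\d{12}:secret:\S+$")
USER_ARN_RE = re.compile(r"^arn:aws:quicksight:[a-z0-9-]+:\d{12}:user/[^/\s]+/\S+$")


def validate_secret_arn(arn):
    """Accept only a Secrets Manager secret ARN as the credential, so a
    username/password pair can never be sent through this path by mistake."""
    if not SECRET_ARN_RE.match(arn):
        raise ValueError("not a Secrets Manager secret ARN: %r" % (arn,))
    return arn


def build_create_request(account_id, data_source_id, name, user_arn,
                         database, host, port, secret_arn):
    """Assemble the CreateDataSource body: MySQL parameters, SecretArn instead
    of CredentialPair, and owner permissions for exactly one user principal."""
    if not USER_ARN_RE.match(user_arn):
        raise ValueError("not a QuickSight user ARN: %r" % (user_arn,))
    return {
        "AwsAccountId": account_id,
        "DataSourceId": data_source_id,
        "Name": name,
        "Type": "MYSQL",
        # Port is an integer in the API even though the CLI example quotes it.
        "DataSourceParameters": {"MySQLParameters": {
            "Database": database, "Host": host, "Port": int(port)}},
        "Credentials": {"SecretArn": validate_secret_arn(secret_arn)},
        "Permissions": [{"Principal": user_arn, "Actions": list(OWNER_ACTIONS)}],
    }


def create_data_source_with_secret(client, **kwargs):
    """GetSecretValue is authorized here against the caller's IAM policy."""
    return client.create_data_source(**build_create_request(**kwargs))


def data_source_secret_arn(client, account_id, data_source_id):
    """SecretArn currently attached to the data source, or None if it is gone
    (for example after the data source was edited in the UI)."""
    resp = client.describe_data_source(AwsAccountId=account_id, DataSourceId=data_source_id)
    return resp["DataSource"].get("SecretArn")


def restore_secret_credentials(client, account_id, data_source_id, secret_arn):
    """Re-attach the secret with UpdateDataSource. Name is required by that
    API, so it and the connection parameters are read back, not guessed."""
    current = client.describe_data_source(
        AwsAccountId=account_id, DataSourceId=data_source_id)["DataSource"]
    return client.update_data_source(
        AwsAccountId=account_id, DataSourceId=data_source_id, Name=current["Name"],
        DataSourceParameters=current["DataSourceParameters"],
        Credentials={"SecretArn": validate_secret_arn(secret_arn)})


class OfflineQuickSight:
    """Constructed stand-in for boto3.client("quicksight"); keeps one data
    source in memory so the flow above can be exercised without AWS."""
    def __init__(self):
        self.ds, self.calls = {}, []

    def create_data_source(self, **kw):
        self.calls.append(("create", kw))
        self.ds = {"Name": kw["Name"], "DataSourceParameters": kw["DataSourceParameters"],
                   "SecretArn": kw["Credentials"]["SecretArn"]}
        return {"Status": 202, "DataSourceId": kw["DataSourceId"]}

    def describe_data_source(self, **kw):
        return {"DataSource": dict(self.ds)}

    def update_data_source(self, **kw):
        self.calls.append(("update", kw))
        self.ds["SecretArn"] = kw["Credentials"]["SecretArn"]
        return {"Status": 202}

    def simulate_ui_edit(self):
        self.ds.pop("SecretArn", None)  # the UI strips the secret on edit


if __name__ == "__main__":
    qs = OfflineQuickSight()  # swap for boto3.client("quicksight", region_name="us-west-2")
    secret = "arn:aws:secretsmanager:us-west-2:123456789012:secret:sales-mysql-creds"
    create_data_source_with_secret(
        qs, account_id="123456789012", data_source_id="sales-mysql", name="Sales MySQL",
        user_arn="arn:aws:quicksight:us-west-2:123456789012:user/default/alice",
        database="sales", host="db.example.internal", port=3306, secret_arn=secret)
    qs.simulate_ui_edit()
    if data_source_secret_arn(qs, "123456789012", "sales-mysql") is None:
        restore_secret_credentials(qs, "123456789012", "sales-mysql", secret)
    print("secret attached:", data_source_secret_arn(qs, "123456789012", "sales-mysql"))
```

Run `data_source_secret_arn` over each data source after UI changes to find ones that silently fell back to no secret; the create and update paths only ever accept a SecretArn, so a CredentialPair cannot be introduced through them.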