Actions, resources, and condition keys for Amazon QuickSight
Amazon QuickSight (service prefix: quicksight) provides the following service-specific resources, actions, and condition context
keys for use in IAM permission policies.
References:
-
Learn how to configure this service.
-
View a list of the API operations available for this service.
-
Learn how to secure this service and its resources by using IAM permission policies.
Topics
Actions defined by Amazon QuickSight
You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform
an operation in AWS. When you use an action in a policy, you usually allow or
deny access to the API operation or CLI command with the same name. However,
in some cases, a single action controls access to more than one operation. Alternatively,
some operations require several different actions.
The Resource types column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the
Resource element of your policy statement. If the column includes a resource type, then
you can specify an ARN of that type in a statement with that action. Required
resources are indicated in the table with an asterisk (*). If you specify a resource-level
permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not
indicated as required), then you can choose to use one but not the other.
For details about the columns in the following table, see The actions table.
| Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions |
|---|---|---|---|---|---|
| CancelIngestion | Grants permission to cancel a SPICE ingestions on a dataset | Write | |||
| CreateAccountCustomization | Grants permission to create an account customization for QuickSight account or namespace | Write | |||
| CreateAdmin [permission only] | Grants permission to provision Amazon QuickSight administrators, authors, and readers | Write | |||
| CreateAnalysis | Grants permission to create an analysis from a template | Write | |||
| CreateCustomPermissions [permission only] | Grants permission to create a custom permissions resource for restricting user access | Write | |||
| CreateDashboard | Grants permission to create a QuickSight Dashboard | Write | |||
| CreateDataSet | Grants permission to create a dataset | Write |
quicksight:PassDataSource |
||
| CreateDataSource | Grants permission to create a data source | Write | |||
| CreateGroup | Grants permission to create a QuickSight group | Write | |||
| CreateGroupMembership | Grants permission to add a QuickSight user to a QuickSight group | Write | |||
| CreateIAMPolicyAssignment | Grants permission to create an assignment with one specified IAM Policy ARN that will be assigned to specified groups or users of QuickSight | Write | |||
| CreateIngestion | Grants permission to start a SPICE ingestion on a dataset | Write | |||
| CreateNamespace | Grants permission to create an QuickSight namespace | Write | |||
| CreateReader [permission only] | Grants permission to provision Amazon QuickSight readers | Write | |||
| CreateTemplate | Grants permission to create a template | Write | |||
| CreateTemplateAlias | Grants permission to create a template alias | Write | |||
| CreateTheme | Grant permission to create a theme | Write | |||
| CreateThemeAlias | Grants permission to create an alias for a theme version | Write | |||
| CreateUser [permission only] | Grants permission to provision Amazon QuickSight authors and readers | Write | |||
| CreateVPCConnection [permission only] | Grants permission to create a VPC connection | Write | |||
| DeleteAccountCustomization | Grants permission to delete an account customization for QuickSight account or namespace | Write | |||
| DeleteAnalysis | Grants permissions to delete an analysis | Write | |||
| DeleteCustomPermissions [permission only] | Grants permission to delete a custom permissions resource | Write | |||
| DeleteDashboard | Grants permission to delete a QuickSight Dashboard | Write | |||
| DeleteDataSet | Grants permission to delete a dataset | Write | |||
| DeleteDataSource | Grants permission to delete a data source | Write | |||
| DeleteGroup | Grants permission to remove a user group from QuickSight | Write | |||
| DeleteGroupMembership | Grants permission to remove a user from a group so that he/she is no longer a member of the group | Write | |||
| DeleteIAMPolicyAssignment | Grants permission to update an existing assignment | Write | |||
| DeleteNamespace | Grants permission to delete a QuickSight namespace | Write | |||
| DeleteTemplate | Grants permission to delete a template | Write | |||
| DeleteTemplateAlias | Grants permission to delete a template alias | Write | |||
| DeleteTheme | Grants permission to delete a theme | Write | |||
| DeleteThemeAlias | Grants permission to delete the alias of a theme | Write | |||
| DeleteUser | Grants permission to delete a QuickSight user, given the user name | Write | |||
| DeleteUserByPrincipalId | Grants permission to deletes a user identified by its principal ID | Write | |||
| DeleteVPCConnection [permission only] | Grants permission to delete a VPC connection | Write | |||
| DescribeAccountCustomization | Grants permission to describe an account customization for QuickSight account or namespace | Read | |||
| DescribeAccountSettings | Grants permission to describe the administrative account settings for QuickSight account | Read | |||
| DescribeAnalysis | Grants permission to describe an analysis | Read | |||
| DescribeAnalysisPermissions | Grants permission to describe permissions for an analysis | Read | |||
| DescribeCustomPermissions [permission only] | Grants permission to describe a custom permissions resource in a QuickSight account | Write | |||
| DescribeDashboard | Grants permission to describe a QuickSight Dashboard | Read | |||
| DescribeDashboardPermissions | Grants permission to describe permissions for a QuickSight Dashboard | Read | |||
| DescribeDataSet | Grants permission to describe a dataset | Read | |||
| DescribeDataSetPermissions | Grants permission to describe the resource policy of a dataset | Permissions management | |||
| DescribeDataSource | Grants permission to describe a data source | Read | |||
| DescribeDataSourcePermissions | Grants permission to describe the resource policy of a data source | Permissions management | |||
| DescribeGroup | Grants permission to describe a QuickSight group | Read | |||
| DescribeIAMPolicyAssignment | Grants permission to describe an existing assignment | Read | |||
| DescribeIngestion | Grants permission to describe a SPICE ingestion on a dataset | Read | |||
| DescribeNamespace | Grants permission to describe a QuickSight namespace | Read | |||
| DescribeTemplate | Grants permission to describe a template | Read | |||
| DescribeTemplateAlias | Grants permission to describe a template alias | Read | |||
| DescribeTemplatePermissions | Grants permission to describe permissions for a template | Read | |||
| DescribeTheme | Grants permission to describe a theme | Read | |||
| DescribeThemeAlias | Grants permission to describe a theme alias | Read | |||
| DescribeThemePermissions | Grants permission to describe permissions for a theme | Read | |||
| DescribeUser | Grants permission to describe a QuickSight user given the user name | Read | |||
| GetAuthCode [permission only] | Grants permission to get an auth code representing a QuickSight user | Read | |||
| GetDashboardEmbedUrl | Grants permission to get a URL used to embed a QuickSight Dashboard | Read | |||
| GetGroupMapping [permission only] | Grants permission to use Amazon QuickSight, in Enterprise edition, to identify and display the Microsoft Active Directory (Microsoft Active Directory) directory groups that are mapped to roles in Amazon QuickSight | Read | |||
| GetSessionEmbedUrl | Grants permission to get a URL to embed QuickSight console experience | Read | |||
| ListAnalyses | Grants permission to list all analyses in an account | List | |||
| ListCustomPermissions [permission only] | Grants permission to list custom permissions resources in QuickSight account | Write | |||
| ListDashboardVersions | Grants permission to list all versions of a QuickSight Dashboard | List | |||
| ListDashboards | Grants permission to list all Dashboards in a QuickSight Account | List | |||
| ListDataSets | Grants permission to list all datasets | List | |||
| ListDataSources | Grants permission to list all data sources | List | |||
| ListGroupMemberships | Grants permission to list member users in a group | List | |||
| ListGroups | Grants permission to list all user groups in QuickSight | List | |||
| ListIAMPolicyAssignments | Grants permission to list all assignments in the current Amazon QuickSight account | List | |||
| ListIAMPolicyAssignmentsForUser | Grants permission to list all assignments assigned to a user and the groups it belongs | List | |||
| ListIngestions | Grants permission to list all SPICE ingestions on a dataset | Read | |||
| ListNamespaces | Grants permission to lists all namespaces in a QuickSight account | Write | |||
| ListTagsForResource | Grants permission to list tags of a QuickSight resource | List | |||
| ListTemplateAliases | Grants permission to list all aliases for a template | List | |||
| ListTemplateVersions | Grants permission to list all versions of a template | List | |||
| ListTemplates | Grants permission to list all templates in a QuickSight account | List | |||
| ListThemeAliases | Grants permission to list all aliases of a theme | List | |||
| ListThemeVersions | Grants permission to list all versions of a theme | List | |||
| ListThemes | Grants permission to list all themes in an account | List | |||
| ListUserGroups | Grants permission to list groups that a given user is a member of | List | |||
| ListUsers | Grants permission to list all of the QuickSight users belonging to this account | List | |||
| PassDataSet [permission only] | Grants permission to use a dataset for a template | Read | |||
| PassDataSource [permission only] | Grants permission to use a data source for a data set | Read | |||
| RegisterUser | Grants permission to create a QuickSight user, whose identity is associated with the IAM identity/role specified in the request | Write | |||
| RestoreAnalysis | Grants permission to restore a deleted analysis | Write | |||
| SearchAnalyses | Grants permission to search for a sub-set of analyses | List | |||
| SearchDashboards | Grants permission to search for a sub-set of QuickSight Dashboards | List | |||
| SearchDirectoryGroups [permission only] | Grants permission to use Amazon QuickSight, in Enterprise edition, to display your Microsoft Active Directory directory groups so that you can choose which ones to map to roles in Amazon QuickSight | Write | |||
| SetGroupMapping [permission only] | Grants permission to use Amazon QuickSight, in Enterprise edition, to display your Microsoft Active Directory directory groups so that you can choose which ones to map to roles in Amazon QuickSight | Write | |||
| Subscribe [permission only] | Grants permission to subscribe to Amazon QuickSight, and also to allow the user to upgrade the subscription to Enterprise edition | Write | |||
| TagResource | Grants permission to add tags to a QuickSight resource | Tagging | |||
| Unsubscribe [permission only] | Grants permission to unsubscribe from Amazon QuickSight, which permanently deletes all users and their resources from Amazon QuickSight | Write | |||
| UntagResource | Grants permission to remove tags from a QuickSight resource | Tagging | |||
| UpdateAccountCustomization | Grants permission to update an account customization for QuickSight account or namespace | Write | |||
| UpdateAccountSettings | Grants permission to update the administrative account settings for QuickSight account | Write | |||
| UpdateAnalysis | Grants permission to update an analysis | Write | |||
| UpdateAnalysisPermissions | Grants permission to update permissions for an analysis | Write | |||
| UpdateCustomPermissions [permission only] | Grants permission to update a custom permissions resource | Write | |||
| UpdateDashboard | Grants permission to update a QuickSight Dashboard | Write | |||
| UpdateDashboardPermissions | Grants permission to update permissions for a QuickSight Dashboard | Write | |||
| UpdateDashboardPublishedVersion | Grants permission to update a QuickSight Dashboard’s Published Version | Write | |||
| UpdateDataSet | Grants permission to update a dataset | Write |
quicksight:PassDataSource |
||
| UpdateDataSetPermissions | Grants permission to update the resource policy of a dataset | Permissions management | |||
| UpdateDataSource | Grants permission to update a data source | Write | |||
| UpdateDataSourcePermissions | Grants permission to update the resource policy of a data source | Permissions management | |||
| UpdateGroup | Grants permission to change group description | Write | |||
| UpdateIAMPolicyAssignment | Grants permission to update an existing assignment | Write | |||
| UpdateTemplate | Grants permission to update a template | Write | |||
| UpdateTemplateAlias | Grants permission to update a template alias | Write | |||
| UpdateTemplatePermissions | Grants permission to update permissions for a template | Write | |||
| UpdateTheme | Grants permission to update a theme | Write | |||
| UpdateThemeAlias | Grants permission to update the alias of a theme | Write | |||
| UpdateThemePermissions | Grants permission to update permissions for a theme | Write | |||
| UpdateUser | Grants permission to update an Amazon QuickSight user | Write |
Resource types defined by Amazon QuickSight
The following resource types are defined by this service and can be used in the
Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource
type can also define which condition keys you can include in a policy. These
keys are displayed in the last column of the table. For details about the columns
in the following table, see The resource types table.
| Resource types | ARN | Condition keys |
|---|---|---|
| user |
arn:${Partition}:quicksight:${Region}:${Account}:user/${ResourceId}
|
|
| group |
arn:${Partition}:quicksight:${Region}:${Account}:group/${ResourceId}
|
|
| analysis |
arn:${Partition}:quicksight:${Region}:${Account}:analysis/${ResourceId}
|
|
| dashboard |
arn:${Partition}:quicksight:${Region}:${Account}:dashboard/${ResourceId}
|
|
| template |
arn:${Partition}:quicksight:${Region}:${Account}:template/${ResourceId}
|
|
| datasource |
arn:${Partition}:quicksight:${Region}:${Account}:datasource/${ResourceId}
|
|
| dataset |
arn:${Partition}:quicksight:${Region}:${Account}:dataset/${ResourceId}
|
|
| ingestion |
arn:${Partition}:quicksight:${Region}:${Account}:dataset/${DatasetId}/ingestion/${ResourceId}
|
|
| theme |
arn:${Partition}:quicksight:${Region}:${Account}:theme/${ResourceId}
|
|
| assignment |
arn:${Partition}:quicksight::${Account}:assignment/${ResourceId}
|
|
| customization |
arn:${Partition}:quicksight::${Account}:customization/${ResourceId}
|
|
| namespace |
arn:${Partition}:quicksight::${Account}:namespace/${ResourceId}
|
Condition keys for Amazon QuickSight
Amazon QuickSight defines the following condition keys that can be used in the
Condition element of an IAM policy. You can use these keys to further refine the conditions
under which the policy statement applies. For details about the columns in the
following table, see The condition keys table.
To view the global condition keys that are available to all services, see Available global condition keys.
| Condition keys | Description | Type |
|---|---|---|
| aws:RequestTag/${TagKey} | Filters access by tag key-value pairs in the request | String |
| aws:ResourceTag/${TagKey} | Filters access by tag key-value pairs attached to the resource | String |
| aws:TagKeys | Filters access by tag keys | String |
| quicksight:IamArn | Filters access by IAM user or role ARN | String |
| quicksight:SessionName | Filters access by session name | String |
| quicksight:UserName | Filters access by user name | String |
