Actions, resources, and condition keys for Amazon QuickSight - Service Authorization Reference

Actions, resources, and condition keys for Amazon QuickSight

Amazon QuickSight (service prefix: quicksight) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

Actions defined by Amazon QuickSight

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The Resource types column indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. Required resources are indicated in the table with an asterisk (*). If you specify a resource-level permission ARN in a statement using this action, then it must be of this type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table.

| Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions |
|---|---|---|---|---|---|
| CancelIngestion | Grants permission to cancel a SPICE ingestion on a dataset | Write | ingestion* | aws:RequestTag/${TagKey}, aws:TagKeys | |
| CreateAccountCustomization | Grants permission to create an account customization for a QuickSight account or namespace | Write | | aws:RequestTag/${TagKey}, aws:TagKeys | |
| CreateAdmin [permission only] | Grants permission to provision Amazon QuickSight administrators, authors, and readers | Write | user* | | |
| CreateAnalysis | Grants permission to create an analysis from a template | Write | analysis* | aws:RequestTag/${TagKey}, aws:TagKeys | |
| CreateCustomPermissions [permission only] | Grants permission to create a custom permissions resource for restricting user access | Write | | | |
| CreateDashboard | Grants permission to create a QuickSight Dashboard | Write | dashboard* | aws:RequestTag/${TagKey}, aws:TagKeys | |
| CreateDataSet | Grants permission to create a dataset | Write | datasource* | aws:RequestTag/${TagKey}, aws:TagKeys | quicksight:PassDataSource |
| CreateDataSource | Grants permission to create a data source | Write | | aws:RequestTag/${TagKey}, aws:TagKeys | |
| CreateGroup | Grants permission to create a QuickSight group | Write | group* | | |
| CreateGroupMembership | Grants permission to add a QuickSight user to a QuickSight group | Write | group* | quicksight:UserName | |
| CreateIAMPolicyAssignment | Grants permission to create an assignment with one specified IAM Policy ARN that will be assigned to specified groups or users of QuickSight | Write | assignment* | | |
| CreateIngestion | Grants permission to start a SPICE ingestion on a dataset | Write | ingestion* | aws:RequestTag/${TagKey}, aws:TagKeys | |
| CreateNamespace | Grants permission to create a QuickSight namespace | Write | namespace* | | |
| CreateReader [permission only] | Grants permission to provision Amazon QuickSight readers | Write | user* | | |
| CreateTemplate | Grants permission to create a template | Write | template* | aws:RequestTag/${TagKey}, aws:TagKeys | |
| CreateTemplateAlias | Grants permission to create a template alias | Write | template* | | |
| CreateTheme | Grants permission to create a theme | Write | theme* | aws:RequestTag/${TagKey}, aws:TagKeys | |
| CreateThemeAlias | Grants permission to create an alias for a theme version | Write | theme* | | |
| CreateUser [permission only] | Grants permission to provision Amazon QuickSight authors and readers | Write | user* | | |
| CreateVPCConnection [permission only] | Grants permission to create a VPC connection | Write | | | |
| DeleteAccountCustomization | Grants permission to delete an account customization for a QuickSight account or namespace | Write | customization* | | |
| DeleteAnalysis | Grants permission to delete an analysis | Write | analysis* | | |
| DeleteCustomPermissions [permission only] | Grants permission to delete a custom permissions resource | Write | | | |
| DeleteDashboard | Grants permission to delete a QuickSight Dashboard | Write | dashboard* | | |
| DeleteDataSet | Grants permission to delete a dataset | Write | dataset* | aws:RequestTag/${TagKey}, aws:TagKeys | |
| DeleteDataSource | Grants permission to delete a data source | Write | datasource* | aws:RequestTag/${TagKey}, aws:TagKeys | |
| DeleteGroup | Grants permission to remove a user group from QuickSight | Write | group* | | |
| DeleteGroupMembership | Grants permission to remove a user from a group so that he/she is no longer a member of the group | Write | group* | quicksight:UserName | |
| DeleteIAMPolicyAssignment | Grants permission to update an existing assignment | Write | assignment* | | |
| DeleteNamespace | Grants permission to delete a QuickSight namespace | Write | namespace* | | |
| DeleteTemplate | Grants permission to delete a template | Write | template* | | |
| DeleteTemplateAlias | Grants permission to delete a template alias | Write | template* | | |
| DeleteTheme | Grants permission to delete a theme | Write | theme* | | |
| DeleteThemeAlias | Grants permission to delete the alias of a theme | Write | theme* | | |
| DeleteUser | Grants permission to delete a QuickSight user, given the user name | Write | user* | | |
| DeleteUserByPrincipalId | Grants permission to delete a user identified by its principal ID | Write | user* | | |
| DeleteVPCConnection [permission only] | Grants permission to delete a VPC connection | Write | | | |
| DescribeAccountCustomization | Grants permission to describe an account customization for a QuickSight account or namespace | Read | customization* | | |
| DescribeAccountSettings | Grants permission to describe the administrative account settings for a QuickSight account | Read | | | |
| DescribeAnalysis | Grants permission to describe an analysis | Read | analysis* | | |
| DescribeAnalysisPermissions | Grants permission to describe permissions for an analysis | Read | analysis* | | |
| DescribeCustomPermissions [permission only] | Grants permission to describe a custom permissions resource in a QuickSight account | Write | | | |
| DescribeDashboard | Grants permission to describe a QuickSight Dashboard | Read | dashboard* | | |
| DescribeDashboardPermissions | Grants permission to describe permissions for a QuickSight Dashboard | Read | dashboard* | | |
| DescribeDataSet | Grants permission to describe a dataset | Read | dataset* | aws:RequestTag/${TagKey}, aws:TagKeys | |
| DescribeDataSetPermissions | Grants permission to describe the resource policy of a dataset | Permissions management | dataset* | aws:RequestTag/${TagKey}, aws:TagKeys | |
| DescribeDataSource | Grants permission to describe a data source | Read | datasource* | aws:RequestTag/${TagKey}, aws:TagKeys | |
| DescribeDataSourcePermissions | Grants permission to describe the resource policy of a data source | Permissions management | datasource* | aws:RequestTag/${TagKey}, aws:TagKeys | |
| DescribeGroup | Grants permission to describe a QuickSight group | Read | group* | | |
| DescribeIAMPolicyAssignment | Grants permission to describe an existing assignment | Read | assignment* | | |
| DescribeIngestion | Grants permission to describe a SPICE ingestion on a dataset | Read | ingestion* | aws:RequestTag/${TagKey}, aws:TagKeys | |
| DescribeNamespace | Grants permission to describe a QuickSight namespace | Read | namespace* | | |
| DescribeTemplate | Grants permission to describe a template | Read | template* | | |
| DescribeTemplateAlias | Grants permission to describe a template alias | Read | template* | | |
| DescribeTemplatePermissions | Grants permission to describe permissions for a template | Read | template* | | |
| DescribeTheme | Grants permission to describe a theme | Read | theme* | | |
| DescribeThemeAlias | Grants permission to describe a theme alias | Read | theme* | | |
| DescribeThemePermissions | Grants permission to describe permissions for a theme | Read | theme* | | |
| DescribeUser | Grants permission to describe a QuickSight user given the user name | Read | user* | | |
| GetAuthCode [permission only] | Grants permission to get an auth code representing a QuickSight user | Read | user* | | |
| GetDashboardEmbedUrl | Grants permission to get a URL used to embed a QuickSight Dashboard | Read | dashboard* | | |
| GetGroupMapping [permission only] | Grants permission to use Amazon QuickSight, in Enterprise edition, to identify and display the Microsoft Active Directory directory groups that are mapped to roles in Amazon QuickSight | Read | | | |
| GetSessionEmbedUrl | Grants permission to get a URL to embed the QuickSight console experience | Read | | | |
| ListAnalyses | Grants permission to list all analyses in an account | List | analysis* | | |
| ListCustomPermissions [permission only] | Grants permission to list custom permissions resources in a QuickSight account | Write | | | |
| ListDashboardVersions | Grants permission to list all versions of a QuickSight Dashboard | List | dashboard* | | |
| ListDashboards | Grants permission to list all Dashboards in a QuickSight Account | List | dashboard* | | |
| ListDataSets | Grants permission to list all datasets | List | | aws:RequestTag/${TagKey}, aws:TagKeys | |
| ListDataSources | Grants permission to list all data sources | List | | aws:RequestTag/${TagKey}, aws:TagKeys | |
| ListGroupMemberships | Grants permission to list member users in a group | List | group* | | |
| ListGroups | Grants permission to list all user groups in QuickSight | List | group* | | |
| ListIAMPolicyAssignments | Grants permission to list all assignments in the current Amazon QuickSight account | List | assignment* | | |
| ListIAMPolicyAssignmentsForUser | Grants permission to list all assignments assigned to a user and the groups it belongs to | List | assignment* | | |
| ListIngestions | Grants permission to list all SPICE ingestions on a dataset | Read | | aws:RequestTag/${TagKey}, aws:TagKeys | |
| ListNamespaces | Grants permission to list all namespaces in a QuickSight account | Write | | | |
| ListTagsForResource | Grants permission to list tags of a QuickSight resource | List | customization, dashboard, template, theme | | |
| ListTemplateAliases | Grants permission to list all aliases for a template | List | template* | | |
| ListTemplateVersions | Grants permission to list all versions of a template | List | template* | | |
| ListTemplates | Grants permission to list all templates in a QuickSight account | List | template* | | |
| ListThemeAliases | Grants permission to list all aliases of a theme | List | theme* | | |
| ListThemeVersions | Grants permission to list all versions of a theme | List | theme* | | |
| ListThemes | Grants permission to list all themes in an account | List | theme* | | |
| ListUserGroups | Grants permission to list groups that a given user is a member of | List | user* | | |
| ListUsers | Grants permission to list all of the QuickSight users belonging to this account | List | user* | | |
| PassDataSet [permission only] | Grants permission to use a dataset for a template | Read | dataset* | aws:RequestTag/${TagKey}, aws:TagKeys | |
| PassDataSource [permission only] | Grants permission to use a data source for a data set | Read | datasource* | aws:RequestTag/${TagKey}, aws:TagKeys | |
| RegisterUser | Grants permission to create a QuickSight user, whose identity is associated with the IAM identity/role specified in the request | Write | user* | quicksight:IamArn, quicksight:SessionName | |
| RestoreAnalysis | Grants permission to restore a deleted analysis | Write | analysis* | | |
| SearchAnalyses | Grants permission to search for a sub-set of analyses | List | analysis* | | |
| SearchDashboards | Grants permission to search for a sub-set of QuickSight Dashboards | List | dashboard* | | |
| SearchDirectoryGroups [permission only] | Grants permission to use Amazon QuickSight, in Enterprise edition, to display your Microsoft Active Directory directory groups so that you can choose which ones to map to roles in Amazon QuickSight | Write | | | |
| SetGroupMapping [permission only] | Grants permission to use Amazon QuickSight, in Enterprise edition, to display your Microsoft Active Directory directory groups so that you can choose which ones to map to roles in Amazon QuickSight | Write | | | |
| Subscribe [permission only] | Grants permission to subscribe to Amazon QuickSight, and also to allow the user to upgrade the subscription to Enterprise edition | Write | | | |
| TagResource | Grants permission to add tags to a QuickSight resource | Tagging | customization, dashboard, template, theme | aws:TagKeys, aws:RequestTag/${TagKey} | |
| Unsubscribe [permission only] | Grants permission to unsubscribe from Amazon QuickSight, which permanently deletes all users and their resources from Amazon QuickSight | Write | | | |
| UntagResource | Grants permission to remove tags from a QuickSight resource | Tagging | customization, dashboard, template, theme | aws:TagKeys | |
| UpdateAccountCustomization | Grants permission to update an account customization for a QuickSight account or namespace | Write | customization* | | |
| UpdateAccountSettings | Grants permission to update the administrative account settings for a QuickSight account | Write | | | |
| UpdateAnalysis | Grants permission to update an analysis | Write | analysis* | | |
| UpdateAnalysisPermissions | Grants permission to update permissions for an analysis | Write | analysis* | | |
| UpdateCustomPermissions [permission only] | Grants permission to update a custom permissions resource | Write | | | |
| UpdateDashboard | Grants permission to update a QuickSight Dashboard | Write | dashboard* | | |
| UpdateDashboardPermissions | Grants permission to update permissions for a QuickSight Dashboard | Write | dashboard* | | |
| UpdateDashboardPublishedVersion | Grants permission to update a QuickSight Dashboard’s Published Version | Write | dashboard* | | |
| UpdateDataSet | Grants permission to update a dataset | Write | dataset*, datasource | aws:RequestTag/${TagKey}, aws:TagKeys | quicksight:PassDataSource |
| UpdateDataSetPermissions | Grants permission to update the resource policy of a dataset | Permissions management | dataset* | aws:RequestTag/${TagKey}, aws:TagKeys | |
| UpdateDataSource | Grants permission to update a data source | Write | datasource* | aws:RequestTag/${TagKey}, aws:TagKeys | |
| UpdateDataSourcePermissions | Grants permission to update the resource policy of a data source | Permissions management | datasource* | aws:RequestTag/${TagKey}, aws:TagKeys | |
| UpdateGroup | Grants permission to change group description | Write | group* | | |
| UpdateIAMPolicyAssignment | Grants permission to update an existing assignment | Write | assignment* | | |
| UpdateTemplate | Grants permission to update a template | Write | template* | | |
| UpdateTemplateAlias | Grants permission to update a template alias | Write | template* | | |
| UpdateTemplatePermissions | Grants permission to update permissions for a template | Write | template* | | |
| UpdateTheme | Grants permission to update a theme | Write | theme* | | |
| UpdateThemeAlias | Grants permission to update the alias of a theme | Write | theme* | | |
| UpdateThemePermissions | Grants permission to update permissions for a theme | Write | theme* | | |
| UpdateUser | Grants permission to update an Amazon QuickSight user | Write | user* | | |


Resource types defined by Amazon QuickSight

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the table. For details about the columns in the following table, see The resource types table.

| Resource types | ARN | Condition keys |
|---|---|---|
| user | arn:${Partition}:quicksight:${Region}:${Account}:user/${ResourceId} | |
| group | arn:${Partition}:quicksight:${Region}:${Account}:group/${ResourceId} | |
| analysis | arn:${Partition}:quicksight:${Region}:${Account}:analysis/${ResourceId} | aws:ResourceTag/${TagKey} |
| dashboard | arn:${Partition}:quicksight:${Region}:${Account}:dashboard/${ResourceId} | aws:ResourceTag/${TagKey} |
| template | arn:${Partition}:quicksight:${Region}:${Account}:template/${ResourceId} | aws:ResourceTag/${TagKey} |
| datasource | arn:${Partition}:quicksight:${Region}:${Account}:datasource/${ResourceId} | aws:ResourceTag/${TagKey} |
| dataset | arn:${Partition}:quicksight:${Region}:${Account}:dataset/${ResourceId} | aws:ResourceTag/${TagKey} |
| ingestion | arn:${Partition}:quicksight:${Region}:${Account}:dataset/${DatasetId}/ingestion/${ResourceId} | aws:ResourceTag/${TagKey} |
| theme | arn:${Partition}:quicksight:${Region}:${Account}:theme/${ResourceId} | aws:ResourceTag/${TagKey} |
| assignment | arn:${Partition}:quicksight::${Account}:assignment/${ResourceId} | |
| customization | arn:${Partition}:quicksight::${Account}:customization/${ResourceId} | aws:ResourceTag/${TagKey} |
| namespace | arn:${Partition}:quicksight::${Account}:namespace/${ResourceId} | |
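
How the Resource element interacts with the resource types above, as an added example (not AWS code): a simplified matcher that checks one policy statement against requests built from the table's ARN formats. The account ID, resource IDs and sample statement are constructed, and the matcher ignores Condition, NotAction, NotResource and policy variables.

```python
import re
from string import Template

# ARN formats copied from the resource types table (subset).
ARN_FORMATS = {
    "dataset": "arn:${Partition}:quicksight:${Region}:${Account}:dataset/${ResourceId}",
    "ingestion": "arn:${Partition}:quicksight:${Region}:${Account}"
                 ":dataset/${DatasetId}/ingestion/${ResourceId}",
}
# Subset of the actions table: action -> required resource type. None means the
# table lists no resource type, so the request is evaluated against "*".
ACTION_TYPE = {
    "quicksight:DeleteDataSet": "dataset",
    "quicksight:CancelIngestion": "ingestion",
    "quicksight:CreateDataSource": None,
}
# Constructed placeholder values used to build concrete request ARNs.
IDS = dict(Partition="aws", Region="us-east-1", Account="111122223333",
           ResourceId="example-id", DatasetId="example-dataset")

def iam_match(pattern, value, ignore_case=False):
    """IAM wildcard match: '*' is any run of characters, '?' is one character."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                 for c in pattern)
    flags = re.S | (re.I if ignore_case else 0)
    return re.fullmatch(rx, value, flags) is not None

def as_list(value):
    return value if isinstance(value, list) else [value]

def request_resource(action):
    """Concrete resource a request for this action is evaluated against."""
    rtype = ACTION_TYPE[action]
    return "*" if rtype is None else Template(ARN_FORMATS[rtype]).substitute(IDS)

def statement_applies(stmt, action):
    """True if both the Action and Resource elements match the request."""
    resource = request_resource(action)
    return (any(iam_match(a, action, ignore_case=True) for a in as_list(stmt["Action"]))
            and any(iam_match(r, resource) for r in as_list(stmt["Resource"])))

def coverage(stmt):
    """Map each action in the subset to whether the statement applies to it."""
    return {action: statement_applies(stmt, action) for action in ACTION_TYPE}

# Constructed sample: a Deny that is scoped to dataset ARNs only.
DENY_DATASETS = {
    "Effect": "Deny",
    "Action": ["quicksight:DeleteDataSet", "quicksight:CancelIngestion",
               "quicksight:CreateDataSource"],
    "Resource": "arn:aws:quicksight:us-east-1:111122223333:dataset/*",
}
```

For the sample statement, `coverage(DENY_DATASETS)` shows that `dataset/*` also covers ingestion ARNs, because they nest under `dataset/`, while the Deny never applies to CreateDataSource, which has no resource type and only matches `"*"`.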

Condition keys for Amazon QuickSight

Amazon QuickSight defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see The condition keys table.

To view the global condition keys that are available to all services, see Available global condition keys.

| Condition keys | Description | Type |
|---|---|---|
| aws:RequestTag/${TagKey} | Filters access by tag key-value pairs in the request | String |
| aws:ResourceTag/${TagKey} | Filters access by tag key-value pairs attached to the resource | String |
| aws:TagKeys | Filters access by tag keys | String |
| quicksight:IamArn | Filters access by IAM user or role ARN | String |
| quicksight:SessionName | Filters access by session name | String |
| quicksight:UserName | Filters access by user name | String |