Actions, resources, and condition keys for Amazon QuickSight - Service Authorization Reference

Actions, resources, and condition keys for Amazon QuickSight

Amazon QuickSight (service prefix: quicksight) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

Actions defined by Amazon QuickSight

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The Resource types column indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. Required resources are indicated in the table with an asterisk (*). If you specify a resource-level permission ARN in a statement using this action, then it must be of this type. Some actions support multiple resource types. If a resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

For details about the columns in the following table, see Actions table.

| Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions |
| --- | --- | --- | --- | --- | --- |
| AccountConfigurations [permission only] | Grants permission to enable setting default access to AWS resources | Write | | | |
| CancelIngestion | Grants permission to cancel a SPICE ingestion on a dataset | Write | ingestion* | aws:RequestTag/${TagKey}, aws:TagKeys | |
| CreateAccountCustomization | Grants permission to create an account customization for QuickSight account or namespace | Write | | aws:RequestTag/${TagKey}, aws:TagKeys | |
| CreateAccountSubscription | Grants permission to subscribe to QuickSight | Write | | | |
| CreateAdmin [permission only] | Grants permission to provision Amazon QuickSight administrators, authors, and readers | Write | user* | | |
| CreateAnalysis | Grants permission to create an analysis from a template | Write | analysis* | aws:RequestTag/${TagKey}, aws:TagKeys | |
| CreateCustomPermissions [permission only] | Grants permission to create a custom permissions resource for restricting user access | Permissions management | | aws:RequestTag/${TagKey}, aws:TagKeys | |
| CreateDashboard | Grants permission to create a QuickSight Dashboard | Write | dashboard* | aws:RequestTag/${TagKey}, aws:TagKeys | |
| CreateDataSet | Grants permission to create a dataset | Write | datasource* | aws:RequestTag/${TagKey}, aws:TagKeys | quicksight:PassDataSource |
| CreateDataSource | Grants permission to create a data source | Write | | aws:RequestTag/${TagKey}, aws:TagKeys | |
| CreateEmailCustomizationTemplate [permission only] | Grants permission to create a QuickSight email customization template | Write | emailCustomizationTemplate* | | |
| CreateFolder | Grants permission to create a QuickSight folder | Write | folder* | aws:RequestTag/${TagKey}, aws:TagKeys | |
| CreateFolderMembership | Grants permission to add a QuickSight Dashboard, Analysis or Dataset to a QuickSight Folder | Write | folder*, analysis, dashboard, dataset | | |
| CreateGroup | Grants permission to create a QuickSight group | Write | group* | | |
| CreateGroupMembership | Grants permission to add a QuickSight user to a QuickSight group | Write | group* | quicksight:UserName, aws:TagKeys, aws:RequestTag/${TagKey} | |
| CreateIAMPolicyAssignment | Grants permission to create an assignment with one specified IAM Policy ARN that will be assigned to specified groups or users of QuickSight | Write | assignment* | | |
| CreateIngestion | Grants permission to start a SPICE ingestion on a dataset | Write | ingestion* | aws:RequestTag/${TagKey}, aws:TagKeys | |
| CreateNamespace | Grants permission to create a QuickSight namespace | Write | namespace* | | ds:CreateIdentityPoolDirectory |
| CreateReader [permission only] | Grants permission to provision Amazon QuickSight readers | Write | user* | | |
| CreateTemplate | Grants permission to create a template | Write | template* | aws:RequestTag/${TagKey}, aws:TagKeys | |
| CreateTemplateAlias | Grants permission to create a template alias | Write | template* | aws:RequestTag/${TagKey}, aws:TagKeys | |
| CreateTheme | Grants permission to create a theme | Write | theme* | aws:RequestTag/${TagKey}, aws:TagKeys | |
| CreateThemeAlias | Grants permission to create an alias for a theme version | Write | theme* | aws:RequestTag/${TagKey}, aws:TagKeys | |
| CreateUser [permission only] | Grants permission to provision Amazon QuickSight authors and readers | Write | user* | | |
| CreateVPCConnection [permission only] | Grants permission to create a VPC connection | Write | | | |
| DeleteAccountCustomization | Grants permission to delete an account customization for QuickSight account or namespace | Write | customization* | | |
| DeleteAnalysis | Grants permission to delete an analysis | Write | analysis* | | |
| DeleteCustomPermissions [permission only] | Grants permission to delete a custom permissions resource | Permissions management | | | |
| DeleteDashboard | Grants permission to delete a QuickSight Dashboard | Write | dashboard* | | |
| DeleteDataSet | Grants permission to delete a dataset | Write | dataset* | aws:RequestTag/${TagKey}, aws:TagKeys | |
| DeleteDataSource | Grants permission to delete a data source | Write | datasource* | aws:RequestTag/${TagKey}, aws:TagKeys | |
| DeleteEmailCustomizationTemplate [permission only] | Grants permission to delete a QuickSight email customization template | Write | emailCustomizationTemplate* | | |
| DeleteFolder | Grants permission to delete a QuickSight Folder | Write | folder* | | |
| DeleteFolderMembership | Grants permission to remove a QuickSight Dashboard, Analysis or Dataset from a QuickSight Folder | Write | folder*, analysis, dashboard, dataset | | |
| DeleteGroup | Grants permission to remove a user group from QuickSight | Write | group* | | |
| DeleteGroupMembership | Grants permission to remove a user from a group so that he/she is no longer a member of the group | Write | group* | quicksight:UserName | |
| DeleteIAMPolicyAssignment | Grants permission to update an existing assignment | Write | assignment* | | |
| DeleteNamespace | Grants permission to delete a QuickSight namespace | Write | namespace* | | ds:DeleteDirectory |
| DeleteTemplate | Grants permission to delete a template | Write | template* | | |
| DeleteTemplateAlias | Grants permission to delete a template alias | Write | template* | | |
| DeleteTheme | Grants permission to delete a theme | Write | theme* | | |
| DeleteThemeAlias | Grants permission to delete the alias of a theme | Write | theme* | | |
| DeleteUser | Grants permission to delete a QuickSight user, given the user name | Write | user* | | |
| DeleteUserByPrincipalId | Grants permission to delete a user identified by its principal ID | Write | user* | | |
| DeleteVPCConnection [permission only] | Grants permission to delete a VPC connection | Write | | | |
| DescribeAccountCustomization | Grants permission to describe an account customization for QuickSight account or namespace | Read | customization* | | |
| DescribeAccountSettings | Grants permission to describe the administrative account settings for QuickSight account | Read | | | |
| DescribeAccountSubscription | Grants permission to describe a QuickSight account | Read | account* | | |
| DescribeAnalysis | Grants permission to describe an analysis | Read | analysis* | | |
| DescribeAnalysisPermissions | Grants permission to describe permissions for an analysis | Read | analysis* | | |
| DescribeCustomPermissions [permission only] | Grants permission to describe a custom permissions resource in a QuickSight account | Write | | | |
| DescribeDashboard | Grants permission to describe a QuickSight Dashboard | Read | dashboard* | | |
| DescribeDashboardPermissions | Grants permission to describe permissions for a QuickSight Dashboard | Read | dashboard* | | |
| DescribeDataSet | Grants permission to describe a dataset | Read | dataset* | aws:RequestTag/${TagKey}, aws:TagKeys | |
| DescribeDataSetPermissions | Grants permission to describe the resource policy of a dataset | Permissions management | dataset* | aws:RequestTag/${TagKey}, aws:TagKeys | |
| DescribeDataSource | Grants permission to describe a data source | Read | datasource* | aws:RequestTag/${TagKey}, aws:TagKeys | |
| DescribeDataSourcePermissions | Grants permission to describe the resource policy of a data source | Permissions management | datasource* | aws:RequestTag/${TagKey}, aws:TagKeys | |
| DescribeEmailCustomizationTemplate [permission only] | Grants permission to describe a QuickSight email customization template | Read | emailCustomizationTemplate* | | |
| DescribeFolder | Grants permission to describe a QuickSight Folder | Read | folder* | | |
| DescribeFolderPermissions | Grants permission to describe permissions for a QuickSight Folder | Read | folder* | | |
| DescribeFolderResolvedPermissions | Grants permission to describe resolved permissions for a QuickSight Folder | Read | folder* | | |
| DescribeGroup | Grants permission to describe a QuickSight group | Read | group* | | |
| DescribeGroupMembership | Grants permission to describe a QuickSight group member | Read | group* | quicksight:UserName | |
| DescribeIAMPolicyAssignment | Grants permission to describe an existing assignment | Read | assignment* | | |
| DescribeIngestion | Grants permission to describe a SPICE ingestion on a dataset | Read | ingestion* | aws:RequestTag/${TagKey}, aws:TagKeys | |
| DescribeIpRestriction | Grants permission to describe the IP restrictions for QuickSight account | Read | | | |
| DescribeNamespace | Grants permission to describe a QuickSight namespace | Read | namespace* | | |
| DescribeTemplate | Grants permission to describe a template | Read | template* | | |
| DescribeTemplateAlias | Grants permission to describe a template alias | Read | template* | | |
| DescribeTemplatePermissions | Grants permission to describe permissions for a template | Read | template* | | |
| DescribeTheme | Grants permission to describe a theme | Read | theme* | | |
| DescribeThemeAlias | Grants permission to describe a theme alias | Read | theme* | | |
| DescribeThemePermissions | Grants permission to describe permissions for a theme | Read | theme* | | |
| DescribeUser | Grants permission to describe a QuickSight user given the user name | Read | user* | | |
| GenerateEmbedUrlForAnonymousUser | Grants permission to generate a URL used to embed a QuickSight Dashboard for a user not registered with QuickSight | Write | dashboard*, namespace* | aws:TagKeys, aws:RequestTag/${TagKey}, quicksight:AllowedEmbeddingDomains | |
| GenerateEmbedUrlForRegisteredUser | Grants permission to generate a URL used to embed a QuickSight Dashboard for a user registered with QuickSight | Write | user* | quicksight:AllowedEmbeddingDomains | |
| GetAnonymousUserEmbedUrl [permission only] | Grants permission to get a URL used to embed a QuickSight Dashboard for a user not registered with QuickSight | Read | | | |
| GetAuthCode [permission only] | Grants permission to get an auth code representing a QuickSight user | Read | user* | | |
| GetDashboardEmbedUrl | Grants permission to get a URL used to embed a QuickSight Dashboard | Read | dashboard* | | |
| GetGroupMapping [permission only] | Grants permission to use Amazon QuickSight, in Enterprise edition, to identify and display the Microsoft Active Directory directory groups that are mapped to roles in Amazon QuickSight | Read | | | |
| GetSessionEmbedUrl | Grants permission to get a URL to embed QuickSight console experience | Read | | | |
| ListAnalyses | Grants permission to list all analyses in an account | List | analysis* | | |
| ListCustomPermissions [permission only] | Grants permission to list custom permissions resources in QuickSight account | Write | | | |
| ListDashboardVersions | Grants permission to list all versions of a QuickSight Dashboard | List | dashboard* | | |
| ListDashboards | Grants permission to list all Dashboards in a QuickSight Account | List | dashboard* | | |
| ListDataSets | Grants permission to list all datasets | List | | aws:RequestTag/${TagKey}, aws:TagKeys | |
| ListDataSources | Grants permission to list all data sources | List | | aws:RequestTag/${TagKey}, aws:TagKeys | |
| ListFolderMembers | Grants permission to list all members in a folder | Read | folder* | | |
| ListFolders | Grants permission to list all Folders in a QuickSight Account | List | folder* | | |
| ListGroupMemberships | Grants permission to list member users in a group | List | group* | | |
| ListGroups | Grants permission to list all user groups in QuickSight | List | group* | | |
| ListIAMPolicyAssignments | Grants permission to list all assignments in the current Amazon QuickSight account | List | assignment* | | |
| ListIAMPolicyAssignmentsForUser | Grants permission to list all assignments assigned to a user and the groups it belongs to | List | assignment* | | |
| ListIngestions | Grants permission to list all SPICE ingestions on a dataset | List | | aws:RequestTag/${TagKey}, aws:TagKeys | |
| ListNamespaces | Grants permission to list all namespaces in a QuickSight account | List | | | |
| ListTagsForResource | Grants permission to list tags of a QuickSight resource | Read | customization, dashboard, folder, template, theme | | |
| ListTemplateAliases | Grants permission to list all aliases for a template | List | template* | | |
| ListTemplateVersions | Grants permission to list all versions of a template | List | template* | | |
| ListTemplates | Grants permission to list all templates in a QuickSight account | List | template* | | |
| ListThemeAliases | Grants permission to list all aliases of a theme | List | theme* | | |
| ListThemeVersions | Grants permission to list all versions of a theme | List | theme* | | |
| ListThemes | Grants permission to list all themes in an account | List | theme* | | |
| ListUserGroups | Grants permission to list groups that a given user is a member of | List | user* | | |
| ListUsers | Grants permission to list all of the QuickSight users belonging to this account | List | user* | | |
| PassDataSet [permission only] | Grants permission to use a dataset for a template | Read | dataset* | aws:RequestTag/${TagKey}, aws:TagKeys | |
| PassDataSource [permission only] | Grants permission to use a data source for a data set | Read | datasource* | aws:RequestTag/${TagKey}, aws:TagKeys | |
| RegisterUser | Grants permission to create a QuickSight user, whose identity is associated with the IAM identity/role specified in the request | Write | user* | quicksight:IamArn, quicksight:SessionName | |
| RestoreAnalysis | Grants permission to restore a deleted analysis | Write | analysis* | | |
| ScopeDownPolicy [permission only] | Grants permission to manage scoping policies for permissions to AWS resources | Write | | | |
| SearchAnalyses | Grants permission to search for a sub-set of analyses | List | analysis* | | |
| SearchDashboards | Grants permission to search for a sub-set of QuickSight Dashboards | List | dashboard* | | |
| SearchDirectoryGroups [permission only] | Grants permission to use Amazon QuickSight, in Enterprise edition, to display your Microsoft Active Directory directory groups so that you can choose which ones to map to roles in Amazon QuickSight | List | | | |
| SearchFolders | Grants permission to search for a sub-set of QuickSight Folders | Read | folder* | | |
| SearchGroups | Grants permission to search for a sub-set of QuickSight groups | List | group* | | |
| SetGroupMapping [permission only] | Grants permission to use Amazon QuickSight, in Enterprise edition, to display your Microsoft Active Directory directory groups so that you can choose which ones to map to roles in Amazon QuickSight | Write | | | |
| Subscribe [permission only] | Grants permission to subscribe to Amazon QuickSight, and also to allow the user to upgrade the subscription to Enterprise edition | Write | | quicksight:Edition, quicksight:DirectoryType | |
| TagResource | Grants permission to add tags to a QuickSight resource | Tagging | analysis, customization, dashboard, dataset, datasource, folder, ingestion, template, theme | aws:TagKeys, aws:RequestTag/${TagKey} | |
| Unsubscribe [permission only] | Grants permission to unsubscribe from Amazon QuickSight, which permanently deletes all users and their resources from Amazon QuickSight | Write | | | |
| UntagResource | Grants permission to remove tags from a QuickSight resource | Tagging | analysis, customization, dashboard, dataset, datasource, folder, ingestion, template, theme | aws:TagKeys | |
| UpdateAccountCustomization | Grants permission to update an account customization for QuickSight account or namespace | Write | customization* | | |
| UpdateAccountSettings | Grants permission to update the administrative account settings for QuickSight account | Write | | | |
| UpdateAnalysis | Grants permission to update an analysis | Write | analysis* | | |
| UpdateAnalysisPermissions | Grants permission to update permissions for an analysis | Permissions management | analysis* | | |
| UpdateCustomPermissions [permission only] | Grants permission to update a custom permissions resource | Permissions management | | | |
| UpdateDashboard | Grants permission to update a QuickSight Dashboard | Write | dashboard* | | |
| UpdateDashboardPermissions | Grants permission to update permissions for a QuickSight Dashboard | Permissions management | dashboard* | | |
| UpdateDashboardPublishedVersion | Grants permission to update a QuickSight Dashboard’s Published Version | Write | dashboard* | | |
| UpdateDataSet | Grants permission to update a dataset | Write | dataset*, datasource | aws:RequestTag/${TagKey}, aws:TagKeys | quicksight:PassDataSource |
| UpdateDataSetPermissions | Grants permission to update the resource policy of a dataset | Permissions management | dataset* | aws:RequestTag/${TagKey}, aws:TagKeys | |
| UpdateDataSource | Grants permission to update a data source | Write | datasource* | aws:RequestTag/${TagKey}, aws:TagKeys | |
| UpdateDataSourcePermissions | Grants permission to update the resource policy of a data source | Permissions management | datasource* | aws:RequestTag/${TagKey}, aws:TagKeys | |
| UpdateEmailCustomizationTemplate [permission only] | Grants permission to update a QuickSight email customization template | Write | emailCustomizationTemplate* | | |
| UpdateFolder | Grants permission to update a QuickSight Folder | Write | folder* | | |
| UpdateFolderPermissions | Grants permission to update permissions for a QuickSight Folder | Permissions management | folder* | | |
| UpdateGroup | Grants permission to change group description | Write | group* | | |
| UpdateIAMPolicyAssignment | Grants permission to update an existing assignment | Write | assignment* | | |
| UpdateIpRestriction | Grants permission to update the IP restrictions for QuickSight account | Write | | | |
| UpdatePublicSharingSettings | Grants permission to enable or disable public sharing on an account | Write | | | |
| UpdateResourcePermissions [permission only] | Grants permission to update resource-level permissions in QuickSight | Write | | | |
| UpdateTemplate | Grants permission to update a template | Write | template* | | |
| UpdateTemplateAlias | Grants permission to update a template alias | Write | template* | | |
| UpdateTemplatePermissions | Grants permission to update permissions for a template | Permissions management | template* | | |
| UpdateTheme | Grants permission to update a theme | Write | theme* | | |
| UpdateThemeAlias | Grants permission to update the alias of a theme | Write | theme* | | |
| UpdateThemePermissions | Grants permission to update permissions for a theme | Permissions management | theme* | | |
| UpdateUser | Grants permission to update an Amazon QuickSight user | Write | user* | | |

Resource types defined by Amazon QuickSight

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the table. For details about the columns in the following table, see Resource types table.

| Resource types | ARN | Condition keys |
| --- | --- | --- |
| account | arn:${Partition}:quicksight:${Region}:${Account}:account/${ResourceId} | |
| user | arn:${Partition}:quicksight:${Region}:${Account}:user/${ResourceId} | |
| group | arn:${Partition}:quicksight:${Region}:${Account}:group/${ResourceId} | |
| analysis | arn:${Partition}:quicksight:${Region}:${Account}:analysis/${ResourceId} | aws:ResourceTag/${TagKey} |
| dashboard | arn:${Partition}:quicksight:${Region}:${Account}:dashboard/${ResourceId} | aws:ResourceTag/${TagKey} |
| template | arn:${Partition}:quicksight:${Region}:${Account}:template/${ResourceId} | aws:ResourceTag/${TagKey} |
| datasource | arn:${Partition}:quicksight:${Region}:${Account}:datasource/${ResourceId} | aws:ResourceTag/${TagKey} |
| dataset | arn:${Partition}:quicksight:${Region}:${Account}:dataset/${ResourceId} | aws:ResourceTag/${TagKey} |
| ingestion | arn:${Partition}:quicksight:${Region}:${Account}:dataset/${DatasetId}/ingestion/${ResourceId} | aws:ResourceTag/${TagKey} |
| theme | arn:${Partition}:quicksight:${Region}:${Account}:theme/${ResourceId} | aws:ResourceTag/${TagKey} |
| assignment | arn:${Partition}:quicksight::${Account}:assignment/${ResourceId} | |
| customization | arn:${Partition}:quicksight:${Region}:${Account}:customization/${ResourceId} | aws:ResourceTag/${TagKey} |
| namespace | arn:${Partition}:quicksight:${Region}:${Account}:namespace/${ResourceId} | |
| folder | arn:${Partition}:quicksight:${Region}:${Account}:folder/${ResourceId} | aws:ResourceTag/${TagKey} |
| emailCustomizationTemplate | arn:${Partition}:quicksight:${Region}:${Account}:email-customization-template/${ResourceId} | aws:ResourceTag/${TagKey} |
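
The Resource rules from the Actions section can be checked mechanically against the ARN formats above. The following is an added example, not AWS tooling or code from this reference: `ACTION_RESOURCES` copies a few rows of the Actions table, and `arn_types`, `lint`, the account ID and the resource names in the sample policy are constructed for illustration.

```python
import re

# Subset of the Actions table: action -> resource types it accepts.
# An empty set means the table lists no resource type, so only "*" is valid.
ACTION_RESOURCES = {
    "DescribeDashboard": {"dashboard"},
    "DescribeDataSet": {"dataset"},
    "CreateIngestion": {"ingestion"},
    "GenerateEmbedUrlForRegisteredUser": {"user"},
    "CreateDataSource": set(),
    "UpdateIpRestriction": set(),
    "UpdatePublicSharingSettings": set(),
}

# arn:${Partition}:quicksight:${Region}:${Account}:<path>; Region may be empty.
ARN_RE = re.compile(r"^arn:[^:]*:quicksight:[^:]*:[^:]*:(?P<path>.+)$")


def arn_types(arn):
    """Resource types an ARN pattern can name; None if it is too broad to tell."""
    m = ARN_RE.match(arn)
    if not m:
        return set()  # not a QuickSight ARN at all
    path = m.group("path")
    head, _, rest = path.partition("/")
    if "*" in head:
        return None
    if head == "email-customization-template":
        return {"emailCustomizationTemplate"}
    if head == "dataset":
        if "/ingestion/" in path:
            return {"ingestion"}
        # IAM's "*" also matches "/", so dataset/* covers ingestion ARNs too.
        return {"dataset", "ingestion"} if "*" in rest else {"dataset"}
    return {head}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def lint(policy):
    """Return (statement index, action, resource, problem) for each mismatch."""
    findings = []
    for i, stmt in enumerate(_as_list(policy["Statement"])):
        for action in _as_list(stmt.get("Action", [])):
            prefix, _, name = action.partition(":")
            if prefix != "quicksight" or name not in ACTION_RESOURCES:
                continue  # outside the copied subset of the table
            allowed = ACTION_RESOURCES[name]
            for res in _as_list(stmt.get("Resource", [])):
                types = None if res == "*" else arn_types(res)
                if types is None:
                    continue
                if not allowed:
                    findings.append((i, name, res, 'no resource type in the table; Resource must be "*"'))
                elif not (types & allowed):
                    findings.append((i, name, res, "ARN type is not one this action accepts"))
    return findings


# Constructed sample policy (account ID and resource names are placeholders).
BASE = "arn:aws:quicksight:us-east-1:111122223333:"
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": BASE + "dashboard/sales",
     "Action": ["quicksight:DescribeDashboard", "quicksight:UpdateIpRestriction"]},
    {"Effect": "Allow", "Resource": BASE + "dataset/*",
     "Action": "quicksight:CreateIngestion"},
    {"Effect": "Allow", "Resource": BASE + "dashboard/sales",
     "Action": "quicksight:GenerateEmbedUrlForRegisteredUser"},
]}

if __name__ == "__main__":
    for finding in lint(SAMPLE_POLICY):
        print(finding)
```

The sample produces two findings: `UpdateIpRestriction` paired with a dashboard ARN, and `GenerateEmbedUrlForRegisteredUser` paired with a dashboard ARN where the table requires a user ARN.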

Condition keys for Amazon QuickSight

Amazon QuickSight defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see Condition keys table.

To view the global condition keys that are available to all services, see Available global condition keys.

| Condition keys | Description | Type |
| --- | --- | --- |
| aws:RequestTag/${TagKey} | Filters access by tag key-value pairs in the request | String |
| aws:ResourceTag/${TagKey} | Filters access by tag key-value pairs attached to the resource | String |
| aws:TagKeys | Filters access by tag keys | ArrayOfString |
| quicksight:AllowedEmbeddingDomains | Filters access by the allowed embedding domains | ArrayOfString |
| quicksight:DirectoryType | Filters access by the user management options | String |
| quicksight:Edition | Filters access by the edition of QuickSight | String |
| quicksight:IamArn | Filters access by IAM user or role ARN | String |
| quicksight:SessionName | Filters access by session name | String |
| quicksight:UserName | Filters access by user name | String |