Actions, resources, and condition keys for Amazon QuickSight
Amazon QuickSight (service prefix: quicksight) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.
References:
-
Learn how to configure this service.
-
View a list of the API operations available for this service.
-
Learn how to secure this service and its resources by using IAM permission policies.
Topics
Actions defined by Amazon QuickSight
You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.
The Resource types column indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. Required resources are indicated in the table with an asterisk (*). If you specify a resource-level permission ARN in a statement using this action, then it must be of this type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one but not the other.
For details about the columns in the following table, see Actions table.
| Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions |
|---|---|---|---|---|---|
| AccountConfigurations [permission only] | Grants permission to enable setting default access to AWS resources | Write | |||
| CancelIngestion | Grants permission to cancel a SPICE ingestions on a dataset | Write | |||
| CreateAccountCustomization | Grants permission to create an account customization for QuickSight account or namespace | Write | |||
| CreateAccountSubscription | Grants permission to subscribe to QuickSight | Write | |||
| CreateAdmin [permission only] | Grants permission to provision Amazon QuickSight administrators, authors, and readers | Write | |||
| CreateAnalysis | Grants permission to create an analysis from a template | Write | |||
| CreateCustomPermissions [permission only] | Grants permission to create a custom permissions resource for restricting user access | Permissions management | |||
| CreateDashboard | Grants permission to create a QuickSight Dashboard | Write | |||
| CreateDataSet | Grants permission to create a dataset | Write |
quicksight:PassDataSource |
||
| CreateDataSource | Grants permission to create a data source | Write | |||
| CreateEmailCustomizationTemplate [permission only] | Grants permission to create a QuickSight email customization template | Write | |||
| CreateFolder | Grants permission to create a QuickSight folder | Write | |||
| CreateFolderMembership | Grants permission to add a QuickSight Dashboard, Analysis or Dataset to a QuickSight Folder | Write | |||
| CreateGroup | Grants permission to create a QuickSight group | Write | |||
| CreateGroupMembership | Grants permission to add a QuickSight user to a QuickSight group | Write | |||
| CreateIAMPolicyAssignment | Grants permission to create an assignment with one specified IAM Policy ARN that will be assigned to specified groups or users of QuickSight | Write | |||
| CreateIngestion | Grants permission to start a SPICE ingestion on a dataset | Write | |||
| CreateNamespace | Grants permission to create an QuickSight namespace | Write |
ds:CreateIdentityPoolDirectory |
||
| CreateReader [permission only] | Grants permission to provision Amazon QuickSight readers | Write | |||
| CreateTemplate | Grants permission to create a template | Write | |||
| CreateTemplateAlias | Grants permission to create a template alias | Write | |||
| CreateTheme | Grants permission to create a theme | Write | |||
| CreateThemeAlias | Grants permission to create an alias for a theme version | Write | |||
| CreateUser [permission only] | Grants permission to provision Amazon QuickSight authors and readers | Write | |||
| CreateVPCConnection [permission only] | Grants permission to create a VPC connection | Write | |||
| DeleteAccountCustomization | Grants permission to delete an account customization for QuickSight account or namespace | Write | |||
| DeleteAnalysis | Grants permission to delete an analysis | Write | |||
| DeleteCustomPermissions [permission only] | Grants permission to delete a custom permissions resource | Permissions management | |||
| DeleteDashboard | Grants permission to delete a QuickSight Dashboard | Write | |||
| DeleteDataSet | Grants permission to delete a dataset | Write | |||
| DeleteDataSource | Grants permission to delete a data source | Write | |||
| DeleteEmailCustomizationTemplate [permission only] | Grants permission to delete a QuickSight email customization template | Write | |||
| DeleteFolder | Grants permission to delete a QuickSight Folder | Write | |||
| DeleteFolderMembership | Grants permission to remove a QuickSight Dashboard, Analysis or Dataset from a QuickSight Folder | Write | |||
| DeleteGroup | Grants permission to remove a user group from QuickSight | Write | |||
| DeleteGroupMembership | Grants permission to remove a user from a group so that he/she is no longer a member of the group | Write | |||
| DeleteIAMPolicyAssignment | Grants permission to update an existing assignment | Write | |||
| DeleteNamespace | Grants permission to delete a QuickSight namespace | Write |
ds:DeleteDirectory |
||
| DeleteTemplate | Grants permission to delete a template | Write | |||
| DeleteTemplateAlias | Grants permission to delete a template alias | Write | |||
| DeleteTheme | Grants permission to delete a theme | Write | |||
| DeleteThemeAlias | Grants permission to delete the alias of a theme | Write | |||
| DeleteUser | Grants permission to delete a QuickSight user, given the user name | Write | |||
| DeleteUserByPrincipalId | Grants permission to deletes a user identified by its principal ID | Write | |||
| DeleteVPCConnection [permission only] | Grants permission to delete a VPC connection | Write | |||
| DescribeAccountCustomization | Grants permission to describe an account customization for QuickSight account or namespace | Read | |||
| DescribeAccountSettings | Grants permission to describe the administrative account settings for QuickSight account | Read | |||
| DescribeAccountSubscription | Grants permission to describe a QuickSight account | Read | |||
| DescribeAnalysis | Grants permission to describe an analysis | Read | |||
| DescribeAnalysisPermissions | Grants permission to describe permissions for an analysis | Read | |||
| DescribeCustomPermissions [permission only] | Grants permission to describe a custom permissions resource in a QuickSight account | Write | |||
| DescribeDashboard | Grants permission to describe a QuickSight Dashboard | Read | |||
| DescribeDashboardPermissions | Grants permission to describe permissions for a QuickSight Dashboard | Read | |||
| DescribeDataSet | Grants permission to describe a dataset | Read | |||
| DescribeDataSetPermissions | Grants permission to describe the resource policy of a dataset | Permissions management | |||
| DescribeDataSource | Grants permission to describe a data source | Read | |||
| DescribeDataSourcePermissions | Grants permission to describe the resource policy of a data source | Permissions management | |||
| DescribeEmailCustomizationTemplate [permission only] | Grants permission to describe a QuickSight email customization template | Read | |||
| DescribeFolder | Grants permission to describe a QuickSight Folder | Read | |||
| DescribeFolderPermissions | Grants permission to describe permissions for a QuickSight Folder | Read | |||
| DescribeFolderResolvedPermissions | Grants permission to describe resolved permissions for a QuickSight Folder | Read | |||
| DescribeGroup | Grants permission to describe a QuickSight group | Read | |||
| DescribeGroupMembership | Grants permission to describe a QuickSight group member | Read | |||
| DescribeIAMPolicyAssignment | Grants permission to describe an existing assignment | Read | |||
| DescribeIngestion | Grants permission to describe a SPICE ingestion on a dataset | Read | |||
| DescribeIpRestriction | Grants permission to describe the IP restrictions for QuickSight account | Read | |||
| DescribeNamespace | Grants permission to describe a QuickSight namespace | Read | |||
| DescribeTemplate | Grants permission to describe a template | Read | |||
| DescribeTemplateAlias | Grants permission to describe a template alias | Read | |||
| DescribeTemplatePermissions | Grants permission to describe permissions for a template | Read | |||
| DescribeTheme | Grants permission to describe a theme | Read | |||
| DescribeThemeAlias | Grants permission to describe a theme alias | Read | |||
| DescribeThemePermissions | Grants permission to describe permissions for a theme | Read | |||
| DescribeUser | Grants permission to describe a QuickSight user given the user name | Read | |||
| GenerateEmbedUrlForAnonymousUser | Grants permission to generate a URL used to embed a QuickSight Dashboard for a user not registered with QuickSight | Write | |||
| GenerateEmbedUrlForRegisteredUser | Grants permission to generate a URL used to embed a QuickSight Dashboard for a user registered with QuickSight | Write | |||
| GetAnonymousUserEmbedUrl [permission only] | Grants permission to get a URL used to embed a QuickSight Dashboard for a user not registered with QuickSight | Read | |||
| GetAuthCode [permission only] | Grants permission to get an auth code representing a QuickSight user | Read | |||
| GetDashboardEmbedUrl | Grants permission to get a URL used to embed a QuickSight Dashboard | Read | |||
| GetGroupMapping [permission only] | Grants permission to use Amazon QuickSight, in Enterprise edition, to identify and display the Microsoft Active Directory (Microsoft Active Directory) directory groups that are mapped to roles in Amazon QuickSight | Read | |||
| GetSessionEmbedUrl | Grants permission to get a URL to embed QuickSight console experience | Read | |||
| ListAnalyses | Grants permission to list all analyses in an account | List | |||
| ListCustomPermissions [permission only] | Grants permission to list custom permissions resources in QuickSight account | Write | |||
| ListDashboardVersions | Grants permission to list all versions of a QuickSight Dashboard | List | |||
| ListDashboards | Grants permission to list all Dashboards in a QuickSight Account | List | |||
| ListDataSets | Grants permission to list all datasets | List | |||
| ListDataSources | Grants permission to list all data sources | List | |||
| ListFolderMembers | Grants permission to list all members in a folder | Read | |||
| ListFolders | Grants permission to list all Folders in a QuickSight Account | List | |||
| ListGroupMemberships | Grants permission to list member users in a group | List | |||
| ListGroups | Grants permission to list all user groups in QuickSight | List | |||
| ListIAMPolicyAssignments | Grants permission to list all assignments in the current Amazon QuickSight account | List | |||
| ListIAMPolicyAssignmentsForUser | Grants permission to list all assignments assigned to a user and the groups it belongs | List | |||
| ListIngestions | Grants permission to list all SPICE ingestions on a dataset | List | |||
| ListNamespaces | Grants permission to lists all namespaces in a QuickSight account | List | |||
| ListTagsForResource | Grants permission to list tags of a QuickSight resource | Read | |||
| ListTemplateAliases | Grants permission to list all aliases for a template | List | |||
| ListTemplateVersions | Grants permission to list all versions of a template | List | |||
| ListTemplates | Grants permission to list all templates in a QuickSight account | List | |||
| ListThemeAliases | Grants permission to list all aliases of a theme | List | |||
| ListThemeVersions | Grants permission to list all versions of a theme | List | |||
| ListThemes | Grants permission to list all themes in an account | List | |||
| ListUserGroups | Grants permission to list groups that a given user is a member of | List | |||
| ListUsers | Grants permission to list all of the QuickSight users belonging to this account | List | |||
| PassDataSet [permission only] | Grants permission to use a dataset for a template | Read | |||
| PassDataSource [permission only] | Grants permission to use a data source for a data set | Read | |||
| RegisterUser | Grants permission to create a QuickSight user, whose identity is associated with the IAM identity/role specified in the request | Write | |||
| RestoreAnalysis | Grants permission to restore a deleted analysis | Write | |||
| ScopeDownPolicy [permission only] | Grants permission to manage scoping policies for permissions to AWS resources | Write | |||
| SearchAnalyses | Grants permission to search for a sub-set of analyses | List | |||
| SearchDashboards | Grants permission to search for a sub-set of QuickSight Dashboards | List | |||
| SearchDirectoryGroups [permission only] | Grants permission to use Amazon QuickSight, in Enterprise edition, to display your Microsoft Active Directory directory groups so that you can choose which ones to map to roles in Amazon QuickSight | List | |||
| SearchFolders | Grants permission to search for a sub-set of QuickSight Folders | Read | |||
| SearchGroups | Grants permission to search for a sub-set of QuickSight groups | List | |||
| SetGroupMapping [permission only] | Grants permission to use Amazon QuickSight, in Enterprise edition, to display your Microsoft Active Directory directory groups so that you can choose which ones to map to roles in Amazon QuickSight | Write | |||
| Subscribe [permission only] | Grants permission to subscribe to Amazon QuickSight, and also to allow the user to upgrade the subscription to Enterprise edition | Write | |||
| TagResource | Grants permission to add tags to a QuickSight resource | Tagging | |||
| Unsubscribe [permission only] | Grants permission to unsubscribe from Amazon QuickSight, which permanently deletes all users and their resources from Amazon QuickSight | Write | |||
| UntagResource | Grants permission to remove tags from a QuickSight resource | Tagging | |||
| UpdateAccountCustomization | Grants permission to update an account customization for QuickSight account or namespace | Write | |||
| UpdateAccountSettings | Grants permission to update the administrative account settings for QuickSight account | Write | |||
| UpdateAnalysis | Grants permission to update an analysis | Write | |||
| UpdateAnalysisPermissions | Grants permission to update permissions for an analysis | Permissions management | |||
| UpdateCustomPermissions [permission only] | Grants permission to update a custom permissions resource | Permissions management | |||
| UpdateDashboard | Grants permission to update a QuickSight Dashboard | Write | |||
| UpdateDashboardPermissions | Grants permission to update permissions for a QuickSight Dashboard | Permissions management | |||
| UpdateDashboardPublishedVersion | Grants permission to update a QuickSight Dashboard’s Published Version | Write | |||
| UpdateDataSet | Grants permission to update a dataset | Write |
quicksight:PassDataSource |
||
| UpdateDataSetPermissions | Grants permission to update the resource policy of a dataset | Permissions management | |||
| UpdateDataSource | Grants permission to update a data source | Write | |||
| UpdateDataSourcePermissions | Grants permission to update the resource policy of a data source | Permissions management | |||
| UpdateEmailCustomizationTemplate [permission only] | Grants permission to update a QuickSight email customization template | Write | |||
| UpdateFolder | Grants permission to update a QuickSight Folder | Write | |||
| UpdateFolderPermissions | Grants permission to update permissions for a QuickSight Folder | Permissions management | |||
| UpdateGroup | Grants permission to change group description | Write | |||
| UpdateIAMPolicyAssignment | Grants permission to update an existing assignment | Write | |||
| UpdateIpRestriction | Grants permission to update the IP restrictions for QuickSight account | Write | |||
| UpdatePublicSharingSettings | Grants permission to enable or disable public sharing on an account | Write | |||
| UpdateResourcePermissions [permission only] | Grants permission to update resource-level permissions in QuickSight | Write | |||
| UpdateTemplate | Grants permission to update a template | Write | |||
| UpdateTemplateAlias | Grants permission to update a template alias | Write | |||
| UpdateTemplatePermissions | Grants permission to update permissions for a template | Permissions management | |||
| UpdateTheme | Grants permission to update a theme | Write | |||
| UpdateThemeAlias | Grants permission to update the alias of a theme | Write | |||
| UpdateThemePermissions | Grants permission to update permissions for a theme | Permissions management | |||
| UpdateUser | Grants permission to update an Amazon QuickSight user | Write |
Resource types defined by Amazon QuickSight
The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the table. For details about the columns in the following table, see Resource types table.
| Resource types | ARN | Condition keys |
|---|---|---|
| account |
arn:${Partition}:quicksight:${Region}:${Account}:account/${ResourceId}
|
|
| user |
arn:${Partition}:quicksight:${Region}:${Account}:user/${ResourceId}
|
|
| group |
arn:${Partition}:quicksight:${Region}:${Account}:group/${ResourceId}
|
|
| analysis |
arn:${Partition}:quicksight:${Region}:${Account}:analysis/${ResourceId}
|
|
| dashboard |
arn:${Partition}:quicksight:${Region}:${Account}:dashboard/${ResourceId}
|
|
| template |
arn:${Partition}:quicksight:${Region}:${Account}:template/${ResourceId}
|
|
| datasource |
arn:${Partition}:quicksight:${Region}:${Account}:datasource/${ResourceId}
|
|
| dataset |
arn:${Partition}:quicksight:${Region}:${Account}:dataset/${ResourceId}
|
|
| ingestion |
arn:${Partition}:quicksight:${Region}:${Account}:dataset/${DatasetId}/ingestion/${ResourceId}
|
|
| theme |
arn:${Partition}:quicksight:${Region}:${Account}:theme/${ResourceId}
|
|
| assignment |
arn:${Partition}:quicksight::${Account}:assignment/${ResourceId}
|
|
| customization |
arn:${Partition}:quicksight:${Region}:${Account}:customization/${ResourceId}
|
|
| namespace |
arn:${Partition}:quicksight:${Region}:${Account}:namespace/${ResourceId}
|
|
| folder |
arn:${Partition}:quicksight:${Region}:${Account}:folder/${ResourceId}
|
|
| emailCustomizationTemplate |
arn:${Partition}:quicksight:${Region}:${Account}:email-customization-template/${ResourceId}
|
Condition keys for Amazon QuickSight
Amazon QuickSight defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see Condition keys table.
To view the global condition keys that are available to all services, see Available global condition keys.
| Condition keys | Description | Type |
|---|---|---|
| aws:RequestTag/${TagKey} | Filters access by tag key-value pairs in the request | String |
| aws:ResourceTag/${TagKey} | Filters access by tag key-value pairs attached to the resource | String |
| aws:TagKeys | Filters access by tag keys | ArrayOfString |
| quicksight:AllowedEmbeddingDomains | Filters access by the allowed embedding domains | ArrayOfString |
| quicksight:DirectoryType | Filters access by the user management options | String |
| quicksight:Edition | Filters access by the edition of QuickSight | String |
| quicksight:IamArn | Filters access by IAM user or role ARN | String |
| quicksight:SessionName | Filters access by session name | String |
| quicksight:UserName | Filters access by user name | String |
