How do I set up cross-account access from Amazon QuickSight to an Amazon S3 bucket in another account?

Last updated: 2021-05-24

I'm trying to create a dataset in Amazon QuickSight using data from an Amazon Simple Storage Service (Amazon S3) bucket in another account. How can I do this?

Short description

Assume that Account A is where your Amazon QuickSight instance resides and Account B is where your Amazon S3 bucket resides. You can create cross-account access from Amazon QuickSight to an encrypted Amazon S3 bucket in another account using these steps:

1.    Update your Amazon S3 bucket policy in Account B (where your S3 bucket resides).

2.    Add the Amazon S3 bucket (Account B) as a resource that the Amazon QuickSight service role (Account A) can access.

3.    Allow your Amazon QuickSight service role (Account A) access to the KMS key for your Amazon S3 bucket (Account B).

Note: This article assumes that your Amazon S3 bucket is encrypted. It's also a best practice to encrypt your Amazon S3 bucket with a KMS key. For more information about how to enable default encryption for S3, see Enabling Amazon S3 default bucket encryption.

Resolution

Updating your Amazon S3 bucket policy in Account B (where your S3 bucket resides)

To set up cross-account access from Amazon QuickSight to Amazon S3, perform the following steps:

1.    Update the bucket policy of your Amazon S3 bucket (in Account B) as shown in this example:

{
    "Version": "2012-10-17",
    "Id": "BucketPolicy",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<Account A>:role/service-role/aws-quicksight-service-role-v0"
            },
            "Action": ["s3:ListBucket", "s3:GetObject", "s3:GetObjectVersion"],
            "Resource": [
                "arn:aws:s3:::cross-account-qstest-bucket",
                "arn:aws:s3:::cross-account-qstest-bucket/*"
            ]
        }
    ]
}

Note: If the aws-quicksight-s3-consumers-role-v0 role exists in Account A, then make sure to use this role instead. Replace aws-quicksight-service-role-v0 with aws-quicksight-s3-consumers-role-v0 to avoid any connection issues with Amazon S3.

2.    Add your Amazon QuickSight service role (from Account A) to the list of users that can access the Amazon S3 bucket's KMS key:

aws kms create-grant --key-id <KMS key ARN> --grantee-principal <Amazon QuickSight Role ARN> --operations Decrypt

Note: To obtain your KMS key ARN, open the Amazon S3 console. Go to the Amazon S3 bucket that contains your data file and choose the Properties tab. The key ARN is located under Default encryption.

To obtain the Amazon QuickSight service role ARN, open the AWS Identity and Access Management (IAM) console in Account A, where your Amazon QuickSight subscription resides. Choose Roles from the left navigation pane. Search for aws-quicksight-service-role and select your Amazon QuickSight service role. Copy the service role ARN.

Note: If the aws-quicksight-s3-consumers-role-v0 role exists in Account A, make sure to use this role instead. Otherwise, you might receive an error when you try to connect to Amazon S3.

Adding the Amazon S3 bucket (Account B) as a resource that the Amazon QuickSight service role (Account A) can access

To allow your Amazon QuickSight service role access to the Amazon S3 bucket in another account, perform the following steps:

1.    Open your Amazon QuickSight console.

2.    Choose Manage QuickSight.

3.    Choose Security & permissions.

4.    Choose Add or remove.

5.    Choose Details.

6.    Choose Select S3 buckets.

7.    Choose the S3 buckets that you can access across AWS tab to verify that your S3 bucket is listed for Amazon QuickSight access.

8.    (Optional) If your Amazon S3 bucket isn't listed, add your bucket under Use a different bucket.

9.    Choose Finish.

Allowing the Amazon QuickSight service role (Account A) access to the KMS key for your Amazon S3 bucket (Account B)

Add the following in-line IAM policy to the Amazon QuickSight service role in Account A:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ExampleStmt3",
            "Effect": "Allow",
            "Action": [
                "kms:Decrypt"
            ],
            "Resource": "arn:aws:kms:us-east-1:<account ID of your S3 bucket>:key/<KEYID>"
        }
    ]
}

This updated policy allows the Amazon QuickSight service role to use your KMS key in Account B, where your Amazon S3 bucket resides. Make sure to add the policy inline and replace ExampleStmt3 with your own statement ID.

Note: If the aws-quicksight-s3-consumers-role-v0 role exists in Account A, you must attach this KMS policy to that role. The policy grants the kms:Decrypt permission the role needs to read the encrypted objects in your Amazon S3 bucket.

If you attach the updated role policy to your Amazon QuickSight service role instead, you might encounter a permissions error. For information on how to resolve this permissions error, see How do I troubleshoot AWS resource permission errors in Amazon QuickSight?
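The following Python script is an added example, not part of the original article: it builds the two policy documents from the steps above (the Account B bucket policy and the Account A inline KMS policy), applies the article's rule about preferring aws-quicksight-s3-consumers-role-v0 when it exists, and checks the documents for the mistakes that most often break this setup before you apply them with put-bucket-policy and put-role-policy. The account IDs, bucket name and key ARN in the test are constructed placeholders.

```python
"""Added example: build the article's two policy documents and sanity-check them.
Account IDs, bucket name and key ARN are constructed placeholders."""
import re

SERVICE_ROLE = "aws-quicksight-service-role-v0"
CONSUMERS_ROLE = "aws-quicksight-s3-consumers-role-v0"
KEY_ARN_RE = re.compile(r"^arn:aws:kms:[a-z0-9-]+:(\d{12}):key/[0-9a-f-]{36}$")
READ_ACTIONS = {"s3:ListBucket", "s3:GetObject", "s3:GetObjectVersion"}


def quicksight_role_arn(account_a: str, consumers_role_exists: bool) -> str:
    """Article's rule: use the s3-consumers role whenever it exists in Account A."""
    name = CONSUMERS_ROLE if consumers_role_exists else SERVICE_ROLE
    return f"arn:aws:iam::{account_a}:role/service-role/{name}"


def bucket_policy(bucket: str, role_arn: str) -> dict:
    """Account B bucket policy: read-only access for the Account A role."""
    return {"Version": "2012-10-17", "Id": "BucketPolicy", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": role_arn},
        "Action": sorted(READ_ACTIONS),
        # ListBucket is checked against the bucket ARN, GetObject* against objects
        "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]}]}


def kms_inline_policy(key_arn: str, sid: str = "QuickSightDecryptAccountB") -> dict:
    """Inline policy for the Account A role: kms:Decrypt on one Account B key only."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": sid, "Effect": "Allow", "Action": ["kms:Decrypt"], "Resource": key_arn}]}


def check_setup(bpolicy: dict, kpolicy: dict, account_b: str) -> list:
    """Return the problems found; an empty list means the two documents agree."""
    problems = []
    stmt = bpolicy["Statement"][0]
    if not stmt["Principal"]["AWS"].endswith((f"/{SERVICE_ROLE}", f"/{CONSUMERS_ROLE}")):
        problems.append("bucket policy principal is not a QuickSight role")
    if set(stmt["Action"]) - READ_ACTIONS:
        problems.append("bucket policy grants more than read access")
    if not any(r.endswith("/*") for r in stmt["Resource"]):
        problems.append("no object-level ARN: GetObject would be denied")
    for kstmt in kpolicy["Statement"]:
        m = KEY_ARN_RE.match(kstmt["Resource"])
        if m is None:
            problems.append("KMS Resource must be a single key ARN, not a wildcard")
        elif m.group(1) != account_b:
            problems.append("KMS key ARN is not in Account B (the bucket account)")
    return problems
```

Feed the returned dicts to json.dumps and pass them to the AWS CLI; a non-empty list from check_setup means the policies would not line up with the steps in this article.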

Additional considerations

Here are some additional considerations: