How do I set up cross-account access using templates in Amazon QuickSight?

Last updated: 2021-07-16

I want to share my dashboard or template with another AWS Account in Amazon QuickSight. How can I do this?

Short description

Note: This article outlines the steps for cross-account access using the AWS Command Line Interface (AWS CLI). If you receive errors when running AWS CLI commands, make sure that you’re using the most recent AWS CLI version.

To provide cross-account access to datasets and dashboards in Amazon QuickSight, perform the following:

1.    Create a template in Account A from existing analyses.

2.    Create a dataset in Account B (like the dataset in Account A).

3.    Create a second template in Account B from the existing template in Account A.

4.    Create a dashboard in Account B from the template in Account B.

Important: Make sure to specify the appropriate read permissions from the source account. After establishing the correct permissions, you can create or share a dashboard from a template in another AWS account.

Resolution

Create a template in Account A from existing analyses

1.    In Account A, create a template (templateA.json) in the AWS Region and AWS account where your analysis resides:

aws quicksight create-template --aws-account-id <Account_A> --template-id <Any-name> --cli-input-json file://templateA.json

Important: You can't create templates that use cross-Regional resources.

For example:

{
  "AwsAccountId": "<Account_A>",
  "TemplateId": "<Any-name>",
  "Name": "<Any-name>",
  "SourceEntity": {
    "SourceAnalysis": {
      "Arn": "arn:aws:quicksight:<region>:<Account_A>:analysis/<analysis-id>",
      "DataSetReferences": [
        {
          "DataSetPlaceholder": "<Any name>",
          "DataSetArn": "arn:aws:quicksight:<aws-region>:<Account_A>:dataset/<dataset-id>"
        }
      ]
    }
  },
  "VersionDescription": "1"
}

2.    Confirm that the template was created:

aws quicksight describe-template --aws-account-id <Account_A> --template-id <template-id>

3.    Update the template permissions (TemplatePermission.json) to grant access to Account B:

aws quicksight update-template-permissions --aws-account-id <Account_A> --template-id <template-id> --grant-permissions file://TemplatePermission.json

For example:

[
  {
    "Principal": "arn:aws:iam::<Account_B>:root",
    "Actions": [
      "quicksight:UpdateTemplatePermissions",
      "quicksight:DescribeTemplate"
    ]
  }
]
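The grant above names the Account B root principal and includes quicksight:UpdateTemplatePermissions, so it is worth reviewing what the template's permissions look like after the update. The following Python sketch is an added example, not part of the original article: it audits a permissions list shaped like the output of aws quicksight describe-template-permissions. The account IDs, function names, and finding labels are assumptions made for illustration.

```python
import json

# Constructed sample shaped like `aws quicksight describe-template-permissions`
# output for a template owned by Account A. Account IDs are made up:
# 111111111111 = Account A, 222222222222 = Account B, 333333333333 = unknown.
SAMPLE = json.loads("""
{"Permissions": [
  {"Principal": "arn:aws:quicksight:us-east-1:111111111111:user/default/owner",
   "Actions": ["quicksight:DescribeTemplate", "quicksight:UpdateTemplatePermissions"]},
  {"Principal": "arn:aws:iam::222222222222:root",
   "Actions": ["quicksight:UpdateTemplatePermissions", "quicksight:DescribeTemplate"]},
  {"Principal": "arn:aws:iam::333333333333:root",
   "Actions": ["quicksight:DescribeTemplate"]}
]}
""")


def account_of(arn):
    """Return the account-id field of an ARN, or None if it is not an ARN."""
    parts = arn.split(":")
    return parts[4] if len(parts) >= 6 and parts[0] == "arn" else None


def audit_permissions(owner, permissions, trusted=()):
    """Return (principal, finding) pairs for grants that leave the owner account."""
    findings = []
    for entry in permissions:
        principal = entry.get("Principal", "")
        account = account_of(principal)
        if account == owner:
            continue  # same-account grants are out of scope for this check
        if account is None or account not in trusted:
            findings.append((principal, "untrusted-account"))
        if principal.endswith(":root"):
            # Account principal: the grant is to the account, not to one user.
            findings.append((principal, "account-wide"))
        for action in entry.get("Actions", []):
            # Update*Permissions lets the grantee change the resource's grants.
            if action.startswith("quicksight:Update") and action.endswith("Permissions"):
                findings.append((principal, "can-regrant"))
    return findings


if __name__ == "__main__":
    for principal, finding in audit_permissions(
            "111111111111", SAMPLE["Permissions"], trusted={"222222222222"}):
        print(f"{finding:18} {principal}")
```
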

Create a dataset in Account B (like the dataset in Account A)

1.    In Account B, create a dataset (datasetB.json) using the same schema as the dataset in Account A:

aws quicksight create-data-set --aws-account-id <Account_B> --data-set-id <Any-name> --cli-input-json file://datasetB.json

For example:

{
  "AwsAccountId": "<Account_B>",
  "DataSetId": "<Any-name>",
  "Name": "<Any-name>",
  "PhysicalTableMap": {
    "Physicaltablename": {
      "RelationalTable": {
        "DataSourceArn": "arn:aws:quicksight:<region>:<Account_B>:datasource/<datasource-id>",
        "Schema": "<schema-name>",
        "Name": "<table-name>",
        "InputColumns": [
          {
            "Name": "<column-name>",
            "Type": "<STRING|INTEGER|DECIMAL|DATETIME|BIT|BOOLEAN|JSON>"
          }
        ]
      }
    }
  },
  "LogicalTableMap": {
    "Logicaltablename": {
      "Alias": "<Any-alias>",
      "DataTransforms": [
        {
          "ProjectOperation": {
            "ProjectedColumns": [
              "<column-name>",
              "<column-name>"
            ]
          }
        }
      ],
      "Source": {
        "PhysicalTableId": "Physicaltablename"
      }
    }
  },
  "ImportMode": "SPICE",
  "Permissions": [
    {
      "Principal": "arn:aws:quicksight:<region>:<Account_B>:user/<namespace>/<user-name>",
      "Actions": [
        "quicksight:UpdateDataSetPermissions",
        "quicksight:DescribeDataSet",
        "quicksight:DescribeDataSetPermissions",
        "quicksight:PassDataSet",
        "quicksight:DescribeIngestion",
        "quicksight:ListIngestions",
        "quicksight:UpdateDataSet",
        "quicksight:DeleteDataSet",
        "quicksight:CreateIngestion",
        "quicksight:CancelIngestion"
      ]
    }
  ]
}

Note: This example refers to a SPICE dataset.

2.    Confirm that the dataset is successfully created:

aws quicksight describe-data-set --aws-account-id <Account_B> --data-set-id <dataset-id>

3.    Record the dataset ARN from the returned output. You'll need the dataset ARN for a later step.

Create a template in Account B from the existing template in Account A

1.    Confirm that your AWS Identity and Access Management (IAM) user or role has the appropriate permissions. You must have the following permissions to access a cross-account template in Amazon QuickSight:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Resource": "arn:aws:quicksight:<region>:<Account_A>:template/<template-id>",
      "Action": "quicksight:DescribeTemplate"
    },
    {
      "Effect": "Allow",
      "Resource": "*",
      "Action": "quicksight:CreateTemplate"
    }
  ]
}

2.    Create a new template in Account B (templateB.json) from the template in Account A:

aws quicksight create-template --aws-account-id <Account_B> --template-id <Any-name> --source-entity file://templateB.json

For example:

{
  "SourceTemplate": {
    "Arn": "arn:aws:quicksight:<region>:<Account_A>:template/<template-id>"
  }
}

3.    Confirm that the template is created:

aws quicksight describe-template --aws-account-id <Account_B> --template-id <template-id>

Create a dashboard in Account B from the template in Account B

1.    Create a dashboard (dashboardB.json) from the newly created template in Account B:

aws quicksight create-dashboard --aws-account-id <Account_B> --dashboard-id <Any-name> --name <Any-name> --source-entity file://dashboardB.json

For example:

{
  "SourceTemplate": {
    "DataSetReferences": [
      {
        "DataSetPlaceholder": "<placeholder-name>",
        "DataSetArn": "arn:aws:quicksight:<region>:<Account_B>:dataset/<dataset-id>"
      }
    ],
    "Arn": "arn:aws:quicksight:<region>:<Account_B>:template/<template-id>"
  }
}

Note: Update the DataSetPlaceholder variable with the placeholder name that is provided with the template created in Account A (templateA.json). Update the DataSetArn variable with the ARN of the dataset that you created in Account B (datasetB.json).

2.    Confirm that the dashboard is successfully created:

aws quicksight describe-dashboard --aws-account-id <Account_B> --dashboard-id <dashboard-id>

3.    Grant the appropriate permissions (DashboardPermission.json) to users requiring access to the Amazon QuickSight dashboard:

aws quicksight update-dashboard-permissions --aws-account-id <Account_B> --dashboard-id <dashboard-id> --grant-permissions file://DashboardPermission.json

In this example, the Amazon QuickSight user is granted co-owner access to the dashboard:

[
  {
    "Principal": "arn:aws:quicksight:<region>:<Account_B>:user/<namespace>/<quicksight-user-name>",
    "Actions": [
      "quicksight:DescribeDashboard",
      "quicksight:ListDashboardVersions",
      "quicksight:UpdateDashboardPermissions",
      "quicksight:QueryDashboard",
      "quicksight:UpdateDashboard",
      "quicksight:DeleteDashboard",
      "quicksight:DescribeDashboardPermissions",
      "quicksight:UpdateDashboardPublishedVersion"
    ]
  }
]
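Two constraints stated earlier are easy to get wrong when editing the request files by hand: templates can't use cross-Regional resources, and dashboardB.json must reuse the placeholder names from templateA.json while pointing at datasets in Account B. The following Python preflight check is an added example, not part of the original article; the sample file contents, IDs, Region names, and function names are constructed for illustration.

```python
import json

# Constructed sample files (IDs, names and Regions are made up for this example).
TEMPLATE_A = json.loads("""
{"AwsAccountId": "111111111111", "TemplateId": "sales-template", "Name": "sales-template",
 "SourceEntity": {"SourceAnalysis": {
   "Arn": "arn:aws:quicksight:us-east-1:111111111111:analysis/sales-analysis",
   "DataSetReferences": [
     {"DataSetPlaceholder": "orders",
      "DataSetArn": "arn:aws:quicksight:us-east-1:111111111111:dataset/orders-a"},
     {"DataSetPlaceholder": "customers",
      "DataSetArn": "arn:aws:quicksight:eu-west-1:111111111111:dataset/customers-a"}]}}}
""")
DASHBOARD_B = json.loads("""
{"SourceTemplate": {
   "Arn": "arn:aws:quicksight:us-east-1:222222222222:template/sales-template-b",
   "DataSetReferences": [
     {"DataSetPlaceholder": "orders-ds",
      "DataSetArn": "arn:aws:quicksight:us-east-1:222222222222:dataset/orders-b"},
     {"DataSetPlaceholder": "customers",
      "DataSetArn": "arn:aws:quicksight:us-east-1:111111111111:dataset/customers-a"}]}}
""")

def region_account(arn):
    """Return (region, account) from an ARN's 4th and 5th fields."""
    parts = arn.split(":")
    return parts[3], parts[4]

def preflight(template_a, dashboard_b, account_b):
    """Return a sorted list of problems found in the two request files."""
    problems = []
    analysis = template_a["SourceEntity"]["SourceAnalysis"]
    region_a = region_account(analysis["Arn"])[0]
    declared = set()
    for ref in analysis["DataSetReferences"]:
        declared.add(ref["DataSetPlaceholder"])
        if region_account(ref["DataSetArn"])[0] != region_a:
            problems.append("cross-Region dataset in templateA: " + ref["DataSetPlaceholder"])
    mapped = set()
    for ref in dashboard_b["SourceTemplate"]["DataSetReferences"]:
        mapped.add(ref["DataSetPlaceholder"])
        if region_account(ref["DataSetArn"])[1] != account_b:
            problems.append("dataset not in Account B: " + ref["DataSetPlaceholder"])
    problems += ["placeholder not mapped: " + p for p in declared - mapped]
    problems += ["placeholder not in templateA: " + p for p in mapped - declared]
    return sorted(problems)

if __name__ == "__main__":
    print("\n".join(preflight(TEMPLATE_A, DASHBOARD_B, "222222222222")))
```
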
