How do I set up cross-account access from Amazon QuickSight to an Amazon S3 bucket in another account?

Last updated: 2022-08-02

I'm trying to create a dataset in Amazon QuickSight using data from an Amazon Simple Storage Service (Amazon S3) bucket in another account. How can I do this?

Short description

Complete the following steps to create cross-account access from Amazon QuickSight (Account A) to an encrypted Amazon S3 bucket in another account (Account B):

  1. Update your S3 bucket policy in Account B (where your S3 bucket resides).
  2. Add the S3 bucket as a resource that the QuickSight service role (Account A) can access.
  3. Allow the QuickSight service role access to the AWS Key Management Service (KMS) key for the S3 bucket.

Note: This article assumes that your S3 bucket is encrypted with an AWS KMS key (SSE-KMS); if the bucket uses SSE-S3 instead, the AWS KMS steps below don't apply. For cross-account access, the key must be a customer managed key in Account B, because the AWS managed key (aws/s3) can't be used by principals in another account. Encrypting your S3 bucket with an AWS KMS key is also a best practice. For more information about how to enable default encryption for Amazon S3, see Enabling Amazon S3 default bucket encryption.

Resolution

Update your S3 bucket policy in Account B

To set up cross-account access from QuickSight to Amazon S3, complete the following steps:

1.    Update the bucket policy of your S3 bucket in Account B. For example:

{
  "Version": "2012-10-17",
  "Id": "BucketPolicy",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<Account A>:role/service-role/aws-quicksight-service-role-v0"
      },
      "Action": [
        "s3:ListBucket",
        "s3:GetObject",
        "s3:GetObjectVersion"
      ],
      "Resource": [
        "arn:aws:s3:::cross-account-qstest-bucket",
        "arn:aws:s3:::cross-account-qstest-bucket/*"
      ]
    }
  ]
}

Note: If the aws-quicksight-s3-consumers-role-v0 role exists in Account A, QuickSight uses that role for Amazon S3 access, so the bucket policy must name it instead. In that case, replace aws-quicksight-service-role-v0 with aws-quicksight-s3-consumers-role-v0 in the Principal element to avoid connection issues with Amazon S3.

2.    In Account B (the account that owns the key), grant the QuickSight service role from Account A permission to decrypt with the S3 bucket's AWS KMS key. A grant is an alternative to adding the role to the key policy; the caller needs kms:CreateGrant on the key:

aws kms create-grant --key-id aws_kms_key_arn --grantee-principal quicksight_role_arn --operations Decrypt

Note: Replace aws_kms_key_arn with your AWS KMS key's ARN, and quicksight_role_arn with your QuickSight role's ARN. Use the full key ARN rather than a key ID or alias name, because only the ARN resolves to a key in another account.

To get your AWS KMS key ARN:

  1. Open the Amazon S3 console.
  2. Go to the S3 bucket that contains your data file.
  3. Choose the Properties tab. The AWS KMS key ARN is located under Default encryption.

To get your QuickSight service role ARN:

  1. Open the AWS Identity and Access Management (IAM) console in Account A.
  2. In the left navigation pane, choose Roles.
  3. Search for aws-quicksight-service-role.
  4. Select your QuickSight service role, and copy its ARN.

Note: If the aws-quicksight-s3-consumers-role-v0 role exists in Account A, make sure to use this role instead. Otherwise, you might receive an error when you try to connect to Amazon S3.

Add the S3 bucket as a resource that the QuickSight service role can access

To allow the QuickSight service role access to the S3 bucket in Account B, complete the following steps:

  1. Open your Amazon QuickSight console.
  2. Choose Manage QuickSight.
  3. Choose Security & permissions.
  4. Choose Add or remove.
  5. Choose Details.
  6. Choose Select S3 buckets.
  7. Choose the S3 buckets you can access across AWS tab, and verify that your S3 bucket is listed for QuickSight access.
  8. (Optional) If your S3 bucket isn't listed, then add it under Use a different bucket.
  9. Choose Finish.

Allow the QuickSight service role access to the AWS KMS key for the S3 bucket

Add the following inline IAM policy to the QuickSight service role in Account A:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ExampleStmt3",
      "Effect": "Allow",
      "Action": [
        "kms:Decrypt"
      ],
      "Resource": "arn:aws:kms:us-east-1:<account ID of your S3 bucket>:key/<KEYID>"
    }
  ]
}

Note: The preceding inline policy allows the QuickSight service role in Account A to decrypt with your AWS KMS key in Account B. Replace the Resource value with the key ARN that you copied from the bucket's Default encryption settings; the region and account ID in that ARN are the key's (Account B), not Account A's. Replace ExampleStmt3 with your own statement ID.

Important: If the aws-quicksight-s3-consumers-role-v0 role exists in Account A, then you must attach this AWS KMS policy to that role. The policy is what allows QuickSight to decrypt the data in your S3 bucket. If you attach it to aws-quicksight-service-role-v0 instead, you might encounter a permissions error. For information on how to resolve the permissions error, see How do I troubleshoot AWS resource permission errors in Amazon QuickSight?
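The three pieces above (bucket policy in Account B, KMS grant in Account B, inline kms:Decrypt policy on the role in Account A) fail in predictable ways when they don't line up: the wrong QuickSight role is named, the key ARN points at the wrong account, or the bucket policy is widened past read-only while editing. The following Python helper, an added example that is not part of the AWS article, generates the three artifacts from a bucket name, the two account IDs and the list of roles present in Account A, and lints a bucket policy the way a reviewer would before it is applied. It makes no AWS calls; the account IDs, key ID and role list in the demo are constructed sample values, and the function names are this example's own.

```python
"""Generate and lint the policy pieces for QuickSight (Account A) reading an
SSE-KMS bucket in Account B. Added example, not from the AWS article. Nothing
here calls AWS: feed the JSON to `aws s3api put-bucket-policy` /
`aws iam put-role-policy` and run the create-grant argv with Account B
credentials. Account IDs, key ID and role names in the demo are constructed."""
import json
import re

SERVICE_ROLE = "aws-quicksight-service-role-v0"
S3_CONSUMERS_ROLE = "aws-quicksight-s3-consumers-role-v0"
READ_ACTIONS = ("s3:ListBucket", "s3:GetObject", "s3:GetObjectVersion")
# Cross-account KMS needs the full key ARN; a bare key ID or alias name only
# resolves inside the caller's own account.
KMS_KEY_ARN = re.compile(r"^arn:aws:kms:[a-z0-9-]+:(?P<account>\d{12}):key/[0-9a-f-]{36}$")


def quicksight_role_arn(account_a, role_names_in_account_a):
    """ARN of the role QuickSight really uses for S3: the s3-consumers role if it exists."""
    name = S3_CONSUMERS_ROLE if S3_CONSUMERS_ROLE in role_names_in_account_a else SERVICE_ROLE
    return f"arn:aws:iam::{account_a}:role/service-role/{name}"


def bucket_policy(bucket, role_arn):
    """Account B bucket policy: read-only, one principal, one bucket."""
    stmt = {"Sid": "AllowQuickSightRead", "Effect": "Allow",
            "Principal": {"AWS": role_arn}, "Action": list(READ_ACTIONS),
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]}
    return {"Version": "2012-10-17", "Statement": [stmt]}


def kms_inline_policy(key_arn):
    """Inline policy for the Account A role: kms:Decrypt on exactly one Account B key."""
    stmt = {"Sid": "DecryptQuickSightSourceKey", "Effect": "Allow",
            "Action": ["kms:Decrypt"], "Resource": key_arn}
    return {"Version": "2012-10-17", "Statement": [stmt]}


def create_grant_argv(key_arn, role_arn):
    """The create-grant call from the article; the caller needs kms:CreateGrant in Account B."""
    return ["aws", "kms", "create-grant", "--key-id", key_arn,
            "--grantee-principal", role_arn, "--operations", "Decrypt"]


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def _aws_principals(stmt):
    principal = stmt.get("Principal")
    if principal == "*":
        return {"*"}
    if isinstance(principal, dict):
        return set(_as_list(principal.get("AWS")))
    return set()


def lint(bucket, bucket_account, role_arn, policy, key_arn):
    """Return the problems a reviewer would flag; an empty list means the pieces line up."""
    findings = []
    match = KMS_KEY_ARN.match(key_arn)
    if not match:
        findings.append("key must be a full arn:aws:kms:<region>:<account>:key/<id> ARN")
    elif match["account"] != bucket_account:
        findings.append(f"key is in account {match['account']} but the bucket is in {bucket_account}")
    allowed = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    seen = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principals = _aws_principals(stmt)
        seen |= principals
        if "*" in principals:
            findings.append(f"{sid}: wildcard principal makes the bucket readable by anyone")
        extra = sorted(set(_as_list(stmt.get("Action"))) - set(READ_ACTIONS))
        if extra:
            findings.append(f"{sid}: grants more than read access: {extra}")
        stray = sorted(set(_as_list(stmt.get("Resource"))) - allowed)
        if stray:
            findings.append(f"{sid}: resources outside {bucket}: {stray}")
    if role_arn not in seen:
        findings.append("bucket policy does not name the role QuickSight actually uses in Account A")
    return findings


if __name__ == "__main__":
    account_a, account_b = "111111111111", "222222222222"  # constructed sample IDs
    key_arn = f"arn:aws:kms:us-east-1:{account_b}:key/1234abcd-12ab-34cd-56ef-1234567890ab"
    role_arn = quicksight_role_arn(account_a, {SERVICE_ROLE, S3_CONSUMERS_ROLE})
    policy = bucket_policy("cross-account-qstest-bucket", role_arn)
    print(json.dumps(policy, indent=2), json.dumps(kms_inline_policy(key_arn), indent=2), sep="\n")
    print(" ".join(create_grant_argv(key_arn, role_arn)))
    print("findings:", lint("cross-account-qstest-bucket", account_b, role_arn, policy, key_arn))
```

Run `lint` against the bucket policy you are about to apply, not only the generated one: it catches a `"Principal": "*"` left over from testing, any action beyond the three read actions, resources that stray outside the bucket, a key ARN whose account is Account A rather than Account B, and a bucket policy that still names aws-quicksight-service-role-v0 when aws-quicksight-s3-consumers-role-v0 exists.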

Additional considerations

When you're setting up cross-account access from QuickSight to an S3 bucket in another account, consider the following: