How do I set up cross-account access using templates in Amazon QuickSight?

Last updated: 2022-08-12

I want to share my datasets and dashboard with another AWS account in Amazon QuickSight. How can I do this?

Short description

You can use templates to create cross-account access to share your Amazon QuickSight analysis and dashboard across other AWS accounts and AWS Regions. You can also use the templates to create dashboards or other templates.

Complete the following steps to provide cross-account access in QuickSight:

  1. In one account (Account A), create a new template from an existing analysis.
  2. In another account (Account B), create a dataset using the same schema in Account A.
  3. Create a dashboard in Account B from the template in Account A.

(Optional) Create a template in Account B from the existing template in Account A. Use this option if you want to move resources from one account to another, and remove the resources from the source account.

Note: This article outlines the steps for cross-account access using the AWS Command Line Interface (AWS CLI). If you receive errors when running AWS CLI commands, make sure that you’re using the most recent AWS CLI version.

Resolution

Create a template in Account A from an existing analysis in the same account

1.    Use the list-dashboards AWS CLI command to list the dashboards that are available in your account:

aws quicksight list-dashboards --aws-account-id account_a_id

Note: Replace account_a_id with the ID of Account A.

2.    Note the ID of the dashboard that you want to share.

3.    Use the describe-dashboard AWS CLI command to get details from the dashboard:

aws quicksight describe-dashboard --aws-account-id account_a_id --dashboard-id dashboard_id

Note: Replace dashboard_id with your dashboard's ID.

4.    Create the template's JSON file, and include the ARNs of the analysis and dataset:

{
 "SourceEntity": {
   "SourceAnalysis": {
     "Arn": "arn:aws:quicksight:aws_region:account_a_id:analysis/analysis_id",
     "DataSetReferences": [
       {
         "DataSetPlaceholder": "dataset_name",
         "DataSetArn": "arn:aws:quicksight:aws_region:account_a_id:dataset/dataset_id"
       }
     ]
   }
 },
 "VersionDescription": "1"
}

Note: Replace aws_region with your AWS Region, analysis_id with the ID of your analysis, dataset_name with the dataset name, and dataset_id with the ID of your dataset.

5.    Create a template in the same Region as your analysis:

aws quicksight create-template --aws-account-id account_a_id --template-id template_name --cli-input-json file://template.json --profile default

Note: Replace template_name with the name of the template for Account A.

6.    Confirm that the template is created by running the describe-template AWS CLI command:

aws quicksight describe-template --aws-account-id account_a_id --template-id template_id

Note: Replace template_id with your template's ID. Confirm that the response for the describe-template command contains a CREATION_SUCCESSFUL status.

7.    Note the template's ARN from the output to use in a later step.

8.    Use the update-template-permissions AWS CLI command to grant Account B cross-account READ permission on the template in Account A:

aws quicksight update-template-permissions --aws-account-id account_a_id --template-id template_id --grant-permissions file://TemplatePermission.json

Example permission JSON file:

[
  {
    "Principal": "arn:aws:iam::account_b_id:root",
    "Actions": [
      "quicksight:UpdateTemplatePermissions",
      "quicksight:DescribeTemplate"
    ]
  }
]

Note: Replace account_b_id with Account B's ID. To share the template with multiple accounts, include the root of all the accounts as the Principal. You can share the template with only the root account. The Principal element doesn't support AWS Identity and Access Management (IAM) roles.

Create a dataset in Account B using the same schema as Account A

You can't create a dashboard directly from a dataset that's in another account (Account A). Instead, you must create the same dataset in the account where you want to create the dashboard (Account B). Then, create the dashboard from the newly created dataset.

1.    Create the dataset in Account B.

Using the Amazon QuickSight console

See Creating datasets.

Using the AWS CLI

Use the create-data-set AWS CLI command:

aws quicksight create-data-set --aws-account-id account_b_id --data-set-id dataset_name --cli-input-json file://datasetB.json

Example dataset JSON file (for each column, set Type to one of STRING, INTEGER, DECIMAL, DATETIME, BIT, BOOLEAN, or JSON):

{
  "Name": "dataset_name",
  "PhysicalTableMap": {
    "Physicaltablename": {
      "RelationalTable": {
        "DataSourceArn": "arn:aws:quicksight:aws_region:account_b_id:datasource/datasource_id",
        "Schema": "schema_name",
        "Name": "table_name",
        "InputColumns": [
          {
            "Name": "column_name",
            "Type": "STRING"
          }
        ]
      }
    }
  },
  "LogicalTableMap": {
    "Logicaltablename": {
      "Alias": "any_alias",
      "DataTransforms": [
        {
          "ProjectOperation": {
            "ProjectedColumns": [
              "column_name", "column_name"
            ]
          }
        }
      ],
      "Source": {
        "PhysicalTableId": "Physicaltablename"
      }
    }
  },
  "ImportMode": "SPICE",
  "Permissions": [
    {
      "Principal": "arn:aws:quicksight:aws_region:account_b_id:user/namespace/user_name",
      "Actions": [
        "quicksight:UpdateDataSetPermissions",
        "quicksight:DescribeDataSet",
        "quicksight:DescribeDataSetPermissions",
        "quicksight:PassDataSet",
        "quicksight:DescribeIngestion",
        "quicksight:ListIngestions",
        "quicksight:UpdateDataSet",
        "quicksight:DeleteDataSet",
        "quicksight:CreateIngestion",
        "quicksight:CancelIngestion"
      ]
    }
  ]
}

Note: Replace namespace with your namespace and user_name with the name of the QuickSight user. The preceding example refers to a SPICE dataset.

2.    Confirm that the dataset is successfully created:

aws quicksight describe-data-set --aws-account-id account_b_id --data-set-id dataset_id

Confirm that the response for the describe-data-set command contains a status code of 201. The 201 status code means that the dataset is successfully created.

3.    Note the dataset's ARN from the output to use in a later step.

Create a dashboard in Account B from the template in Account A

1.    Run the following command, and include the template's ARN:

aws quicksight create-dashboard --aws-account-id account_b_id --dashboard-id dashboard_id --name dashboard_name --source-entity file://DashboardFromTemplate.json

Note: You can create the dashboard in a different Region by adding the --region target_region parameter. Replace target_region with the Region that you want to create the dashboard in.

Example dashboard JSON file for Account B:

{
 "SourceTemplate": {
   "DataSetReferences": [
     {
       "DataSetPlaceholder": "dataset_name",
       "DataSetArn": "arn:aws:quicksight:aws_region:account_b_id:dataset/dataset_id"
     }
   ],
   "Arn": "arn:aws:quicksight:aws_region:account_a_id:template/template_id"
 }
}

In the preceding dashboard JSON file:

  • For DataSetPlaceholder, you must use the same dataset name from Account A's template.
  • For DataSetArn, you can use the ARN of the dataset that you created in Account B.
  • For Arn, you can use the ARN of the template that you created in Account A.

2.    Confirm that the dashboard is successfully created:

aws quicksight describe-dashboard --aws-account-id account_b_id --dashboard-id dashboard_id

Note: Confirm that the response for the describe-dashboard command contains a status code of 200. The 200 status code means that the dashboard exists.

3.    Use the update-dashboard-permissions AWS CLI command to grant the appropriate permissions to QuickSight users:

aws quicksight update-dashboard-permissions --aws-account-id account_b_id --dashboard-id dashboard_id --grant-permissions file://DashboardPermission.json

Example dashboard permission JSON file:

[
  {
    "Principal": "arn:aws:quicksight:aws_region:account_b_id:user/namespace/quicksight_user_name",
    "Actions": [
      "quicksight:DescribeDashboard",
      "quicksight:ListDashboardVersions",
      "quicksight:UpdateDashboardPermissions",
      "quicksight:QueryDashboard",
      "quicksight:UpdateDashboard",
      "quicksight:DeleteDashboard",
      "quicksight:DescribeDashboardPermissions",
      "quicksight:UpdateDashboardPublishedVersion"
    ]
  }
]

In the preceding example dashboard JSON file, the QuickSight user is granted co-owner access.

To provide READ only access to users, specify the following permissions:

"quicksight:DescribeDashboard",
"quicksight:ListDashboardVersions",
"quicksight:QueryDashboard"
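
An added example, not part of the original article: a Python pre-flight check over the three JSON files from the steps above (template.json, TemplatePermission.json, DashboardFromTemplate.json). It reports placeholder mismatches, datasets outside Account B, non-root principals, and grants beyond quicksight:DescribeTemplate. The function name preflight, the account IDs, Region and resource names are constructed, and treating DescribeTemplate as the only read action is this example's assumption.

```python
import re
ROOT_ARN = re.compile(r"arn:aws[\w-]*:iam::(\d{12}):root")
READ_ACTION = "quicksight:DescribeTemplate"  # assumed to be the only read action

def preflight(template_src, grants, dashboard_src, account_b):
    """Return findings for the three files; an empty list means they agree."""
    findings = []
    src = dashboard_src["SourceTemplate"]
    # 1. Account B must reuse the placeholder names stored in the template.
    refs_a = template_src["SourceEntity"]["SourceAnalysis"]["DataSetReferences"]
    want = {r["DataSetPlaceholder"] for r in refs_a}
    got = {r["DataSetPlaceholder"] for r in src["DataSetReferences"]}
    if want != got:
        findings.append(f"placeholder mismatch: template {sorted(want)}, dashboard {sorted(got)}")
    # 2. Every dataset bound to the dashboard must belong to Account B.
    for r in src["DataSetReferences"]:
        if r["DataSetArn"].split(":")[4] != account_b:  # ARN field 5 = account ID
            findings.append(f"dataset not in account {account_b}: {r['DataSetArn']}")
    # 3. Grants must name account roots; report anything beyond read.
    readers = set()
    for g in grants:
        m = ROOT_ARN.fullmatch(g["Principal"])
        if not m:
            findings.append(f"principal is not an account root: {g['Principal']}")
            continue
        if READ_ACTION in g["Actions"]:
            readers.add(m.group(1))
        extra = sorted(set(g["Actions"]) - {READ_ACTION})
        if extra:
            findings.append(f"account {m.group(1)} granted beyond read: {extra}")
    # 4. Account B needs the read grant to use the template as a source.
    if account_b not in readers:
        findings.append(f"account {account_b} has no {READ_ACTION} grant")
    return findings

# Constructed sample files: Account A = 111111111111, Account B = 222222222222.
A, B = "111111111111", "222222222222"
TEMPLATE = {"SourceEntity": {"SourceAnalysis": {"DataSetReferences": [
    {"DataSetPlaceholder": "sales",
     "DataSetArn": f"arn:aws:quicksight:us-east-1:{A}:dataset/sales-a"}]}}}
GRANTS = [{"Principal": f"arn:aws:iam::{B}:root", "Actions": [
    "quicksight:UpdateTemplatePermissions", "quicksight:DescribeTemplate"]}]
DASHBOARD = {"SourceTemplate": {
    "Arn": f"arn:aws:quicksight:us-east-1:{A}:template/sales-template",
    "DataSetReferences": [{"DataSetPlaceholder": "Sales",
        "DataSetArn": f"arn:aws:quicksight:us-east-1:{B}:dataset/sales-b"}]}}

if __name__ == "__main__":
    print("\n".join(preflight(TEMPLATE, GRANTS, DASHBOARD, B)))
```

With the constructed sample, the check reports the "Sales"/"sales" placeholder mismatch and the quicksight:UpdateTemplatePermissions action that the example permission file grants in addition to DescribeTemplate.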

(Optional) Create a template in Account B from the existing template in Account A

1.    Confirm that your IAM user or role has the appropriate permissions. You must have the following permissions to access a cross-account template in QuickSight:

{
 "Version": "2012-10-17",
 "Statement": [
   {
     "Effect": "Allow",
     "Resource": "arn:aws:quicksight:aws_region:account_a_id:template/template_id",
     "Action": "quicksight:DescribeTemplate"
   },
   {
     "Effect": "Allow",
     "Resource": "*",
     "Action": "quicksight:CreateTemplate"
   }
 ]
}

2.    Create a new template in Account B from the template in Account A:

aws quicksight create-template --aws-account-id account_b_id --template-id template_name --source-entity file://templateB.json

Note: Replace template_name with the name of the template for Account B. To create a template in a different Region, add --region target_region.

Example JSON file for Account B:

{
  "SourceTemplate": {
    "Arn": "arn:aws:quicksight:aws_region:account_a_id:template/template_id"
  }
}

3.    Confirm that the template is created:

aws quicksight describe-template --aws-account-id account_b_id --template-id template_id

Note: Confirm that the response for the describe-template command contains a CREATION_SUCCESSFUL status.

