How do I set up cross-account access using templates in Amazon QuickSight?

Last updated: 2020-12-16

I'm trying to create cross-account access to my dataset and dashboard in Amazon QuickSight. How can I do this?

Short description

You can create cross-account access to your Amazon QuickSight dataset and dashboard between two different AWS accounts. To create the cross-account access, use the CreateTemplate API operation. The template API object allows you to create a template from an existing Amazon QuickSight analysis or template. Then, use the CreateDashboard API to create a dashboard.

Important: Make sure that the appropriate READ permissions are established from the source account. After the correct permissions are established, you' can create or share a dashboard from a template) in another AWS account.

You can create the following types of cross-account access in Amazon QuickSight:
  • Create a new template in another AWS account (Account B) from an existing template (Account A).
  • Create a dashboard in another AWS account (Account B) from an existing template (Account A).
Note: In this article, we outline the steps for cross-account access using the AWS Command Line Interface (AWS CLI) or Boto3 SDK. If you receive errors when running AWS CLI commands, make sure that you’re using the most recent AWS CLI version.

Resolution

Create a dataset in Account B using the same schema as Account A

Create a dataset using the same schema as Account A:

aws quicksight create-data-set --cli-input-json file://<dataset.json>

-or-

Use the following Boto3 SDK query to create a dataset in Account B using the same schema as Account A:

response = client.create_data_set(
    AwsAccountId='<string>',
    DataSetId='<string>',
    Name='<string>',
	 'S3Source': {
                'DataSourceArn': 'arn:aws:quicksight:<region>:<Account-ID>:datasource/<datasource-name>"',
                'InputColumns': [
                {
                "Name": "Col1",
                "Type": "INTEGER"
                },
                {
                "Name": "col2",
                "Type": "DECIMAL"
                },
                {
                "Name": "col3",
                "Type": "INTEGER"
                },
                {
                "Name": "col4",
                "Type": "DECIMAL"
                }
                ]
            },
   ImportMode='SPICE'|'DIRECT_QUERY',
 
)

In this example query, we are using Amazon Simple Storage Service (Amazon S3) as a data source.

To obtain the dataset ARN, use the following command:

aws quicksight list-data-sets --aws-account-id <value>

Create a template in Account A from the existing analysis in Account A

Use the create-template AWS CLI command for Account A to create a template in the AWS Region where your analysis resides.

Important: You can't create templates across different AWS Regions.

Use the following AWS CLI command syntax to create a template in Account A:

aws quicksight create-template --aws-account-id <Account_A> --template-id firsttemplate --source-entity file://template.json --profile default

-or-

Use the following Boto3 SDK query to create a template in Account A:

%config IPCompleter.greedy=True
import boto3
default_namespace = 'default'
account_id = 'Account_A'
client = boto3.client('quicksight')
response = client.create_template( AwsAccountId=account_id, TemplateId='jabsma13', Name='jasbir', SourceEntity={ 'SourceAnalysis': { 'Arn': 'arn:aws:quicksight:us-east-1:12150061445:analysis/198ab579-d3ce-4401-b793-50dd2f81fcd9',
                'DataSetReferences': [ { 'DataSetPlaceholder': 'test', 'DataSetArn': 'arn:aws:quicksight:us-east-1:121500614395:dataset/639111f1-36d2-4873-947a-f94dc9a148bb' }, ] } }, Tags=[ { 'Key': 'jsabir', 'Value': 'singh' }, ], VersionDescription='1'
                )

Here's an example of a template JSON file (template.json):

{
  "SourceAnalysis": {
    "Arn": "arn:aws:quicksight:<Region of analysis>:<Account_A>:analysis/<Analysis ID>",
    "DataSetReferences": [
      {
        "DataSetPlaceholder": "<Any name>",
        "DataSetArn": "arn:aws:quicksight:<dataset region>:<Account_A>:dataset/<DatasetID>"
      }
    ]
  }
}

Creating a template in Account B from an existing template in Account A

1.    In Account A, call the UpdateTemplatePermissions API to grant cross-account READ permission from the source template (Account A) to Account B.

AWS CLI

aws quicksight update-template-permissions --aws-account-id <Account_A> --template-id firsttemplate --grant-permissions file://TemplatePermission.json --profile default

Update your template file (TemplatePermission.json) like this:

[{
    "Principal": "arn:aws:iam::<Account_B>:root",
    "Actions": ["quicksight:UpdateTemplatePermissions", "quicksight:DescribeTemplate"]
}]

Boto3 SDK

response_updated_perm = client.update_template_permissions(
    AwsAccountId='Account_A',
    TemplateId='kumo-123',
    GrantPermissions=[
        {
            'Principal': 'arn:aws:iam::<Account_B>:root',
            'Actions': [
                'quicksight:UpdateTemplatePermissions',
                 'quicksight:DescribeTemplate'
            ]
            
        },
    ]
)

print(response_updated_perm

2.    Set up the proper AWS Identity and Access Management (IAM) permissions for the IAM user (QS-Test) in Account B:

{
	"Version": "2012-10-17",
	"Statement": [{
			"Effect": "Allow",
			"Resource": "arn:aws:quicksight:us-east-1:<Account_A>:template/kumo-123",
			"Action": "quicksight:DescribeTemplate"
		},
		{
			"Effect": "Allow",
			"Resource": "*",
			"Action": "quicksight:CreateTemplate"
		}
	]
}

The IAM user (QS-Test) must have permission to perform the following actions:

quicksight:DescribeTemplate on the template file created in Account A
quicksight:CreateTemplate to create new templates in Account B

3.    Assume your IAM role with the permissions defined in Step 2.

AWS CLI

aws sts assume-role \
     --role-arn "arn:aws:iam::<Account_B>:role/<role_name>" \
     --role-session-name john.doe@example.com

export.export AWS_ACCESS_KEY_ID = "access_key_from_assume_role"
export AWS_SECRET_ACCESS_KEY = "secret_key_from_assume_role"
export AWS_SESSION_TOKEN = "session_token_from_assume_role"

Boto3 SDK

/code 
sts_client  = boto3.client('sts')

assumed_role_object=sts_client.assume_role(
    RoleArn="arn:aws:iam::<Account_B>:role/<role_name>",
    RoleSessionName="AssumeRoleSession1"
)

credentials=assumed_role_object['Credentials']

QS=boto3.client(
    'quicksight',
    aws_access_key_id=credentials['AccessKeyId'],
    aws_secret_access_key=credentials['SecretAccessKey'],
    aws_session_token=credentials['SessionToken'],
)

Use the temporary credentials that AssumeRole returns to make a connection to Amazon QuickSight.

4.    Create your template in Account B.

AWS CLI

aws quicksight create-template --aws-account-id <Account B ID> --template-id firsttemplate --source-entity file://TemplateFromTemplate.json --profile default

The template file in Account B (TemplateFromTemplate.json) looks like this:

{
      "SourceTemplate": {
        "Arn": "arn:aws:quicksight:us-east-1:<Account A ID>:template/firsttemplate"
  }

Boto3 SDK

# Create template in Account B

client = boto3.client(
  'quicksight',
  # Hard coded strings as credentials, not recommended.
  aws_access_key_id='xxxxxxx',
  aws_secret_access_key='xxxxxxxxx'
)

response = client.create_template(
    AwsAccountId='Account_B',
    TemplateId='XXXXXXX',
    Name='XXXXXX',
    SourceEntity={
    'SourceTemplate': {
            'Arn': 'arn:aws:quicksight:us-east-1:<Account_A>:template/kumo-123'
        }
    }
)

print(response)

5.    Use the list_template API to verify the template in Account B:

AWS CLI

aws quicksight list-templates --aws-account-id <Account B>

Boto3 SDK

responsetemplates_B = client.list_templates(
    AwsAccountId='Account_B')

print(responsetemplates_B['TemplateSummaryList'])

Creating a dashboard in Account B from the template we just created in Account A

1.    Create a dashboard in Account B from the template in Account A. Or, you can create the dashboard using the newly created template in Account B.

AWS CLI

aws quicksight create-dashboard --aws-account-id <Account B ID> --dashboard-id <any ID> --name <any dashboard name> --source-entity file://DashboardFromTemplate.json

Here's an example of what your dashboard JSON file ( DashboardFromTemplate.json) looks like:

{
  "SourceTemplate": {
    "DataSetReferences": [
      {
        "DataSetPlaceholder": "placeholder", // the place holder you have provided while creating the template in step 1.
        "DataSetArn": "arn:aws:quicksight:us-east-1:<Account B ID>:dataset/<Dataset ID>"
      }
    ],
    "Arn": "arn:aws:quicksight:us-east-1:<Account B ID>:template/<Template ID>"
  }
}

Boto3 SDK

response_dashboard = client.create_dashboard(
    AwsAccountId=Account_B_Id,
    DashboardId='Test',
    Name='test123',
    SourceEntity={
        'SourceTemplate': {
            'DataSetReferences': [
                {
                    'DataSetPlaceholder': 'test',
                    'DataSetArn': 'arn:aws:quicksight:us-east-1:<accountId B>:dataset/639111f1-36d2-4873-947a-f94dc9a148bb'
                },
            ],
            'Arn': 'arn:aws:quicksight:us-east-1:<Accout_A>:template/<TemplateName>'        }
    },
    Tags=[
        {
            'Key': 'test',
            'Value': 'jsb'
        },
    ]
    
        )

print(response_dashboard)

2.    Verify the newly created dashboard:

AWS CLI

aws quicksight list-dashboards \
 --aws-account-id <Account B>

Boto3 SDK

response_dashboards_B= client.list_dashboards(
    AwsAccountId='Account_B'
)
print(response_dashboards_A['DashboardSummaryList'])

3.    Grant the IAM permission to the assumed IAM role in Account B:

Note: The IAM policy can be limited to specific actions. Make sure to update the permissions of the new dashboard or it will not be visible in the Amazon QuickSight console.

AWS CLI

aws quicksight update-dashboard-permissions --aws-account-id <Account B> --dashboard-id <ID of newly created dashboard> --grant-permissions file://DashboardPermission.json

This command syntax grants the IAM role (QS-TEST) full access to the Amazon QuickSight dashboard. You can update the permissions of the new dashboard using the update-dashboard-permissions command.

Boto3 SDK

response = client.update_dashboard_permissions(AwsAccountId='string',DashboardId='string',GrantPermissions=[{'Principal': 'string','Actions': ['string',]},],RevokePermissions=[{'Principal': 'string','Actions': ['string',]},])

Here's an example of what your dashboard JSON file ( DashboardPermission.json) looks like:

[
  {
    "Principal": "arn:aws:quicksight:us-east-1:<Account_A ID >:user/default/<Quicksight user name>", // arn of the QuickSight user you want to assign ownership
    "Actions": ["quicksight:DescribeDashboard","quicksight:ListDashboardVersions","quicksight:UpdateDashboardPermissions","quicksight:QueryDashboard","quicksight:UpdateDashboard","quicksight:DeleteDashboard","quicksight:DescribeDashboardPermissions","quicksight:UpdateDashboardPublishedVersion"]
  }
]

The permissions listed in this template file grants you access as a co-owner of the dashboard.

To provide READ only access to other users, specify the following permissions:

quicksight:DescribeDashboard
quicksight:ListDashboardVersions
quicksight:QueryDashboard

In the following example, full access is granted using the "quicksight:*" Wildcard expression:

}
    ]
        }
"Effect": "Allow"
        "Resource": "*",
        "Action": "quicksight:*",
    "Statement": {
    "Version": "2012-10-17",
{

Did this article help?


Do you need billing or technical support?