How do I set up cross-account access from Amazon QuickSight to an Amazon S3 bucket in another account?
Last updated: 2021-03-04
I'm trying to create a dataset in Amazon QuickSight using data from an Amazon Simple Storage Service (Amazon S3) bucket in another account. How can I do this?
Short description
To create cross-account access from Amazon QuickSight to an encrypted Amazon S3 bucket in another account, perform the following steps:
1. Update your Amazon S3 bucket policy in Account B (where your S3 bucket resides).
2. Add the Amazon S3 bucket (Account B) as a resource that the Amazon QuickSight service role (Account A) can access.
3. Allow your Amazon QuickSight service role (Account A) access to the KMS key for your Amazon S3 bucket (Account B).
Note: This article assumes that your Amazon S3 bucket is encrypted with a customer managed AWS KMS key (SSE-KMS). Objects encrypted with SSE-S3 (AES-256) need no KMS permissions, and the AWS managed key (aws/s3) can't be granted to a principal in another account, so cross-account access to SSE-KMS data requires a customer managed key. It's also a best practice to encrypt your Amazon S3 bucket with a KMS key. For more information, see How do I enable default encryption for an Amazon S3 bucket?.
Resolution
Updating your Amazon S3 bucket policy in Account B (where your S3 bucket resides)
To set up cross-account access from Amazon QuickSight to Amazon S3, perform the following steps:
1. Update the bucket policy of your Amazon S3 bucket (in Account B) like this:
{
  "Version": "2012-10-17",
  "Id": "BucketPolicy",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<Account A>:role/service-role/aws-quicksight-service-role-v0"
      },
      "Action": ["s3:ListBucket", "s3:GetObject", "s3:GetObjectVersion"],
      "Resource": [
        "arn:aws:s3:::cross-account-qstest-bucket",
        "arn:aws:s3:::cross-account-qstest-bucket/*"
      ]
    }
  ]
}
2. Create a KMS grant that lets your Amazon QuickSight service role (from Account A) decrypt with the Amazon S3 bucket's KMS key. Run this command with credentials from Account B, which owns the key:
aws kms create-grant --key-id <KMS key ARN> --grantee-principal <Amazon QuickSight Role ARN> --operations Decrypt
Note: To obtain your KMS key ARN, open the Amazon S3 console. Go to the Amazon S3 bucket that contains your data file and choose the Properties tab. The key ARN is located under Default encryption.
To obtain the Amazon QuickSight service role ARN, open the AWS Identity and Access Management (IAM) console in Account A, where your Amazon QuickSight subscription resides. Choose Roles from the left navigation pane. Search for aws-quicksight-service-role and select your Amazon QuickSight service role. Copy the service role ARN.
Adding the Amazon S3 bucket (Account B) as a resource that the Amazon QuickSight service role (Account A) can access
To allow your Amazon QuickSight service role access to the Amazon S3 bucket in another account, perform the following steps:
1. Open your Amazon QuickSight console.
2. Choose Manage QuickSight.
3. Choose Security & permissions.
4. Choose Add or remove.
5. Choose Details.
6. Choose Select S3 buckets.
7. Choose the S3 buckets that you can access across AWS tab to verify that your S3 bucket is listed for Amazon QuickSight access.
8. (Optional) If your Amazon S3 bucket isn't listed, add your bucket under Use a different bucket.
9. Choose Finish.
Allowing the Amazon QuickSight service role (Account A) access to the KMS key for your Amazon S3 bucket (Account B)
Add the following inline IAM policy to the Amazon QuickSight service role in Account A. Replace the Region, account ID, and key ID with those of the KMS key that encrypts your bucket in Account B:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ExampleStmt3",
      "Effect": "Allow",
      "Action": [
        "kms:Decrypt"
      ],
      "Resource": "arn:aws:kms:us-east-1:<account ID of your S3 bucket>:key/<KEYID>"
    }
  ]
}
This policy allows the Amazon QuickSight service role to use your KMS key in Account B, where your Amazon S3 bucket resides. Make sure to add the policy inline.
If you attach the policy to your Amazon QuickSight service role as a managed policy instead of adding it inline, you might encounter a permissions error. For information on how to resolve this permissions error, see How do I troubleshoot AWS resource permission errors in Amazon QuickSight?
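The three policy changes above (the bucket policy in Account B, the KMS grant in Account B, and the inline role policy in Account A) are easy to get subtly wrong: put-bucket-policy replaces the whole bucket policy rather than appending to it, a key ARN from the wrong account silently fails at query time, and a stray character in the JSON is rejected only when you apply it. The following script is an added example, not code from the original article or from AWS. It builds the documents, merges the QuickSight statement into an existing bucket policy, checks them for those mistakes, and prints the AWS CLI commands to apply them. The account IDs, bucket name, key ID, Sids, and CLI profile names (accountA, accountB) are constructed placeholders; only the standard library is used, so nothing is sent to AWS.

```python
"""Build, merge and sanity-check the policies for QuickSight (Account A) to read a
KMS-encrypted S3 bucket in Account B, then print the AWS CLI commands to apply them.
Added example; account IDs, bucket, key ID, Sids and profile names are placeholders."""
import json
import re

QS_ROLE_NAME = "aws-quicksight-service-role-v0"   # default QuickSight service role name
QS_SID = "QuickSightCrossAccountRead"             # hypothetical Sid for the bucket statement
KMS_SID = "QuickSightDecryptAccountBKey"          # hypothetical Sid / policy name for the role policy
KEY_ARN_RE = re.compile(r"^arn:aws:kms:[a-z0-9-]+:(\d{12}):key/[0-9a-f-]{36}$")


def _as_list(x):
    return x if isinstance(x, list) else [x]


def _load(doc):
    """Accept a policy as a JSON string (as stored in AWS) or an already parsed dict."""
    return json.loads(doc) if isinstance(doc, str) else doc


def quicksight_role_arn(account_a):
    return f"arn:aws:iam::{account_a}:role/service-role/{QS_ROLE_NAME}"


def bucket_statement(account_a, bucket):
    """Read-only statement for Account B's bucket policy (step 1 above)."""
    return {
        "Sid": QS_SID,
        "Effect": "Allow",
        "Principal": {"AWS": quicksight_role_arn(account_a)},
        "Action": ["s3:ListBucket", "s3:GetObject", "s3:GetObjectVersion"],
        "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
    }


def merge_bucket_policy(existing, statement):
    """put-bucket-policy replaces the whole policy, so merge instead of overwriting.
    A statement that already carries our Sid is replaced; every other statement is kept."""
    policy = _load(existing) if existing else {"Version": "2012-10-17", "Statement": []}
    stmts = [s for s in _as_list(policy.get("Statement", [])) if s.get("Sid") != statement["Sid"]]
    policy["Statement"] = stmts + [statement]
    return policy


def inline_role_policy(key_arn):
    """Inline policy for the QuickSight service role in Account A (step 3 above)."""
    return {"Version": "2012-10-17",
            "Statement": [{"Sid": KMS_SID, "Effect": "Allow", "Action": ["kms:Decrypt"], "Resource": key_arn}]}


def check_documents(bucket_policy, role_policy, account_a, account_b, bucket):
    """Return a list of problems (empty means consistent): malformed JSON, no statement for the
    QuickSight role, missing bucket or bucket/* resource, or a kms:Decrypt key not owned by Account B."""
    try:
        bucket_policy, role_policy = _load(bucket_policy), _load(role_policy)
    except json.JSONDecodeError as exc:
        return [f"policy is not valid JSON: {exc}"]
    problems = []
    role_arn = quicksight_role_arn(account_a)
    ours = [s for s in _as_list(bucket_policy.get("Statement", []))
            if isinstance(s.get("Principal"), dict) and role_arn in _as_list(s["Principal"].get("AWS", []))]
    if not ours:
        problems.append(f"bucket policy has no statement for {role_arn}")
    else:
        need = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
        got = {r for s in ours for r in _as_list(s.get("Resource", []))}
        if not need <= got:
            problems.append("bucket policy must cover both the bucket ARN and bucket/* for the QuickSight role")
    for s in _as_list(role_policy.get("Statement", [])):
        if "kms:Decrypt" not in _as_list(s.get("Action", [])):
            continue
        for res in _as_list(s.get("Resource", [])):
            m = KEY_ARN_RE.match(res)
            if not m:
                problems.append(f"kms:Decrypt resource is not a KMS key ARN: {res!r}")
            elif m.group(1) != account_b:
                problems.append(f"kms:Decrypt key belongs to {m.group(1)}, not Account B ({account_b})")
    return problems


def cli_commands(account_a, bucket, key_arn, profile_a="accountA", profile_b="accountB"):
    """Commands that apply the three steps. The bucket policy and the grant are changed with
    Account B credentials (bucket and key owner), the inline role policy with Account A credentials.
    Assumes bucket-policy.json and role-policy.json hold the documents built above."""
    role_arn = quicksight_role_arn(account_a)
    return [
        f"aws --profile {profile_b} s3api put-bucket-policy --bucket {bucket} --policy file://bucket-policy.json",
        f"aws --profile {profile_b} kms create-grant --key-id {key_arn} --grantee-principal {role_arn} --operations Decrypt",
        f"aws --profile {profile_a} iam put-role-policy --role-name {QS_ROLE_NAME} --policy-name {KMS_SID} "
        "--policy-document file://role-policy.json",
        f"aws --profile {profile_b} kms list-grants --key-id {key_arn}   # verify the grant was created",
    ]


if __name__ == "__main__":
    ACCOUNT_A, ACCOUNT_B, BUCKET = "111111111111", "222222222222", "cross-account-qstest-bucket"
    KEY_ARN = f"arn:aws:kms:us-east-1:{ACCOUNT_B}:key/1234abcd-12ab-34cd-56ef-1234567890ab"
    # Constructed existing bucket policy with an unrelated statement that must survive the merge.
    EXISTING = json.dumps({"Version": "2012-10-17", "Statement": [{
        "Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
        "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
        "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]})
    bp = json.dumps(merge_bucket_policy(EXISTING, bucket_statement(ACCOUNT_A, BUCKET)), indent=2)
    rp = json.dumps(inline_role_policy(KEY_ARN), indent=2)
    print(bp, rp, sep="\n")
    print("problems:", check_documents(bp, rp, ACCOUNT_A, ACCOUNT_B, BUCKET) or "none")
    print("\n".join(cli_commands(ACCOUNT_A, BUCKET, KEY_ARN)))
```

Write the two printed documents to bucket-policy.json and role-policy.json before running the commands, and keep the merge step: fetching the current policy with aws s3api get-bucket-policy and merging into it avoids removing other principals' access when you apply the new one.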
Additional considerations
Here are some additional considerations:
- Check the IAM policy assignments in your Amazon QuickSight account. The IAM role policies must grant the Amazon QuickSight service role access to the Amazon S3 bucket. For more information about viewing your policy assignments, see Setting granular access to AWS services through IAM.
- Use your manifest file to connect to your Amazon S3 bucket and create a dataset using S3 files. Make sure to use a supported format for your Amazon S3 manifest file.