How do I set up cross-account access from Amazon QuickSight to an Amazon S3 bucket in another account?

Last updated: 2021-03-04

I'm trying to create a dataset in Amazon QuickSight using data from an Amazon Simple Storage Service (Amazon S3) bucket in another account. How can I do this?

Short description

To create cross-account access from Amazon QuickSight to an encrypted Amazon S3 bucket in another account, perform the following steps:

1.    Update your Amazon S3 bucket policy in Account B (where your S3 bucket resides).

2.    Add the Amazon S3 bucket (Account B) as a resource that the Amazon QuickSight service role (Account A) can access.

3.    Allow your Amazon QuickSight service role (Account A) access to the KMS key for your Amazon S3 bucket (Account B).

Note: This article assumes that your Amazon S3 bucket is encrypted. It's also a best practice to encrypt your Amazon S3 bucket with a KMS key. For more information, see How do I enable default encryption for an Amazon S3 bucket?.

Resolution

Updating your Amazon S3 bucket policy in Account B (where your S3 bucket resides)

To set up cross-account access from Amazon QuickSight to Amazon S3, perform the following steps:

1.    Update the bucket policy of your Amazon S3 bucket (in Account B) like this:

{
    "Version": "2012-10-17",
    "Id": "BucketPolicy",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<Account A>:role/service-role/aws-quicksight-service-role-v0"
            },
            "Action": ["s3:ListBucket", "s3:GetObject", "s3:GetObjectVersion"],
            "Resource": [
                "arn:aws:s3:::cross-account-qstest-bucket",
                "arn:aws:s3:::cross-account-qstest-bucket/*"
            ]
        }
    ]
}

2.    Add your Amazon QuickSight service role (from Account A) to the list of users that can access the Amazon S3 bucket's KMS key:

aws kms create-grant --key-id <KMS key ARN> --grantee-principal <Amazon QuickSight Role ARN> --operations Decrypt

Note: To obtain your KMS key ARN, open the Amazon S3 console. Go to the Amazon S3 bucket that contains your data file and choose the Properties tab. The key ARN is located under Default encryption.

To obtain the Amazon QuickSight service role ARN, open the AWS Identity and Access Management (IAM) console in Account A, where your Amazon QuickSight subscription resides. Choose Roles from the left navigation pane. Search for aws-quicksight-service-role and select your Amazon QuickSight service role. Copy the service role ARN.

Adding the Amazon S3 bucket (Account B) as a resource that the Amazon QuickSight service role (Account A) can access

To allow your Amazon QuickSight service role access to the Amazon S3 bucket in another account, perform the following steps:

1.    Open your Amazon QuickSight console.

2.    Choose Manage QuickSight.

3.    Choose Security & permissions.

4.    Choose Add or remove.

5.    Choose Details.

6.    Choose Select S3 buckets.

7.    Choose the S3 buckets that you can access across AWS tab to verify that your S3 bucket is listed for Amazon QuickSight access.

8.    (Optional) If your Amazon S3 bucket isn't listed, add your bucket under Use a different bucket.

9.    Choose Finish.

Allowing the Amazon QuickSight service role (Account A) access to the KMS key for your Amazon S3 bucket (Account B)

Add the following in-line IAM policy to the Amazon QuickSight service role in Account A:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ExampleStmt3",
            "Effect": "Allow",
            "Action": [
                "kms:Decrypt"
            ],
            "Resource": "arn:aws:kms:us-east-1:<account ID of your S3 bucket>:key/<KEYID>"
        }
    ]
}

This updated policy allows the Amazon QuickSight service role to decrypt with your KMS key in Account B, where your Amazon S3 bucket resides. Make sure to add the policy in-line.

If you attach the policy to your Amazon QuickSight service role as a managed policy instead of adding it in-line, you might encounter a permissions error. For information on how to resolve this permissions error, see How do I troubleshoot AWS resource permission errors in Amazon QuickSight?
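The three pieces above (the bucket policy in Account B, the KMS grant, and the inline kms:Decrypt policy on the service role in Account A) are easy to paste with a typo or to widen by accident. The following Python script is an added example, not AWS documentation code or QuickSight's own tooling: it builds each document from account IDs and lints them for the least-privilege shape this article uses (one specific role as principal, read-only S3 actions, one KMS key ARN rather than "*"). It makes no AWS API calls; the account IDs, bucket name and key ID are constructed placeholders, and the lint rules are this example's own, not an AWS validator.

```python
import json
import re

# Constructed placeholder values for this example; substitute your own.
ACCOUNT_A = "111111111111"  # account that owns the QuickSight subscription
ACCOUNT_B = "222222222222"  # account that owns the bucket and the KMS key
BUCKET = "cross-account-qstest-bucket"
KEY_ARN = f"arn:aws:kms:us-east-1:{ACCOUNT_B}:key/11111111-2222-3333-4444-555555555555"

ROLE_NAME = "aws-quicksight-service-role-v0"
READ_ONLY_S3 = {"s3:ListBucket", "s3:GetObject", "s3:GetObjectVersion"}
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:role/.+$")
KEY_ARN_RE = re.compile(r"^arn:aws:kms:[a-z0-9-]+:\d{12}:key/[0-9a-f-]{36}$")


def quicksight_role_arn(account_a):
    """ARN of the QuickSight service role, as used as the bucket-policy principal."""
    return f"arn:aws:iam::{account_a}:role/service-role/{ROLE_NAME}"


def bucket_policy(account_a, bucket):
    """Step 1: bucket policy applied in Account B (read-only, single principal)."""
    return {
        "Version": "2012-10-17",
        "Id": "BucketPolicy",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": quicksight_role_arn(account_a)},
            "Action": sorted(READ_ONLY_S3),
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
        }],
    }


def kms_grant_params(key_arn, role_arn):
    """Step 2: the parameters behind `aws kms create-grant ... --operations Decrypt`."""
    return {"KeyId": key_arn, "GranteePrincipal": role_arn, "Operations": ["Decrypt"]}


def kms_inline_policy(key_arn):
    """Step 3: inline policy for the service role in Account A, scoped to one key."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "ExampleStmt3",
            "Effect": "Allow",
            "Action": ["kms:Decrypt"],
            "Resource": key_arn,
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _load(doc):
    """Accept a dict or JSON text; report a paste error as a finding instead of raising."""
    if isinstance(doc, dict):
        return doc, None
    try:
        return json.loads(doc), None
    except json.JSONDecodeError as exc:
        return None, f"invalid JSON: {exc.msg} at position {exc.pos}"


def lint_bucket_policy(doc):
    """Findings that widen access beyond the article's shape; [] means it matches."""
    doc, err = _load(doc)
    if err:
        return [err]
    findings = []
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if principal == "*":
            arns = ["*"]
        elif isinstance(principal, dict):
            arns = _as_list(principal.get("AWS", []))
        else:
            arns = []
        for arn in arns:
            if arn == "*":
                findings.append("wildcard principal: bucket would be readable by anyone")
            elif not ROLE_ARN_RE.match(arn):
                findings.append(f"principal is not a specific IAM role: {arn}")
        extra = set(_as_list(stmt.get("Action", []))) - READ_ONLY_S3
        if extra:
            findings.append(f"actions beyond read-only: {sorted(extra)}")
    return findings


def lint_kms_policy(doc):
    """Findings for the inline policy; [] means only kms:Decrypt on one key ARN."""
    doc, err = _load(doc)
    if err:
        return [err]
    findings = []
    for stmt in doc.get("Statement", []):
        extra = set(_as_list(stmt.get("Action", []))) - {"kms:Decrypt"}
        if extra:
            findings.append(f"actions beyond kms:Decrypt: {sorted(extra)}")
        for res in _as_list(stmt.get("Resource", [])):
            if not KEY_ARN_RE.match(res):
                findings.append(f"resource is not a single KMS key ARN: {res}")
    return findings


if __name__ == "__main__":
    print(json.dumps(bucket_policy(ACCOUNT_A, BUCKET), indent=4))
    print(kms_grant_params(KEY_ARN, quicksight_role_arn(ACCOUNT_A)))
    print(json.dumps(kms_inline_policy(KEY_ARN), indent=4))
```

Run the script to print the two policy documents ready to paste into the S3 bucket policy editor and the IAM inline-policy editor; run the lint functions over whatever you actually pasted to catch a stray quote (the linter reports it as invalid JSON), a "*" principal, or a KMS resource that was left as "*" instead of the key ARN from the bucket's Default encryption setting.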

Additional considerations

Here are some additional considerations: