How do I set up cross-account access from Amazon QuickSight to an Amazon S3 bucket in another account?
I'm trying to create a dataset in Amazon QuickSight using data from an Amazon Simple Storage Service (Amazon S3) bucket in another account. How can I do this?
Complete the following steps to create cross-account access from Amazon QuickSight (Account A) to an encrypted Amazon S3 bucket in another account (Account B):
1. Update your S3 bucket policy in Account B (where your S3 bucket resides).
2. Add the S3 bucket as a resource that the QuickSight service role (Account A) can access.
3. Allow the QuickSight service role access to the AWS Key Management Service (KMS) key for the S3 bucket.
Note: This article assumes that your S3 bucket is encrypted. It's also a best practice to encrypt your S3 bucket with an AWS KMS key. For more information about how to enable default encryption for Amazon S3, see Enabling Amazon S3 default bucket encryption.
Update your S3 bucket policy in Account B
To set up cross-account access from QuickSight to Amazon S3, complete the following steps:
Note: If the aws-quicksight-s3-consumers-role-v0 role exists in Account A, then make sure to use this role instead. Replace aws-quicksight-service-role-v0 with aws-quicksight-s3-consumers-role-v0 to avoid connection issues with Amazon S3.
2. Add the QuickSight service role from Account A to the list of users that can access the S3 bucket's AWS KMS key:
"Resource": "arn:aws:kms:us-east-1:<account ID of your S3 bucket>:key/<KEYID>"
Note: The preceding inline policy allows the QuickSight service role to access your AWS KMS key in Account B. Replace ExampleStmt3 with your statement ID.
Important: If the aws-quicksight-s3-consumers-role-v0 role exists in Account A, then you must attach the AWS KMS policy to the role. The AWS KMS policy decrypts the data in your S3 bucket. If you attach the updated role policy to your QuickSight service role instead, then you might encounter a permissions error. For information on how to resolve the permissions error, see How do I troubleshoot AWS resource permission errors in Amazon QuickSight?
When you're setting up cross-account access from QuickSight to an S3 bucket in another account, consider the following:
Check the IAM policy assignments in your QuickSight account. The IAM role policies must grant the QuickSight service role access to the S3 bucket. For more information about viewing your policy assignments, see Setting granular access to AWS services through IAM.
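The following Python script is an added example, not part of this article or of AWS's own tooling. It builds the three policy documents the steps above describe (the Account B bucket policy, the statement to add to the Account B KMS key policy, and the inline policy for the Account A QuickSight role, keeping the article's ExampleStmt3 statement ID) and then runs a simplified grant check of the kind you would do when reviewing the IAM policy assignments mentioned in the last point. The account IDs and bucket name are constructed placeholders, the `<KEYID>` placeholder is kept from the article, and the `role/service-role/` path for the QuickSight role is an assumption about how the role was created; the check ignores policy conditions, so a positive result is necessary but not sufficient for access to work.

```python
"""Policies for cross-account QuickSight -> S3 access plus a minimal grant check (example code, not AWS's)."""
import fnmatch
import json

ACCOUNT_A = "111111111111"          # constructed: account that runs QuickSight
ACCOUNT_B = "222222222222"          # constructed: account that owns the bucket and KMS key
BUCKET = "example-quicksight-data"  # constructed bucket name
REGION = "us-east-1"
KEY_ID = "<KEYID>"                  # placeholder from the article; substitute your key ID
KEY_ARN = f"arn:aws:kms:{REGION}:{ACCOUNT_B}:key/{KEY_ID}"

def quicksight_role_arn(account_id, consumers_role_exists=False):
    """Use aws-quicksight-s3-consumers-role-v0 when it exists, otherwise the
    service role. The service-role/ path is an assumption about your account."""
    name = ("aws-quicksight-s3-consumers-role-v0" if consumers_role_exists
            else "aws-quicksight-service-role-v0")
    return f"arn:aws:iam::{account_id}:role/service-role/{name}"

def bucket_policy(role_arn):
    """Account B bucket policy: read-only and scoped to one role, not the whole account."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "QuickSightListBucket", "Effect": "Allow",
         "Principal": {"AWS": role_arn},
         "Action": ["s3:ListBucket"],
         "Resource": f"arn:aws:s3:::{BUCKET}"},
        {"Sid": "QuickSightGetObjects", "Effect": "Allow",
         "Principal": {"AWS": role_arn},
         "Action": ["s3:GetObject", "s3:GetObjectVersion"],
         "Resource": f"arn:aws:s3:::{BUCKET}/*"}]}

def kms_key_policy_statement(role_arn):
    """Statement to add to the Account B key policy: decrypt only, no key administration.
    Inside a key policy the Resource is always "*" (the key itself)."""
    return {"Sid": "QuickSightDecrypt", "Effect": "Allow",
            "Principal": {"AWS": role_arn},
            "Action": ["kms:Decrypt", "kms:DescribeKey"],
            "Resource": "*"}

def role_inline_policy():
    """Inline policy for the Account A role; ExampleStmt3 is the KMS statement
    the article refers to, with the S3 read grant alongside it."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "ExampleStmt3", "Effect": "Allow",
         "Action": ["kms:Decrypt", "kms:DescribeKey"],
         "Resource": KEY_ARN},
        {"Sid": "ExampleStmt4", "Effect": "Allow",
         "Action": ["s3:ListBucket", "s3:GetObject", "s3:GetObjectVersion"],
         "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"]}]}

def _as_list(v):
    return v if isinstance(v, list) else ([] if v is None else [v])

def _matches(patterns, value):
    # IAM-style "*" wildcards; fnmatch's "*" also crosses "/" like IAM's does
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))

def _principals(statement):
    princ = statement.get("Principal")
    return _as_list(princ.get("AWS") if isinstance(princ, dict) else princ)

def allows(policy, action, resource, principal=None):
    """Simplified IAM evaluation: an Allow must match action and resource (and
    the principal for resource policies); an explicit Deny wins. Conditions
    are not modelled, so a True result is necessary but not sufficient."""
    allowed = False
    for st in policy["Statement"]:
        if not _matches(st["Action"], action) or not _matches(st["Resource"], resource):
            continue
        if principal is not None and not _matches(_principals(st), principal):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

def overbroad_findings(policy):
    """Flag grants a reviewer should reject in a cross-account policy: anonymous
    or account-root principals and wildcard actions."""
    findings = []
    for st in policy["Statement"]:
        if st["Effect"] != "Allow":
            continue
        for p in _principals(st):
            if p == "*" or p.endswith(":root"):
                findings.append(f"{st['Sid']}: principal {p} is broader than one role")
        for a in _as_list(st["Action"]):
            if a.endswith("*"):
                findings.append(f"{st['Sid']}: wildcard action {a}")
    return findings

if __name__ == "__main__":
    role = quicksight_role_arn(ACCOUNT_A)
    for doc in (bucket_policy(role), kms_key_policy_statement(role), role_inline_policy()):
        print(json.dumps(doc, indent=2))
    print("findings:", overbroad_findings(bucket_policy(role)))
```

Run the script to print the three documents ready to paste into the Account B bucket policy, the Account B key policy, and the Account A role's inline policy. Granting the bucket to the whole Account A root principal instead of the single QuickSight role would also work technically, but `overbroad_findings` flags it because it lets every role in Account A read the data, which is the kind of over-grant the policy assignment check in the last point is meant to catch.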