I want to use data from an Amazon Simple Storage Service (Amazon S3) bucket in another AWS account to create a dataset in Amazon Quick Suite.
Resolution
Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshooting errors for the AWS CLI. Also, make sure that you're using the most recent AWS CLI version.
When you set up cross-account access from Quick Suite to an S3 bucket in another account, connect to the bucket through a manifest file and create the dataset from the S3 files that the manifest lists. Make sure that your S3 manifest file uses a supported format.
Update your S3 bucket policy in Account B
To set up cross-account access from Quick Suite to Amazon S3, complete the following steps:
- Update your S3 bucket policy in Account B to include the following statement:
{
  "Version": "2012-10-17",
  "Id": "BucketPolicy",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::Account_A:role/service-role/aws-quicksight-service-role-v0"
      },
      "Action": [
        "s3:ListBucket",
        "s3:GetObject",
        "s3:GetObjectVersion"
      ],
      "Resource": [
        "arn:aws:s3:::cross-account-qstest-bucket",
        "arn:aws:s3:::cross-account-qstest-bucket/*"
      ]
    }
  ]
}
Note: Replace Account_A with the 12-digit ID of the account where Quick Suite runs, and cross-account-qstest-bucket with your bucket name. If the aws-quicksight-s3-consumers-role-v0 role exists in Account A, then use this role instead. Replace aws-quicksight-service-role-v0 with aws-quicksight-s3-consumers-role-v0 to avoid connection issues with Amazon S3. The policy names the specific role ARN rather than the account's root principal, which keeps the grant scoped to Quick Suite. Keep in mind that if that role is later deleted and re-created, IAM replaces the ARN in the bucket policy with the deleted role's unique ID, and you must update the policy again.
- In Account B (the account that owns the AWS KMS key), run the following create-grant AWS CLI command to add the Quick Suite service role from Account A to the list of principals that can use the S3 bucket's AWS KMS key:
aws kms create-grant --key-id aws_kms_key_arn --grantee-principal quicksight_role_arn --operations Decrypt
Note: Replace aws_kms_key_arn with your AWS KMS key's Amazon Resource Name (ARN) and quicksight_role_arn with your Quick Suite role's ARN. The caller needs kms:CreateGrant permission on that key. Only the Decrypt operation is required for reading objects, so don't add other operations to the grant.
To get your AWS KMS key ARN, complete the following steps:
- Open the Amazon S3 console.
- In the navigation pane, choose Buckets, and then select the S3 bucket that contains your data file.
- Choose Properties, and then find your AWS KMS key ARN under Default encryption.
To get your Quick Suite service role ARN, complete the following steps:
- Open the AWS Identity and Access Management (IAM) console in Account A.
- In the navigation pane, choose Roles.
- Search for aws-quicksight-service-role.
- Select your Quick Suite service role, and then note its ARN.
Note: If the aws-quicksight-s3-consumers-role-v0 role exists in Account A, then use this role instead. Otherwise, you might receive an error when you try to connect to Amazon S3.
Add the S3 bucket as a resource that Account A can access
To allow Account A access to the S3 bucket in Account B, complete the following steps:
- Open your Amazon Quick Suite console.
- Choose Manage Quick Suite.
- Choose Permissions, and then choose AWS Resources.
- Choose Select S3 buckets.
- Choose S3 buckets that you can access across AWS to verify that your S3 bucket is listed for Quick Suite access.
Note: If your S3 bucket isn't listed, then add your bucket under Use a different bucket.
- Choose Finish.
Give Account A access to the AWS KMS key for the S3 bucket
It's a best practice to encrypt your S3 bucket with an AWS KMS key. For information about how to activate default encryption for Amazon S3, see Configuring default encryption.
Important: If the aws-quicksight-s3-consumers-role-v0 role exists in Account A, then attach the AWS KMS policy to this role instead of the Quick Suite service role. Otherwise, you might encounter a permissions error. For information about how to resolve the permissions error, see How do I troubleshoot AWS resource permission errors in Quick Suite?
If you don't have the aws-quicksight-s3-consumers-role-v0 role, then add the following inline policy to the service role to grant access to your AWS KMS key:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ExampleStmt3",
      "Effect": "Allow",
      "Action": [
        "kms:Decrypt"
      ],
      "Resource": "arn:aws:kms:region:S3_bucket_account_ID:key/key_ID"
    }
  ]
}
Note: Replace ExampleStmt3 with your statement ID and region with your S3 bucket's AWS Region. Also, replace S3_bucket_account_ID with the ID of the account where your S3 bucket and key reside (Account B, not Account A), and key_ID with your key ID. Scope the Resource to the single key ARN rather than "*". Cross-account KMS access requires both sides: this identity policy in Account A and the grant (or key policy statement) in Account B.
For more information, see Setting granular access to AWS services through IAM.
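The three artifacts above (the Account B bucket policy, the KMS grant, and the Account A inline policy) are easy to get subtly wrong: a missing "/*" resource breaks s3:GetObject, a missing bucket ARN breaks s3:ListBucket, a wildcard principal opens the bucket to every AWS account, and a key ARN that points at Account A instead of Account B fails at decrypt time. The following script is an added example, not code from this article or from AWS: it builds the documents from your identifiers and runs least-privilege checks on them before you apply them. The account IDs, bucket name and key ID are constructed placeholders; the CLI commands in the usage note are the standard ones for applying each document.

```python
"""Build and sanity-check the cross-account Quick Suite -> S3 policies.

Added example. The account IDs, bucket and key below are constructed
placeholders, not real resources.
"""
import json
import re

ACCOUNT_A = "111111111111"   # account where Quick Suite runs (constructed)
ACCOUNT_B = "222222222222"   # account that owns the bucket and key (constructed)
BUCKET = "cross-account-qstest-bucket"
KEY_ARN = f"arn:aws:kms:us-east-1:{ACCOUNT_B}:key/1234abcd-12ab-34cd-56ef-1234567890ab"

ROLE_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/.+$")
KMS_ARN_RE = re.compile(r"^arn:aws:kms:[a-z0-9-]+:(\d{12}):key/[0-9a-f-]+$")
READ_ONLY_S3 = {"s3:ListBucket", "s3:GetObject", "s3:GetObjectVersion"}


def quick_suite_role_arn(account_a, consumers_role_exists=False):
    """ARN of the role Quick Suite uses to reach S3 from Account A.
    Use the s3-consumers role when it exists (see the notes in the article)."""
    name = ("aws-quicksight-s3-consumers-role-v0" if consumers_role_exists
            else "aws-quicksight-service-role-v0")
    return f"arn:aws:iam::{account_a}:role/service-role/{name}"


def bucket_policy(bucket, role_arn):
    """Account B bucket policy: read-only access for one specific role."""
    return {
        "Version": "2012-10-17",
        "Id": "BucketPolicy",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": role_arn},
            "Action": sorted(READ_ONLY_S3),
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
        }],
    }


def kms_inline_policy(key_arn):
    """Inline policy for the Account A role: decrypt with Account B's key only."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Sid": "QuickSuiteDecrypt", "Effect": "Allow",
                       "Action": ["kms:Decrypt"], "Resource": key_arn}],
    }


def create_grant_argv(key_arn, role_arn):
    """argv for the create-grant command the article shows (run in Account B)."""
    return ["aws", "kms", "create-grant", "--key-id", key_arn,
            "--grantee-principal", role_arn, "--operations", "Decrypt"]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def check_bucket_policy(policy, bucket, account_a):
    """Least-privilege findings for the bucket policy; an empty list means clean."""
    findings = []
    want = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        values = principal.get("AWS", []) if isinstance(principal, dict) else principal
        for p in map(str, _as_list(values)):
            m = ROLE_ARN_RE.match(p)
            if p == "*" or p.endswith(":root"):
                findings.append(f"principal too broad: {p}")
            elif not m or m.group(1) != account_a:
                findings.append(f"principal is not a role in account {account_a}: {p}")
        extra = set(_as_list(stmt.get("Action", []))) - READ_ONLY_S3
        if extra:
            findings.append(f"non read-only actions: {sorted(extra)}")
        missing = want - set(_as_list(stmt.get("Resource", [])))
        if missing:
            findings.append(f"missing resources: {sorted(missing)}")
    return findings


def check_kms_inline_policy(policy, account_b):
    """Findings for the Account A inline policy: one Decrypt on a key in Account B."""
    findings = []
    for stmt in policy.get("Statement", []):
        if set(_as_list(stmt.get("Action", []))) != {"kms:Decrypt"}:
            findings.append("actions must be exactly kms:Decrypt")
        for res in _as_list(stmt.get("Resource", [])):
            m = KMS_ARN_RE.match(res)
            if not m:
                findings.append(f"resource is not a single key ARN: {res}")
            elif m.group(1) != account_b:
                findings.append(f"key ARN is not in bucket account {account_b}: {res}")
    return findings


if __name__ == "__main__":
    role = quick_suite_role_arn(ACCOUNT_A)
    bp, ip = bucket_policy(BUCKET, role), kms_inline_policy(KEY_ARN)
    print(json.dumps(bp, indent=2))
    print(json.dumps(ip, indent=2))
    print(" ".join(create_grant_argv(KEY_ARN, role)))
    print("bucket policy findings:", check_bucket_policy(bp, BUCKET, ACCOUNT_A))
    print("kms policy findings:", check_kms_inline_policy(ip, ACCOUNT_B))
```

Write each document to a file only after its check returns an empty list, then apply them with the matching CLI calls: the bucket policy in Account B with `aws s3api put-bucket-policy --bucket <bucket> --policy file://bucket-policy.json`, the grant in Account B with the printed create-grant command, and the inline policy in Account A with `aws iam put-role-policy --role-name <Quick Suite role> --policy-name QuickSuiteDecrypt --policy-document file://kms-policy.json`. Run the checks again on any hand-edited policy before reapplying it.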
Related information
Change a key policy
I can't connect to Amazon S3
Troubleshooting Amazon Quick Suite
View a key policy