Share Your AWS re:Post Experience - Quick 3 Question Survey
Help us improve AWS re:Post! We're interested in understanding how you use re:Post and its impact on your AWS journey. Please take a moment to complete our brief 3-question survey.
How do I use templates to set up cross-account access in Amazon QuickSight?
I want to share my datasets and dashboard with another AWS account in Amazon QuickSight.
Short description
You can use templates to create cross-account access to share your Amazon QuickSight analysis and dashboard across other AWS accounts and AWS Regions. You can also use the templates to create dashboards or other templates.
Complete the following steps to provide cross-account access in QuickSight:
- In Account A, create a new template from an existing analysis.
- In Account B, use the same schema in Account A to create a dataset.
- Create a dashboard in Account B from the template in Account A.
(Optional) Create a template in Account B from the existing template in Account A. Use this option if you want to move resources from one account to another, and remove the resources from the source account.
Note: This article uses the AWS Command Line Interface (AWS CLI) with the steps for cross-account access. If you receive errors when you run AWS CLI commands, then see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.
Resolution
Create a template in Account A from an existing analysis in the same account
-
Use the list-dashboards AWS CLI command to list the dashboards that are available in your account:
aws quicksight list-dashboards --aws-account-id account_a_id
Note: Replace account_a_id with the ID of Account A.
-
Note the ID of the dashboard that you want to share.
-
Use the describe-dashboard AWS CLI command to get details from the dashboard:
aws quicksight describe-dashboard --aws-account-id account_a_id --dashboard-id dashboard_id
Note: Replace dashboard_id with your dashboard's ID.
-
Create the template's JSON file, and include the ARNs of the analysis and dataset:
{ "SourceEntity": { "SourceAnalysis": { "Arn": "arn:aws:quicksight:aws_region:account_a_id:analysis/analysis_id", "DataSetReferences": [ { "DataSetPlaceholder": "dataset_name", "DataSetArn": "arn:aws:quicksight:aws_region:account_a_id:dataset/dataset_id" } ] } }, "VersionDescription": "1" }
Note: Replace aws_region with your AWS Region, analysis_id with the ID of your analysis, dataset_name with the dataset name, and dataset_id with your dataset ID.
-
Create a template in the same Region as your analysis:
aws quicksight create-template --aws-account-id account_a_id --template-id template_name --cli-input-json file://template.json --profile default
Note: Replace template_name with the name of the template for Account A.
-
Run the AWS CLI command describe-template to confirm that the template was created:
aws quicksight describe-template --aws-account-id account_a_id --template-id template_id
Note: Replace template_id with your template's ID. Confirm that the response for the describe-template command contains a CREATION_SUCCESSFUL status.
-
Note the template's ARN from the output to use in a later step.
-
Use the update-template-permissions AWS CLI command to grant cross-account READ permission from the template in Account A to Account B:
aws quicksight update-template-permissions --aws-account-id account_a_id --template-id template_id --grant-permissions file://TemplatePermission.json
Example permission JSON file:
[ { "Principal": "arn:aws:iam::account_b_id:root", "Actions": [ "quicksight:UpdateTemplatePermissions", "quicksight:DescribeTemplate" ] } ]
Note: Replace account_b_id with Account B's ID. To share the template with multiple accounts, include the root of all the accounts as the Principal. You can share the template only with the root account. The Principal element doesn't support AWS Identity and Access Management (IAM) roles.
Use the same schema as Account A to create a dataset in Account B
You can't create a dashboard directly from a dataset that's in another account such as Account A. Instead, you must create the same dataset in the account that you want to create the dashboard such as Account B. Then, create the dashboard from the newly created dataset.
-
Use either the Amazon QuickSight console or the AWS CLI to create the dataset in Account B.
Use the Amazon QuickSight console
To use the Amazon QuickSight console to create the dataset, see Creating datasets.
Use the AWS CLI
Use the create-data-set AWS CLI command to create the dataset:
aws quicksight create-data-set --aws-account-id account_b_id --dataset-id dataset_name --cli-input-json file://datasetB.json
Example dataset JSON file:
{ "Name": "dataset_name", "PhysicalTableMap": { "Physicaltablename": { "RelationalTable": { "DataSourceArn": "arn:aws:quicksight:aws_region:account_b_id:datasource/datasource_id", "Schema": "schema_name", "Name": "table_name", "InputColumns": [ { "Name": "column_name", "Type": "STRING"|"INTEGER"|"DECIMAL"|"DATETIME"|"BIT"|"BOOLEAN"|"JSON" } ] } } }, "LogicalTableMap": { "Logicaltablename": { "Alias": "any_alias", "DataTransforms": [ { "ProjectOperation": { "ProjectedColumns": [ "column_name", "column_name" ] } } ], "Source": { "PhysicalTableId": "Physicaltablename" } } }, "ImportMode": "SPICE", "Permissions": [ { "Principal": "arn:aws:quicksight:aws_region:account_b_id:user/namespace/user_name", "Actions": [ "quicksight:UpdateDataSetPermissions", "quicksight:DescribeDataSet", "quicksight:DescribeDataSetPermissions", "quicksight:PassDataSet", "quicksight:DescribeIngestion", "quicksight:ListIngestions", "quicksight:UpdateDataSet", "quicksight:DeleteDataSet", "quicksight:CreateIngestion", "quicksight:CancelIngestion" ] } ] }
Note: Replace namespace with your namespace and user_name with the name of the QuickSight user. The preceding example refers to a SPICE dataset.
-
Confirm that the dataset is successfully created:
aws quicksight describe-data-set --aws-account-id account_b_id --data-set-id dataset_id
Confirm that response for the describe-data-set command contains a status code of 201. The 201 status code means that the dataset is successfully created.
-
Note the dataset's ARN from the output to use in a later step.
Create a dashboard in Account B from the template in Account A
-
Run the following command, and include the template's ARN:
aws quicksight create-dashboard --aws-account-id account_b_id --dashboard-id dashboard_id --name dashboard_name --source-entity file://DashboardFromTemplate.json
Note: You can add the --region target_region parameter to create the dashboard in a different Region. Replace target_region with the Region that you want to create the template in.
Example dashboard JSON file for Account B:
{ "SourceTemplate": { "DataSetReferences": [ { "DataSetPlaceholder": "dataset_name", "DataSetArn": "arn:aws:quicksight:aws_region:account_b_id:dataset/dataset_id" } ], "Arn": "arn:aws:quicksight:aws_region:account_a_id:template/template_id" } }
In the preceding dashboard JSON file:
- For DataSetPlaceholder, you must use the same dataset name from Account A's template.
- For DataSetARN, use can use the ARN of the dataset that you created in Account B.
- For Arn, you can use the ARN of the template that you created in Account A.
-
Confirm that the dashboard is successfully created:
aws quicksight describe-dashboard --aws-account-id account_b_id --dashboard-id dashboard_id
Note: Confirm that the response for the describe-dashboard command contains a status code of 200. The 200 status code means that the dashboard exists.
-
Use the update-dashboard-permissions AWS CLI command to grant the appropriate permissions to QuickSight users:
aws quicksight update-dashboard-permissions --aws-account-id account_b_id --dashboard-id dashboard_id --grant-permissions file://DashboardPermission.json
Example dashboard JSON file:
[ { "Principal": "arn:aws:quicksight:aws_region:account_b_id:user/namespace/quicksight_user_name", "Actions": [ "quicksight:DescribeDashboard", "quicksight:ListDashboardVersions", "quicksight:UpdateDashboardPermissions", "quicksight:QueryDashboard", "quicksight:UpdateDashboard", "quicksight:DeleteDashboard", "quicksight:DescribeDashboardPermissions", "quicksight:UpdateDashboardPublishedVersion" ] } ]
In the preceding example dashboard JSON file, the QuickSight user is granted co-owner access. To provide READ only access to users, specify the following permissions:
"quicksight:DescribeDashboard", "quicksight:ListDashboardVersions", "quicksight:QueryDashboard"
(Optional) Create a template in Account B from the existing template in Account A
-
Confirm that your IAM user or role has the appropriate permissions. You must have the following permissions to access a cross-account template in QuickSight:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Resource": "arn:aws:quicksight:aws_region:account_a_id:template/template_id", "Action": "quicksight:DescribeTemplate" }, { "Effect": "Allow", "Resource": "*", "Action": "quicksight:CreateTemplate" } ] }
-
Create a new template in Account B from the template in Account A:
aws quicksight create-template --aws-account-id account_b_id --template-id template_name --source-entity file://templateB.json
Note: Replace template_name with the name of the template for Account B. To create a template in a different Region, add --region target_region.
Example JSON file for Account B:
{ "SourceTemplate": { "Arn": "arn:aws:quicksight:region:account_a_id:template/template_id" } }
-
Confirm that the template is created:
aws quicksight describe-template --aws-account-id account_b_id --template-id template_id
Note: Confirm that the response for the describe-template command contains a status CREATION_SUCCESSFUL status.
Related information

Relevant content
- asked 8 months agolg...
- Accepted Answerasked 3 years agolg...
- asked 2 years agolg...
- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated 2 years ago
- AWS OFFICIALUpdated 5 months ago