Cross account access to QuickSight (password-less way)

0

I have two AWS accounts: Account A and Account B. IAM users from Account B typically access resources in Account A by assuming a role via IAM.

We are now planning to set up QuickSight dashboards in Account A. I want IAM users from Account B to access these dashboards using role assumption, without creating additional IAM users in Account A. I haven't found any models for this in QuickSight. Can someone provide guidance on how to achieve this?

P.S. I know that non-IAM users can be invited directly through QuickSight (signup using a password), but I’m seeking a passwordless solution for accessing QuickSight from non-IAM users.

1 Answer
2

Hello.

To provide cross-account access to Amazon QuickSight dashboards in Account A for IAM users from Account B, without creating additional IAM users in Account A or using passwords, please follow the steps below.

Create an IAM Role in Account A

  • Role Creation: In Account A, create an IAM role that can be assumed by IAM users from Account B.

  • Trust Policy: Configure the role's trust policy to allow Account B's users to assume the role. This establishes the trust relationship between the two accounts.

Grant QuickSight Access

  • Attach Permissions: Attach an IAM policy to the role that grants the necessary permissions to access QuickSight dashboards. This policy will allow the role to list, view, and embed the dashboards.

Share the QuickSight Dashboards

  • Dashboard Sharing: In QuickSight, share the dashboards with the IAM role created in Account A. This step ensures that when the role is assumed, the user will have access to the specific dashboards.

Assume the IAM Role from Account B

  • Role Assumption: Users in Account B will assume the IAM role in Account A using AWS Security Token Service (STS). This provides temporary security credentials that allow access to resources in Account A, including QuickSight.

Access the Dashboards

  • Pre-Signed URL: Use the GetDashboardEmbedUrl API in Account A to generate a pre-signed URL for the dashboards. This URL can be used by the users in Account B to access the QuickSight dashboards directly, without requiring a QuickSight login.

https://repost.aws/knowledge-center/quicksight-cross-account-template

EXPERT
answered 4 days ago
EXPERT
reviewed 4 days ago
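
The steps in the answer above, sketched with boto3 as an added example (not code from the answer or from AWS). The account IDs, role name, user name and dashboard ID are constructed placeholders, and the `client` parameter is a hypothetical injection point so the flow can be exercised without AWS access.

```python
import json

# Constructed placeholders, not values from the post.
ACCOUNT_A = "111111111111"               # owns QuickSight and the role
ACCOUNT_B = "222222222222"               # home account of the IAM users
ROLE_NAME = "QuickSightDashboardReader"  # hypothetical role name
DASHBOARD_ID = "example-dashboard-id"
REGION = "us-east-1"
ROLE_ARN = f"arn:aws:iam::{ACCOUNT_A}:role/{ROLE_NAME}"

def trust_policy(user_names):
    """Trust policy for the Account A role: only the named Account B users."""
    if not user_names:
        raise ValueError("name at least one Account B user")
    principals = [f"arn:aws:iam::{ACCOUNT_B}:user/{u}" for u in user_names]
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": principals},
        "Action": "sts:AssumeRole"}]}

def permissions_policy():
    """Permissions for the role: embed URLs for this one dashboard only."""
    arn = f"arn:aws:quicksight:{REGION}:{ACCOUNT_A}:dashboard/{DASHBOARD_ID}"
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": "quicksight:GetDashboardEmbedUrl",
        "Resource": arn}]}

def embed_url(session_name, client=None):
    """Run as an Account B user: assume the role, then request the URL."""
    if client is None:
        import boto3  # imported lazily; the policy builders need no SDK
        client = boto3.client
    creds = client("sts").assume_role(
        RoleArn=ROLE_ARN, RoleSessionName=session_name,
        DurationSeconds=900)["Credentials"]  # shortest STS lifetime
    qs = client("quicksight", region_name=REGION,
                aws_access_key_id=creds["AccessKeyId"],
                aws_secret_access_key=creds["SecretAccessKey"],
                aws_session_token=creds["SessionToken"])
    resp = qs.get_dashboard_embed_url(
        AwsAccountId=ACCOUNT_A, DashboardId=DASHBOARD_ID,
        IdentityType="IAM", SessionLifetimeInMinutes=60)
    return resp["EmbedUrl"]  # bearer-style link: hand it only to that user

if __name__ == "__main__":
    print(json.dumps(trust_policy(["alice"]), indent=2))
    print(json.dumps(permissions_policy(), indent=2))
```

Users in Account B also need an identity policy in their own account that allows `sts:AssumeRole` on the role's ARN; for IAM users in another account, the trust policy alone is not sufficient.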
