It seems there's a misunderstanding in the process of granting access to your co-employee for the QuickSight dashboards. The issue you're experiencing is likely due to the method used for inviting users and the account structure you have in place.
For your situation, where IAM users are in a master account and assuming roles to access the finops account, the best approach would be to use cross-account access for QuickSight rather than direct user invitations.
Here's a better way to handle this:
- In the finops account (where QuickSight dashboards are), create an IAM role specifically for QuickSight access.
- Configure this role's trust policy to allow it to be assumed by users from the master account.
- Attach an IAM policy to this role that grants the necessary QuickSight permissions, specifically for reader access.
- In QuickSight, share the dashboards with this newly created IAM role.
- Have your co-employees assume this role from the master account when they need to access the QuickSight dashboards.
This approach allows you to control the level of access (in this case, reader access) through the IAM role permissions, without creating new users or requiring password creation in the finops account.
If you still prefer to use QuickSight's direct invitation system, you should be able to specify the user's role when sending the invitation. Make sure to select 'READER' as the role instead of 'ADMIN' when inviting the user.
Remember, it's crucial to carefully manage permissions and access levels, especially when dealing with cross-account scenarios. Always follow the principle of least privilege, granting only the permissions necessary for users to perform their required tasks.
Sources
Cross account access to QuickSight (password-less way) | AWS re:Post
Granting QuickSight access to IAM users - AWS Prescriptive Guidance
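The steps above (role in the finops account, trust policy limited to the master account, reader-only permission policy) can be written down and checked before anything is applied. The following is an added example, not code from the answer above or from AWS: it builds the two policy documents and lints them for least privilege, and it runs offline. Account IDs and the role name are constructed placeholders; the trust policy additionally requires MFA, which the answer does not mention but which is a common hardening for cross-account AssumeRole. The QuickSight action names are the ones AWS documents for reader self-provisioning and dashboard viewing; verify the resource scoping against the current IAM action reference for your region. Applying the documents (`iam create-role`, `iam put-role-policy`) and the dashboard share in QuickSight (step 4) are left to the CLI or console.

```python
import json
import re
from typing import Dict, List, Set

# Constructed placeholder values; replace with your own account IDs and names.
MASTER_ACCOUNT_ID = "111111111111"   # account where the IAM users live
FINOPS_ACCOUNT_ID = "222222222222"   # account where the QuickSight dashboards live
ROLE_NAME = "QuickSightReaderRole"   # hypothetical role name

# Allowlist of QuickSight actions a dashboard reader needs. CreateReader lets a
# federated session self-provision as a READER (never AUTHOR or ADMIN) on first
# sign-in; the rest are read-only dashboard actions.
READER_ACTIONS: Set[str] = {
    "quicksight:CreateReader",
    "quicksight:ListDashboards",
    "quicksight:DescribeDashboard",
    "quicksight:ListDashboardVersions",
    "quicksight:QueryDashboard",
}


def build_trust_policy(master_account_id: str, require_mfa: bool = True) -> Dict:
    """Trust policy for the role in the finops account: only principals from the
    master account may assume it, and (by default) only with MFA present."""
    stmt = {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{master_account_id}:root"},
        "Action": "sts:AssumeRole",
    }
    if require_mfa:  # assumption: MFA required; drop for SSO-style federation
        stmt["Condition"] = {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
    return {"Version": "2012-10-17", "Statement": [stmt]}


def build_reader_policy(finops_account_id: str) -> Dict:
    """Permission policy attached to the role: reader-only QuickSight access,
    with per-dashboard reads scoped to dashboards in the finops account."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # self-provisioning and listing are not resource-scoped
                "Effect": "Allow",
                "Action": ["quicksight:CreateReader", "quicksight:ListDashboards"],
                "Resource": "*",
            },
            {   # per-dashboard read actions, limited to this account's dashboards
                "Effect": "Allow",
                "Action": [
                    "quicksight:DescribeDashboard",
                    "quicksight:ListDashboardVersions",
                    "quicksight:QueryDashboard",
                ],
                "Resource": f"arn:aws:quicksight:*:{finops_account_id}:dashboard/*",
            },
        ],
    }


def _as_list(value) -> List[str]:
    return value if isinstance(value, list) else [value]


def lint_reader_policy(policy: Dict) -> List[str]:
    """Findings for any Allow action outside the reader allowlist; this also
    catches wildcards such as quicksight:* or *."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt["Action"]):
            if action not in READER_ACTIONS:
                findings.append(f"action exceeds reader scope: {action}")
    return findings


def lint_trust_policy(policy: Dict, trusted_accounts: Set[str]) -> List[str]:
    """Findings if the role can be assumed from outside the trusted accounts
    or without the MFA condition."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        block = stmt.get("Principal", {})
        principals = block.get("AWS", []) if isinstance(block, dict) else block
        for principal in _as_list(principals):
            if principal == "*":
                findings.append("trust policy allows any AWS principal")
                continue
            match = re.match(r"^arn:aws:iam::(\d{12}):", principal)
            if not match or match.group(1) not in trusted_accounts:
                findings.append(f"untrusted principal: {principal}")
        cond = stmt.get("Condition", {}).get("Bool", {})
        if cond.get("aws:MultiFactorAuthPresent") != "true":
            findings.append("statement does not require MFA")
    return findings


if __name__ == "__main__":
    trust = build_trust_policy(MASTER_ACCOUNT_ID)
    perms = build_reader_policy(FINOPS_ACCOUNT_ID)
    assert not lint_trust_policy(trust, {MASTER_ACCOUNT_ID})
    assert not lint_reader_policy(perms)
    print(json.dumps(trust, indent=2))   # feed to: aws iam create-role --assume-role-policy-document
    print(json.dumps(perms, indent=2))   # feed to: aws iam put-role-policy --policy-document
```

Run it to print the two documents for `ROLE_NAME`; the two lint functions are the useful part, since they will also flag an existing role whose policy drifted to `quicksight:*` or whose trust policy admits a principal outside the master account. On the master-account side the users still need `sts:AssumeRole` on the finops role ARN, which is a separate policy in that account.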