How do I use templates to set up cross-account access in Amazon QuickSight?

7 minute read

I want to share my datasets and dashboard with another AWS account in Amazon QuickSight.

Short description

You can use templates to create cross-account access to share your Amazon QuickSight analysis and dashboard across other AWS accounts and AWS Regions. You can also use the templates to create dashboards or other templates.

Complete the following steps to provide cross-account access in QuickSight:

In Account A, create a new template from an existing analysis.
In Account B, use the same schema in Account A to create a dataset.
Create a dashboard in Account B from the template in Account A.

(Optional) Create a template in Account B from the existing template in Account A. Use this option if you want to move resources from one account to another, and remove the resources from the source account.

Note: This article uses the AWS Command Line Interface (AWS CLI) with the steps for cross-account access. If you receive errors when you run AWS CLI commands, then see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.

Resolution

Create a template in Account A from an existing analysis in the same account

Use the list-dashboards AWS CLI command to list the dashboards that are available in your account:

aws quicksight list-dashboards --aws-account-id account_a_id

Note: Replace account_a_id with the ID of Account A.

Note the ID of the dashboard that you want to share.

Use the describe-dashboard AWS CLI command to get details from the dashboard:

aws quicksight describe-dashboard --aws-account-id account_a_id --dashboard-id dashboard_id

Note: Replace dashboard_id with your dashboard's ID.

Create the template's JSON file, and include the ARNs of the analysis and dataset:

{ "SourceEntity": {
   "SourceAnalysis": {
     "Arn": "arn:aws:quicksight:aws_region:account_a_id:analysis/analysis_id",
     "DataSetReferences": [
       {
         "DataSetPlaceholder": "dataset_name",
         "DataSetArn": "arn:aws:quicksight:aws_region:account_a_id:dataset/dataset_id"
       }
     ]
   }
 },
 "VersionDescription": "1"
}

Note: Replace aws_region with your AWS Region, analysis_id with the ID of your analysis, dataset_name with the dataset name, and dataset_id with your dataset ID.

Create a template in the same Region as your analysis:

aws quicksight create-template --aws-account-id account_a_id --template-id template_name --cli-input-json file://template.json --profile default

Note: Replace template_name with the name of the template for Account A.

Run the AWS CLI command describe-template to confirm that the template was created:

aws quicksight describe-template --aws-account-id account_a_id --template-id template_id

Note: Replace template_id with your template's ID. Confirm that the response for the describe-template command contains a CREATION_SUCCESSFUL status.

Note the template's ARN from the output to use in a later step.

Use the update-template-permissions AWS CLI command to grant cross-account READ permission from the template in Account A to Account B:

aws quicksight update-template-permissions --aws-account-id account_a_id --template-id template_id --grant-permissions file://TemplatePermission.json

Example permission JSON file:

[  {
    "Principal": "arn:aws:iam::account_b_id:root",
    "Actions": [
      "quicksight:UpdateTemplatePermissions",
      "quicksight:DescribeTemplate"
    ]
  }
]

Note: Replace account_b_id with Account B's ID. To share the template with multiple accounts, include the root of all the accounts as the Principal. You can share the template only with the root account. The Principal element doesn't support AWS Identity and Access Management (IAM) roles.

Use the same schema as Account A to create a dataset in Account B

You can't create a dashboard directly from a dataset that's in another account such as Account A. Instead, you must create the same dataset in the account that you want to create the dashboard such as Account B. Then, create the dashboard from the newly created dataset.

Use either the Amazon QuickSight console or the AWS CLI to create the dataset in Account B.

Use the Amazon QuickSight console

To use the Amazon QuickSight console to create the dataset, see Creating datasets.

Use the AWS CLI

Use the create-data-set AWS CLI command to create the dataset:

aws quicksight create-data-set --aws-account-id account_b_id --dataset-id dataset_name --cli-input-json file://datasetB.json

Example dataset JSON file:

{  "Name": "dataset_name",
  "PhysicalTableMap": {
    "Physicaltablename": {
      "RelationalTable": {
         "DataSourceArn": "arn:aws:quicksight:aws_region:account_b_id:datasource/datasource_id",
         "Schema": "schema_name",
         "Name": "table_name",
         "InputColumns": [
           {
             "Name": "column_name",
             "Type": "STRING"|"INTEGER"|"DECIMAL"|"DATETIME"|"BIT"|"BOOLEAN"|"JSON"
           }
        ]
      }
    }
  },
 "LogicalTableMap": {
   "Logicaltablename": {
     "Alias": "any_alias",
     "DataTransforms": [
       {
         "ProjectOperation": {
           "ProjectedColumns": [
             "column_name", "column_name"
         ]
       }
     }
   ],
   "Source": {
     "PhysicalTableId": "Physicaltablename"
   }
  }
 },
 "ImportMode": "SPICE",
 "Permissions": [
   {
     "Principal": "arn:aws:quicksight:aws_region:account_b_id:user/namespace/user_name",
     "Actions": [
       "quicksight:UpdateDataSetPermissions",
       "quicksight:DescribeDataSet",
       "quicksight:DescribeDataSetPermissions",
       "quicksight:PassDataSet",
       "quicksight:DescribeIngestion",
       "quicksight:ListIngestions",
       "quicksight:UpdateDataSet",
       "quicksight:DeleteDataSet",
       "quicksight:CreateIngestion",
       "quicksight:CancelIngestion"
    ]
  }
 ]
}

Note: Replace namespace with your namespace and user_name with the name of the QuickSight user. The preceding example refers to a SPICE dataset.

Confirm that the dataset is successfully created:

aws quicksight describe-data-set --aws-account-id account_b_id --data-set-id dataset_id

Confirm that response for the describe-data-set command contains a status code of 201. The 201 status code means that the dataset is successfully created.

Note the dataset's ARN from the output to use in a later step.

Create a dashboard in Account B from the template in Account A

Run the following command, and include the template's ARN:

aws quicksight create-dashboard --aws-account-id account_b_id --dashboard-id dashboard_id --name dashboard_name --source-entity file://DashboardFromTemplate.json

Note: You can add the --region target_region parameter to create the dashboard in a different Region. Replace target_region with the Region that you want to create the template in.

Example dashboard JSON file for Account B:

{ "SourceTemplate": {
   "DataSetReferences": [
     {
       "DataSetPlaceholder": "dataset_name",
       "DataSetArn": "arn:aws:quicksight:aws_region:account_b_id:dataset/dataset_id"
     }
   ],
   "Arn": "arn:aws:quicksight:aws_region:account_a_id:template/template_id"
 }
}

In the preceding dashboard JSON file:

For DataSetPlaceholder, you must use the same dataset name from Account A's template.
For DataSetARN, use can use the ARN of the dataset that you created in Account B.
For Arn, you can use the ARN of the template that you created in Account A.

Confirm that the dashboard is successfully created:

aws quicksight describe-dashboard --aws-account-id account_b_id --dashboard-id dashboard_id

Note: Confirm that the response for the describe-dashboard command contains a status code of 200. The 200 status code means that the dashboard exists.

Use the update-dashboard-permissions AWS CLI command to grant the appropriate permissions to QuickSight users:

aws quicksight update-dashboard-permissions --aws-account-id account_b_id --dashboard-id dashboard_id --grant-permissions file://DashboardPermission.json

Example dashboard JSON file:

[  {
    "Principal": "arn:aws:quicksight:aws_region:account_b_id:user/namespace/quicksight_user_name",
    "Actions": [
      "quicksight:DescribeDashboard",
      "quicksight:ListDashboardVersions",
      "quicksight:UpdateDashboardPermissions",
      "quicksight:QueryDashboard",
      "quicksight:UpdateDashboard",
      "quicksight:DeleteDashboard",
      "quicksight:DescribeDashboardPermissions",
      "quicksight:UpdateDashboardPublishedVersion"
    ]
  }
]

In the preceding example dashboard JSON file, the QuickSight user is granted co-owner access. To provide READ only access to users, specify the following permissions:

"quicksight:DescribeDashboard", "quicksight:ListDashboardVersions",
 "quicksight:QueryDashboard"

(Optional) Create a template in Account B from the existing template in Account A

Confirm that your IAM user or role has the appropriate permissions. You must have the following permissions to access a cross-account template in QuickSight:

{ "Version": "2012-10-17",
 "Statement": [
   {
     "Effect": "Allow",
     "Resource": "arn:aws:quicksight:aws_region:account_a_id:template/template_id",
     "Action": "quicksight:DescribeTemplate"
   },
   {
     "Effect": "Allow",
     "Resource": "*",
     "Action": "quicksight:CreateTemplate"
   }
 ]
}

Create a new template in Account B from the template in Account A:

aws quicksight create-template --aws-account-id account_b_id --template-id template_name --source-entity file://templateB.json

Note: Replace template_name with the name of the template for Account B. To create a template in a different Region, add --region target_region.

Example JSON file for Account B:

{   "SourceTemplate": {
    "Arn": "arn:aws:quicksight:region:account_a_id:template/template_id"
    }
}

Confirm that the template is created:

aws quicksight describe-template --aws-account-id account_b_id --template-id template_id

Note: Confirm that the response for the describe-template command contains a status CREATION_SUCCESSFUL status.

Related information

Migrate Amazon QuickSight across AWS accounts

Topics

Analytics

Relevant content

How to create Quicksight Analysis & Template in CDK
Accepted Answer
AWS-User-0821016
asked 2 years ago
Set up WebSocket API with AWS_IAM auth using CloudFormation template
rePost-User
asked 2 years ago
Can I use a Cloud Formation template in stack set which will spin up different resources in different regions?
ConfidentialDev
asked 10 months ago
Quicksight Template Building
rePost-User-0417494
asked 2 years ago
Setting up Quicksight Multi Account SSO
Accepted Answer
Bisina
asked 9 months ago
How can I set up alerts to see when an IAM access key is used?
AWS OFFICIALUpdated a year ago
How do I resolve "Access denied" errors when I use Athena as a data source in Quicksight?
AWS OFFICIALUpdated 14 days ago
How do I set up cross-account access from Amazon QuickSight to an Amazon S3 bucket in another account?
AWS OFFICIALUpdated 2 months ago
How do I set up and connect to SMTP using Amazon SES?
AWS OFFICIALUpdated 2 years ago
How to add a collaborator to edit Custom SQL datasets on Amazon QuickSight
EXPERT
kasiaws
published 8 months ago