I’ve successfully configured QuickSight to use IAM Identity Center (IDC) as the identity provider, and it’s working well for direct user logins via the IDC portal.
However, I’m encountering an issue when accessing QuickSight via the AWS console using an assumed IAM administrator role. When I select QuickSight from the service list, a message appears:
You are signed in with IAM permissions and can only see Quick Suite IAM administration sections. Sign in as a Quick Suite administrator user to access all Quick Suite administration sections.
Clicking the “Quick Suite Sign In” button redirects me to the IDC login portal, requiring a separate authorization step using IDC credentials.
I attempted to modify the IAM role’s trust relationship by adding quicksight.amazonaws.com, but this did not resolve the issue.
My question is: Is it possible to access the full QuickSight console directly from the AWS console while logged in with an assumed IAM administrator role, bypassing the secondary IDC login prompt?
When QuickSight is integrated with IAM Identity Center, there are two distinct access paths with different permission models:
1. Direct IDC Access (What’s working)
Users sign in through the IDC portal
Full QuickSight functionality available
Uses IDC groups mapped to QuickSight roles
2. AWS Console Access via IAM Role (Your current issue) - typically when you first set up the Quick Suite account through the AWS Console with an IAM role
Accessing through AWS console with assumed IAM administrator role
Limited to IAM administration sections only
Requires specific IAM permissions for full QuickSight administration
Probable Reason:
The message you’re seeing indicates that your IAM administrator role has limited IAM permissions but lacks the QuickSight-specific administrative permissions needed for full QuickSight administration when accessed via the AWS console.
See here below - Admin Actions Permission Matrix
Here’s what you can access based on your current setup:
For full QuickSight administration, continue using the IDC portal access where you have complete functionality.
Option 2: Enhance IAM Role Permissions
If you need AWS console access for QuickSight administration, your IAM administrator role may need additional QuickSight-specific permissions. The role should include policies similar to those described in the IAM policy examples for QuickSight.
Option 3: Hybrid Approach
Use IDC portal for QuickSight-specific administration
Use AWS console access for infrastructure-level tasks (IAM, VPC, etc.)
Key Considerations
Identity Method Limitation: Identity methods cannot be changed after your QuickSight account is created
Permission Propagation: Changes to users or groups can take up to 5 minutes to take effect
Mobile App: The QuickSight mobile app is not supported with IDC-integrated accounts
Suggestion:
Immediate: Continue using IDC portal access for full QuickSight administration
Long-term: If AWS console access is required, work with your AWS administrator to enhance the IAM role with appropriate QuickSight permissions
The behavior you’re experiencing is by design when QuickSight is integrated with IAM Identity Center, ensuring proper separation between IAM infrastructure permissions and QuickSight application permissions.
Thanks @Deep for your detailed and professional explanation! Since the administrator IAM role is already associated with the AWS managed IAM policy AdministratorAccess, I thought it should cover the QuickSight-specific permissions. I’ll try to add explicit additional permissions.
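Whether a role's attached policies already grant QuickSight actions, the point raised in the last reply, can be checked offline before adding more permissions. This is an added example, not part of the thread and not AWS code: a simplified evaluator that looks only at Effect and Action/NotAction in identity policies (Resource, Condition, SCPs and permission boundaries are ignored), with constructed sample policies and an assumed selection of QuickSight actions.

```python
import re

# Constructed sample: an allow-all identity policy (the shape AdministratorAccess has)
ALLOW_ALL = {"Version": "2012-10-17",
             "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}

# Constructed sample: an extra policy on the same role that denies account changes
DENY_ACCOUNT = {"Version": "2012-10-17",
                "Statement": [{"Effect": "Deny",
                               "Action": ["quicksight:Update*", "quicksight:Unsubscribe"],
                               "Resource": "*"}]}

# QuickSight IAM actions to check (which ones to check is an assumption of this example)
QS_ACTIONS = ["quicksight:CreateAdmin", "quicksight:Subscribe",
              "quicksight:UpdateAccountSettings", "quicksight:ListUsers"]

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(pattern, action):
    # IAM action patterns: '*' is any run of characters, '?' is one; case-insensitive
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, action, re.IGNORECASE) is not None

def _statement_covers(stmt, action):
    if "NotAction" in stmt:
        return not any(_matches(p, action) for p in _as_list(stmt["NotAction"]))
    return any(_matches(p, action) for p in _as_list(stmt.get("Action", [])))

def evaluate(policies, action):
    """Return 'explicit-deny', 'allow' or 'implicit-deny' for one action."""
    decision = "implicit-deny"
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not _statement_covers(stmt, action):
                continue
            if stmt["Effect"] == "Deny":
                return "explicit-deny"  # an explicit deny overrides any allow
            decision = "allow"
    return decision

def report(policies, actions=QS_ACTIONS):
    return {a: evaluate(policies, a) for a in actions}

if __name__ == "__main__":
    for name, pols in [("allow-all", [ALLOW_ALL]), ("allow-all + deny", [ALLOW_ALL, DENY_ACCOUNT])]:
        print(name, report(pols))
```

An "allow" result here covers IAM authorization only; it says nothing about the role a user holds inside QuickSight itself, which the answer above describes as a separate permission model.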