I’m interested to know if by using IAM Identity Center for identity management, I’m able to configure group assignments automatically. I know that this is not possible with IAM Identity Federation (this question talks about it, but I also tested it myself) but I was wondering if it would be possible when using Identity Center.
I read this article and it says that you can map an Identity Center group to a Quick Sight ROLE (but not group), that is, you can only assign the user to one of the three default roles (READER, AUTHOR, ADMIN), which doesn’t help much since the user would still have no access to shared folders, since those are shared with groups instead. Is my understanding correct?
By reading other questions, the “best” solution I found was to use CloudTrail Events + Lambda trigger to then perform the group assignment. Is that what the Quick Sight team recommends?
Also, is there anything on the roadmap to add this functionality (for both Identity Center and Identity Federation integrations)? This would be extremely helpful, and other big players already do that.
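As an added example (not code from this thread or from the QuickSight team), here is what the "CloudTrail event + Lambda trigger" approach mentioned above looks like in practice: an EventBridge rule matching `RegisterUser` calls from `quicksight.amazonaws.com` invokes a Lambda that reads the new user's IAM Identity Center groups and mirrors them as QuickSight group memberships. The AWS clients are injected so the logic runs offline against the fake clients at the bottom. Assumptions: the account ID, identity store ID and namespace are placeholders; the event field names follow the generic CloudTrail record format and should be checked against a real record before deploying; the sample users and groups are constructed.

```python
"""Mirror Identity Center group membership into QuickSight on RegisterUser."""
from __future__ import annotations
import os

# Assumed deployment settings (placeholders; set via Lambda environment).
ACCOUNT_ID = os.environ.get("AWS_ACCOUNT_ID", "111122223333")
IDENTITY_STORE_ID = os.environ.get("IDENTITY_STORE_ID", "d-9067000000")
NAMESPACE = os.environ.get("QS_NAMESPACE", "default")


def user_from_event(event: dict) -> str | None:
    """Return the user name from an EventBridge-wrapped CloudTrail record for a
    successful quicksight:RegisterUser call, else None (field names assumed)."""
    d = event.get("detail") or {}
    if d.get("eventSource") != "quicksight.amazonaws.com" or d.get("eventName") != "RegisterUser":
        return None
    if d.get("errorCode"):  # failed registrations carry errorCode; nothing to sync
        return None
    return (d.get("requestParameters") or {}).get("userName")


def _paginate(call, key: str, **kw) -> list:
    """Follow NextToken until exhausted and concatenate the item lists."""
    out, token = [], None
    while True:
        resp = call(**kw, NextToken=token) if token else call(**kw)
        out.extend(resp.get(key, []))
        token = resp.get("NextToken")
        if not token:
            return out


def idc_group_names(idstore, user_name: str) -> set[str]:
    """Display names of the Identity Center groups the user belongs to."""
    uid = idstore.get_user_id(
        IdentityStoreId=IDENTITY_STORE_ID,
        AlternateIdentifier={"UniqueAttribute": {"AttributePath": "userName",
                                                 "AttributeValue": user_name}})["UserId"]
    memberships = _paginate(idstore.list_group_memberships_for_member, "GroupMemberships",
                            IdentityStoreId=IDENTITY_STORE_ID, MemberId={"UserId": uid})
    return {idstore.describe_group(IdentityStoreId=IDENTITY_STORE_ID,
                                   GroupId=m["GroupId"])["DisplayName"] for m in memberships}


def qs_group_names(qs, user_name: str) -> set[str]:
    """QuickSight groups the user is already a member of."""
    groups = _paginate(qs.list_user_groups, "GroupList", UserName=user_name,
                       AwsAccountId=ACCOUNT_ID, Namespace=NAMESPACE)
    return {g["GroupName"] for g in groups}


def sync_groups(idstore, qs, user_name: str) -> list[str]:
    """Add the user to each QuickSight group named like one of their Identity
    Center groups, creating the group if needed. Memberships are only added,
    never removed, so a transient lookup failure cannot strip folder access.
    Returns the group names the user was added to."""
    missing = sorted(idc_group_names(idstore, user_name) - qs_group_names(qs, user_name))
    for name in missing:
        try:
            qs.create_group(GroupName=name, AwsAccountId=ACCOUNT_ID, Namespace=NAMESPACE)
        except qs.exceptions.ResourceExistsException:
            pass  # group exists but the user is not in it yet
        qs.create_group_membership(MemberName=user_name, GroupName=name,
                                   AwsAccountId=ACCOUNT_ID, Namespace=NAMESPACE)
    return missing


def lambda_handler(event, context=None, idstore=None, qs=None):
    user = user_from_event(event)
    if user is None:
        return {"skipped": True}
    if idstore is None or qs is None:
        import boto3  # imported lazily so the offline demo has no AWS dependency
        idstore, qs = boto3.client("identitystore"), boto3.client("quicksight")
    return {"user": user, "added": sync_groups(idstore, qs, user)}


# ---- offline fakes with constructed data, mimicking only the calls used above ----
class _Exists(Exception):
    pass


class FakeIdentityStore:
    def __init__(self, users: dict, groups: dict):  # name->id, id->(display, {uids})
        self.users, self.groups = users, groups

    def get_user_id(self, IdentityStoreId, AlternateIdentifier):
        return {"UserId": self.users[AlternateIdentifier["UniqueAttribute"]["AttributeValue"]]}

    def list_group_memberships_for_member(self, IdentityStoreId, MemberId, NextToken=None):
        uid = MemberId["UserId"]
        return {"GroupMemberships": [{"GroupId": g} for g, (_, m) in self.groups.items() if uid in m]}

    def describe_group(self, IdentityStoreId, GroupId):
        return {"DisplayName": self.groups[GroupId][0]}


class FakeQuickSight:
    class exceptions:
        ResourceExistsException = _Exists

    def __init__(self, groups: dict):  # name -> set of member names
        self.groups = groups

    def list_user_groups(self, UserName, AwsAccountId, Namespace, NextToken=None):
        return {"GroupList": [{"GroupName": g} for g, m in self.groups.items() if UserName in m]}

    def create_group(self, GroupName, AwsAccountId, Namespace):
        if GroupName in self.groups:
            raise _Exists(GroupName)
        self.groups[GroupName] = set()

    def create_group_membership(self, MemberName, GroupName, AwsAccountId, Namespace):
        self.groups[GroupName].add(MemberName)


SAMPLE_EVENT = {  # constructed EventBridge/CloudTrail record
    "detail-type": "AWS API Call via CloudTrail",
    "detail": {"eventSource": "quicksight.amazonaws.com", "eventName": "RegisterUser",
               "requestParameters": {"userName": "alice@example.com", "userRole": "READER"}}}


def demo() -> dict:
    idstore = FakeIdentityStore({"alice@example.com": "u-1"},
                                {"g-1": ("finance-readers", {"u-1"}), "g-2": ("eu-analysts", {"u-1"})})
    qs = FakeQuickSight({"finance-readers": {"alice@example.com"}})
    return lambda_handler(SAMPLE_EVENT, idstore=idstore, qs=qs)


if __name__ == "__main__":
    print(demo())
```

The Lambda role needs `identitystore:GetUserId`, `identitystore:ListGroupMembershipsForMember`, `identitystore:DescribeGroup`, `quicksight:ListUserGroups`, `quicksight:CreateGroup` and `quicksight:CreateGroupMembership`, scoped to the one account and namespace; because it can create groups and memberships, keep it out of reach of non-admins. Two caveats for anyone relying on this: CloudTrail delivery lags the API call, so the user's first login may precede the membership, and whether a `RegisterUser` record is emitted for users auto-provisioned through Identity Center must be confirmed from your own trail.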
Groups and users are then managed in IAM Identity Center. You would have a group for Admin, Author and Reader. Add individual users to the respective groups based on the role required.
If you create the custom groups in IdC (not in Quick Sight!), then the same groups will be recreated and synced in Quick Sight. So a new user who, in Identity Center, is assigned a Quick Sight Role and added to a custom Group (again, in Identity Center) will automatically be authenticated in Quick Sight with the assigned Role and belonging to the custom group (now created in Quick Sight as well).
I am marking this as, “Solution,” but let us know if this is not resolved. Thanks for posting your questions on the Quick Sight Community Q&A Forum!
Okay, but a user can be part of multiple Groups in Identity Center; how does that work in the end? Will all groups a user is part of in IdC be created in Quick Sight? Also, does it work for existing groups as well?
So let’s say user is part of group A in IdC and then he gets access to Quick Sight, which also has a group called A. Will the user be automatically assigned to this group?
Do we have any official documentation about this behavior today?
I’m facing a very similar situation. The difference is that I’m using an external IdP (Azure Entra ID) to authenticate users. I followed this federation setup guide: Enabling Amazon Quick Sight federation with Azure AD, but it doesn’t mention anything about group federation.
In my scenario, the groups are created in Entra ID and synchronized with AWS IAM Identity Center via SCIM. These groups already include the users from Active Directory. However, they are not being reflected in Amazon Quick Sight, even after login.
Is there a way to make those Identity Center groups visible in Quick Sight?
Is this supported?
If yes, is there any official documentation or example you can share?