Error on granting permission to access a QuickSight dashboard to a group containing users

Hi Team,

After successful migration of the QuickSight assets from dev to production using CloudFormation, I am now working on granting permissions for VARIOUS USERS TO ACCESS THE DASHBOARD as a last step.

OBJECTIVE: When I am scheduling the reports every morning, users of a created group will be able to get the email and access the dashboard.

Environment: Production

Currently, I have admin access to the above environment and the admin role for AWS QuickSight. I am working on granting permissions to access dashboards that I have created to the other users, so that they can access them from their accounts, by first inviting them. They must accept using SSO login.
The issue that we are currently facing is that only a person who has FULLADMIN access to the PRODUCTION AWS ACCOUNT can access the shared dashboard; the people having READALL access cannot see the dashboard even if they have been added as a user and added to the group.

For example,

The team member who has READALL access to the pdpprod account is unable to log in to QuickSight to view the dashboard, even if added to the users, and gets the following error after accepting the request and entering her/his email ID:

“You must have permissions “quicksight:CreateUser”, “quicksight:CreateAdmin” or “quicksight:CreateReader” within your IAM policy. Either sign in using a role with the correct permissions, or contact your AWS administrator for assistance.”

Please let us know if there is a way, or minimal AWS permissions to be given (what can those be?), so that I can grant different users permission and they can access the dashboard.

Waiting for response.

Thank you,
Dibyasha

Hi @dsahu - As a first step of troubleshooting, is it possible to describe the permissions of a dashboard to see which users have the permission?

https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/quicksight/client/describe_dashboard_permissions.html

Possibly we have to update the dashboard permissions to the users so that they can see the dashboards.

Regards - Sanjeeb

Hi @Sanjeeb2022 ,

Thank you for the response.

I went through your process. If you look at the screenshot below,

There is the list of users who have access to the QuickSight dashboard (all of them are full admins of the AWS account).

The group highlighted in red also consists of different users who are not admins and have READALL access to AWS QuickSight.

Even though they are in the group, those members are not able to access it because they cannot access QuickSight either. Primarily, they cannot log in to QuickSight. Secondarily, they cannot access the dashboard because they cannot log in.

I sent the error previously, so I wanted to check whether there is any minimal permission to access QuickSight, or do you have to have the admin role?

Thank you for helping on this.

On second thought, is it possible for me to create an IAM policy, attach it to an IAM role, and include in that role the group which has all the users who need to access the dashboard (admins and non-admins of the AWS account)? Could you comment on this?

Dibyasha.

Hello @dsahu, were you able to resolve this issue? If so could you either share your solution or mark one of the comments above as the solution?

Otherwise, you mentioned creating a group that has access through IAM and then attaching the users to that group. That should work based on the situation you mentioned above!

Hi @dsahu

I think you are trying to invite the users directly from the QuickSight admin console UI; in this case users will be registered and maintained within QuickSight.

If SSO is enabled in the QuickSight account, then please enable JIT (just-in-time) user provisioning as explained here, or register the user in QuickSight using the API along with the relevant role details (for non-admin users).

First ensure users are able to log in with SSO credentials, and then add the users to QuickSight groups to access the dashboards.

Did my suggestion help you in resolving your query? If yes, I would request you to mark the post as “Solution”.
This will help the community to find guidance and answers to similar questions. Thank you!

Thanks
Vinod
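
The following is an added example, not part of any post in this thread and not AWS's own code: a small offline check of whether an IAM identity policy grants any of the three actions named in the quoted sign-in error, plus a least-privilege statement that lets a federated user self-register as a reader only. The function names, the constructed read-only policy (the real READALL policy is not shown in the thread) and the placeholder account ID `111122223333` are assumptions.

```python
import fnmatch
import json

# The three actions named in the sign-in error quoted in the thread.
PROVISIONING_ACTIONS = (
    "quicksight:CreateUser",
    "quicksight:CreateAdmin",
    "quicksight:CreateReader",
)

# Constructed stand-in for a read-only policy; the real READALL policy is not shown.
CONSTRUCTED_READ_ONLY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Resource": "*",
                   "Action": ["quicksight:Describe*", "quicksight:List*"]}],
})

def reader_self_provisioning_policy(account_id):
    """Statement letting the caller register only itself, and only as a reader."""
    return json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "quicksight:CreateReader",
            "Resource": f"arn:aws:quicksight::{account_id}:user/${{aws:userid}}",
        }],
    }, indent=2)

def provisioning_actions_allowed(policy_json):
    """Provisioning actions one identity policy allows; an explicit Deny wins.
    Simplification: Resource, Condition and NotAction are not evaluated."""
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # IAM accepts a single statement object
        statements = [statements]
    allowed, denied = set(), set()
    for stmt in statements:
        patterns = stmt.get("Action", [])
        patterns = [patterns] if isinstance(patterns, str) else patterns
        bucket = allowed if stmt.get("Effect") == "Allow" else denied
        for action in PROVISIONING_ACTIONS:
            # IAM action names are case-insensitive and accept * and ? wildcards.
            if any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns):
                bucket.add(action)
    return sorted(allowed - denied)

if __name__ == "__main__":
    print(provisioning_actions_allowed(CONSTRUCTED_READ_ONLY))   # nothing granted
    print(reader_self_provisioning_policy("111122223333"))       # placeholder account ID
```

An empty result for a user's policy matches the error quoted in the first post; granting `quicksight:CreateReader` alone avoids handing out `quicksight:CreateAdmin` just to let readers sign in.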