I am trying to create data sources and datasets in a custom namespace created with the API, but I can't give permissions to my owner account in the default namespace, so I had to create an Admin user in the custom namespace and give him permissions. But I have to pay $18 for each Admin user, and I want to have only READER users and give them only dashboard permissions.
Can I somehow create datasets in custom namespaces without Admins in there?
QuickSight assets (Dashboards, Datasets, Analyses, Datasources, Folders) belong to the QuickSight account, not to a namespace. Currently, you cannot share these assets with users in different namespaces via the QuickSight console. However, you can use the APIs to share dashboards with readers in different namespaces.
Thanks for your response, but let me clarify a little bit:
- I am not using the QuickSight console; I am trying to build all assets with API requests (boto3)
- Inside my owner account, I want to have a few READERS in different custom namespaces
- And I want to separate namespaces and assets like datasources and datasets, then create dashboards with a template, and give them the relevant permissions
- The issue is indeed with the creation of datasources and datasets, because to create them I have to pass a Principal (please have a look at the screenshot; this is from the boto3 docs, create_datasource request section) link
So users with the READER role will not be able to see it, but I am going to give them permissions to dashboards in the namespace scope.
And the only thing I could do is create an Admin user and pass it in the Principal section, but I don't want to create an Admin user for each namespace to assign assets, and I am wondering how I can avoid creating an Admin user for each namespace, because if I specify my Owner user ARN in permissions/principal, it creates the assets in the default namespace.
A namespace is a logical isolation of users and groups. This means the ADMIN in your default namespace is not visible and has no rights in custom namespaces.
If the requirement is to share dashboards that you have created in the default namespace with another namespace: using the API you can update the dashboard permissions (update-dashboard-permissions — AWS CLI 1.23.6 Command Reference).
The readers do not require access to datasets and datasources in order to view dashboards. Hence, create readers in your custom namespace.
To share with all users in the custom namespace > The Principal is: arn:aws:quicksight:region:aws-account-id:user/namespace (you can get the exact ARN by using list-namespaces).
To share it with a specific user in the custom namespace > The Principal is: arn:aws:quicksight:identity_region:aws-account-id:user/namespace/username
For creating analyses and dashboards which are to be published in the custom namespace, datasets and datasources require an AUTHOR, which has to be created first in your custom namespace.
You can then use: update-data-set-permissions — AWS CLI 1.23.6 Command Reference
The Principal in this scenario is in the following format: arn:aws:quicksight:identity_region:aws-account-id:user/namespace/username (you can get the exact ARN by using list-users for a namespace).
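
The sharing steps from the answer above as boto3 calls (an added example, not code from the thread or from AWS): it takes the exact principal ARN from list_namespaces or list_users instead of building it by hand, and grants only view actions on the dashboard. The helper names, the READER-only check and the three-action list are assumptions of this example; `qs` is a client from `boto3.client("quicksight")`.

```python
# Added example: qs is a boto3 QuickSight client, e.g. boto3.client("quicksight").
# Assumption: view-only dashboard actions; nothing is granted on datasets
# or data sources, which readers do not need in order to view a dashboard.
READER_ACTIONS = [
    "quicksight:DescribeDashboard",
    "quicksight:ListDashboardVersions",
    "quicksight:QueryDashboard",
]


def _pages(call, key, **kwargs):
    """Yield items from a paginated QuickSight list_* call."""
    while True:
        resp = call(**kwargs)
        yield from resp.get(key, [])
        token = resp.get("NextToken")
        if not token:
            return
        kwargs["NextToken"] = token


def namespace_arn(qs, account_id, namespace):
    """Exact namespace ARN as returned by list_namespaces."""
    for ns in _pages(qs.list_namespaces, "Namespaces", AwsAccountId=account_id):
        if ns["Name"] == namespace:
            return ns["Arn"]
    raise LookupError(f"namespace {namespace!r} not found")


def reader_arn(qs, account_id, namespace, username):
    """Exact user ARN from list_users; refuses anything but a READER."""
    for u in _pages(qs.list_users, "UserList",
                    AwsAccountId=account_id, Namespace=namespace):
        if u["UserName"] == username:
            if u["Role"] != "READER":
                raise PermissionError(f"{username} has role {u['Role']}")
            return u["Arn"]
    raise LookupError(f"user {username!r} not in namespace {namespace!r}")


def share_dashboard(qs, account_id, dashboard_id, principal_arn):
    """Grant view-only access on one dashboard to a namespace or user ARN."""
    return qs.update_dashboard_permissions(
        AwsAccountId=account_id,
        DashboardId=dashboard_id,
        GrantPermissions=[{"Principal": principal_arn,
                           "Actions": READER_ACTIONS}],
    )
```
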