How to convert old Authentication method to IAM Identity Center type?

tbdori · August 2, 2024, 6:50pm

We’ve been using QS with the original Auth type ( IAM federated identities & QuickSight-managed users). But, we are thinking to convert this to IAM identity center type utilizing OKTA-IAM identity center - Quicksight

I know there is no option available in admin console. But, I heard there is a way to do it in one of the learning video.

How do I change identitytype ?
With this change, how a user can be author and reader ?

Currently we do this.

  const params = {
    AwsAccountId: awsAccountId,
    Namespace: 'default',
    IdentityType: 'IAM',
    IamArn: lambdaExecRoleArn, 
    UserRole: 'READER',
    SessionName: userName, 
    Email: email_,
  };
 quicksight.registerUser(params);

We register all users from app as READER. Then, how can I have Author as this is coming from OKTA-IAM identity center. There will be only one person of me, right?

ArunSanthosh · August 6, 2024, 7:56pm

Hi @tbdori,

If you want to upgrade your current user from READER to AUTHOR, QuickSight admin user can do it from Manage QuickSight>Manage users screen or by running the update-user API.
Authentication mode that QuickSight uses can currently be set only at the sign up time.
Since your account was setup to use IAM federated identities and QuickSight managed users, you can still route your users via IDC if you choose to do so but such users will still be treated as federated identities (with two part user name - role name/role session name) within QuickSight.
ie - this will not get you the additional benefits that come with PRO users.

As of today(06-Aug-2024), it is not possible to change the auth mode to direct IDC without recreating your account. Product team is working on building mechanisms to make it easier for existing customers to migrate their accounts from current auth modes over to IDC. (No timeline projections available)

[The prior response that was provided to you by another community user wasn’t accurate. Hence, I have removed that response from this thread.]

Regards,
Arun Santhosh
Pr QuickSight SA

tbdori · November 1, 2024, 1:43pm

Is there any update on this?

At the moment, let’s assume I recreate QuickSight on my dev account which will use IDC this time.
If I export all assets, can I import those into new IDC enabled QuickSight so I don’t lose anything?

ArunSanthosh · November 6, 2024, 7:42pm

Hi @tbdori,

Porting all assets over to a new IDC backed account is an option. However, it can be quite a heavy lift depending on the number of assets and users that you have. Work is progressing on the managed migration route. I have provided some additional details to your account team and they will be reaching out to you.

Regards,
Arun Santhosh
Pr QuickSight SA