Is it possible to access a secret (AWS Secrets Manager) from a dataset in QuickSight?

I need to pass a key to the dataset to decrypt columns, example data set:

SELECT pgp_sym_decrypt(id::bytea, '[decryption key]') AS id
FROM users

Hi @luisbadi - Welcome to the AWS QuickSight community and thanks for posting this question. This is a very interesting one. QuickSight is able to integrate with AWS Secrets Manager; to do so, you first need to add Secrets Manager in QuickSight.

Go to QuickSight User icon → Manage QuickSight → Security and Permission → manage → add secret manager. This way you can establish the secret manager data in QuickSight.

Personally I have never tried this, but give it a try and see whether it works or not. See the below document for reference as well.

Adding @Jesse @Max and @David_Wong for their feedback as well.

Regards - Sanjeeb

Thanks @Sanjeeb2022, I’ve read the documentation and understand that all the SPICEs in the datasets were encrypted with the default key, but it’s not clear to me if the secret or key can be called explicitly from the query to decrypt at the column level.

Hi @luisbadi - Can you please raise a ticket with AWS customer support on this? To raise a ticket, please follow the link - Creating support cases and case management - AWS Support. If you do not have access, please request your admin to raise the request on your behalf.

I am not sure whether you can use a secret key from Secrets Manager in a data set in QuickSight; better to raise a request and validate. Please update here if you hear something from the AWS Customer Support team.

Regards - Sanjeeb

Hi @luisbadi - I can't think of a way for QuickSight to retrieve a key from Secrets Manager within a SQL query. When accessing data in encrypted S3 buckets, as long as the IAM role the QuickSight service runs under has access to that key, then QuickSight can access data in the encrypted S3 bucket, but it sounds like what you are asking is different (trying to pass this in a query). QuickSight’s integration with Secrets Manager is more for allowing you to manage data source credentials via Secrets Manager rather than hardcoding them into the data source, which again doesn't sound like what you are after.
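
The last reply describes the Secrets Manager integration as a way to hold data source credentials. As an added example (not code from this thread or from AWS), the check below reports which data sources reference a secret and which still carry credentials entered directly in QuickSight. The sample response is constructed, the function names are hypothetical, and the set of credential-based types is an assumption.

```python
# Audit QuickSight data sources for Secrets Manager-backed credentials.
# SAMPLE_RESPONSE is constructed; its shape follows the "DataSources" list
# returned by the QuickSight ListDataSources API (boto3: list_data_sources),
# where a data source that uses Secrets Manager carries a "SecretArn" field.

# Assumption: data source types that log in with a database username/password.
CREDENTIALED_TYPES = {
    "POSTGRESQL", "AURORA_POSTGRESQL", "MYSQL", "REDSHIFT", "SQLSERVER",
}

# Constructed sample data (placeholder account id and secret name).
SAMPLE_RESPONSE = {
    "DataSources": [
        {"DataSourceId": "users-db", "Name": "users", "Type": "POSTGRESQL",
         "SecretArn": "arn:aws:secretsmanager:us-east-1:111122223333:"
                      "secret:example-users-db"},
        {"DataSourceId": "legacy-db", "Name": "legacy", "Type": "POSTGRESQL"},
        {"DataSourceId": "logs", "Name": "logs", "Type": "S3"},
    ]
}


def classify(data_source):
    """Return how one data source obtains its database credentials."""
    if data_source.get("Type") not in CREDENTIALED_TYPES:
        return "not-applicable"          # e.g. S3, which relies on IAM
    if data_source.get("SecretArn"):
        return "secrets-manager"         # credentials live in a secret
    return "stored-in-quicksight"        # username/password entered directly


def audit(response):
    """Group data source ids by credential handling."""
    report = {}
    for ds in response.get("DataSources", []):
        report.setdefault(classify(ds), []).append(ds["DataSourceId"])
    return report


if __name__ == "__main__":
    for status, ids in sorted(audit(SAMPLE_RESPONSE).items()):
        print(f"{status}: {', '.join(ids)}")
```

With a live account, the same `audit` function can be fed each page returned by `list_data_sources` in place of the constructed sample.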