Migrate native QuickSight users to new IAM accounts with permissions and dashboards

I have a lot of users that were set up natively in Quicksight but now need IAM accounts for MFA. How can I get each user’s permissions and dashboard access, and port that to new IAM accounts for each user? I know I can use the CLI ‘describe-user’ and ‘describe-dashboard-permissions’ actions, etc., but can I get any help with the whole step-by-step process or any automation scripting resources for this? Thank you very much!

Hi @TimB

This requires a one-off batch program built from the APIs/CLI commands listed below.

  1. List all users in your QuickSight account and, from the response, take the users whose IdentityType is "QUICKSIGHT":
    list-users — AWS CLI 1.27.126 Command Reference

  2. Create an IAM role for registering the users in QuickSight, with appropriate permissions (READER/USER/ADMIN):
    example : IAM policy examples for Amazon QuickSight - Amazon QuickSight

  3. Register the users from step #1 using register-user — AWS CLI 1.27.126 Command Reference
    You need to create a loop to register every single user from step #1.
    CLI example to register an IAM user (--aws-account-id, --email and --user-role are required by register-user):
    aws quicksight register-user \
        --aws-account-id <account id> \
        --namespace default \
        --identity-type IAM \
        --iam-arn arn:aws:iam::<account id>:role/<IAM Role from Step#2> \
        --session-name <user_name> \
        --email <user email> \
        --user-role <READER|AUTHOR|ADMIN>

    Within the same loop, get the list of asset permissions (Dashboard, Dataset, Data Source and Analysis) the user has and apply the same to the new user registered with the IAM identity type.
    For this, you can use the describe-*-permissions and update-*-permissions CLIs.

  4. Once registration and asset transfer are complete, you can delete the users with the QUICKSIGHT identity type using delete-user — AWS CLI 1.27.126 Command Reference

For step #3, if you would like to transfer assets using the UI, you can try the newly launched Asset Management feature, which lets you transfer assets from one user to another from the QuickSight UI.

Blog : Govern and manage permissions of Amazon QuickSight assets with the new centralized asset management console | AWS Big Data Blog
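The four steps above as one batch script, added here as an example and not code from the original reply. The migration functions take any boto3-style QuickSight client and use only calls that exist in the real API (list_users, register_user, list_dashboards/list_data_sets/list_data_sources/list_analyses, describe_*_permissions, update_*_permissions, delete_user). FakeQuickSight, the account id, role ARN, user names and asset ids are all constructed so the script runs offline; on a real account you would pass boto3.client("quicksight") instead. Old native users are deleted only when delete_old=True, so a first run can be checked before any QUICKSIGHT identity is removed.

```python
"""Migrate native QuickSight users (IdentityType=QUICKSIGHT) to IAM-role sessions.

Added example, not code from the original post. The functions accept a boto3-style
QuickSight client; FakeQuickSight is a constructed offline stand-in with sample data.
"""

# (list call, response key holding the list, id field, name in describe_/update_<name>_permissions)
ASSET_TYPES = [
    ("list_dashboards", "DashboardSummaryList", "DashboardId", "dashboard"),
    ("list_data_sets", "DataSetSummaries", "DataSetId", "data_set"),
    ("list_data_sources", "DataSources", "DataSourceId", "data_source"),
    ("list_analyses", "AnalysisSummaryList", "AnalysisId", "analysis"),
]

def paginate(call, key, **kwargs):
    """Yield items from a list_* call, following NextToken until the service stops returning one."""
    token = None
    while True:
        resp = call(**kwargs, **({"NextToken": token} if token else {}))
        yield from resp.get(key, [])
        token = resp.get("NextToken")
        if not token:
            return

def native_users(qs, account_id, namespace="default"):
    """Step 1: the users whose identity lives in QuickSight rather than IAM."""
    users = paginate(qs.list_users, "UserList", AwsAccountId=account_id, Namespace=namespace)
    return [u for u in users if u.get("IdentityType") == "QUICKSIGHT"]

def register_iam_session_user(qs, account_id, role_arn, user, namespace="default"):
    """Step 3a: register <role>/<session> as an IAM identity, keeping the old email and QuickSight role."""
    resp = qs.register_user(AwsAccountId=account_id, Namespace=namespace, IdentityType="IAM",
                            IamArn=role_arn, SessionName=user["UserName"],
                            Email=user["Email"], UserRole=user["Role"])
    return resp["User"]["Arn"]

def copy_asset_permissions(qs, account_id, old_arn, new_arn):
    """Step 3b: wherever old_arn holds a permission entry, grant new_arn the same actions.
    Returns the (kind, asset id) pairs touched, which doubles as an audit trail."""
    copied = []
    for list_call, key, id_field, kind in ASSET_TYPES:
        describe = getattr(qs, f"describe_{kind}_permissions")
        update = getattr(qs, f"update_{kind}_permissions")
        for summary in paginate(getattr(qs, list_call), key, AwsAccountId=account_id):
            asset_id = summary[id_field]
            for entry in describe(AwsAccountId=account_id, **{id_field: asset_id})["Permissions"]:
                if entry["Principal"] == old_arn:
                    update(AwsAccountId=account_id, **{id_field: asset_id},
                           GrantPermissions=[{"Principal": new_arn, "Actions": entry["Actions"]}])
                    copied.append((kind, asset_id))
    return copied

def migrate(qs, account_id, role_arn, namespace="default", delete_old=False):
    """Steps 1-4 end to end; returns {old UserName: new user ARN}. Step 4 only runs with delete_old=True."""
    mapping = {}
    for user in native_users(qs, account_id, namespace):
        new_arn = register_iam_session_user(qs, account_id, role_arn, user, namespace)
        copy_asset_permissions(qs, account_id, user["Arn"], new_arn)
        if delete_old:
            qs.delete_user(AwsAccountId=account_id, Namespace=namespace, UserName=user["UserName"])
        mapping[user["UserName"]] = new_arn
    return mapping

class FakeQuickSight:
    """Constructed offline stand-in; models only the response shapes the functions above read."""
    ACCOUNT, REGION = "111122223333", "us-east-1"

    def __init__(self):
        base = f"arn:aws:quicksight:{self.REGION}:{self.ACCOUNT}:user/default/"
        self.users = {  # one native user to migrate and one IAM user that must be left alone
            "alice": {"UserName": "alice", "Arn": base + "alice", "Email": "alice@example.com",
                      "Role": "AUTHOR", "IdentityType": "QUICKSIGHT"},
            "Deploy/ci": {"UserName": "Deploy/ci", "Arn": base + "Deploy/ci",
                          "Email": "ci@example.com", "Role": "ADMIN", "IdentityType": "IAM"},
        }
        self.perms = {kind: {} for _, _, _, kind in ASSET_TYPES}  # kind -> asset id -> entries
        self.perms["dashboard"]["sales"] = [{"Principal": base + "alice", "Actions": [
            "quicksight:DescribeDashboard", "quicksight:QueryDashboard"]}]
        self.perms["data_set"]["orders"] = [{"Principal": base + "alice",
                                             "Actions": ["quicksight:DescribeDataSet"]}]
        self.perms["analysis"]["unowned"] = []

    def list_users(self, **kw):
        return {"UserList": list(self.users.values())}

    def register_user(self, **kw):
        name = kw["IamArn"].rsplit("/", 1)[1] + "/" + kw["SessionName"]  # <role>/<session>
        arn = f"arn:aws:quicksight:{self.REGION}:{kw['AwsAccountId']}:user/{kw['Namespace']}/{name}"
        self.users[name] = {"UserName": name, "Arn": arn, "Email": kw["Email"],
                            "Role": kw["UserRole"], "IdentityType": "IAM"}
        return {"User": self.users[name]}

    def delete_user(self, **kw):
        del self.users[kw["UserName"]]
        return {}

    def __getattr__(self, name):
        # Synthesise list_*, describe_*_permissions and update_*_permissions from ASSET_TYPES.
        for list_call, key, id_field, kind in ASSET_TYPES:
            if name == list_call:
                return lambda **kw: {key: [{id_field: i} for i in self.perms[kind]]}
            if name == f"describe_{kind}_permissions":
                return lambda **kw: {"Permissions": list(self.perms[kind][kw[id_field]])}
            if name == f"update_{kind}_permissions":
                return lambda **kw: self.perms[kind][kw[id_field]].extend(kw.get("GrantPermissions", []))
        raise AttributeError(name)

if __name__ == "__main__":
    qs = FakeQuickSight()  # swap for boto3.client("quicksight") on a real account
    print(migrate(qs, FakeQuickSight.ACCOUNT, "arn:aws:iam::111122223333:role/QuickSightUsers"))
```

Two things worth keeping when adapting this: the new principal's ARN comes back from register_user, so take it from the response rather than building it by hand, and the granted actions are copied verbatim from the old entry so the new identity gets exactly what the old one had, no more.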


Very nice detailed reply! I really appreciate that, I will look this over and hopefully have quite a bit better understanding of how to achieve this. Thank you so much for your guidance!


Thanks @Ashok! @TimB We are so glad this helped. Thanks for letting us know! After you look and step through everything, can you help the Community out by marking Ashok’s reply as “Solution” (check box under the reply) if it resolves your question? Thank you!


Sure, will do. Thanks!


Hi @Ashok,

Thank you again for your reply. I am still struggling however with understanding the steps you provided as I am quite new to AWS. Can you give me any more detail or clarification on Steps 2 & 3? In step 2 are you talking about creating a role for programmatic access to register the users in the script?

In Step 3, I tried to register a user in the CLI myself, but got an error message. Here is what I typed in the command line and the response:
aws quicksight register-user --identity-type IAM --email user@email.com --user-role READER --aws-account-id xxxxxxxxxxx --namespace default

"An error occurred (InvalidParameterValueException) when calling the RegisterUser operation: Invalid resource identifiers provided. Please check the documentation. "

Is there a reason why this shouldn’t work? Also, I thought I read that register-user is only for users already set up in IAM? These are all Quicksight Only native users that I need to migrate to IAM. Can I use ‘create-user’ to the same effect, or is register-user the right way to go?

Thank you again for your time and assistance!