Providing Access Permission to Multiple users at the same time through CloudFormation

I am working on the migration of QuickSight assets from DEV to PROD to create the analysis, dataset, and dashboard in the target account (prod), taking assets from the dev account using CloudFormation.

I have been successful in doing the same, and then incorporating Terraform to run the pipeline that, upon execution, uploads the CloudFormation template, creates the stack and deploys my assets in PROD. It is successful!!

However, I am not able to provide access permission to multiple users at the same time through CloudFormation.

We have a template in JSON where we have to provide permission from our DEV to the destination account, as you can see below:

[
    {
      "Principal": "arn:aws:iam::target_Account_ID:root",
      "Actions": [
        "quicksight:UpdateTemplatePermissions",
        "quicksight:DescribeTemplate"
      ]
    }
  ]

However, the QuickSight user name which has been created via Terraform is unable to see the assets, even though the CloudFormation stack is created and successful.

Is there a way we can work on the permission part? If multiple users can be given permissions at the same time, then the resources might show up for everyone in prod after deployment. Please let me know.

For example, in the above code, could we put “,user2,user3,user4” instead of root etc., something like below?

"Principal": "arn:aws:iam::target_Account_ID:user1,user2,user3",

Thank you so much.

Appreciate your help in this.

Hi @dsahu

You can use one JSON file to grant multiple users / groups access to one asset using an approach similar to below:

"Permissions": [
    {
        "Principal": "arn:aws:quicksight:us-east-1:accountID:user/default/user1",
        "Actions": [
            "quicksight:RestoreAnalysis",
            "quicksight:UpdateAnalysisPermissions",
            "quicksight:DeleteAnalysis",
            "quicksight:DescribeAnalysisPermissions",
            "quicksight:QueryAnalysis",
            "quicksight:DescribeAnalysis",
            "quicksight:UpdateAnalysis"
        ]
    },
    {
        "Principal": "arn:aws:quicksight:us-east-1:accountID:user/default/admin/user2",
        "Actions": [
            "quicksight:RestoreAnalysis",
            "quicksight:UpdateAnalysisPermissions",
            "quicksight:DeleteAnalysis",
            "quicksight:DescribeAnalysisPermissions",
            "quicksight:QueryAnalysis",
            "quicksight:DescribeAnalysis",
            "quicksight:UpdateAnalysis"
        ]
    }
],

One thing to be aware of is that you can share analyses, dashboards, templates, and themes with up to 100 principals, so rather than using usernames like in the above code, you could share it out to QuickSight groups instead, which would also help with scalability.

I am marking this reply as, “Solution,” but let me know if this doesn’t answer your question!


Hi @olivia,

Thank you for the response.

When I try to put user 1, user 2 as you mentioned, it shows the following error, but it works fine for the root.

Please check:

My Templatepersmission.json

[
    {
      "Principal": "arn:aws:iam::TARGET ACCOUNT ID :user/default/AWSReservedSSO_FULLADMIN_2ad11be8ca8c2efb/****.com",  
      "Actions": [
        "quicksight:UpdateTemplatePermissions",
        "quicksight:DescribeTemplate"
      ]
    }
  ]

The above user is the user present in the target account.

Error below

I am running the template in CloudShell in my source account; the ID that I have provided in the query is the source account ID (ending in 50). The JSON script has the target account ID in it.

Can you please let me know what I am missing? I cannot get rid of that error. It will be very helpful.

Thank you for your help. Appreciate it.
Dibyasha

@dsahu,

You share the template with the root account (Set up cross-account templates in Amazon QuickSight | AWS re:Post).
For the analysis and dashboards which have been deployed and are to be shared with users, you can update the permissions (UpdateAnalysisPermissions - Amazon QuickSight, UpdateDashboardPermissions - Amazon QuickSight).

Kind Regards,
Koushik
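
The multi-principal Permissions list discussed in this thread, as an added example that is not part of any post: it generates one entry per QuickSight user or group, applies the 100-principal limit mentioned above, and rejects IAM-style ARNs before the JSON reaches CloudFormation. The function name, the regex, the choice to accept only user and group ARNs, and the sample account ID and names are assumptions of this example.

```python
import json
import re

# Actions copied from the analysis permissions shown in the reply above.
ANALYSIS_ACTIONS = [
    "quicksight:RestoreAnalysis",
    "quicksight:UpdateAnalysisPermissions",
    "quicksight:DeleteAnalysis",
    "quicksight:DescribeAnalysisPermissions",
    "quicksight:QueryAnalysis",
    "quicksight:DescribeAnalysis",
    "quicksight:UpdateAnalysis",
]
MAX_PRINCIPALS = 100  # sharing limit quoted in the thread

# arn:aws:quicksight:<region>:<account>:(user|group)/<namespace>/<name>
QS_PRINCIPAL = re.compile(
    r"^arn:aws:quicksight:[a-z0-9-]+:\d{12}:(user|group)/[^/]+/.+$"
)


def build_permissions(principals, actions=ANALYSIS_ACTIONS):
    """Return a Permissions list with one entry per QuickSight principal."""
    unique = list(dict.fromkeys(principals))  # drop duplicates, keep order
    if len(unique) > MAX_PRINCIPALS:
        raise ValueError(
            f"{len(unique)} principals exceeds {MAX_PRINCIPALS}; share with groups"
        )
    bad = [p for p in unique if not QS_PRINCIPAL.match(p)]
    if bad:
        # e.g. an arn:aws:iam:: ARN, which is not a QuickSight user or group
        raise ValueError(f"not QuickSight user/group ARNs: {bad}")
    return [{"Principal": p, "Actions": list(actions)} for p in unique]


if __name__ == "__main__":
    # Constructed sample values: account ID, region and names are placeholders.
    sample = [
        "arn:aws:quicksight:us-east-1:111122223333:group/default/prod-analysts",
        "arn:aws:quicksight:us-east-1:111122223333:user/default/admin/user2",
    ]
    print(json.dumps({"Permissions": build_permissions(sample)}, indent=4))
```

Sharing with a group keeps the list short and lets group membership, rather than the template, decide who sees the asset.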