Hello.
Is it possible, for now, to connect QuickSight in an OpenSearch instance in another account (cross account), as we can with Athena and Redshift?
If yes, can you please provide some documentation (if exists)?
If not, can you share if it is in the roadmap?
Thanks
Hello @andrpele , welcome to the Quicksight community!
Here is the documentation for OpenSearch + Quicksight:
Hi @duncan. Yes I’m aware of that doc, but my point is that I do not see anything about cross account access, can you please share if it is possible or not?
Hi @andrpele ,
I can confirm that there is a Product Feature Request (PFR) for OpenSearch cross-account access within Quicksight, so it’s not a supported feature, yet. We’ll tag this post as a feature request for the Quicksight team to add more weight to the PFR.
There is, however, the ability to setup a VPC endpoint for OpenSearch and add that to Quicksight (see here). There’s also a blog on Open Search network access patterns here. With that in place, you can setup a VPC connection in Quicksight (see here) and select that VPC when you create the OpenSearch dataset.
This makes me curious if can use use that VPC endpoint across accounts (see here).
It’s worth exploring and I’ll dig into that a bit later this week. I’ll keep you posted.
ws
I dug into this a bit and, unfortunately, confirmed that cross account domain setup is not possible.
I used the CreateDataSource API (here and here) and it comes down to the AmazonElasticsearchParameters object. This has a single parameter, domain.
It’s clear that there are two validations on domain; 1) it does a regex check on the value and the cross account domain ARN fails the check. 2) it checks that the domain name is in the account that you are running the API on. See errors below
My hope was that the API would either take the full domain arn or use the cross account VPC endpoint. But it does neither.
I should get notified when this feature is delivered and I’ll make sure that the Community sees it.
ws
API Failure 1 - Value ‘arn:aws:es:us-xxxx-1:xxxxxxxxx:domain/cross-account-os-2’ at ‘domainName’ failed to satisfy constraint: Member must satisfy regular expression pattern: [a-z][a-z0-9-]+; Value ‘arn:aws:es:us-xxxx-1:xxxxxxxxxxxx:domain/cross-account-os-2’ at ‘domainName’ failed to satisfy constraint: Member must have length less than or equal to 28
API Failuare 2 - An error occurred (InvalidParameterValueException) when calling the CreateDataSource operation: Domain cross-account-os-2 is not found for account xxxxxxxxx