

# Accessing AWS resources


|  | 
| --- |
|    Applies to: Enterprise Edition and Standard Edition  | 


|  | 
| --- |
|    Intended audience:  System administrators and Amazon Quick administrators  | 

You can control the AWS resources that Amazon Quick can access and scope down access to these resources at a more granular level. In Enterprise edition, you can also set up general access defaults for everyone in your account, and you can set up specific access for individual users and groups. 

These access configurations determine which AWS data sources Amazon Quick can connect to, such as Amazon S3, Amazon RDS, Amazon Redshift, and Athena. Setting them correctly lets Amazon Quick retrieve and process data from those sources while limiting it to the resources you intend to expose.

Use the following sections to help you configure your AWS resources to work with Quick.

Before you begin, make sure that you have the correct permissions; your system administrator can give you these. To do so, your system administrator creates an IAM policy that allows the following actions and attaches it to your user or group in IAM:
+ **`quicksight:AccountConfigurations`** – Set the default access to AWS resources for the account
+ **`quicksight:ScopeDownPolicy`** – Assign scope-down policies that restrict permissions to AWS resources

You can also bring your own IAM roles into Amazon Quick. For more information, see [Passing IAM roles to Amazon Quick](https://docs.aws.amazon.com/quicksight/latest/user/security-create-iam-role.html).

**To enable or disable the AWS services that Amazon Quick can access**

1. Sign in to Amazon Quick at [https://quicksight.aws.amazon.com/](https://quicksight.aws.amazon.com/).

1. At the upper right, choose your user name, and then choose **Manage Quick**. 

1. Choose **Security & permissions**. 

1. Under **QuickSight access to AWS services**, choose **Add or remove**.

   A screen appears where you can enable all available AWS services.
**Note**  
If you see a permissions error, and you're an authorized Amazon Quick administrator, contact your system administrator for assistance.

1. Select the check boxes for the services that you want to allow. Clear check boxes for services that you don't want to allow.

   If you have already enabled an AWS service, the check box for that service is already selected. If Amazon Quick can't access a particular AWS service, its check box is not selected.

   In some cases, you might see a message like the following. 

   `This policy used by Amazon Quick for AWS resource access was modified outside of Amazon Quick, so you can no longer edit this policy to provide AWS resource permission to Amazon Quick. To edit this policy permissions, go to the IAM console and delete this policy permission with policy arn - arn:aws:iam::111122223333:policy/service-role/AWSQuickSightS3Policy. `

   This type of message means that one of the IAM policies that Amazon Quick uses was manually altered. To fix this, the system administrator needs to delete the IAM policy listed in the error message and reload the **Security & permissions** screen before you try again.

1. Choose **Update** to confirm, or **Cancel** to return to the previous screen.

**Topics**
+ [Setting granular access to AWS services through IAM](scoping-policies-iam-interface.md)
+ [Using AWS Secrets Manager secrets instead of database credentials in Quick](secrets-manager-integration.md)

# Setting granular access to AWS services through IAM



|  | 
| --- |
|  Applies to:  Enterprise Edition  | 


|  | 
| --- |
|    Intended audience:  System administrators and Amazon Quick administrators  | 

In Enterprise edition, Amazon Quick provides a way for you to set up detailed access to resources in AWS services. Like every other AWS service, Quick uses IAM policies to control access for users and groups.

Before you begin, ask an administrator to set up the necessary IAM policies ahead of time. If these are set up, you can select them as part of the procedure in this section. For information about creating IAM policies to use with Quick, see [Identity and access management in Quick](https://docs.aws.amazon.com/quicksight/latest/user/identity.html).

**To assign an IAM policy to a user or group**

1. Sign in to Quick at [https://quicksight.aws.amazon.com/](https://quicksight.aws.amazon.com/).

1. At the upper right, choose your user name, and then choose **Manage Quick**.

1. Choose **Security & permissions**. 

1. Under **Resource access for individual users and groups**, choose **IAM policy assignments**.

   The remaining steps involve choosing an IAM policy to assign to the user or group. You can assign multiple IAM policies to one Amazon Quick user or group. To determine a user's permissions, Amazon Quick takes the union of the policies assigned to that user and the user's groups, and then intersects the result with the account-level resource access configured under **QuickSight access to AWS services**. An assignment can therefore narrow what a user can reach, but it can't grant access to a service or resource that the account-level configuration doesn't already allow.

   If you already have active IAM policy assignments, they are listed on this page. You can search for existing assignments by using the search box. If you have drafts that aren't active yet, they are listed under **Assignment drafts**.

1. Choose one of the following:
   + To create an IAM policy assignment, choose **Add new assignment**.
   + To edit an existing assignment, choose the **Edit assignment** icon for that assignment.
   + To enable or disable a policy, select the check box for that policy, and then choose **Enable** or **Disable**. You can select multiple policy assignments at a time.
   + To delete an existing assignment, choose the **Remove assignment** icon near the name of the assignment. To confirm your choice, choose **Delete** on the confirmation screen. Or choose **Back** to cancel deletion. 

   If you are creating or editing an assignment, continue to the next step. Otherwise, skip to the end of this procedure.

1. On the next screen, you perform the policy assignment process, which is divided into steps. As you work through the steps, you can go forward or backward to make changes. When you exit the screen, your changes from all of the steps are saved. 

   1. **Step 1: Name assignment** – If this is a new assignment, enter a name for the assignment, and then choose **Next** to continue. If you want to change the name, choose **Step 1** at left.

   1. **Step 2: Select an IAM policy** – Choose an IAM policy that you want to use. From this screen, you can interact with the policies as follows: 
      + Choose a policy that you want to use.
      + Search for a policy name.
      + Filter the list to see all IAM policies, AWS-managed policies, or customer-managed policies. 
      + View a policy, by choosing **View policy**. 

      To choose a policy, choose the button beside it, and then choose **Next** to continue.

   1. **Step 3: Assign users and groups** – Choose specific users or groups. Or choose to use the selected IAM policy for all users and groups. 

      Choose one of the following.
      + For **Assign to all users and groups**, select the check box to assign the IAM policy to all Amazon Quick users and groups. Choosing this option assigns the policy to all current and future users and groups. 
      + Choose the users and groups you want to assign to this IAM policy. You can search for them by name, email address, or group name.

      When you are finished selecting users and groups, choose **Next** to continue.

   1. **Step 4: Review and enable changes** – Save your changes.

      Choose one of the following.
      + To edit any of your choices, choose that step to edit it.
      + To save this policy assignment as a draft, choose **Save as draft**. You can enable the draft later.
      + To immediately enable this policy, choose **Save and enable**. This option overwrites any existing policy assignment with the same name.
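The union-then-intersection rule described in the assignment procedure above is easy to get wrong in practice, so the following added example models it. This is not Quick's or AWS's code: it is a deliberately reduced IAM evaluator (Allow/Deny statements, `*` and `?` wildcards in Action and Resource, explicit Deny wins, default deny; no Condition keys, NotAction, NotResource or resource-based policies). The account-level policy, the two assignment policies and the bucket and ARN names are all constructed for the example.

```python
"""Model of how Quick combines IAM policy assignments with account-level access:
the policies assigned to a user or group are unioned, and the result is
intersected with what the account-level configuration permits.

Added example, not Quick's or AWS's code. Policy documents are constructed.
"""
import fnmatch


def _as_list(value):
    """IAM accepts either a string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]


def _matches(pattern: str, value: str, case_insensitive: bool) -> bool:
    """IAM-style wildcard match; action names are case-insensitive, ARNs are not."""
    if case_insensitive:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def _statement_covers(stmt: dict, action: str, resource: str) -> bool:
    actions = _as_list(stmt.get("Action", []))
    resources = _as_list(stmt.get("Resource", []))
    return any(_matches(a, action, True) for a in actions) and any(
        _matches(r, resource, False) for r in resources
    )


def policy_allows(policy: dict, action: str, resource: str) -> bool:
    """Evaluate one policy document: an explicit Deny wins, otherwise any Allow grants."""
    allowed = False
    for stmt in policy["Statement"]:
        if not _statement_covers(stmt, action, resource):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def effective_allow(account_policy: dict, assigned_policies: list,
                    action: str, resource: str) -> bool:
    """Union of the user's assignments, intersected with the account-level policy.

    An assignment can narrow access but never grant an action on a resource
    that the account-level configuration does not already allow.
    """
    granted_by_assignment = any(policy_allows(p, action, resource) for p in assigned_policies)
    return granted_by_assignment and policy_allows(account_policy, action, resource)


# Constructed account-level policy: everything Quick may touch in this account.
ACCOUNT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::sales-data", "arn:aws:s3:::sales-data/*"]},
        {"Effect": "Allow", "Action": "athena:*", "Resource": "*"},
    ],
}

# Constructed assignments for one analyst group. The first policy also tries to
# reach a bucket (hr-data) that the account-level policy never opened.
ANALYST_ASSIGNMENTS = [
    {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "s3:GetObject",
         "Resource": ["arn:aws:s3:::sales-data/*", "arn:aws:s3:::hr-data/*"]},
        {"Effect": "Deny", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::sales-data/restricted/*"},
    ]},
    {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "athena:StartQueryExecution", "Resource": "*"},
    ]},
]

if __name__ == "__main__":
    checks = [
        ("s3:GetObject", "arn:aws:s3:::sales-data/q1.csv"),             # True
        ("s3:GetObject", "arn:aws:s3:::sales-data/restricted/raw.csv"),  # False: explicit Deny in an assignment
        ("s3:GetObject", "arn:aws:s3:::hr-data/salaries.csv"),          # False: not allowed at account level
        ("s3:ListBucket", "arn:aws:s3:::sales-data"),                    # False: no assignment grants it
        ("athena:StartQueryExecution", "*"),                             # True: second assignment, via the union
    ]
    for action, resource in checks:
        verdict = effective_allow(ACCOUNT_POLICY, ANALYST_ASSIGNMENTS, action, resource)
        print(f"{action:28} {resource:46} -> {verdict}")
```

The `hr-data` case is the one to remember when reviewing assignments: an allow in an assigned policy does nothing until the service and resource are also allowed under **QuickSight access to AWS services**, so widening a user's reach is always a two-step change that shows up in both places.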

# Using AWS Secrets Manager secrets instead of database credentials in Quick


|  | 
| --- |
|    Intended audience:  Amazon Quick Administrators and Amazon Quick developers  | 

AWS Secrets Manager is a secret storage service that you can use to protect database credentials, API keys, and other secret information. Because Amazon Quick references a secret by its Amazon Resource Name (ARN) rather than by the credentials themselves, the database username and password never appear in your code or in your API calls, so someone who examines them can't recover the secret. For an overview, see the [AWS Secrets Manager User Guide](https://docs.aws.amazon.com/secretsmanager/latest/userguide).

Quick administrators can grant Amazon Quick read-only access to secrets they create in Secrets Manager. These secrets can be used in place of database credentials when creating and editing data sources using the Quick API.

Quick supports using secrets with data source types that support credential pair authentication. Jira and ServiceNow are not currently supported.

**Note**  
If you use AWS Secrets Manager with Quick, you are billed for access and maintenance as described in the [AWS Secrets Manager Pricing page](https://aws.amazon.com/secrets-manager/pricing). In your billing statement, the costs are itemized under Secrets Manager and not under Amazon Quick.

Use the procedures described in the following sections to integrate Secrets Manager with Amazon Quick.

**Topics**
+ [Granting Amazon Quick access to Secrets Manager and selected secrets](#secrets-manager-integration-select-secrets)
+ [Creating or updating a data source with secret credentials using the Amazon Quick API](#secrets-manager-integration-api)
+ [What's in the secret](#secrets-manager-integration-whats-in-secret)
+ [Modify a secret](#secrets-manager-integration-modifying)

## Granting Amazon Quick access to Secrets Manager and selected secrets

If you're an administrator and you have secrets in Secrets Manager, you can grant Amazon Quick read-only access to selected secrets. 

**To grant Amazon Quick access to Secrets Manager and selected secrets**

1. In Amazon Quick, choose your user icon on the upper right, and then choose **Manage Quick**.

1. Choose **Security & permissions** on the left.

1. Choose **Manage** in **Amazon Quick access to AWS resources**.

1. In **Allow access and autodiscovery for these resources**, choose **AWS Secrets Manager**, **Select secrets**. 

   The **AWS Secrets Manager secrets** page opens. 

1. Select the secrets that you want to grant Amazon Quick read-only access to.

   Secrets in your Amazon Quick sign-up Region are shown automatically. To select secrets outside your home Region, choose **Secrets in Other AWS Regions**, and then enter the Amazon Resource Names (ARNs) for those secrets.

1. When you're done, choose **Finish**. 

   Amazon Quick creates an IAM role called `aws-quicksight-secretsmanager-role-v0` in your account. The role grants users in the account read-only access to the specified secrets and nothing else; review its policy if you want to confirm which secret ARNs it covers.

   When Amazon Quick users create analyses from or view dashboards that use a data source with secrets, Amazon Quick assumes this Secrets Manager IAM role. For more information about secret permissions policies, see [Authentication and access control for AWS Secrets Manager](https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access.html) in the *AWS Secrets Manager User Guide*.

   A secret referenced by the Amazon Quick IAM role may also have a resource-based policy attached to it that denies access. An explicit deny in the secret's policy overrides the access the role grants. For more information, see [Attach a permissions policy to a secret](https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access_resource-policies.html) in the *AWS Secrets Manager User Guide*.

   If you're using an AWS managed AWS KMS key to encrypt your secret, Amazon Quick doesn't require any additional permissions setup in Secrets Manager.

   If you're using a customer managed key to encrypt your secret, ensure that the Amazon Quick IAM role, `aws-quicksight-secretsmanager-role-v0`, has `kms:Decrypt` permission on that key. Without it, the role can read the secret's metadata but can't decrypt its value. For more information, see [Permissions for the KMS key](https://docs.aws.amazon.com/secretsmanager/latest/userguide/security-encryption.html#security-encryption-authz) in the *AWS Secrets Manager User Guide*.

   For more information about the types of keys used in AWS Key Management Service, see [Customer keys and AWS keys](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-mgmt) in the *AWS Key Management Service guide*.
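The role that Amazon Quick creates is read-only by design, but like any Quick-managed policy it can be modified outside Quick (the **Security & permissions** page warns about exactly that for the service-access policies). The following added example audits a role policy against the set of secrets an administrator meant to share. This is not Quick's or AWS's code. It assumes the role policy is the document `iam:GetRolePolicy` would return, that the expected grants are `secretsmanager:GetSecretValue` on the selected secrets plus `kms:Decrypt` on any customer managed key that encrypts one of them, and that anything broader is a finding. The secret ARNs, the KMS key ARN and both policy documents are constructed placeholders.

```python
"""Audit the policy on aws-quicksight-secretsmanager-role-v0 against the
secrets an administrator approved for Amazon Quick.

Added example, not Quick's or AWS's code. The policy documents, secret ARNs
and KMS key ARN are constructed.
"""

# The only actions a read-only secret-access role should carry (assumption
# stated in the lead-in; compared case-insensitively like IAM does).
EXPECTED_ACTIONS = {"secretsmanager:getsecretvalue", "kms:decrypt"}


def _as_list(value):
    """IAM accepts either a string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]


def audit_secrets_role_policy(policy: dict, approved_secrets: set, cmk_by_secret: dict) -> list:
    """Return findings as strings; an empty list means the role matches the approved set.

    cmk_by_secret maps a secret ARN to the customer managed KMS key ARN that
    encrypts it; secrets under the AWS managed key are simply absent from it.
    """
    findings = []
    secrets_granted = set()
    keys_granted = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue  # a Deny can only narrow access, so it is not drift to flag
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        resources = _as_list(stmt.get("Resource", []))
        for action in actions:
            if action not in EXPECTED_ACTIONS:
                findings.append(f"unexpected action {action!r}: role is no longer read-only")
        for resource in resources:
            if "*" in resource:
                findings.append(f"wildcard resource {resource!r}: wider than the selected secrets")
                continue
            if ":secretsmanager:" in resource and "secretsmanager:getsecretvalue" in actions:
                if resource in approved_secrets:
                    secrets_granted.add(resource)
                else:
                    findings.append(f"secret {resource!r} was not approved by an administrator")
            elif ":kms:" in resource and "kms:decrypt" in actions:
                keys_granted.add(resource)
    for secret in sorted(approved_secrets):
        if secret not in secrets_granted:
            findings.append(f"approved secret {secret!r} is missing from the role policy")
        key = cmk_by_secret.get(secret)
        if key and key not in keys_granted:
            findings.append(f"secret {secret!r} is encrypted with {key!r} but the role lacks kms:Decrypt on it")
    return findings


# Constructed inputs: two approved secrets, the second encrypted with a customer managed key.
MYSQL_SECRET = "arn:aws:secretsmanager:us-west-2:111122223333:secret:prod/mysql/quick-AbCdEf"
REDSHIFT_SECRET = "arn:aws:secretsmanager:us-west-2:111122223333:secret:prod/redshift/quick-GhIjKl"
REDSHIFT_CMK = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
APPROVED_SECRETS = {MYSQL_SECRET, REDSHIFT_SECRET}
CMK_BY_SECRET = {REDSHIFT_SECRET: REDSHIFT_CMK}

# Constructed: the read-only grant plus the kms:Decrypt the customer managed key needs.
CLEAN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "secretsmanager:GetSecretValue",
         "Resource": [MYSQL_SECRET, REDSHIFT_SECRET]},
        {"Effect": "Allow", "Action": "kms:Decrypt", "Resource": REDSHIFT_CMK},
    ],
}

# Constructed drift: a write action added, an unapproved secret added, the KMS grant removed.
DRIFTED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["secretsmanager:GetSecretValue", "secretsmanager:PutSecretValue"],
         "Resource": [MYSQL_SECRET,
                      "arn:aws:secretsmanager:us-west-2:111122223333:secret:dev/scratch-MnOpQr"]},
    ],
}

if __name__ == "__main__":
    print("clean:", audit_secrets_role_policy(CLEAN_POLICY, APPROVED_SECRETS, CMK_BY_SECRET))
    for finding in audit_secrets_role_policy(DRIFTED_POLICY, APPROVED_SECRETS, CMK_BY_SECRET):
        print("drift:", finding)
```

Run against the drifted policy, the audit reports four findings: the write action, the unapproved `dev/scratch` secret, the approved Redshift secret that is no longer granted, and the missing `kms:Decrypt` on its customer managed key. Feeding it the real policy from `aws iam get-role-policy` and the secret list from the **AWS Secrets Manager secrets** page is a cheap periodic check that the role still matches what was approved.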

## Creating or updating a data source with secret credentials using the Amazon Quick API


After the Amazon Quick administrator has granted Amazon Quick read-only access to Secrets Manager, you can create and update data sources in the API using a secret the administrator selected as credentials.

Following is an example API call to create a data source in Amazon Quick. This example uses the `create-data-source` API operation. You can also use the `update-data-source` operation. For more information, see [CreateDataSource](https://docs.aws.amazon.com/quicksight/latest/APIReference/API_CreateDataSource.html) and [UpdateDataSource](https://docs.aws.amazon.com/quicksight/latest/APIReference/API_UpdateDataSource.html) in the *Amazon Quick API Reference*.

The principal specified in the `--permissions` value of the following example can delete, view, and edit the MySQL data source in Amazon Quick, and can view and update the data source's permissions. Instead of a database username and password, a secret ARN is passed as the credentials for the data source.

```
# Port is an integer, and the secret ARN takes the place of a credential pair,
# so no database password appears on the command line or in shell history.
aws quicksight create-data-source \
    --aws-account-id AWSACCOUNTID \
    --data-source-id DATASOURCEID \
    --name NAME \
    --type MYSQL \
    --permissions '[{"Principal": "arn:aws:quicksight:region:accountID:user/namespace/username", "Actions": ["quicksight:DeleteDataSource", "quicksight:DescribeDataSource", "quicksight:DescribeDataSourcePermissions", "quicksight:PassDataSource", "quicksight:UpdateDataSource", "quicksight:UpdateDataSourcePermissions"]}]' \
    --data-source-parameters '{"MySqlParameters":{"Database": "database", "Host": "hostURL", "Port": 3306}}' \
    --credentials '{"SecretArn":"arn:aws:secretsmanager:region:accountID:secret:secretname"}' \
    --region us-west-2
```

In this call, Amazon Quick authorizes `secretsmanager:GetSecretValue` access to the secret based on the API caller's IAM policy, not the IAM service role's policy. The IAM service role acts on the account level and is used when an analysis or dashboard is viewed by a user. It cannot be used to authorize secret access when a user creates or updates the data source. 

When they edit a data source in the Amazon Quick UI, users can view the secret ARN for data sources that use AWS Secrets Manager as the credential type. However, they can't edit the secret or select a different secret. If they need to make changes in the UI, for example to the database server or port, users first need to choose **Credential pair** and enter a database username and password.

Secrets are automatically removed from a data source when the data source is altered in the UI. To restore the secret to the data source, use the `update-data-source` API operation.

## What's in the secret


Amazon Quick requires the following JSON format to access your secret:

```
{
  "username": "username",
  "password": "password"
}
```

The `username` and `password` fields are required for Amazon Quick to access secrets. All other fields are optional and are ignored by Amazon Quick.

The JSON format may vary depending on the type of database. For more information, see [JSON structure of AWS Secrets Manager database credential secrets](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_secret_json_structure.html) in the *AWS Secrets Manager User Guide*.
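The two things that go wrong most often with this integration are a secret whose value doesn't have the shape above and a `CreateDataSource` request that still carries a credential pair. The following added example covers both: it validates a secret value before it is handed to Quick and builds the `CreateDataSource` parameters with a `SecretArn` in `Credentials`, mirroring the CLI call in the API section. This is not Quick's or AWS's code. It assumes the JSON shape this section documents (`username` and `password` required, other keys ignored, including the `engine`/`host`/`port`/`dbname` fields that Secrets Manager's database secret structure adds) and the Secrets Manager ARN format; the account ID, Region, host names, principal and secret values are constructed placeholders, and nothing here calls AWS.

```python
"""Validate a Secrets Manager secret value for Amazon Quick and build a
CreateDataSource request that references the secret instead of a password.

Added example, not Quick's or AWS's code. All identifiers are constructed.
"""
import json
import re

# Secrets Manager secret ARN: partition, Region, 12-digit account, "secret:" and the
# secret name (letters, digits, /_+=.@-), which Secrets Manager suffixes with six
# random characters.
SECRET_ARN_RE = re.compile(
    r"^arn:aws(?:-[a-z]+)*:secretsmanager:[a-z0-9-]+:\d{12}:secret:[A-Za-z0-9/_+=.@-]+$"
)

# The data source owner actions used in the CLI example above.
DATA_SOURCE_OWNER_ACTIONS = [
    "quicksight:DeleteDataSource",
    "quicksight:DescribeDataSource",
    "quicksight:DescribeDataSourcePermissions",
    "quicksight:PassDataSource",
    "quicksight:UpdateDataSource",
    "quicksight:UpdateDataSourcePermissions",
]


def validate_secret_payload(secret_string: str) -> dict:
    """Return the username/password pair Quick will use, or raise ValueError.

    Extra keys are ignored, as the section above describes.
    """
    try:
        payload = json.loads(secret_string)
    except json.JSONDecodeError as exc:
        raise ValueError(f"secret value is not JSON: {exc.msg}") from None
    if not isinstance(payload, dict):
        raise ValueError("secret value must be a JSON object")
    missing = [k for k in ("username", "password")
               if not isinstance(payload.get(k), str) or not payload[k]]
    if missing:
        raise ValueError(f"secret is missing required field(s): {', '.join(missing)}")
    return {"username": payload["username"], "password": payload["password"]}


def build_create_data_source(account_id: str, data_source_id: str, name: str,
                             principal_arn: str, host: str, port: int,
                             database: str, secret_arn: str) -> dict:
    """Parameters for CreateDataSource (usable as quicksight.create_data_source(**params) in boto3)."""
    if not SECRET_ARN_RE.match(secret_arn):
        raise ValueError(f"not a Secrets Manager secret ARN: {secret_arn}")
    port = int(port)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return {
        "AwsAccountId": account_id,
        "DataSourceId": data_source_id,
        "Name": name,
        "Type": "MYSQL",
        "DataSourceParameters": {
            "MySqlParameters": {"Host": host, "Port": port, "Database": database},
        },
        # The secret ARN replaces a CredentialPair, so the password never enters the request.
        "Credentials": {"SecretArn": secret_arn},
        "Permissions": [{"Principal": principal_arn, "Actions": DATA_SOURCE_OWNER_ACTIONS}],
    }


# Constructed secret values: one minimal, one missing the password, one in the
# shape Secrets Manager uses for RDS secrets (extra keys are ignored).
GOOD_SECRET = '{"username": "quick_reader", "password": "example-only"}'
BAD_SECRET = '{"username": "quick_reader"}'
RDS_STYLE_SECRET = ('{"engine": "mysql", "host": "db.example.internal", "port": 3306, '
                    '"username": "quick_reader", "password": "example-only", "dbname": "sales"}')
EXAMPLE_SECRET_ARN = "arn:aws:secretsmanager:us-west-2:111122223333:secret:prod/mysql/quick-AbCdEf"

if __name__ == "__main__":
    print(validate_secret_payload(RDS_STYLE_SECRET)["username"])
    request = build_create_data_source(
        "111122223333", "sales-mysql", "Sales (MySQL)",
        "arn:aws:quicksight:us-west-2:111122223333:user/default/analyst",
        "db.example.internal", 3306, "sales", EXAMPLE_SECRET_ARN)
    print(json.dumps(request, indent=2))
```

`validate_secret_payload` is the check to run (with a principal that has `secretsmanager:GetSecretValue` on the secret) before pointing a data source at it; a secret that fails it will fail at query time rather than at `CreateDataSource`, since the API call only records the ARN. Keep in mind the caveat from the API section: the caller's own IAM permissions, not the `aws-quicksight-secretsmanager-role-v0` role, are what authorize reading the secret during create and update.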

## Modify a secret


To modify a secret, you use Secrets Manager. After you make changes to a secret, the updates become available the next time Amazon Quick requests access to the secret.