

# Identity and access management in Quick
<a name="identity"></a>


|  | 
| --- |
|    Applies to: Enterprise Edition and Standard Edition  | 


|  | 
| --- |
|    Intended audience:  System administrators and Amazon Quick administrators  | 

You can use the following tools for identity and access to Quick:
+ [IAM Identity Center](https://docs.aws.amazon.com/quicksight/latest/user/sec-identity-management-identity-center.html) (Enterprise edition only)
+ [IAM federation](https://docs.aws.amazon.com/quicksight/latest/user/security.html) (Standard and Enterprise editions)
+ [AWS Directory Service for Microsoft Active Directory](https://docs.aws.amazon.com/quicksight/latest/user/aws-directory-service.html) (Enterprise edition only)
+ [SAML-based single sign-on](https://docs.aws.amazon.com/quicksuite/latest/userguide/iam-federation.html) (Standard and Enterprise edition)
+ [Multifactor authentication (MFA)](https://docs.aws.amazon.com/quicksight/latest/user/using-multi-factor-authentication-mfa.html) (Standard and Enterprise edition)

**Note**  
In the regions listed below, Amazon Quick accounts can only use [IAM Identity Center](https://docs.aws.amazon.com/quicksight/latest/user/sec-identity-management-identity-center.html) for identity and access management.  
+ `af-south-1` Africa (Cape Town)
+ `ap-southeast-3` Asia Pacific (Jakarta)
+ `ap-southeast-5` Asia Pacific (Malaysia)
+ `eu-south-1` Europe (Milan)
+ `eu-central-2` Europe (Zurich)

The following sections help you configure the identity management method of your choice for Quick.

**Topics**
+ [Using IAM](iam.md)
+ [Using IAM Identity Center](setting-up-sso.md)
+ [IAM federation](iam-federation.md)
+ [Using Active Directory with Amazon Quick Enterprise edition](aws-directory-service.md)
+ [Using multi-factor authentication (MFA) with Amazon Quick](using-multi-factor-authentication-mfa.md)

# Using IAM
<a name="iam"></a>

AWS Identity and Access Management (IAM) is an AWS service that helps an administrator securely control access to AWS resources. IAM administrators control who can be *authenticated* (signed in) and *authorized* (have permissions) to use Amazon Quick resources. IAM is an AWS service that you can use with no additional charge.

**Topics**
+ [Introduction to IAM concepts](security_iam_concepts.md)
+ [Using Quick with IAM](security_iam_service-with-iam.md)
+ [Passing IAM roles to Quick](security-create-iam-role.md)
+ [IAM policy examples for Quick](iam-policy-examples.md)
+ [Provisioning users for Amazon Quick](provisioning-users.md)
+ [Troubleshooting Quick identity and access](security_iam_troubleshoot.md)

# Introduction to IAM concepts
<a name="security_iam_concepts"></a>

AWS Identity and Access Management (IAM) is an AWS service that helps an administrator to more securely control access to AWS resources. Administrators control who can be *authenticated* (signed in) and *authorized* (have permissions) to use Amazon Quick resources. IAM is an AWS service that you can use with no additional charge.

IAM is used with Amazon Quick in several ways, including the following:
+ If your company uses IAM for their identity management, people might have IAM user names and passwords that they use to sign in to Amazon Quick.
+ If you want your Amazon Quick users to be automatically created at first sign-in, you can use IAM to create a policy for users who are preauthorized to use Amazon Quick.
+ If you want to create specialized access for specific groups of Amazon Quick users or to specific resources, you can use IAM policies to accomplish this.

**Topics**
+ [Audience](#security_iam_audience)
+ [Authenticating with identities](#security_iam_authentication)
+ [Managing access using policies](#security_iam_access-manage)

## Audience
<a name="security_iam_audience"></a>

Use the following to help understand the context of the information provided in this section, and how it applies to your role. How you use AWS Identity and Access Management (IAM) differs depending on the work that you do in Amazon Quick.

**Service user** – In some cases, you might use Amazon Quick as an Author or Reader to interact with data, analyses, dashboards, spaces, and agents through the Amazon Quick browser interface. In these cases, this section provides only background information for you. You don't directly interact with the IAM service, except if you use IAM to sign in to Amazon Quick.

**Amazon Quick administrator** – If you're in charge of Amazon Quick resources at your company, you probably have full access to Amazon Quick. It's your job to determine which Amazon Quick features and resources your team members should access. If you have specialized requirements that you can't solve by using the Amazon Quick admin panel, then you can work with your administrator to create permissions policies for your Amazon Quick users. To learn more about IAM, read this page to understand the basic concepts of IAM. To learn more about how your company can use IAM with Amazon Quick, see [Using Amazon Quick with IAM](https://docs.aws.amazon.com/quicksight/latest/user/security_iam_service-with-iam.html).

**Administrator** – If you're a system administrator, you might want to learn details about how you can write policies to manage access to Amazon Quick. To view examples of Amazon Quick identity-based policies that you can use in IAM, see [IAM identity-based policies for Amazon Quick](https://docs.aws.amazon.com/quicksight/latest/user/iam-policy-examples.html#security_iam_id-based-policy-examples).

## Authenticating with identities
<a name="security_iam_authentication"></a>

Authentication is how you sign in to AWS using your identity credentials. You must be authenticated as the AWS account root user, an IAM user, or by assuming an IAM role.

You can sign in as a federated identity using credentials from an identity source like AWS IAM Identity Center (IAM Identity Center), single sign-on authentication, or Google/Facebook credentials. For more information about signing in, see [How to sign in to your AWS account](https://docs.aws.amazon.com/signin/latest/userguide/how-to-sign-in.html) in the *AWS Sign-In User Guide*.

For programmatic access, AWS provides an SDK and CLI to cryptographically sign requests. For more information, see [AWS Signature Version 4 for API requests](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_sigv.html) in the *IAM User Guide*.

**Topics**
+ [AWS account root user](#security_iam_authentication-rootuser)
+ [IAM users and groups](#security_iam_authentication-iamuser)
+ [IAM roles](#security_iam_authentication-iamrole)

### AWS account root user
<a name="security_iam_authentication-rootuser"></a>

 When you create an AWS account, you begin with one sign-in identity called the AWS account *root user* that has complete access to all AWS services and resources. We strongly recommend that you don't use the root user for everyday tasks. For tasks that require root user credentials, see [Tasks that require root user credentials](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html#root-user-tasks) in the *IAM User Guide*. 

### IAM users and groups
<a name="security_iam_authentication-iamuser"></a>

An *[IAM user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users.html)* is an identity with specific permissions for a single person or application. We recommend using temporary credentials instead of IAM users with long-term credentials. For more information, see [Require human users to use federation with an identity provider to access AWS using temporary credentials](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#bp-users-federation-idp) in the *IAM User Guide*.

An *[IAM group](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups.html)* specifies a collection of IAM users and makes permissions easier to manage for large sets of users. For more information, see [Use cases for IAM users](https://docs.aws.amazon.com/IAM/latest/UserGuide/gs-identities-iam-users.html) in the *IAM User Guide*.

### IAM roles
<a name="security_iam_authentication-iamrole"></a>

An *[IAM role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html)* is an identity with specific permissions that provides temporary credentials. You can assume a role by [switching from a user to an IAM role (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-console.html) or by calling an AWS CLI or AWS API operation. For more information, see [Methods to assume a role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_manage-assume.html) in the *IAM User Guide*.

IAM roles are useful for federated user access, temporary IAM user permissions, cross-account access, cross-service access, and applications running on Amazon EC2. For more information, see [Cross account resource access in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies-cross-account-resource-access.html) in the *IAM User Guide*.

## Managing access using policies
<a name="security_iam_access-manage"></a>

You control access in AWS by creating policies and attaching them to AWS identities or resources. A policy defines permissions when associated with an identity or resource. AWS evaluates these policies when a principal makes a request. Most policies are stored in AWS as JSON documents. For more information about JSON policy documents, see [Overview of JSON policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#access_policies-json) in the *IAM User Guide*.

Using policies, administrators specify who has access to what by defining which **principal** can perform **actions** on what **resources**, and under what **conditions**.

By default, users and roles have no permissions. An IAM administrator creates IAM policies and adds them to roles, which users can then assume. IAM policies define permissions regardless of the method used to perform the operation.

### Identity-based policies
<a name="security_iam_access-manage-id-based-policies"></a>

Identity-based policies are JSON permissions policy documents that you attach to an identity (user, group, or role). These policies control what actions identities can perform, on which resources, and under what conditions. To learn how to create an identity-based policy, see [Define custom IAM permissions with customer managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create.html) in the *IAM User Guide*.

Identity-based policies can be *inline policies* (embedded directly into a single identity) or *managed policies* (standalone policies attached to multiple identities). To learn how to choose between managed and inline policies, see [Choose between managed policies and inline policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies-choosing-managed-or-inline.html) in the *IAM User Guide*.

### Resource-based policies
<a name="security_iam_access-manage-resource-based-policies"></a>

Resource-based policies are JSON policy documents that you attach to a resource. Examples include IAM *role trust policies* and Amazon S3 *bucket policies*. In services that support resource-based policies, service administrators can use them to control access to a specific resource. You must [specify a principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html) in a resource-based policy.

Resource-based policies are inline policies that are located in that service. You can't use AWS managed policies from IAM in a resource-based policy.

### Access control lists (ACLs)
<a name="security_iam_access-manage-acl"></a>

Access control lists (ACLs) control which principals (account members, users, or roles) have permissions to access a resource. ACLs are similar to resource-based policies, although they do not use the JSON policy document format.

Amazon S3, AWS WAF, and Amazon VPC are examples of services that support ACLs. To learn more about ACLs, see [Access control list (ACL) overview](https://docs.aws.amazon.com/AmazonS3/latest/userguide/acl-overview.html) in the *Amazon Simple Storage Service Developer Guide*.

### Other policy types
<a name="security_iam_access-manage-other-policies"></a>

AWS supports additional policy types that can set the maximum permissions granted by more common policy types:
+ **Permissions boundaries** – Set the maximum permissions that an identity-based policy can grant to an IAM entity. For more information, see [Permissions boundaries for IAM entities](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html) in the *IAM User Guide*.
+ **Service control policies (SCPs)** – Specify the maximum permissions for an organization or organizational unit in AWS Organizations. For more information, see [Service control policies](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html) in the *AWS Organizations User Guide*.
+ **Resource control policies (RCPs)** – Set the maximum available permissions for resources in your accounts. For more information, see [Resource control policies (RCPs)](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_rcps.html) in the *AWS Organizations User Guide*.
+ **Session policies** – Advanced policies passed as a parameter when creating a temporary session for a role or federated user. For more information, see [Session policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) in the *IAM User Guide*.

### Multiple policy types
<a name="security_iam_access-manage-multiple-policies"></a>

When multiple types of policies apply to a request, the resulting permissions are more complicated to understand. To learn how AWS determines whether to allow a request when multiple policy types are involved, see [Policy evaluation logic](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html) in the *IAM User Guide*.

# Using Quick with IAM
<a name="security_iam_service-with-iam"></a>


|  | 
| --- |
|    Applies to: Enterprise Edition and Standard Edition  | 


|  | 
| --- |
|    Intended audience:  System administrators  | 

Before you use IAM to manage access to Amazon Quick, you should understand what IAM features are available to use with Amazon Quick. To get a high-level view of how Amazon Quick and other AWS services work with IAM, see [AWS Services That Work with IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html) in the *IAM User Guide*.

**Topics**
+ [Amazon Quick Policies (identity-based)](#security_iam_service-with-iam-id-based-policies)
+ [Amazon Quick policies (resource-based)](#security_iam_service-with-iam-resource-based-policies)
+ [Authorization based on Amazon Quick tags](#security_iam_service-with-iam-tags)
+ [Amazon Quick IAM roles](#security_iam_service-with-iam-roles)

## Amazon Quick Policies (identity-based)
<a name="security_iam_service-with-iam-id-based-policies"></a>

With IAM identity-based policies, you can specify allowed or denied actions and resources as well as the conditions under which actions are allowed or denied. Amazon Quick supports specific actions, resources, and condition keys. To learn about all of the elements that you use in a JSON policy, see [IAM JSON Policy Elements Reference](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements.html) in the *IAM User Guide*.

You can use AWS root credentials or IAM user credentials to create an Amazon Quick account. AWS root and administrator credentials already have all of the required permissions for managing Amazon Quick access to AWS resources. 

However, we recommend that you protect your root credentials, and instead use IAM user credentials. To do this, you can create a policy and attach it to the IAM user and roles that you plan to use for Amazon Quick. The policy must include the appropriate statements for the Amazon Quick administrative tasks you need to perform, as described in the following sections.

**Important**  
Be aware of the following when working with Quick and IAM policies:  
Avoid directly modifying a policy that was created by Quick. When you modify it yourself, Quick can't edit it. This inability can cause an issue with the policy. To fix this issue, delete the previously modified policy. 
If you get an error on permissions when you try to create an Amazon Quick account, see [Actions Defined by Amazon Quick](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonquicksight.html#amazonquicksight-actions-as-permissions) in the *IAM User Guide*. 
In some cases, you might have an Amazon Quick account that you can't access even from the root account (for example, if you accidentally deleted its directory service). In this case, you can delete your old Amazon Quick account, then recreate it. For more information, see [Deleting your Amazon Quick subscription and closing the account](https://docs.aws.amazon.com/quicksight/latest/user/closing-account.html).

**Topics**
+ [Actions](#security_iam_service-with-iam-id-based-policies-actions)
+ [Resources](#security_iam_service-with-iam-id-based-policies-resources)
+ [Condition keys](#security_iam_service-with-iam-id-based-policies-conditionkeys)
+ [Examples](#security_iam_service-with-iam-id-based-policies-examples)

### Actions
<a name="security_iam_service-with-iam-id-based-policies-actions"></a>

Administrators can use AWS JSON policies to specify who has access to what. That is, which **principal** can perform **actions** on what **resources**, and under what **conditions**.

The `Action` element of a JSON policy describes the actions that you can use to allow or deny access in a policy. Include actions in a policy to grant permissions to perform the associated operation.

Policy actions in Amazon Quick use the `quicksight:` prefix before the action name. The same convention applies across AWS services: for example, to grant someone permission to run an Amazon EC2 instance with the Amazon EC2 `RunInstances` API operation, you include the `ec2:RunInstances` action in their policy. Policy statements must include either an `Action` or `NotAction` element. Amazon Quick defines its own set of actions that describe tasks that you can perform with this service.

To specify multiple actions in a single statement, separate them with commas as follows:

```
"Action": [
    "quicksight:action1",
    "quicksight:action2"
]
```

You can specify multiple actions using wildcards (`*`). For example, to specify all actions that begin with the word `Create`, include the following action:

```
"Action": "quicksight:Create*"
```



Amazon Quick provides a number of AWS Identity and Access Management (IAM) actions. All Amazon Quick actions are prefixed with `quicksight:`, such as `quicksight:Subscribe`. For information about using Amazon Quick actions in an IAM policy, see [IAM policy examples for Amazon Quick](https://docs.aws.amazon.com/quicksight/latest/user/iam-policy-examples.html).

To see the most up-to-date list of Amazon Quick actions, see [Actions Defined by Amazon Quick](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonquicksight.html#amazonquicksight-actions-as-permissions) in the *IAM User Guide*. 

### Resources
<a name="security_iam_service-with-iam-id-based-policies-resources"></a>

Administrators can use AWS JSON policies to specify who has access to what. That is, which **principal** can perform **actions** on what **resources**, and under what **conditions**.

The `Resource` JSON policy element specifies the object or objects to which the action applies. As a best practice, specify a resource using its [Amazon Resource Name (ARN)](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference-arns.html). For actions that don't support resource-level permissions, use a wildcard (`*`) to indicate that the statement applies to all resources.

```
"Resource": "*"
```



Following is an example policy. It means that a caller with this policy attached can invoke the `CreateGroupMembership` operation on any group, provided that the user name they are adding to the group is not `user1`.

```
{
    "Effect": "Allow",
    "Action": "quicksight:CreateGroupMembership",
    "Resource": "arn:aws:quicksight:us-east-1:aws-account-id:group/default/*",
    "Condition": {
        "StringNotEquals": {
            "quicksight:UserName": "user1"
        }
    }
}
```

Some Amazon Quick actions, such as those for creating resources, cannot be performed on a specific resource. In those cases, you must use the wildcard (`*`).

```
"Resource": "*"
```

Some API actions involve multiple resources. To specify multiple resources in a single statement, separate the ARNs with commas. 

```
"Resource": [
    "resource1",
    "resource2"
]
```

To see a list of Amazon Quick resource types and their Amazon Resource Names (ARNs), see [Resources Defined by Amazon Quick](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonquicksight.html#amazonquicksight-resources-for-iam-policies) in the *IAM User Guide*. To learn with which actions you can specify the ARN of each resource, see [Actions Defined by Amazon Quick](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonquicksight.html#amazonquicksight-actions-as-permissions).

### Condition keys
<a name="security_iam_service-with-iam-id-based-policies-conditionkeys"></a>

Administrators can use AWS JSON policies to specify who has access to what. That is, which **principal** can perform **actions** on what **resources**, and under what **conditions**.

The `Condition` element specifies when statements execute based on defined criteria. You can create conditional expressions that use [condition operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html), such as equals or less than, to match the condition in the policy with values in the request.

Amazon Quick does not provide any service-specific condition keys, but it does support using some global condition keys. To see all AWS global condition keys, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html) in the *IAM User Guide*.

### Examples
<a name="security_iam_service-with-iam-id-based-policies-examples"></a>



To view examples of Amazon Quick identity-based policies, see [Amazon Quick Policies (identity-based)](https://docs.aws.amazon.com/quicksight/latest/user/security_iam_service-with-iam-id-based-policies.html).

## Amazon Quick policies (resource-based)
<a name="security_iam_service-with-iam-resource-based-policies"></a>

Amazon Quick doesn't support resource-based policies. However, you can use the Amazon Quick console to configure access to other AWS resources in your AWS account.

## Authorization based on Amazon Quick tags
<a name="security_iam_service-with-iam-tags"></a>

Amazon Quick does not support tagging resources or controlling access based on tags.

## Amazon Quick IAM roles
<a name="security_iam_service-with-iam-roles"></a>

An [IAM role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html) is an entity within your AWS account that has specific permissions. You can use IAM roles to group permissions together to make it easier to manage users' access to Amazon Quick actions.

Amazon Quick doesn't support the following role features:
+ Service-linked roles.
+ Service roles.
+ Temporary credentials (direct use): However, Amazon Quick uses temporary credentials to allow users to assume an IAM role to access embedded dashboards. For more information, see [Embedded analytics for Amazon Quick](https://docs.aws.amazon.com/quicksight/latest/user/embedded-analytics.html).

For more information on how Amazon Quick uses IAM roles, see [Using Amazon Quick with IAM](https://docs.aws.amazon.com/quicksight/latest/user/security_iam_service-with-iam.html) and [IAM policy examples for Amazon Quick](https://docs.aws.amazon.com/quicksight/latest/user/iam-policy-examples.html).

# Passing IAM roles to Quick
<a name="security-create-iam-role"></a>


|  | 
| --- |
|  Applies to:  Enterprise Edition  | 

When your IAM users sign up for Quick, they can either use the Amazon Quick-managed role (the default) or pass an existing IAM role to Amazon Quick.

Use the following sections to pass existing IAM roles to Amazon Quick.

**Topics**
+ [Prerequisites](#security-create-iam-role-prerequisites)
+ [Attaching additional policies](#security-create-iam-role-athena-s3)
+ [Using existing IAM roles in Quick](#security-create-iam-role-use)

## Prerequisites
<a name="security-create-iam-role-prerequisites"></a>

For your users to pass IAM roles to Amazon Quick, your administrator needs to complete the following tasks: 
+ **Create an IAM role**. For more information about creating IAM roles, see [Creating IAM roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create.html) in the *IAM User Guide*.
+ **Attach a trust policy to your IAM role that allows Amazon Quick to assume the role**. Use the following example to create a trust policy for the role. The following example trust policy allows the Quick principal to assume the IAM role that it's attached to.

  For more information about creating IAM trust policies and attaching them to roles, see [Modifying a Role (Console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/roles-managingrole-editing-console.html#roles-managingrole_edit-trust-policy.html) in the *IAM User Guide*.

  ```
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Principal": {
          "Service": "quicksight.amazonaws.com"
        },
        "Action": "sts:AssumeRole"
      }
    ]
  }
  ```
+ **Assign the following IAM permissions to your administrator (IAM users or roles)**:
  + `quicksight:UpdateResourcePermissions` – This grants IAM users who are Amazon Quick administrators the permission to update resource-level permissions in Amazon Quick. For more information about resource types defined by Amazon Quick, see [Actions, resources, and condition keys for Quick](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonquicksight.html) in the *IAM User Guide*.
  + `iam:PassRole` – This grants users permission to pass roles to Amazon Quick. For more information, see [Granting a user permissions to pass a role to an AWS service](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_passrole.html) in the *IAM User Guide*.
  + `iam:ListRoles` – (Optional) This grants users permission to see a list of existing roles in Amazon Quick. If this permission is not provided, they can use an ARN to use existing IAM roles.

  Following is an example IAM permissions policy that allows managing resource-level permissions, listing IAM roles, and passing IAM roles in Quick. Because `iam:ListRoles` doesn't support resource-level permissions, its statement uses `"Resource": "*"`. The `iam:PassRole` statement is scoped to one role and, through the `iam:PassedToService` condition key, to the Quick service only, so the same user can't pass that role to any other service.

  ```
  {
      "Version": "2012-10-17",
      "Statement": [
          {
              "Effect": "Allow",
              "Action": "iam:ListRoles",
              "Resource": "*"
          },
          {
              "Effect": "Allow",
              "Action": "iam:PassRole",
              "Resource": "arn:aws:iam::account-id:role/path/role-name",
              "Condition": {
                  "StringEquals": {
                      "iam:PassedToService": [
                          "quicksight.amazonaws.com"
                      ]
                  }
              }
          },
          {
              "Effect": "Allow",
              "Action": "quicksight:UpdateResourcePermissions",
              "Resource": "*"
          }
      ]
  }
  ```

  For more examples of IAM policies that you can use with Amazon Quick, see [IAM policy examples for Amazon Quick](https://docs.aws.amazon.com/quicksight/latest/user/iam-policy-examples.html).

For more information about assigning permissions policies to users or user groups, see [Changing permissions for an IAM user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_change-permissions.html) in the *IAM User Guide*.
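To make the `Action` wildcard, `Resource` ARN and `Condition` semantics from the identity-based policy sections above concrete, and to check that the `iam:PassedToService` condition in the PassRole prerequisite really confines the role to Quick, here is a minimal policy evaluator written for this page. It is an added example, not AWS's evaluation engine (which also handles `NotAction`, `NotResource`, other operators and cross-policy interaction), and it assumes a constructed account id `111122223333`, role name `QuickDataAccess`, and user names.

```python
"""Minimal IAM identity-policy evaluator, constructed as an added example
(not AWS code). It covers the Action wildcard, Resource ARN and Condition
elements shown on this page with the StringEquals, StringNotEquals and
StringLike operators; NotAction, NotResource and other operators are omitted."""
import re

# Constructed sample account id and role name; not values from the page.
ACCOUNT = "111122223333"

# Statement from the Resources section: add anyone except user1 to any group.
GROUP_MEMBERSHIP_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "quicksight:CreateGroupMembership",
        "Resource": f"arn:aws:quicksight:us-east-1:{ACCOUNT}:group/default/*",
        "Condition": {"StringNotEquals": {"quicksight:UserName": "user1"}},
    }],
}

# PassRole statement from the Prerequisites section, scoped to the Quick service.
PASS_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "iam:PassRole",
        "Resource": f"arn:aws:iam::{ACCOUNT}:role/QuickDataAccess",
        "Condition": {"StringEquals": {"iam:PassedToService": ["quicksight.amazonaws.com"]}},
    }],
}

# Action wildcard from the Actions section.
CREATE_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "quicksight:Create*", "Resource": "*"}],
}


def _as_list(value):
    """Most IAM elements may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _glob(pattern, value, case_insensitive=False):
    """IAM wildcard match: '*' is any run of characters, '?' a single one."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value, re.IGNORECASE if case_insensitive else 0) is not None


# operator -> (test, negated). Negated operators hold when the key is absent
# from the request context; positive operators fail in that case.
_OPERATORS = {
    "StringEquals": (lambda actual, expected: actual == expected, False),
    "StringNotEquals": (lambda actual, expected: actual != expected, True),
    "StringLike": (lambda actual, expected: _glob(expected, actual), False),
}


def _condition_holds(condition, context):
    """Every operator/key pair must hold. A positive operator needs one listed
    value to match; a negated one needs the actual value to differ from all."""
    for operator, keys in (condition or {}).items():
        if operator not in _OPERATORS:
            raise ValueError(f"unsupported condition operator: {operator}")
        test, negated = _OPERATORS[operator]
        for key, expected in keys.items():
            actual = context.get(key)
            if actual is None:
                if negated:
                    continue
                return False
            results = [test(actual, e) for e in _as_list(expected)]
            if not (all(results) if negated else any(results)):
                return False
    return True


def evaluate(policy, action, resource, context=None):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one request.
    Action names are case-insensitive; ARNs are case-sensitive."""
    context = context or {}
    verdict = "ImplicitDeny"
    for statement in _as_list(policy["Statement"]):
        if not any(_glob(p, action, True) for p in _as_list(statement.get("Action"))):
            continue
        if not any(_glob(p, resource) for p in _as_list(statement.get("Resource"))):
            continue
        if not _condition_holds(statement.get("Condition"), context):
            continue
        if statement["Effect"] == "Deny":
            return "Deny"  # an explicit Deny overrides any Allow
        verdict = "Allow"
    return verdict
```

Running `evaluate(PASS_ROLE_POLICY, "iam:PassRole", ...)` with `iam:PassedToService` set to another service, or left out of the context, returns `ImplicitDeny`, which is the behaviour the condition key is there to enforce.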

## Attaching additional policies
<a name="security-create-iam-role-athena-s3"></a>

If you're using another AWS service, such as Amazon Athena or Amazon S3, you can create a permissions policy that grants Amazon Quick permission to perform specific actions. You can then attach the policy to the IAM roles that you later pass to Amazon Quick. The following are examples of how you can set up and attach additional permissions policies to your IAM roles.

For an example managed policy for Amazon Quick in Athena, see [AWSQuicksightAthenaAccess Managed Policy](https://docs.aws.amazon.com/athena/latest/ug/awsquicksightathenaaccess-managed-policy.html) in the *Amazon Athena User Guide*. IAM users can attach this managed policy to the roles they use in Amazon Quick using the following ARN: `arn:aws:iam::aws:policy/service-role/AWSQuicksightAthenaAccess`.

The following is an example of a permissions policy for Amazon Quick in Amazon S3. For more information about using IAM with Amazon S3, see [Identity and access management in Amazon S3](https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-access-control.html) in the *Amazon S3 User Guide*.

For information on how to create cross-account access from Amazon Quick to an Amazon S3 bucket in another account, see [How do I set up cross-account access from Quick to an Amazon S3 bucket in another account?](https://aws.amazon.com/premiumsupport/knowledge-center/quicksight-cross-account-s3/) in the AWS Knowledge Center.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:ListAllMyBuckets",
            "Resource": "arn:aws:s3:::*"
        },
        {
            "Action": [
                "s3:ListBucket"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::aws-athena-query-results-us-west-2-123456789"
            ]
        },
        {
            "Action": [
                "s3:GetObject",
                "s3:GetObjectVersion"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::aws-athena-query-results-us-west-2-123456789/*"
            ]
        },
        {
            "Action": [
                "s3:ListBucketMultipartUploads",
                "s3:GetBucketLocation"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::aws-athena-query-results-us-west-2-123456789"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:AbortMultipartUpload",
                "s3:ListMultipartUploadParts"
            ],
            "Resource": [
                "arn:aws:s3:::aws-athena-query-results-us-west-2-123456789/*"
            ]
        }
    ]
}
```

## Using existing IAM roles in Quick
<a name="security-create-iam-role-use"></a>

If you're an Amazon Quick administrator and have permissions to update Amazon Quick resources and pass IAM roles, you can use existing IAM roles in Amazon Quick. To learn more about the prerequisites for passing IAM roles in Amazon Quick, see the [Prerequisites](https://docs.aws.amazon.com/quicksight/latest/user/security-create-iam-role-prerequisites.html#byor-prereq) outlined in the previous list.

Use the following procedure to learn how to pass IAM roles in Amazon Quick.

**To use an existing IAM role in Amazon Quick**

1. In Amazon Quick, choose your account name in the navigation bar at top right and choose **Manage QuickSight**.

1. On the **Manage Amazon Quick** page that opens, choose **Security & Permissions** in the menu at left.

1. In the **Security & Permissions** page that opens, under **Amazon Quick access to AWS services**, choose **Manage**.

1. For **IAM role**, choose **Use an existing role**, and then do one of the following:
   + Choose the role that you want to use from the list.
   + Or, if you don't see a list of existing IAM roles, you can enter the IAM ARN for the role in the following format: `arn:aws:iam::account-id:role/path/role-name`.

1. Choose **Save**.

# IAM policy examples for Quick
<a name="iam-policy-examples"></a>

This section provides examples of IAM policies that you can use with Quick.

## IAM identity-based policies for Quick
<a name="security_iam_id-based-policy-examples"></a>

This section shows examples of identity-based policies to use with Quick.

**Topics**
+ [IAM identity-based policies for Amazon Quick IAM console administration](#security_iam_conosole-administration)

### IAM identity-based policies for Amazon Quick IAM console administration
<a name="security_iam_conosole-administration"></a>

The following example shows the IAM permissions needed for Amazon Quick IAM console administration actions.

```
{
   "Version": "2012-10-17"		 	 	 ,
   "Statement": [
       {
           "Sid": "Statement1",
           "Effect": "Allow",
           "Action": [
               "quicksight:*",
               "iam:ListAttachedRolePolicies",
               "iam:GetPolicy",
               "iam:CreatePolicyVersion",
               "iam:DeletePolicyVersion",
               "iam:GetPolicyVersion",
               "iam:ListPolicyVersions",
               "iam:DeleteRole",
               "iam:CreateRole",
               "iam:GetRole",
               "iam:ListRoles",
               "iam:CreatePolicy",
               "iam:ListEntitiesForPolicy",
               "iam:listPolicies",
               "s3:ListAllMyBuckets",
               "athena:ListDataCatalogs",
               "athena:GetDataCatalog"
           ],
           "Resource": [
               "*"
           ]
       }
    ]
}
```

## IAM identity-based policies for Quick: dashboards
<a name="security_iam_id-based-policy-examples-dashboards"></a>

The following example shows an IAM policy that allows dashboard sharing and embedding for specific dashboards.

```
{
    "Version": "2012-10-17"		 	 	 ,
    "Statement": [
        {
            "Action": "quicksight:RegisterUser",
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "quicksight:GetDashboardEmbedUrl",
            "Resource": "arn:aws:quicksight:us-west-2:111122223333:dashboard/1a1ac2b2-3fc3-4b44-5e5d-c6db6778df89",
            "Effect": "Allow"
        }
    ]
}
```

## IAM identity-based policies for Quick: namespaces
<a name="security_iam_id-based-policy-examples-namespaces"></a>

The following examples show IAM policies that allow an Amazon Quick administrator to create or delete namespaces.

**Creating namespaces**

```
{
    "Version": "2012-10-17"		 	 	 ,
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ds:AuthorizeApplication",
                "ds:UnauthorizeApplication",
                "ds:DeleteDirectory",
                "ds:CreateIdentityPoolDirectory",
                "ds:DescribeDirectories",
                "quicksight:CreateNamespace"
            ],
            "Resource": "*"
        }
    ]
}
```

**Deleting namespaces**

```
{
    "Version": "2012-10-17"		 	 	 ,
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ds:UnauthorizeApplication",
                "ds:DeleteDirectory",
                "ds:DescribeDirectories",
                "quicksight:DeleteNamespace"
            ],
            "Resource": "*"
        }
    ]
}
```

## IAM identity-based policies for Quick: custom permissions
<a name="security_iam_id-based-policy-examples-custom-permissions"></a>

The following example shows an IAM policy that allows an Amazon Quick administrator or a developer to manage custom permissions.

```
{
    "Version": "2012-10-17"		 	 	 ,
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "quicksight:*CustomPermissions"
            ],
            "Resource": "*"
        }
    ]
}
```

The following example shows another way to grant the same permissions as shown in the previous example.

```
{
    "Version": "2012-10-17"		 	 	 ,
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "quicksight:CreateCustomPermissions",
                "quicksight:DescribeCustomPermissions",
                "quicksight:ListCustomPermissions",
                "quicksight:UpdateCustomPermissions",
                "quicksight:DeleteCustomPermissions"
 
            ],
            "Resource": "*"
        }
    ]
}
```

## IAM identity-based policies for Quick: customizing email report templates
<a name="security_iam_id-based-policy-examples-email-customizations"></a>

The following example shows a policy that allows viewing, updating, and creating email report templates in Amazon Quick, as well as obtaining verification attributes for an Amazon Simple Email Service identity. This policy allows an Amazon Quick administrator to create and update custom email report templates, and to confirm that any custom email address they want to send email reports from is a verified identity in SES.

```
{
    "Version": "2012-10-17"		 	 	 ,
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "quicksight:DescribeAccountCustomization",
                "quicksight:CreateAccountCustomization",
                "quicksight:UpdateAccountCustomization",
                "quicksight:DescribeEmailCustomizationTemplate",
                "quicksight:CreateEmailCustomizationTemplate",
                "quicksight:UpdateEmailCustomizationTemplate",
                "ses:GetIdentityVerificationAttributes"
            ],
            "Resource": "*"
        }
    ]
}
```

## IAM identity-based policies for Quick: create an Enterprise account with Amazon Quick managed users
<a name="security_iam_id-based-policy-examples-create-enterprise-account-managed-users"></a>

The following example shows a policy that allows Amazon Quick admins to create an Enterprise edition Amazon Quick account with Amazon Quick managed users.

```
{
    "Version": "2012-10-17"		 	 	 ,
    "Statement": [
        {
            "Sid": "Statement1",
            "Effect": "Allow",
            "Action": [
                "quicksight:*",
                "iam:ListAttachedRolePolicies",
                "iam:GetPolicy",
                "iam:CreatePolicyVersion",
                "iam:DeletePolicyVersion",
                "iam:GetPolicyVersion",
                "iam:ListPolicyVersions",
                "iam:DeleteRole",
                "iam:CreateRole",
                "iam:GetRole",
                "iam:ListRoles",
                "iam:CreatePolicy",
                "iam:ListEntitiesForPolicy",
                "iam:listPolicies",
                "s3:ListAllMyBuckets",
                "athena:ListDataCatalogs",
                "athena:GetDataCatalog",
                "ds:AuthorizeApplication",
                "ds:UnauthorizeApplication",
                "ds:CheckAlias",
                "ds:CreateAlias",
                "ds:DescribeDirectories",
                "ds:DescribeTrusts",
                "ds:DeleteDirectory",
                "ds:CreateIdentityPoolDirectory"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}
```

## IAM identity-based policies for Quick: creating users
<a name="security_iam_id-based-policy-examples-create-users"></a>

The following example shows a policy that allows creating Amazon Quick users only. For `quicksight:CreateReader`, `quicksight:CreateUser`, and `quicksight:CreateAdmin`, you can limit the permissions to `"Resource": "arn:aws:quicksight::<YOUR_AWS_ACCOUNTID>:user/${aws:userid}"`. For all other permissions described in this guide, use `"Resource": "*"`. The resource you specify limits the scope of the permissions to the specified resource.

```
{
    "Version": "2012-10-17"		 	 	 ,
    "Statement": [
        {
            "Action": [
                "quicksight:CreateUser"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:quicksight::<YOUR_AWS_ACCOUNTID>:user/${aws:userid}"
        }
    ]
}
```

## IAM identity-based policies for Quick: creating and managing groups
<a name="security_iam_id-based-policy-examples-create-groups"></a>

The following example shows a policy that allows Amazon Quick administrators and developers to create and manage groups.

```
{
    "Version": "2012-10-17"		 	 	 ,
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "quicksight:ListGroups",
                "quicksight:CreateGroup",
                "quicksight:SearchGroups",
                "quicksight:ListGroupMemberships",
                "quicksight:CreateGroupMembership",
                "quicksight:DeleteGroupMembership",
                "quicksight:DescribeGroupMembership",
                "quicksight:ListUsers"
            ],
            "Resource": "*"
        }
    ]
}
```

## IAM identity-based policies for Quick: All access for Standard edition
<a name="security_iam_id-based-policy-examples-all-access-standard-edition"></a>

The following example for Amazon Quick Standard edition shows a policy that allows subscribing and creating authors and readers. This example explicitly denies permission to unsubscribe from Amazon Quick.

```
{
  "Version": "2012-10-17"		 	 	 ,
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ds:AuthorizeApplication",
        "ds:UnauthorizeApplication",
        "ds:CheckAlias",
        "ds:CreateAlias",
        "ds:DescribeDirectories",
        "ds:DescribeTrusts",
        "ds:DeleteDirectory",
        "ds:CreateIdentityPoolDirectory",
        "iam:ListAccountAliases",
        "quicksight:CreateUser",
        "quicksight:DescribeAccountSubscription",
        "quicksight:Subscribe"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": "quicksight:Unsubscribe",
      "Resource": "*"
    }
  ]
}
```

## IAM identity-based policies for Quick: All access for Enterprise edition with IAM Identity Center (Pro roles)
<a name="security_iam_id-based-policy-examples-all-access-enterprise-edition-sso-pro"></a>

The following example for Amazon Quick Enterprise edition shows a policy that allows an Amazon Quick user to subscribe to Amazon Quick, create users, and manage Active Directory in an Amazon Quick account that is integrated with IAM Identity Center.

This policy also allows users to subscribe to Amazon Quick Pro roles that grant access to Amazon Q in Quick Generative BI capabilities. For more information about Pro roles in Amazon Quick, see [Get started with Generative BI](https://docs.aws.amazon.com/quicksight/latest/user/generative-bi-get-started.html).

This example explicitly denies permission to unsubscribe from Amazon Quick.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Statement1",
            "Effect": "Allow",
            "Action": [
                "quicksight:*",
                "iam:ListAttachedRolePolicies",
                "iam:GetPolicy",
                "iam:CreatePolicyVersion",
                "iam:DeletePolicyVersion",
                "iam:GetPolicyVersion",
                "iam:ListPolicyVersions",
                "iam:DeleteRole",
                "iam:CreateRole",
                "iam:GetRole",
                "iam:ListRoles",
                "iam:CreatePolicy",
                "iam:ListEntitiesForPolicy",
                "iam:listPolicies",
                "iam:CreateServiceLinkedRole",
                "s3:ListAllMyBuckets",
                "athena:ListDataCatalogs",
                "athena:GetDataCatalog",
                "sso:DescribeApplication",
                "sso:DescribeInstance",
                "sso:CreateApplication",
                "sso:PutApplicationAuthenticationMethod",
                "sso:PutApplicationGrant",
                "sso:DeleteApplication",
                "sso:SearchGroups",
                "sso:GetProfile",
                "sso:CreateApplicationAssignment",
                "sso:DeleteApplicationAssignment",
                "sso:ListInstances",
                "sso:DescribeRegisteredRegions",
                "organizations:DescribeOrganization",
                "user-subscriptions:CreateClaim",
                "user-subscriptions:UpdateClaim",
                "sso-directory:DescribeUser",
                "sso:ListApplicationAssignments",
                "sso-directory:DescribeGroup",
                "organizations:ListAWSServiceAccessForOrganization",
                "identitystore:DescribeUser",
                "identitystore:DescribeGroup"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Deny",
            "Action": "quicksight:Unsubscribe",
            "Resource": "*"
        }
    ]
}
```

## IAM identity-based policies for Quick: All access for Enterprise edition with IAM Identity Center
<a name="security_iam_id-based-policy-examples-all-access-enterprise-edition-sso"></a>

The following example for Amazon Quick Enterprise edition shows a policy that allows subscribing, creating users, and managing Active Directory in an Amazon Quick account that is integrated with IAM Identity Center.

This policy does not grant permissions to create Pro roles in Amazon Quick. To create a policy that grants permission to subscribe to Pro roles in Amazon Quick, see [IAM identity-based policies for Amazon Quick: All access for Enterprise edition with IAM Identity Center (Pro roles)](https://docs.aws.amazon.com/quicksight/latest/user/iam-policy-examples.html#security_iam_id-based-policy-examples-all-access-enterprise-edition-sso-pro).

This example explicitly denies permission to unsubscribe from Amazon Quick.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Statement1",
            "Effect": "Allow",
            "Action": [
                "quicksight:*",
                "iam:ListAttachedRolePolicies",
                "iam:GetPolicy",
                "iam:CreatePolicyVersion",
                "iam:DeletePolicyVersion",
                "iam:GetPolicyVersion",
                "iam:ListPolicyVersions",
                "iam:DeleteRole",
                "iam:CreateRole",
                "iam:GetRole",
                "iam:ListRoles",
                "iam:CreatePolicy",
                "iam:ListEntitiesForPolicy",
                "iam:listPolicies",
                "s3:ListAllMyBuckets",
                "athena:ListDataCatalogs",
                "athena:GetDataCatalog",
                "sso:DescribeApplication",
                "sso:DescribeInstance",
                "sso:CreateApplication",
                "sso:PutApplicationAuthenticationMethod",
                "sso:PutApplicationGrant",
                "sso:DeleteApplication",
                "sso:SearchGroups",
                "sso:GetProfile",
                "sso:CreateApplicationAssignment",
                "sso:DeleteApplicationAssignment",
                "sso:ListInstances",
                "sso:DescribeRegisteredRegions",
                "organizations:DescribeOrganization" 
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Deny",
            "Action": "quicksight:Unsubscribe",
            "Resource": "*"
        }
    ]
}
```

## IAM identity-based policies for Quick: all access for Enterprise edition with Active Directory
<a name="security_iam_id-based-policy-examples-all-access-enterprise-edition"></a>

The following example for Amazon Quick Enterprise edition shows a policy that allows subscribing, creating users, and managing Active Directory in an Amazon Quick account that uses Active Directory for identity management. This example explicitly denies permission to unsubscribe from Amazon Quick.

```
{
    "Version": "2012-10-17"		 	 	 ,
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ds:AuthorizeApplication",
                "ds:UnauthorizeApplication",
                "ds:CheckAlias",
                "ds:CreateAlias",
                "ds:DescribeDirectories",
                "ds:DescribeTrusts",
                "ds:DeleteDirectory",
                "ds:CreateIdentityPoolDirectory",
                "iam:ListAccountAliases",
                "quicksight:CreateAdmin",
                "quicksight:Subscribe",
                "quicksight:GetGroupMapping",
                "quicksight:SearchDirectoryGroups",
                "quicksight:SetGroupMapping"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Deny",
            "Action": "quicksight:Unsubscribe",
            "Resource": "*"
        }
    ]
}
```

## IAM identity-based policies for Quick: active directory groups
<a name="security_iam_id-based-policy-examples-active-directory-groups"></a>

The following example shows an IAM policy that allows Active Directory group management for an Amazon Quick Enterprise edition account.

```
{
    "Statement": [
        {
            "Action": [
                "ds:DescribeTrusts",
                "quicksight:GetGroupMapping",
                "quicksight:SearchDirectoryGroups",
                "quicksight:SetGroupMapping"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ],
    "Version": "2012-10-17"		 	 	 
}
```

## IAM identity-based policies for Quick: using the admin asset management console
<a name="security_iam_id-based-policy-examples-asset-management-console"></a>

The following example shows an IAM policy that allows access to the admin asset management console.

```
{
    "Version": "2012-10-17"		 	 	 ,
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [          
                "quicksight:SearchGroups",
                "quicksight:SearchUsers",              
                "quicksight:ListNamespaces",            
                "quicksight:DescribeAnalysisPermissions",
                "quicksight:DescribeDashboardPermissions",
                "quicksight:DescribeDataSetPermissions",
                "quicksight:DescribeDataSourcePermissions",
                "quicksight:DescribeFolderPermissions",
                "quicksight:ListAnalyses",
                "quicksight:ListDashboards",
                "quicksight:ListDataSets",
                "quicksight:ListDataSources",
                "quicksight:ListFolders",
                "quicksight:SearchAnalyses",
                "quicksight:SearchDashboards",
                "quicksight:SearchFolders",
                "quicksight:SearchDatasets",
                "quicksight:SearchDatasources",               
                "quicksight:UpdateAnalysisPermissions",
                "quicksight:UpdateDashboardPermissions",
                "quicksight:UpdateDataSetPermissions",
                "quicksight:UpdateDataSourcePermissions",
                "quicksight:UpdateFolderPermissions"
            ],
            "Resource": "*"
        }
    ]
}
```

## IAM identity-based policies for Quick: using the admin key management console
<a name="security_iam_id-based-policy-examples-admin-key-management-console"></a>

The following example shows an IAM policy that allows access to the admin key management console.

```
{
   "Version":"2012-10-17"		 	 	 ,
   "Statement":[
      {
         "Effect":"Allow",
         "Action":[
            "quicksight:DescribeKeyRegistration",
            "quicksight:UpdateKeyRegistration",
            "quicksight:ListKMSKeysForUser",
            "kms:CreateGrant",
            "kms:ListGrants",
            "kms:ListAliases"
         ],
         "Resource":"*"
      }
   ]
}
```

The `"quicksight:ListKMSKeysForUser"` and `"kms:ListAliases"` permissions are required to access customer managed keys from the Amazon Quick console. `"quicksight:ListKMSKeysForUser"` and `"kms:ListAliases"` are not required to use the Amazon Quick key management APIs.

To specify which keys a user is allowed to register, add a `Condition` to the `quicksight:UpdateKeyRegistration` statement that lists the ARNs of those keys under the `quicksight:KmsKeyArns` condition key. The user can then only register the keys named in that condition. For more information about supported condition keys for Amazon Quick, see [Condition keys for Amazon Quick](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonquicksight.html#amazonquicksight-policy-keys).

The example below grants `Describe` permissions for all CMKs that are registered to an Amazon Quick account and `Update` permissions for specific CMKs that are registered to the Amazon Quick account.

```
{
   "Version":"2012-10-17"		 	 	 ,
   "Statement":[
      {
         "Effect":"Allow",
         "Action":[
            "quicksight:DescribeKeyRegistration"
         ],
         "Resource":"arn:aws:quicksight:us-west-2:123456789012:*"
      },
      {
         "Effect":"Allow",
         "Action":[
            "quicksight:UpdateKeyRegistration"
         ],
         "Resource":"arn:aws:quicksight:us-west-2:123456789012:*",
         "Condition":{
            "ForAllValues:StringEquals":{
               "quicksight:KmsKeyArns":[
                  "arn:aws:kms:us-west-2:123456789012:key/key-id-of-key1",
                  "arn:aws:kms:us-west-2:123456789012:key/key-id-of-key2",
                  "..."
               ]
            }
         }
      },
      {
         "Effect":"Allow",
         "Action":[
            "kms:CreateGrant",
            "kms:ListGrants"
         ],
         "Resource":"arn:aws:kms:us-west-2:123456789012:key/*"
      }
   ]
}
```
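The policies in this section all rest on a handful of IAM evaluation rules: an explicit `Deny` wins over any `Allow` (the `quicksight:Unsubscribe` deny in the all-access examples, even against `quicksight:*`), a `*` inside an action name matches a family of actions (`quicksight:*CustomPermissions` versus the five explicit actions), the `${aws:userid}` policy variable pins `quicksight:CreateUser` to the caller's own user, and `ForAllValues:StringEquals` on `quicksight:KmsKeyArns` limits `UpdateKeyRegistration` to the listed keys. The following Python script is an added illustration, not AWS code and not IAM's real evaluator: it models only those rules, and the policies, account id (`123456789012`), key ids (`key-id-of-key1`, `key-id-of-key2`) and the resource ARN `arn:aws:quicksight:us-west-2:123456789012:example` inside it are constructed to mirror the examples on this page. One behaviour worth seeing in code: `ForAllValues` evaluates to true when the condition key is absent from the request, which is why the IAM documentation recommends pairing it with a `Null` check whenever the key is optional for the action.

```python
"""Miniature evaluator for the policy shapes shown on this page.

Added illustration, not AWS code: it models only what these examples use
(Allow/Deny, '*' wildcards, the ${aws:userid} variable, StringEquals and
ForAllValues:StringEquals) and ignores the rest of IAM's evaluation logic.
"""
import fnmatch
import re

ACCOUNT = "123456789012"  # example account id used on this page
KEY1 = f"arn:aws:kms:us-west-2:{ACCOUNT}:key/key-id-of-key1"
KEY2 = f"arn:aws:kms:us-west-2:{ACCOUNT}:key/key-id-of-key2"
QUICK_RESOURCE = f"arn:aws:quicksight:us-west-2:{ACCOUNT}:example"  # constructed resource ARN


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _expand(pattern, context):
    # Policy variables such as ${aws:userid} are filled from the request context
    # (real IAM only does this for policies with "Version": "2012-10-17").
    return re.sub(r"\$\{([^}]+)\}",
                  lambda m: str(context.get(m.group(1), m.group(0))), pattern)


def _matches(pattern, value, context):
    # Action names and ARNs are compared case-insensitively; '*' matches any run of characters.
    return fnmatch.fnmatchcase(value.lower(), _expand(pattern, context).lower())


def _condition_holds(condition, context):
    for operator, pairs in condition.items():
        for key, allowed in pairs.items():
            allowed = _as_list(allowed)
            present = [str(v) for v in _as_list(context.get(key, []))]
            if operator == "StringEquals":
                # single-valued key: it must be present and equal one allowed value
                if len(present) != 1 or present[0] not in allowed:
                    return False
            elif operator == "ForAllValues:StringEquals":
                # every request value must be in the allowed set; an ABSENT key also
                # passes, which is documented IAM behaviour and the reason this
                # operator is normally paired with a Null check
                if any(v not in allowed for v in present):
                    return False
            else:
                raise ValueError(f"operator not modelled: {operator}")
    return True


def evaluate(policy, action, resource, context=None):
    """Return 'Allow', 'ExplicitDeny' or 'ImplicitDeny' for one request."""
    context = context or {}
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not any(_matches(p, action, context) for p in _as_list(stmt.get("Action", []))):
            continue
        if not any(_matches(p, resource, context) for p in _as_list(stmt.get("Resource", []))):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"  # an explicit deny wins over any allow
        decision = "Allow"
    return decision


# Constructed policies mirroring the shapes on this page.
ALL_ACCESS_POLICY = {  # broad allow plus the explicit deny on unsubscribing
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "quicksight:*", "Resource": "*"},
        {"Effect": "Deny", "Action": "quicksight:Unsubscribe", "Resource": "*"},
    ],
}
CUSTOM_PERMISSIONS_POLICY = {  # suffix wildcard instead of five explicit actions
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["quicksight:*CustomPermissions"], "Resource": "*"}],
}
CREATE_SELF_POLICY = {  # a caller may only create the Quick user that is themselves
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["quicksight:CreateUser"],
                   "Resource": f"arn:aws:quicksight::{ACCOUNT}:user/${{aws:userid}}"}],
}
KEY_POLICY = {  # UpdateKeyRegistration only for the two listed CMKs
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["quicksight:DescribeKeyRegistration"],
         "Resource": f"arn:aws:quicksight:us-west-2:{ACCOUNT}:*"},
        {"Effect": "Allow", "Action": ["quicksight:UpdateKeyRegistration"],
         "Resource": f"arn:aws:quicksight:us-west-2:{ACCOUNT}:*",
         "Condition": {"ForAllValues:StringEquals": {"quicksight:KmsKeyArns": [KEY1, KEY2]}}},
    ],
}

if __name__ == "__main__":
    print(evaluate(ALL_ACCESS_POLICY, "quicksight:Unsubscribe", "*"))  # ExplicitDeny
    print(evaluate(CUSTOM_PERMISSIONS_POLICY, "quicksight:UpdateCustomPermissions", "*"))  # Allow
    print(evaluate(KEY_POLICY, "quicksight:UpdateKeyRegistration", QUICK_RESOURCE,
                   {"quicksight:KmsKeyArns": [KEY1, KEY1.replace("key1", "key3")]}))  # ImplicitDeny
```

`evaluate()` returns one of three strings so that the difference between "no statement matched" (`ImplicitDeny`) and "a Deny statement matched" (`ExplicitDeny`) stays visible; the second can never be overridden by adding another Allow, which is the property the `quicksight:Unsubscribe` deny relies on.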

## AWS resources Quick: scoping policies in Enterprise edition
<a name="security_iam_id-based-policy-examples-scoping-policies"></a>

The following example for Amazon Quick Enterprise edition shows a policy that allows setting default access to AWS resources and scoping policies for permissions to AWS resources.

```
{
    "Version": "2012-10-17"		 	 	 ,
    "Statement": [
        {
            "Action": [
                "quicksight:*IAMPolicyAssignment*",
                "quicksight:AccountConfigurations"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}
```

# Provisioning users for Amazon Quick
<a name="provisioning-users"></a>


|  | 
| --- |
|    Applies to: Enterprise Edition and Standard Edition  | 


|  | 
| --- |
|    Intended audience:  System administrators and Amazon Quick administrators  | 

## Self-provisioning an Amazon Quick administrator
<a name="assigning-the-admin"></a>

Amazon Quick administrators are users who can also manage Amazon Quick features such as account settings and accounts. They can also purchase additional Amazon Quick user subscriptions, purchase [SPICE](https://docs.aws.amazon.com/quicksight/latest/user/spice.html), and cancel the subscription to Amazon Quick for your AWS account.

You can use an AWS user or group policy to give users the ability to add themselves as administrators of Amazon Quick. Users that have been granted this ability can only add themselves as administrators and can't use this policy to add others. Their accounts become active and billable the first time that they open Amazon Quick. To set up self-provisioning, give these users permission to use the `quicksight:CreateAdmin` action. 

Alternatively, you can use the following procedure to use the console to set or create the administrator for Amazon Quick. 

**To make a user the Amazon Quick administrator**

1. Create the AWS user:
   + Use IAM to create the user that you want to be the administrator of Amazon Quick. Alternatively, identify an existing user in IAM for the administrator role. You can also put the user inside a new group, for manageability. 
   + Grant the user (or group) sufficient permissions. 

1. Sign in to your AWS Management Console with the target user's credentials.

1. Go to [http://quicksight.aws.amazon.com/sn/console/get-user-email](http://quicksight.aws.amazon.com/sn/console/get-user-email), type in the target user's email address, and choose **Continue**.

On success, the target user is now an administrator in Amazon Quick.

## Self-provisioning an Amazon Quick author
<a name="self-service-access"></a>

Amazon Quick authors can create data sources, datasets, analyses, and dashboards. They can share analyses and dashboards with other Amazon Quick users in your Amazon Quick account. However, they don't have access to the **Manage Amazon Quick** menu. They can't change account settings, manage accounts, purchase additional Amazon Quick user subscriptions or [SPICE](https://docs.aws.amazon.com/quicksight/latest/user/spice.html) capacity, or cancel the subscription to Amazon Quick for your AWS account. Author Pro users can additionally create content using natural language, build knowledge bases, configure actions, and access advanced automation capabilities.

You can use an AWS user or group policy to give users the ability to create an Amazon Quick author account for themselves. Their accounts become active and billable the first time they open Amazon Quick. To set up self-provisioning, you need to give them permission to use the `quicksight:CreateUser` action. 

## Self-provisioning an Amazon Quick read-only user
<a name="self-service-read-only-users"></a>

Amazon Quick read-only users or *readers* can view and manipulate dashboards that are shared with them, but they can't make any changes or save a dashboard for further analysis. Amazon Quick readers can't create data sources, datasets, analyses, or visuals. They can't do any administrative tasks. Choose this role for people who are consumers of the dashboards but don't author their own analysis, for example, executives. Reader Pro users have access to advanced features including AI chat agents, collaborative spaces, flows, and extensions.

If you are using Microsoft Active Directory with Amazon Quick, you can manage read-only permissions by using a group. Otherwise, you can bulk-invite users to use Amazon Quick. You can also use an AWS user or group policy to give people the ability to create an Amazon Quick reader account for themselves. 

Reader accounts become active and billable the first time they open Amazon Quick. If you decide to upgrade or downgrade a user, billing for that user is prorated for the month. To set up self-provisioning, you need to give them permission to use the `quicksight:CreateReader` action. 

Readers that are used to automatically or programmatically refresh dashboards for near real-time use cases must choose capacity pricing. For readers under user pricing, each reader is limited to manual use by one individual only. 

# Troubleshooting Quick identity and access
<a name="security_iam_troubleshoot"></a>


|  | 
| --- |
|    Applies to: Enterprise Edition and Standard Edition  | 


|  | 
| --- |
|    Intended audience:  System administrators  | 

Use the following information to help you diagnose and fix common issues that you might encounter when working with Amazon Quick and IAM.

**Topics**
+ [I am not authorized to perform an action in Amazon Quick](#security_iam_troubleshoot-no-permissions)
+ [I am not authorized to perform iam:PassRole](#security_iam_troubleshoot-passrole)
+ [I want to allow people outside of my AWS account to access my Amazon Quick resources](#security_iam_troubleshoot-cross-account-access)

## I am not authorized to perform an action in Amazon Quick
<a name="security_iam_troubleshoot-no-permissions"></a>

If the AWS Management Console tells you that you're not authorized to perform an action, then you must contact your administrator for assistance. 

The following example error occurs when the `mateojackson` IAM user tries to use the console to view details about a *widget* but does not have `quicksight:GetWidget` permissions.

```
User: arn:aws:iam::123456789012:user/mateojackson is not authorized to perform: quicksight:GetWidget on resource: my-example-widget
```

In this case, Mateo asks his administrator to update his policies to allow him to access the `my-example-widget` resource using the `quicksight:GetWidget` action.

## I am not authorized to perform iam:PassRole
<a name="security_iam_troubleshoot-passrole"></a>

If you receive an error that you're not authorized to perform the `iam:PassRole` action, your policies must be updated to allow you to pass a role to Amazon Quick.

Some AWS services allow you to pass an existing role to that service instead of creating a new service role or service-linked role. To do this, you must have permissions to pass the role to the service.

The following example error occurs when an IAM user named `marymajor` tries to use the console to perform an action in Amazon Quick. However, the action requires the service to have permissions that are granted by a service role. Mary does not have permissions to pass the role to the service.

```
User: arn:aws:iam::123456789012:user/marymajor is not authorized to perform: iam:PassRole
```

In this case, Mary's policies must be updated to allow her to perform the `iam:PassRole` action.

If you need help, contact your AWS administrator. Your administrator is the person who provided you with your sign-in credentials.
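Both error messages above follow the same `User: <principal> is not authorized to perform: <action>[ on resource: <resource>]` format, which makes them easy to turn into the exact statement an administrator should add. The following Python script is an added illustration, not AWS code: it parses the two messages quoted in this section and drafts one least-privilege `Allow` statement per message. The `iam:PassRole` case is handled differently on purpose, because granting `iam:PassRole` on `"*"` lets the caller hand any role in the account to any service; the draft pins it to a single role ARN (the `arn:aws:iam::<ACCOUNT-ID>:role/<ROLE-NAME>` default is a placeholder to fill in) and to Quick via the `iam:PassedToService` condition key, with `quicksight.amazonaws.com` as the service principal.

```python
"""Parse 'is not authorized to perform' errors and draft the narrowest Allow
statement that would clear them.

Added illustration, not AWS code. The message format and the account id are
the ones quoted on this page; the role ARN placeholder and the PassRole
condition are assumptions explained in the comments.
"""
import json
import re

ACCESS_DENIED_RE = re.compile(
    r"User: (?P<principal>arn:aws:iam::\d{12}:(?:user|role|assumed-role)/\S+?) "
    r"is not authorized to perform: (?P<action>[A-Za-z0-9-]+:[A-Za-z0-9*]+)"
    r"(?: on resource: (?P<resource>\S+))?"
)

QUICK_SERVICE_PRINCIPAL = "quicksight.amazonaws.com"  # service that receives a passed role


def parse_access_denied(message):
    """Return principal, action and resource from an AccessDenied message, or None."""
    m = ACCESS_DENIED_RE.search(message)
    if not m:
        return None
    return {
        "principal": m.group("principal"),
        "action": m.group("action"),
        # the PassRole message on this page names no resource; fall back to "*"
        "resource": m.group("resource") or "*",
    }


def suggest_statement(parsed, role_arn="arn:aws:iam::<ACCOUNT-ID>:role/<ROLE-NAME>"):
    """Draft a least-privilege Allow statement for the denied call.

    iam:PassRole is treated specially: granting it on "*" would let the caller hand
    any role in the account to any service, so the statement is pinned to one role
    and, via the iam:PassedToService condition key, to Quick only. The role_arn
    default is a placeholder the administrator replaces with the real role ARN.
    """
    sid = "Allow" + re.sub(r"[^A-Za-z0-9]", "", parsed["action"])  # Sids must be unique per policy
    stmt = {"Sid": sid, "Effect": "Allow", "Action": parsed["action"], "Resource": parsed["resource"]}
    if parsed["action"].lower() == "iam:passrole":
        stmt["Resource"] = role_arn
        stmt["Condition"] = {"StringEquals": {"iam:PassedToService": QUICK_SERVICE_PRINCIPAL}}
    return stmt


def draft_policy(messages):
    """Bundle one statement per parseable message into a policy document."""
    statements = [suggest_statement(p) for p in map(parse_access_denied, messages) if p]
    return {"Version": "2012-10-17", "Statement": statements}


# The two messages quoted in this troubleshooting section.
SAMPLE_ERRORS = [
    "User: arn:aws:iam::123456789012:user/mateojackson is not authorized to perform: "
    "quicksight:GetWidget on resource: my-example-widget",
    "User: arn:aws:iam::123456789012:user/marymajor is not authorized to perform: iam:PassRole",
]

if __name__ == "__main__":
    print(json.dumps(draft_policy(SAMPLE_ERRORS), indent=2))
```

The drafted statement is a starting point for the request to the administrator, not something to attach blindly: the resource in the first message is whatever the console reported, and for `iam:PassRole` the administrator still has to confirm that the named role's trust policy only allows `quicksight.amazonaws.com` to assume it.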

## I want to allow people outside of my AWS account to access my Amazon Quick resources
<a name="security_iam_troubleshoot-cross-account-access"></a>

You can create a role that users in other accounts or people outside of your organization can use to access your resources. You can specify who is trusted to assume the role. For services that support resource-based policies or access control lists (ACLs), you can use those policies to grant people access to your resources.

To learn more, consult the following:
+ To learn whether Amazon Quick supports these features, see [Using Quick with IAM](security_iam_service-with-iam.md).
+ To learn how to provide access to your resources across AWS accounts that you own, see [Providing access to an IAM user in another AWS account that you own](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_common-scenarios_aws-accounts.html) in the *IAM User Guide*.
+ To learn how to provide access to your resources to third-party AWS accounts, see [Providing access to AWS accounts owned by third parties](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_common-scenarios_third-party.html) in the *IAM User Guide*.
+ To learn how to provide access through identity federation, see [Providing access to externally authenticated users (identity federation)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_common-scenarios_federated-users.html) in the *IAM User Guide*.
+ To learn the difference between using roles and resource-based policies for cross-account access, see [Cross account resource access in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies-cross-account-resource-access.html) in the *IAM User Guide*.

# Using IAM Identity Center
<a name="setting-up-sso"></a>


|  | 
| --- |
|    Applies to: Enterprise Edition and Standard Edition  | 


|  | 
| --- |
|    Intended audience:  System administrators and Amazon Quick administrators  | 

Amazon Quick Enterprise edition integrates with your existing directories, either through Microsoft Active Directory or through single sign-on with IAM Identity Center using Security Assertion Markup Language (SAML). You can use AWS Identity and Access Management (IAM) to further strengthen your security, or for custom options such as embedding dashboards.

In Quick Standard edition, you can manage users entirely within Quick. If you prefer, you can integrate with your existing users, groups, and roles in IAM. 

You can use the following tools for identity and access to Amazon Quick:
+ [IAM Identity Center](https://docs.aws.amazon.com/quicksight/latest/user/sec-identity-management-identity-center.html) (Enterprise edition only)
+ [IAM federation](https://docs.aws.amazon.com/quicksuite/latest/userguide/iam-federation.html) (Standard and Enterprise editions)
+ [AWS Directory Service for Microsoft Active Directory](https://docs.aws.amazon.com/quicksight/latest/user/aws-directory-service.html) (Enterprise edition only)
+ [SAML-based single sign-on](https://docs.aws.amazon.com/quicksight/latest/user/external-identity-providers.html) (Standard and Enterprise edition)
+ [Multifactor authentication (MFA)](https://docs.aws.amazon.com/quicksight/latest/user/using-multi-factor-authentication-mfa.html) (Standard and Enterprise edition)

**Note**  
In the regions listed below, Amazon Quick accounts can only use [IAM Identity Center](https://docs.aws.amazon.com/quicksight/latest/user/sec-identity-management-identity-center.html) for identity and access management.  
`af-south-1` Africa (Cape Town)
`ap-southeast-3` Asia Pacific (Jakarta)
`ap-southeast-5` Asia Pacific (Malaysia)
`eu-south-1` Europe (Milan)
`eu-central-2` Europe (Zurich)

IAM Identity Center helps you securely create or connect your workforce identities and manage their access across AWS accounts and applications. 

Before you integrate your Amazon Quick account with IAM Identity Center, set up IAM Identity Center in your AWS account. If you haven't set up IAM Identity Center in your AWS organization, see [Getting started](https://docs.aws.amazon.com/singlesignon/latest/userguide/getting-started.html) in the *AWS IAM Identity Center User Guide*.

If you want to configure an external identity provider with IAM Identity Center, see [Supported identity providers](https://docs.aws.amazon.com/singlesignon/latest/userguide/supported-idps.html) to view a list of supported identity providers' configuration steps.

**Topics**
+ [Configure your Amazon Quick account with IAM Identity Center](#sec-identity-management-identity-center)

## Configure your Amazon Quick account with IAM Identity Center
<a name="sec-identity-management-identity-center"></a>


|  | 
| --- |
|  Applies to:  Enterprise Edition  | 


|  | 
| --- |
|    Intended audience:  System administrators  | 

IAM Identity Center helps you securely create or configure your existing workforce identities and manage their access across AWS accounts and applications. IAM Identity Center is the recommended approach for workforce authentication and authorization on AWS for organizations of any size and type. To learn more about IAM Identity Center, see [AWS IAM Identity Center](https://aws.amazon.com//iam/identity-center/).

Configure Amazon Quick and IAM Identity Center so that you can sign up for a new Amazon Quick account with an IAM Identity Center configured identity source. With IAM Identity Center, you can configure your external identity provider as an identity source. You can also use IAM Identity Center as an identity store if you don't want to use a third-party identity provider with Amazon Quick. Identity methods can't be changed after your account is created.

When you integrate your Amazon Quick account with IAM Identity Center, Amazon Quick account administrators can create a new Amazon Quick account that automatically has the identity provider's groups available. This simplifies asset sharing at scale in Amazon Quick.

Access to some sections of the Amazon Quick administration console is restricted by IAM permissions. The following table summarizes the admin actions that you can perform in Amazon Quick based on the access type that you choose.

To learn more about how to sign up for an Amazon Quick account with IAM Identity Center, see [Signing up for an Amazon Quick subscription](https://docs.aws.amazon.com/quicksight/latest/user/signing-up.html).


| Admin action | IAM permissions | Amazon Quick admin role permissions | 
| --- | --- | --- | 
| **Manage assets** | Yes | No | 
| **Security & permissions** | Yes | No | 
| **Manage VPC connections** | Yes | No | 
| **KMS keys** | Yes | No | 
| **Account settings** | Yes | No | 
| **Account customization** | No | Yes | 
| **Manage users** | Yes (IAM Identity Center users) | Yes (Amazon Quick and IAM users) | 
| **Your subscriptions** | No | Yes | 
| **Mobile settings** | No | Yes | 
| **Domains and embedding** | No | Yes | 
| **SPICE capacity** | No | Yes | 

The Amazon Quick mobile app is not supported with Amazon Quick accounts that are integrated with IAM Identity Center.

### Considerations
<a name="idc-considerations"></a>

The following actions permanently remove the ability of Amazon Quick users to sign in to Amazon Quick. Amazon Quick does not recommend that Amazon Quick users perform these actions.
+ Disabling or deleting the Amazon Quick application in the IAM Identity Center console. If you want to delete your Amazon Quick account, see [Closing your Amazon Quick account](https://docs.aws.amazon.com/quicksight/latest/user/closing-account.html).
+ Migrating the Amazon Quick account that contains your IAM Identity Center configuration to an AWS Organization that does not contain the IAM Identity Center instance that your Amazon Quick account is configured with.
+ Deleting the IAM Identity Center instance that is configured for your Amazon Quick account.
+ Editing IAM Identity Center application attributes, for example the **requires assignment** attribute.

# IAM federation
<a name="iam-federation"></a>


|  | 
| --- |
|    Applies to: Enterprise Edition and Standard Edition  | 


|  | 
| --- |
|    Intended audience:  System administrators  | 

**Important**  
Amazon Quick recommends that you integrate new Amazon Quick subscriptions with IAM Identity Center for identity management. This IAM identity federation user guide is provided as a reference for existing account configurations. For more information on integrating your Amazon Quick account with IAM Identity Center, see [Configure your Amazon Quick account with IAM Identity Center](https://docs.aws.amazon.com/quicksight/latest/user/sec-identity-management-identity-center.html).

**Note**  
IAM identity federation doesn't support syncing identity provider groups with Amazon Quick.

Amazon Quick supports identity federation in both Standard and Enterprise editions. When you use federated users, you can manage users with your enterprise identity provider (IdP) and use AWS Identity and Access Management (IAM) to authenticate users when they sign in to Quick. You can use a third-party identity provider that supports Security Assertion Markup Language 2.0 (SAML 2.0) to provide an onboarding flow for your Amazon Quick users. Such identity providers include Microsoft Active Directory Federation Services, Okta, and Ping One Federation Server. With identity federation, your users get one-click access to their Amazon Quick applications using their existing identity credentials. You also have the security benefit of identity authentication by your identity provider. You can control which users have access to Amazon Quick using your existing identity provider. 

**Topics**
+ [Initiating sign-on from the identity provider (IdP)](federated-identities-idp-to-sp.md)
+ [Setting up IdP federation using IAM and Amazon Quick](external-identity-providers-setting-up-saml.md)
+ [Initiating sign-on from Quick](federated-identities-sp-to-idp.md)
+ [Setting up service provider–initiated federation with Quick Enterprise edition](setup-quicksight-to-idp.md)
+ [Configuring email syncing for federated users in Quick](jit-email-syncing.md)
+ [Tutorial: Amazon Quick and IAM identity federation](tutorial-okta-quicksight.md)

# Initiating sign-on from the identity provider (IdP)
<a name="federated-identities-idp-to-sp"></a>


|  | 
| --- |
|    Applies to: Enterprise Edition and Standard Edition  | 


|  | 
| --- |
|    Intended audience:  System administrators  | 

**Note**  
IAM identity federation doesn't support syncing identity provider groups with Amazon Quick.

In this scenario, your users initiate the sign-on process from the identity provider's portal. After the users are authenticated, they sign in to Amazon Quick. After Quick checks that they are authorized, your users can access Quick. 

Beginning with a user signing into the IdP, authentication flows through these steps:

1. The user browses to `https://applications.example.com` and signs on to the IdP. At this point, the user isn't signed in to the service provider. 

1. The federation service and the IdP authenticate the user:

   1. The federation service requests authentication from the organization's identity store.

   1. The identity store authenticates the user and returns the authentication response to the federation service.

   1. When authentication is successful, the federation service posts the SAML assertion to the user’s browser.

1. The user opens Amazon Quick:

   1. The user's browser posts the SAML assertion to the AWS Sign-In SAML endpoint (`https://signin.aws.amazon.com/saml`). 

   1. AWS Sign-In receives the SAML request, processes the request, authenticates the user, and forwards the authentication token to the Amazon Quick service.

1. Amazon Quick accepts the authentication token from AWS and presents Amazon Quick to the user.

From the user's perspective, the process happens transparently. The user starts at your organization's internal portal and lands at an Amazon Quick application portal, without ever having to supply any AWS credentials.

In the following diagram, you can find an authentication flow between Amazon Quick and a third-party identity provider (IdP). In this example, the administrator has set up a sign-in page to access Amazon Quick, called `applications.example.com`. When a user signs in, the sign-in page posts a request to a federation service that complies with SAML 2.0. The end user initiates authentication from the sign-on page of the IdP.

![\[Quick SAML Diagram. The diagram contains two boxes. The first one describes an authentication process inside the enterprise. The second one describes authentication inside AWS. The process is described in the text following the table.\]](http://docs.aws.amazon.com/quick/latest/userguide/images/SAML-Flow-Diagram.png)


For information from some common providers, see the following third-party documentation:
+ CA – [Enabling SAML 2.0 HTTP Post Binding](https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-7/configuring/partnership-federation/saml-2-0-only-configurable-features/enable-saml-2-0-http-post-binding.html)
+ Okta – [Planning a SAML deployment](https://developer.okta.com/docs/concepts/saml/)
+ Ping – [Amazon integrations](https://docs.pingidentity.com/bundle/integrations/page/kun1563994988131.html)

Use the following topics to understand using an existing federation with AWS:
+ [Identity federation in AWS](https://aws.amazon.com/identity/federation/) on the AWS website
+ [Providing access to externally authenticated users (identity federation)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_common-scenarios_federated-users.html) in the *IAM User Guide*
+ [Enabling SAML 2.0 federated users to access the AWS Management Console](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-saml.html) in the *IAM User Guide*

# Setting up IdP federation using IAM and Amazon Quick
<a name="external-identity-providers-setting-up-saml"></a>


|  | 
| --- |
|    Applies to: Enterprise Edition and Standard Edition  | 


|  | 
| --- |
|    Intended audience:  System administrators  | 

**Note**  
IAM identity federation doesn't support syncing identity provider groups with Amazon Quick.

You can use an AWS Identity and Access Management (IAM) role and a relay state URL to configure an identity provider (IdP) that is compliant with SAML 2.0. The role grants users permissions to access Amazon Quick. The relay state is the portal that the user is forwarded to, after successful authentication by AWS.

**Topics**
+ [Prerequisites](#external-identity-providers-setting-up-prerequisites)
+ [Step 1: Create a SAML provider in AWS](#external-identity-providers-create-saml-provider)
+ [Step 2: Configure permissions in AWS for your federated users](#external-identity-providers-grantperms)
+ [Step 3: Configure the SAML IdP](#external-identity-providers-config-idp)
+ [Step 4: Create assertions for the SAML authentication response](#external-identity-providers-create-assertions)
+ [Step 5: Configure the relay state of your federation](#external-identity-providers-relay-state)

## Prerequisites
<a name="external-identity-providers-setting-up-prerequisites"></a>

Before configuring your SAML 2.0 connection, do the following:
+ Configure your IdP to establish a trust relationship with AWS: 
  + Inside your organization's network, configure your identity store, such as Windows Active Directory, to work with a SAML-based IdP. SAML-based IdPs include Active Directory Federation Services, Shibboleth, and so on.
  + Using your IdP, generate a metadata document that describes your organization as an identity provider.
  + Set up SAML 2.0 authentication, using the same steps as for the AWS Management Console. When this process is complete, you can configure your relay state to match the relay state of Quick. For more information, see [Configure the relay state of your federation](https://docs.aws.amazon.com/quicksight/latest/user/external-identity-providers-setting-up-saml.html#external-identity-providers-relay-state).
+ Create an Amazon Quick account and note the name to use when you configure your IAM policy and IdP. For more information on creating an Amazon Quick account, see [Signing up for an Amazon Quick subscription](https://docs.aws.amazon.com/quicksight/latest/user/signing-up.html).

After you create the setup to federate to the AWS Management Console as outlined in the tutorial, you can edit the relay state provided in the tutorial, replacing it with the relay state of Amazon Quick described in Step 5 following.

For more information, see the following resources:
+ [Integrating Third-Party SAML Solution Providers with AWS](https://docs.aws.amazon.com/singlesignon/latest/userguide/) in the *IAM User Guide*.
+ [Troubleshooting SAML 2.0 federation with AWS](https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_saml.html), also in the *IAM User Guide*.
+ [Setting up trust between ADFS and AWS and using Active Directory credentials to connect to Amazon Athena with ODBC driver](https://aws.amazon.com/blogs/big-data/setting-up-trust-between-adfs-and-aws-and-using-active-directory-credentials-to-connect-to-amazon-athena-with-odbc-driver/) – This walkthrough article is helpful, although you don't need to set up Athena in order to use Amazon Quick.

## Step 1: Create a SAML provider in AWS
<a name="external-identity-providers-create-saml-provider"></a>

Your SAML identity provider defines your organization's IdP to AWS. It does so by using the metadata document that you previously generated using your IdP. 

**To create a SAML provider in AWS**

1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. Create a new SAML provider, which is an entity in IAM that holds information about your organization's identity provider. For more information, see [Creating SAML Identity Providers](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml.html) in the *IAM User Guide*. 

1. As part of this process, upload the metadata document produced by the IdP software in your organization noted in the previous section. 

## Step 2: Configure permissions in AWS for your federated users
<a name="external-identity-providers-grantperms"></a>

Next, create an IAM role that establishes a trust relationship between IAM and your organization's IdP. This role identifies your IdP as a principal (trusted entity) for the purposes of federation. The role also defines which users authenticated by your organization's IdP are allowed to access Amazon Quick. For more information about creating a role for a SAML IdP, see [Creating a Role for SAML 2.0 Federation](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_saml.html) in the *IAM User Guide*.

After you have created the role, you can limit the role to have permissions only to Amazon Quick by attaching an inline policy to the role. The following sample policy document provides access to Amazon Quick. This policy allows the user access to Amazon Quick and allows them to create both author accounts and reader accounts.

**Note**  
In the following example, replace `<YOUR_AWS_ACCOUNT_ID>` with your 12-digit AWS account ID (with no hyphens).

```
{
    "Statement": [
        {
            "Action": [
                "quicksight:CreateUser"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:quicksight::<YOUR_AWS_ACCOUNT_ID>:user/${aws:userid}"
            ]
        }
    ],
    "Version": "2012-10-17"
}
```

If you want to provide access to Amazon Quick and also the ability to create Amazon Quick admins, authors (standard users), and readers, you can use the following policy example. 

```
{
    "Statement": [
        {
            "Action": [
                "quicksight:CreateAdmin"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:quicksight::<YOUR_AWS_ACCOUNT_ID>:user/${aws:userid}"
            ]
        }
    ],
    "Version": "2012-10-17"
}
```

You can view account details in the AWS Management Console.

After you have set up SAML and the IAM policy or policies, you don't need to invite users manually. The first time that users open Amazon Quick, they are provisioned automatically, using the highest-level permissions in the policy. For example, if they have permissions to both `quicksight:CreateUser` and `quicksight:CreateReader`, they are provisioned as authors. If they also have permissions to `quicksight:CreateAdmin`, they are provisioned as admins. Each permission level includes the ability to create users at the same level and below. For example, an author can add other authors or readers.

Users who are invited manually are created in the role assigned by the person who invited them. They don't need to have policies that grant them permissions.
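As an added example (not code from the Amazon Quick documentation), the following Python script applies the provisioning rule just described to a role's inline policy and reports which Quick role a federated user would receive on first sign-in. The policy documents it evaluates are constructed samples, and its handling of `*` wildcards and explicit `Deny` statements goes slightly beyond the page's exact-action examples; `NotAction` and `Condition` elements are not evaluated.

```python
"""Predict the Amazon Quick role a federated user is auto-provisioned into.

Added example, not from the Amazon Quick documentation. It applies the rule
stated on the page: on first sign-in the user gets the highest role whose
quicksight:Create* action the IAM role's policy allows
(CreateAdmin > CreateUser > CreateReader, i.e. admin > author > reader).
Sample policies are constructed; <YOUR_AWS_ACCOUNT_ID> is the page's placeholder.
"""
import fnmatch
import json

# Ordered from highest to lowest privilege, as the page describes.
ROLE_FOR_ACTION = [
    ("quicksight:CreateAdmin", "ADMIN"),
    ("quicksight:CreateUser", "AUTHOR"),
    ("quicksight:CreateReader", "READER"),
]


def _as_list(value):
    """IAM allows a string or a list for Statement/Action/Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(patterns, action):
    """Case-insensitive IAM action matching with * and ? wildcards."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def allowed_actions(policy):
    """Return the set of quicksight:Create* actions the policy allows.

    An explicit Deny always wins over an Allow, as in IAM evaluation.
    Simplification: NotAction and Condition elements are ignored.
    """
    allowed, denied = set(), set()
    for stmt in _as_list(policy.get("Statement")):
        actions = _as_list(stmt.get("Action"))
        bucket = allowed if stmt.get("Effect") == "Allow" else denied
        for action, _ in ROLE_FOR_ACTION:
            if _matches(actions, action):
                bucket.add(action)
    return allowed - denied


def provisioned_role(policy):
    """Highest Quick role granted by the policy, or None if none is granted."""
    granted = allowed_actions(policy)
    for action, role in ROLE_FOR_ACTION:
        if action in granted:
            return role
    return None


# Constructed sample: the page's first policy (author, which includes reader).
AUTHOR_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["quicksight:CreateUser"],
    "Resource": ["arn:aws:quicksight::<YOUR_AWS_ACCOUNT_ID>:user/${aws:userid}"]
  }]
}
""")

# Constructed sample: a broad wildcard grant with an explicit Deny on CreateAdmin.
# Shown only to illustrate evaluation; prefer the page's narrowly scoped Resource.
WILDCARD_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "quicksight:Create*", "Resource": "*"},
    {"Effect": "Deny", "Action": "quicksight:CreateAdmin", "Resource": "*"}
  ]
}
""")

if __name__ == "__main__":
    print(provisioned_role(AUTHOR_POLICY))    # AUTHOR
    print(provisioned_role(WILDCARD_POLICY))  # AUTHOR (admin explicitly denied)
```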

## Step 3: Configure the SAML IdP
<a name="external-identity-providers-config-idp"></a>

After you create the IAM role, update your SAML IdP about AWS as a service provider. To do so, install the `saml-metadata.xml` file found at [https://signin.aws.amazon.com/static/saml-metadata.xml](https://signin.aws.amazon.com/static/saml-metadata.xml). 

To update the IdP metadata, see the instructions provided by your IdP. Some providers give you the option to type the URL, after which the IdP gets and installs the file for you. Others require you to download the file from the URL and then provide it as a local file. 

For more information, see your IdP documentation. 

## Step 4: Create assertions for the SAML authentication response
<a name="external-identity-providers-create-assertions"></a>

Next, configure the information that the IdP passes as SAML attributes to AWS as part of the authentication response. For more information, see [Configuring SAML Assertions for the Authentication Response](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml_assertions.html) in the *IAM User Guide*.

## Step 5: Configure the relay state of your federation
<a name="external-identity-providers-relay-state"></a>

Finally, configure the relay state of your federation to point to the Amazon Quick relay state URL. After successful authentication by AWS, the user is directed to Amazon Quick, defined as the relay state in the SAML authentication response.

The relay state URL for Amazon Quick is as follows.

```
https://quicksight.aws.amazon.com
```

# Initiating sign-on from Quick
<a name="federated-identities-sp-to-idp"></a>


|  | 
| --- |
|  Applies to:  Enterprise Edition  | 


|  | 
| --- |
|    Intended audience:  System administrators  | 

**Note**  
IAM identity federation doesn't support syncing identity provider groups with Amazon Quick.

In this scenario, your user initiates the sign-on process from an Amazon Quick application portal without being signed on to the identity provider. In this case, the user has a federated account managed by a third-party IdP. The user might have a user account on Quick. Quick sends an authentication request to the IdP. After the user is authenticated, Quick opens. 

Beginning with the user signing into Quick, authentication flows through these steps:

1. The user opens Quick. At this point, the user isn't signed in to the IdP. 

1. The user attempts to sign in to Amazon Quick.

1. Amazon Quick redirects the user's input to the federation service and requests authentication.

1. The federation service and the IdP authenticate the user:

   1. The federation service requests authentication from the organization's identity store.

   1. The identity store authenticates the user and returns the authentication response to the federation service.

   1. When authentication is successful, the federation service posts the SAML assertion to the user's browser.

   1. The user's browser posts the SAML assertion to the AWS Sign-In SAML endpoint (`https://signin.aws.amazon.com/saml`). 

   1. AWS Sign-In receives the SAML request, processes the request, authenticates the user, and forwards the authentication token to the Amazon Quick service.

1. Amazon Quick accepts the authentication token from AWS and presents Amazon Quick to the user.

From the user's perspective, the process happens transparently. The user starts at an Amazon Quick application portal. Amazon Quick negotiates authentication with your organization's federation service and AWS. Amazon Quick opens, without the user needing to supply any additional credentials.

# Setting up service provider–initiated federation with Quick Enterprise edition
<a name="setup-quicksight-to-idp"></a>


|  | 
| --- |
|  Applies to:  Enterprise Edition  | 


|  | 
| --- |
|    Intended audience:  System administrators  | 

**Note**  
IAM identity federation doesn't support syncing identity provider groups with Amazon Quick.

After you have finished configuring your identity provider with AWS Identity and Access Management (IAM), you can set up service provider–initiated sign in through Amazon Quick Enterprise Edition. For Quick-initiated IAM federation to work, you need to authorize Quick to send the authentication request to your IdP. A Quick administrator can configure this by adding the following information provided by the IdP:
+ The IdP URL – Quick redirects users to this URL for authentication.
+ The relay state parameter – This parameter relays the state that the browser session was in when it was redirected for authentication. The IdP redirects the user back to the original state after authentication. The state is provided as a URL.

The following table shows the standard authentication URL and relay state parameter for redirecting the user to the Quick URL that you provide.


| Identity provider | Parameter | Authentication URL | 
| --- | --- | --- | 
|  Auth0  |   `RelayState`   |   `https://<sub_domain>.auth0.com/samlp/<app_id>`   | 
|  Google accounts  |   `RelayState`   |   `https://accounts.google.com/o/saml2/initsso?idpid=<idp_id>&spid=<sp_id>&forceauthn=false`  | 
|  Microsoft Azure  |   `RelayState`   |   `https://myapps.microsoft.com/signin/<app_name>/<app_id>?tenantId=<tenant_id>`   | 
|  Okta  |   `RelayState`   |   `https://<sub_domain>.okta.com/app/<app_name>/<app_id>/sso/saml`   | 
|  PingFederate  |   `TargetResource`   |   `https://<host>/idp/<idp_id>/startSSO.ping?PartnerSpId=<sp_id>`   | 
|  PingOne  |   `TargetResource`   |   `https://sso.connect.pingidentity.com/sso/sp/initsso?saasid=<app_id>&idpid=<idp_id>`   | 

Amazon Quick supports connecting to one IdP per AWS account. The configuration page in Amazon Quick provides you with test URLs based on your entries, so you can test the settings before you turn on the feature. To make the process even more seamless, Amazon Quick provides a parameter (`enable-sso=0`) that temporarily turns off Amazon Quick initiated IAM federation, in case you need to disable it.

## To set up Amazon Quick as a service provider that can initiate IAM federation for an existing IdP
<a name="qs-setup-sp"></a>

1. Make sure that you already have IAM federation set up in your IdP, in IAM, and in Amazon Quick. To test this setup, check if you can share a dashboard with another person in your company's domain.

1. Open Amazon Quick, and choose **Manage Amazon Quick** from your profile menu at upper right.

   To perform this procedure, you need to be an Amazon Quick administrator. If you aren't, you can't see **Manage Amazon Quick** under your profile menu.

1. Choose **Single sign-on (IAM federation)** from the navigation pane.

1. For **Configuration**, **IdP URL**, enter the URL that your IdP provides to authenticate users.

1. Next, enter the relay state parameter that your IdP provides, for example `RelayState`. The actual name of the parameter is provided by your IdP. 

1. <a name="sp-idp-test"></a>Test signing in:
   + To test signing in with your identity provider, use the custom URL provided in **Test starting with your IdP**. You should arrive at the start page for Amazon Quick, for example https://quicksight.aws.amazon.com/sn/start.
   + To test signing in with Amazon Quick first, use the custom URL provided in **Test the end-to-end experience**. The `enable-sso` parameter is appended to the URL. If `enable-sso=1`, IAM federation attempts to authenticate. 

1. Choose **Save** to keep your settings.

## To enable service provider–initiated IAM federation IdP
<a name="qs-sp-enable"></a>

1. Make sure your IAM federation settings are configured and tested. If you're not sure about the configuration, test the connection by using the URLs from the previous procedure.

1. Open Amazon Quick, and choose **Manage Amazon Quick** from your profile menu.

1. Choose **Single sign-on (IAM federation)** from the navigation pane.

1. For **Status**, choose **ON**. 

1. Verify that it's working by disconnecting from your IdP and opening Amazon Quick. 

## To disable service provider–initiated IAM federation
<a name="qs-sp-disable"></a>

1. Open Amazon Quick, and choose **Manage Amazon Quick** from your profile menu.

1. Choose **Single sign-on (IAM federation)** from the navigation pane.

1. For **Status**, choose **OFF**. 

# Configuring email syncing for federated users in Quick
<a name="jit-email-syncing"></a>


|  | 
| --- |
|  Applies to:  Enterprise Edition  | 


|  | 
| --- |
|    Intended audience:  System administrators and Amazon Quick administrators  | 

**Note**  
IAM identity federation doesn't support syncing identity provider groups with Amazon Quick.

In Amazon Quick Enterprise edition, as an administrator you can restrict new users from using personal email addresses when provisioning through their identity provider (IdP) directly to Quick. Quick then uses the preconfigured email addresses passed through the IdP when provisioning new users to your account. For example, you can make it so that only corporate-assigned email addresses are used when users are provisioned to your Amazon Quick account through your IdP.

**Note**  
Make sure that your users are federating directly to Amazon Quick through their IdP. Federating to the AWS Management Console through their IdP and then clicking into Amazon Quick results in an error and they won't be able to access Amazon Quick.

When you configure email syncing for federated users in Amazon Quick, users who log in to your Amazon Quick account for the first time have preassigned email addresses. These are used to register their accounts. With this approach, users can't bypass the process by manually entering an email address. Also, users can't use an email address that might differ from the email address prescribed by you, the administrator.

Amazon Quick supports provisioning through an IdP that supports SAML or OpenID Connect (OIDC) authentication. To configure email addresses for new users when provisioning through an IdP, you update the trust relationship for the IAM role that they use with `AssumeRoleWithSAML` or `AssumeRoleWithWebIdentity`. Then you add a SAML attribute or OIDC token in their IdP. Last, you turn on email syncing for federated users in Amazon Quick.

The following procedures describe these steps in detail.

## Step 1: Update the trust relationship for the IAM role with AssumeRoleWithSAML or AssumeRoleWithWebIdentity
<a name="jit-email-syncing-step-1"></a>

You can configure email addresses for your users to use when provisioning through your IdP to Amazon Quick. To do this, add the `sts:TagSession` action to the trust relationship for the IAM role that you use with `AssumeRoleWithSAML` or `AssumeRoleWithWebIdentity`. By doing this, you can pass in `principal` tags when users assume the role.

The following example illustrates an updated IAM role where the IdP is Okta. To use this example, update the `Federated` Amazon Resource Name (ARN) with the ARN for your service provider. Replace the placeholder values, such as `account-id` and the provider name `Okta`, with your AWS and IdP-specific information.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "arn:aws:iam::account-id:saml-provider/Okta"
            },
            "Action": "sts:AssumeRoleWithSAML",
            "Condition": {
                "StringEquals": {
                    "SAML:aud": "https://signin.aws.amazon.com/saml"
                }
            }
        },
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "arn:aws:iam::account-id:saml-provider/Okta"
            },
            "Action": "sts:TagSession",
            "Condition": {
                "StringLike": {
                    "aws:RequestTag/Email": "*"
                }
            }
        }
    ]
}
```

## Step 2: Add a SAML attribute or OIDC token for the IAM principal tag in your IdP
<a name="jit-email-syncing-step-2"></a>

After you update the trust relationship for the IAM role as described in the preceding section, add a SAML attribute or OIDC token for the IAM `Principal` tag in your IdP.

The following examples illustrate a SAML attribute and an OIDC token claim. To use these examples, replace the email address with the variable in your IdP that holds a user's email address, and replace the other placeholders with your information.
+ **SAML attribute**: The following example illustrates a SAML attribute. 

  ```
  <Attribute Name="https://aws.amazon.com/SAML/Attributes/PrincipalTag:Email"><AttributeValue>john.doe@example.com</AttributeValue></Attribute>
  ```

  **Note**  
  If you're using Okta as your IdP, make sure that the feature flag for passing session tags through SAML is turned on in your Okta account. For more information, see [Okta and AWS Partner to Simplify Access Via Session Tags](https://www.okta.com/blog/2019/11/okta-and-aws-partner-to-simplify-access-via-session-tags/) on the Okta blog. 
+ **OIDC token**: The following example illustrates the tags claim in an OIDC ID token. 

  ```
  "https://aws.amazon.com/tags": {"principal_tags": {"Email": ["john.doe@example.com"]}}
  ```

## Step 3: Turn on email syncing for federated users in Amazon Quick
<a name="jit-email-syncing-step-3"></a>

As described in the preceding sections, update the trust relationship for the IAM role and add a SAML attribute or OIDC token claim for the IAM `Principal` tag in your IdP. Then turn on email syncing for federated users in Amazon Quick as described in the following procedure.

**To turn on email syncing for federated users**

1. From any page in Amazon Quick, choose your username at top right, and then choose **Manage Amazon Quick**.

1. Choose **Single sign-on (IAM federation)** in the menu at left.

1. On the **Service Provider Initiated IAM federation** page, for **Email Syncing for Federated Users**, choose **ON**.

   When email syncing for federated users is on, Amazon Quick uses the email addresses that you configured in steps 1 and 2 when provisioning new users to your account. Users can't enter their own email addresses.

   When email syncing for federated users is off, Amazon Quick asks users to input their email address manually when provisioning new users to your account. They can use any email addresses that they want.
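As an added example (not part of the Amazon Quick documentation), the following Python script ties steps 1 through 3 together: it lints a role trust policy for the two statements that email syncing depends on, and it emits the SAML attribute and the OIDC claim from step 2 for a given address. The trust policy embedded in it is a constructed copy of the step 1 example with a placeholder account ID. The check for `aws:TagKeys` is a caveat that goes beyond the page: the `aws:RequestTag/Email` condition only requires that the `Email` tag is present, so without a `ForAllValues:StringEquals` condition on `aws:TagKeys` the IdP can attach any other session tags as well.

```python
"""Added example (not Amazon Quick documentation code): lint a federated role's
trust policy for the statements that email syncing needs, and build the IdP-side
SAML attribute / OIDC claim that carries the Email principal tag."""
import json
import xml.etree.ElementTree as ET

AWS_SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"
SAML_EMAIL_TAG_ATTR = "https://aws.amazon.com/SAML/Attributes/PrincipalTag:Email"
OIDC_TAGS_CLAIM = "https://aws.amazon.com/tags"

# Constructed sample: the Step 1 trust policy with a placeholder account ID.
SAMPLE_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Principal": {"Federated": "arn:aws:iam::111111111111:saml-provider/Okta"},
         "Action": "sts:AssumeRoleWithSAML",
         "Condition": {"StringEquals": {"SAML:aud": AWS_SAML_AUDIENCE}}},
        {"Effect": "Allow",
         "Principal": {"Federated": "arn:aws:iam::111111111111:saml-provider/Okta"},
         "Action": "sts:TagSession",
         "Condition": {"StringLike": {"aws:RequestTag/Email": "*"}}},
    ],
})


def _as_list(value):
    """IAM accepts either a string or a list in Action/Principal fields."""
    return value if isinstance(value, list) else [value]


def _cond_value(block, key):
    """Condition keys are case-insensitive in IAM (SAML:aud == saml:aud)."""
    return next((v for k, v in block.items() if k.lower() == key.lower()), None)


def check_trust_policy(policy_json):
    """Return (ok, findings). ok is True when a federated principal may both
    assume the role and pass an Email session tag; 'advisory:' findings don't fail it."""
    findings = []
    assume_ok = tag_ok = False
    principals = set()
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        cond = stmt.get("Condition", {})
        principal = stmt.get("Principal", {})
        if isinstance(principal, dict):
            principals.update(_as_list(principal.get("Federated", [])))
        if "sts:assumerolewithsaml" in actions:
            if _cond_value(cond.get("StringEquals", {}), "saml:aud") == AWS_SAML_AUDIENCE:
                assume_ok = True
            else:
                findings.append("AssumeRoleWithSAML is not pinned to the AWS sign-in audience")
        if "sts:assumerolewithwebidentity" in actions:
            assume_ok = True
        if "sts:tagsession" in actions:
            if _cond_value(cond.get("StringLike", {}), "aws:RequestTag/Email") is not None:
                tag_ok = True
            else:
                findings.append("sts:TagSession does not require the Email request tag")
            # Caveat beyond the page: aws:RequestTag/Email only requires that one tag;
            # without aws:TagKeys the IdP may attach any additional session tags.
            if _cond_value(cond.get("ForAllValues:StringEquals", {}), "aws:TagKeys") is None:
                findings.append("advisory: sts:TagSession does not limit aws:TagKeys")
    if not assume_ok:
        findings.append("no statement allows AssumeRoleWithSAML/WebIdentity")
    if not tag_ok:
        findings.append("no statement allows sts:TagSession with an Email tag")
    if len(principals) != 1:
        findings.append("statements should name the same single federated provider")
    return assume_ok and tag_ok and len(principals) == 1, findings


def saml_email_attribute(email):
    """SAML <Attribute> that STS maps to the Email principal tag (Step 2)."""
    attr = ET.Element("Attribute", Name=SAML_EMAIL_TAG_ATTR)
    ET.SubElement(attr, "AttributeValue").text = email
    return ET.tostring(attr, encoding="unicode")


def oidc_tags_claim(email):
    """The 'https://aws.amazon.com/tags' claim for an OIDC ID token (Step 2)."""
    return {OIDC_TAGS_CLAIM: {"principal_tags": {"Email": [email]}}}


if __name__ == "__main__":
    ok, findings = check_trust_policy(SAMPLE_TRUST_POLICY)
    print("trust policy ok:", ok, findings)
    print(saml_email_attribute("john.doe@example.com"))
    print(json.dumps(oidc_tags_claim("john.doe@example.com")))
```

The SAML fragment is emitted without the `urn:oasis:names:tc:SAML:2.0:assertion` namespace, matching the fragment shown in step 2; in a real assertion the element sits inside an `<AttributeStatement>` in that namespace, which your IdP adds for you.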

# Tutorial: Amazon Quick and IAM identity federation
<a name="tutorial-okta-quicksight"></a>


|  | 
| --- |
|    Applies to: Enterprise Edition and Standard Edition  | 


|  | 
| --- |
|    Intended audience:  Amazon Quick Administrators and Amazon Quick developers  | 

**Note**  
IAM identity federation doesn't support syncing identity provider groups with Amazon Quick.

In the following tutorial, you can find a walkthrough for setting up the IdP Okta as a federation service for Amazon Quick. Although this tutorial shows the integration of AWS Identity and Access Management (IAM) and Okta, you can also replicate this solution using your choice of SAML 2.0 IdPs.

In the following procedure, you create an app in the Okta IdP using their "AWS Account Federation" shortcut. Okta describes this integration app as follows:

"By federating Okta to Amazon Web Services (AWS) Identity and Access Management (IAM) accounts, end users get single sign-on access to all their assigned AWS roles with their Okta credentials. In each AWS account, administrators set up federation and configure AWS roles to trust Okta. When users sign in to AWS, they get the Okta single sign-in experience to see their assigned AWS roles. They can then select a desired role, which defines their permissions for the duration of their authenticated session. Customers with large numbers of AWS Accounts, check out the AWS Single Sign-On app as an alternative." (https://www.okta.com/aws/)

**To create an Okta app using Okta's "AWS Account Federation" application shortcut**

1. Sign in to your Okta dashboard. If you don't have one, create a free Okta Developer Edition account by using [this Amazon Quick-branded URL](https://developer.okta.com/quickstart/). When you have activated your email, sign in to Okta.

1. On the Okta website, choose **<> Developer Console** at upper left, and then choose **Classic UI**.

1. Choose **Add Applications**, and choose **Add app**.

1. Enter **aws** for **Search**, and choose **AWS Account Federation** from the search results.

1. Choose **Add** to create an instance of this application.

1. For **Application label**, enter **AWS Account Federation - Amazon Quick**.

1. Choose **Next**.

1. For **SAML 2.0**, **Default Relay State**, enter **https://quicksight.aws.amazon.com**.

1. Open the context (right-click) menu for **Identity Provider metadata**, and choose to save the file. Name the file `metadata.xml`. You need this file in the next procedure.

   The contents of the file look similar to the following.

   ```
   <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://www.okta.com/exkffz2hATwiVft645d5">
     <md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
       <md:KeyDescriptor use="signing">
         <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
           <ds:X509Data>
             <ds:X509Certificate>
             MIIDpjCCAo6gAwIBAgIGAXVjA82hMA0GCSqGSIb3DQEBCwUAMIGTMQswCQYDVQQGEwJVUzETMBEG
             .
             .        (certificate content omitted)
             .
             QE/6cRdPQ6v/eaFpUL6Asd6q3sBeq+giRG4=
             </ds:X509Certificate>
           </ds:X509Data>
         </ds:KeyInfo>
       </md:KeyDescriptor>
       <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
       <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified</md:NameIDFormat>
       <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://dev-1054988.okta.com/app/amazon_aws/exkffz2hATwiVft645d5/sso/saml"/>
       <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://dev-1054988.okta.com/app/amazon_aws/exkffz2hATwiVft645d5/sso/saml"/>
     </md:IDPSSODescriptor>
   </md:EntityDescriptor>
   ```

1. After you have the XML file saved, scroll to the bottom of the Okta page, and choose **Done**.

1. Keep this browser window open, if possible. You need it later in the tutorial.

Next, you create an identity provider in your AWS account.

**To create a SAML provider in AWS Identity and Access Management (IAM)**

1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. In the navigation pane, choose **Identity providers**, **Create Provider**.

1. Enter the following settings:
   + **Provider Type** – Choose **SAML** from the list. 
   + **Provider Name** – Enter **Okta**.
   + **Metadata Document** – Upload the XML file `metadata.xml` that you saved in the previous procedure.

1. Choose **Next Step**, **Create**.

1. Locate the IdP that you created and choose it to view the settings. Note the **Provider ARN**. You need this to finish the tutorial.

1. Verify that the identity provider is created with your settings. In IAM, choose **Identity providers**, **Okta** (the IdP you added), **Download metadata**. The file should be the one that you recently uploaded.

Next, you create an IAM role to enable the SAML 2.0 federation to act as a trusted entity in your AWS account. For this step, you need to choose how you want to provision users in Amazon Quick. You can do one of the following:
+ Grant permission to the IAM role so that first-time visitors become Amazon Quick users automatically.
+ Provision users in advance by using the Amazon Quick API, so that the role needs no user-creation permission. This option is described later in this procedure.

**To create an IAM role for a SAML 2.0 federation as a trusted entity**

1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. In the navigation pane, choose **Roles**, **Create Role**.

1. For **Select type of trusted entity**, choose the card labeled **SAML 2.0 federation**.

1. For **SAML provider**, select the IdP that you created in the previous procedure, for example `Okta`.

1. Enable the option **Allow programmatic and AWS Management Console access**.

1. Choose **Next: Permissions**.

1. Choose **Create policy**, **JSON**, and then paste the following policy into the editor. 

   In the policy editor, update the JSON with your provider's Amazon Resource Name (ARN). 

   ```
   {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Effect": "Allow",
               "Action": "sts:AssumeRoleWithSAML",
               "Resource": "arn:aws:iam::111111111111:saml-provider/Okta",
               "Condition": {
                   "StringEquals": {
                       "saml:aud": "https://signin.aws.amazon.com/saml"
                   }
               }
           }
       ]
   }
   ```

1. Choose **Review policy**. 

1. For **Name**, enter **QuicksightOktaFederatedPolicy**, and then choose **Create policy**.

1. Choose **Create policy**, **JSON** a second time. 

1. Paste the following policy into the editor. 

   In the policy editor, update the JSON with your AWS account ID. It should be the same account ID that you used in the previous policy in the provider ARN.

   ```
   {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Action": [
                   "quicksight:CreateReader"
               ],
               "Effect": "Allow",
               "Resource": [
                   "arn:aws:quicksight::111111111111:user/${aws:userid}"
               ]
           }
       ]
   }
   ```

   The Region field of the ARN is left empty, as shown following. `${aws:userid}` is an IAM policy variable that resolves to the unique ID of the assumed-role session, so each federated user can create only their own Amazon Quick user.

   ```
   arn:aws:quicksight::111111111111:user/${aws:userid}
   ```

1. Choose **Review policy**. 

1. For **Name**, enter **QuicksightCreateReader**, and then choose **Create policy**.

1. Refresh the list of policies by choosing the refresh icon at right. 

1. For **Search**, enter **QuicksightOktaFederatedPolicy**. Select the check box next to the policy to attach it.

   If you don't want to use automatic provisioning, you can skip the following step. 

   To add an Amazon Quick user, use [register-user](https://docs.aws.amazon.com/quicksight/latest/APIReference/API_RegisterUser.html). To add an Amazon Quick group, use [create-group](https://docs.aws.amazon.com/quicksight/latest/APIReference/API_CreateGroup.html). To add users to the Amazon Quick group, use [create-group-membership](https://docs.aws.amazon.com/quicksight/latest/APIReference/API_CreateGroupMembership.html). 

1. (Optional) For **Search**, enter **QuicksightCreateReader**. Select the check box next to the policy to attach it.

   Do this step if you want to provision Amazon Quick users automatically, rather than using the Amazon Quick API.

   The `QuicksightCreateReader` policy activates automatic provisioning by allowing use of the `quicksight:CreateReader` action. Doing this grants dashboard subscriber (reader-level) access to first-time users. An Amazon Quick administrator can later upgrade them from the Amazon Quick profile menu, **Manage Amazon Quick**, **Manage users**. 

1. To continue attaching the IAM policy or policies, choose **Next: Tags**. 

1. Choose **Next: Review**.

1. For **Role name**, enter **QuicksightOktaFederatedRole**, and choose **Create role**.

1. Verify that you completed this successfully by taking these steps:

   1. Return to the main page of the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/). You can use your browser's **Back** button.

   1. Choose **Roles**. 

   1. For **Search**, enter Okta. Choose **QuicksightOktaFederatedRole** from the search results.

   1. On the **Summary** page for the role, examine the **Permissions** tab. Verify that the role has the policy or policies that you attached to it. It should have `QuicksightOktaFederatedPolicy`. If you chose to add the ability to create users, it should also have `QuicksightCreateReader`.

   1. Expand each policy to view its JSON. Verify that the text matches what is shown in this procedure. Double-check that you added your own AWS account number in place of the example account number 111111111111. 

   1. On the **Trust relationships** tab, verify that the **Trusted entities** field contains the ARN for the identity provider. You can double-check the ARN in the IAM console by opening **Identity providers**, **Okta**. 

**To create an access key for Okta**

1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. Add a policy that allows Okta to display a list of IAM roles to the user. To do this, choose **Policies**, **Create policy**. 

1. Choose **JSON**, then enter the following policy.

   ```
   {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Effect": "Allow",
               "Action": [
                   "iam:ListRoles",
                   "iam:ListAccountAliases"
               ],
               "Resource": "*"
           }
       ]
   }
   ```

1. Choose **Review Policy**.

1. For **Name**, enter **OktaListRolesPolicy**. Then choose **Create policy**.

1. Add a user so you can provide Okta with an access key. 

   In the navigation pane, choose **Users**, **Add User**.

1. Use the following settings:
   + For **User name**, enter `OktaSSOUser`.
   + For **Access type**, enable **Programmatic access**.

1. Choose **Next: Permissions**.

1. Choose **Attach existing policies directly**.

1. For **Search**, enter **OktaListRolesPolicy**, and choose **OktaListRolesPolicy** from the search results. 

1. Choose **Next: Tags**, and then choose **Next: Review**. 

1. Choose **Create user**. Now you can get the access key.

1. Download the key file by choosing **Download .csv**. The file contains the same access key ID and secret access key that display on this screen. However, because AWS doesn't display this information a second time, make sure to download the file. This is a long-lived credential: the attached policy allows only the two read-only `iam:List*` actions, so the key can't be used to change anything, but store the file securely and rotate the key on your usual schedule.

1. Verify that you completed this step correctly by doing the following:

   1. Open the IAM console, and choose **Users**. Search for **OktaSSOUser**, and open it by choosing the username from the search results.

   1. On the **Permissions** tab, verify that the **OktaListRolesPolicy** is attached. 

   1. Expand the policy and verify that the text matches what is shown in this procedure. 

   1. On the **Security credentials** tab, you can check the access key, although you already downloaded it. You can return to this tab to create an access key when you need a new one.

In the following procedure, you return to Okta to provide the access key. The access key works with your new security settings to allow AWS and the Okta IdP to work together.

**To finish configuring the Okta application with AWS settings**

1. Return to your Okta dashboard. If requested to do so, sign in. If the developer console is no longer open, choose **Admin** to reopen it.

1. If you have to reopen Okta, you can return to this section by following these steps:

   1. Sign in to Okta. Choose **Applications**.

   1. Choose **AWS Account Federation - Amazon Quick**—the application that you created at the beginning of this tutorial.

   1. Choose the **Sign On** tab, between **General** and **Mobile**.

1. Scroll to **Advanced Sign-On Settings**.

1. For **Identity Provider ARN (Required only for SAML IAM federation)**, enter the provider ARN from the previous procedure, for example: 

   ```
   arn:aws:iam::111122223333:saml-provider/Okta
   ```

1. Choose **Done** or **Save**. The name of the button varies depending if you are creating or editing the application.

1. Choose the **Provisioning** tab, and at the lower part of the tab, choose **Configure API Integration**.

1. Turn on **Enable API integration** to display the settings.

1. For **Access Key** and **Secret Key**, enter the access key ID and secret access key from the `OktaSSOUser_credentials.csv` file that you downloaded previously.

1. Choose **Test API Credentials**. Look above the **Enable API integration** setting for a message confirming that **AWS Account Federation was verified successfully**.

1. Choose **Save**.

1. Make sure that **To App** is highlighted at left, and choose **Edit** at right.

1. For **Create Users**, turn on the option **Enable**.

1. Choose **Save**.

1. On the **Assignments** tab, near **Provisioning** and **Import**, choose **Assign**.

1. Do one or more of the following to enable federated access:
   + To work with individual users, choose **Assign to People**.
   + To work with Okta groups, choose **Assign to Groups**. You can choose specific Okta groups or **Everyone (All users in your organization)**.

1. For each Okta user or group, do the following:

   1. Choose **Assign**, **Role**.

   1. Select **QuicksightOktaFederatedRole** from the list of IAM roles.

   1. For **SAML User Roles**, enable **QuicksightOktaFederatedRole**.

1. Choose **Save and Go Back**, and then choose **Done**.

1. Verify that you completed this step correctly by choosing the **People** or **Groups** filter at left, and checking the users or groups that you entered. If you can't complete this process because the role that you created doesn't appear in the list, return to the previous procedures to verify the settings.

**To sign in to Amazon Quick using Okta (IdP to service provider sign-in)**

1. If you are using an Okta administrator account, switch to user mode. 

1. Sign in to your Okta Applications dashboard with a user that has been granted federated access. You should see a new application with your label, for example **AWS Account Federation - Amazon Quick**. 

1. Choose the application icon to launch **AWS Account Federation - Amazon Quick**.

You can now manage identities using Okta and use federated access with Quick.

The following procedure is an optional part of this tutorial. If you follow its steps, you authorize Amazon Quick to forward authentication requests to the IdP on behalf of your users. With this service-provider-initiated flow, users can sign in at the Amazon Quick URL without first signing in on the IdP page.

**(Optional) To set up Amazon Quick to send authentication requests to Okta**

1. Open Amazon Quick, and choose **Manage Amazon Quick** from your profile menu.

1. Choose **Single sign-on (IAM federation)** from the navigation pane.

1. For **Configuration**, **IdP URL**, enter the URL that your IdP provides to authenticate users, for example `https://dev-1-----0.okta.com/home/amazon_aws/0oabababababaGQei5d5/282`. You can find this in your Okta app page, on the **General** tab, in **Embed Link**.

1. For **IdP redirect URL parameter**, enter `RelayState`. 

1. Do one of the following: 
   + To test signing in with your identity provider first, use the custom URL provided in **Test starting with your IdP**. You should arrive at the start page for Amazon Quick, for example https://quicksight.aws.amazon.com/sn/start.
   + To test signing in with Amazon Quick first, use the custom URL provided in **Test the end-to-end experience**. The `enable-sso` parameter is appended to the URL. If `enable-sso=1`, IAM federation attempts to authenticate. If `enable-sso=0`, Amazon Quick doesn't send the authentication request, and you sign in to Amazon Quick as before.

1. For **Status**, choose **ON**.

1. Choose **Save** to keep your settings.

You can create a deep link to an Amazon Quick dashboard to allow users to use IAM federation to connect directly to specific dashboards. To do this, you append the `RelayState` parameter and the dashboard URL to the Okta single sign-on URL, as described following.

**To create a deep link to an Amazon Quick dashboard for single sign-on**

1. Locate the Okta application's single sign-on (IAM federation) URL in the `metadata.xml` file that you downloaded at the beginning of the tutorial. You can find the URL near the bottom of the file, in the element named `md:SingleSignOnService`. The attribute is named `Location` and the value ends with `/sso/saml`, as shown in the following example.

   ```
   <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://dev-0000001.okta.com/app/amazon_aws/abcdef2hATwiVft645d5/sso/saml"/>
   ```

1. Take the IAM federation URL and append `?RelayState=` followed by the URL of your Amazon Quick dashboard. The `RelayState` parameter carries the URL that the user was trying to reach when they were redirected to the authentication URL, so that Okta can send them there after sign-in. The resulting URL should resemble the following.

   ```
   https://dev-1-----0.okta.com/app/amazon_aws/abcdef2hATwiVft645d5/sso/saml?RelayState=https://us-west-2.quicksight.aws.amazon.com/sn/analyses/12a12a2a-121a-212a-121a-abcd12abc1ab
   ```

1. If the link you create doesn't open, check that you are using the most recent IAM federation URL from the `metadata.xml`. Also check that the username you use to sign in isn't assigned in more than one IAM federation Okta app.
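As an added example that is not part of the Amazon Quick documentation, the following Python script performs the deep-link procedure above: it parses `metadata.xml` for the HTTP-Redirect `SingleSignOnService` location and appends a `RelayState` parameter. The metadata it embeds is a constructed, trimmed copy of the earlier sample with placeholder tenant and app IDs. Two choices go beyond the page: the `RelayState` value is percent-encoded (the standard query-string form, which matters if the dashboard URL itself carries a query string), and targets that aren't `https` Amazon Quick hosts are refused, so a generated link can't bounce users to another site after sign-in.

```python
"""Added example (not Amazon Quick documentation code): build an IdP-initiated
deep link to a Quick dashboard from an Okta SAML metadata file."""
import xml.etree.ElementTree as ET
from urllib.parse import urlencode, urlsplit

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample: a trimmed metadata.xml with placeholder tenant and app IDs.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://www.okta.com/abcdef2hATwiVft645d5">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://dev-0000001.okta.com/app/amazon_aws/abcdef2hATwiVft645d5/sso/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://dev-0000001.okta.com/app/amazon_aws/abcdef2hATwiVft645d5/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def sso_redirect_url(metadata_xml):
    """Return the Location of the HTTP-Redirect SingleSignOnService, or raise."""
    root = ET.fromstring(metadata_xml)
    for svc in root.iterfind(".//md:SingleSignOnService", NS):
        if svc.get("Binding") == HTTP_REDIRECT:
            return svc.get("Location")
    raise ValueError("metadata has no HTTP-Redirect SingleSignOnService")


def is_quick_url(target):
    """Accept only https URLs on quicksight.aws.amazon.com or a Region-prefixed
    subdomain of it, so the RelayState can't point users somewhere else."""
    parts = urlsplit(target)
    host = parts.hostname or ""
    return parts.scheme == "https" and (
        host == "quicksight.aws.amazon.com" or host.endswith(".quicksight.aws.amazon.com")
    )


def deep_link(metadata_xml, dashboard_url):
    """SSO URL + RelayState=<percent-encoded dashboard URL>."""
    if not is_quick_url(dashboard_url):
        raise ValueError(f"refusing non-Quick RelayState target: {dashboard_url}")
    sso = sso_redirect_url(metadata_xml)
    separator = "&" if "?" in sso else "?"
    return sso + separator + urlencode({"RelayState": dashboard_url})


if __name__ == "__main__":
    print(deep_link(
        SAMPLE_METADATA,
        "https://us-west-2.quicksight.aws.amazon.com/sn/dashboards/12a12a2a-121a-212a-121a-abcd12abc1ab",
    ))
```

To use it against your own tenant, read the downloaded `metadata.xml` from disk in place of `SAMPLE_METADATA`; the troubleshooting advice in the last step still applies, since a stale metadata file yields a stale SSO URL.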

# Using Active Directory with Amazon Quick Enterprise edition
<a name="aws-directory-service"></a>


|  | 
| --- |
|  Applies to:  Enterprise Edition  | 


|  | 
| --- |
|    Intended audience:  System administrators  | 

**Note**  
IAM identity federation doesn't support syncing identity provider groups with Amazon Quick.

Amazon Quick Enterprise edition supports both [AWS Directory Service for Microsoft Active Directory](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/directory_microsoft_ad.html) and [Active Directory Connector](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/directory_ad_connector.html). 

To create a new directory to be your identity manager for Quick, use AWS Directory Service for Microsoft Active Directory, also known as AWS Managed Microsoft AD. This is an Active Directory hosted in the AWS Cloud that offers most of the functionality of on-premises Active Directory. Currently, you can connect to Active Directory in any AWS Region supported by Amazon Quick, except for Asia Pacific (Singapore). When you create a directory, you use it with a virtual private cloud (VPC). For more information, see [VPC](https://docs.aws.amazon.com/quicksight/latest/user/vpc-amazon-virtual-private-cloud.html).

If you have an existing directory that you want to use for Quick, you can use Active Directory Connector. This service redirects directory requests to your Active Directory—in another AWS Region or on-premises—without caching any information in the cloud.

For a walkthrough about creating and managing a directory with AWS Managed Microsoft AD, see [Use an AWS Managed Microsoft AD with Quick?](https://aws.amazon.com/premiumsupport/knowledge-center/quicksight-authenticate-active-directory/) in the AWS Knowledge Center. 

When you use AWS Directory Service to launch a directory, AWS creates an organizational unit (OU) with the same name as your domain. AWS also creates an administrative account with delegated administrative rights for the OU. You can create accounts, groups, and policies within the OU by using Active Directory users and groups. For more information, see [ Best Practices for AWS Managed Microsoft AD](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/ms_ad_best_practices.html) in the *Directory Service Administration Guide.*

After you establish your directory, you use it with Quick by creating groups for users. Amazon Quick has six specific user roles that can be assigned, including Pro versions that provide access to advanced capabilities:
+ **Quick admins** – Admins can change account settings and manage user accounts. Admins can also purchase additional Amazon Quick user subscriptions or [SPICE](https://docs.aws.amazon.com/quicksight/latest/user/spice.html) capacity, or cancel the subscription to Amazon Quick for your AWS account. Admin Pro users have additional capabilities including creating content using natural language, building knowledge bases, configuring actions, and accessing advanced automation workflows.
+ **Quick authors** – Amazon Quick authors can create data sources, datasets, analyses, and dashboards. They can share analyses and dashboards with other Amazon Quick users. Author Pro users can additionally create content using natural language, build knowledge bases, configure actions, and access advanced automation capabilities.
+ **Quick readers** – Readers can view and interact with dashboards that were created by someone else. Reader Pro users have access to advanced features including AI chat agents, collaborative spaces, flows, and extensions.

You can add or refine access by applying IAM policies. For example, you can use IAM policies to allow users to subscribe themselves.

When you subscribe to Amazon Quick Enterprise edition and choose Active Directory as your identity provider, you can associate your AD groups with Amazon Quick. You can also add or change your AD groups later on.

**Topics**
+ [Directory integration with Quick Enterprise edition](#directory-integration)

## Directory integration with Quick Enterprise edition
<a name="directory-integration"></a>


|  | 
| --- |
|  Applies to:  Enterprise Edition  | 


|  | 
| --- |
|    Intended audience:  System administrators  | 

**Note**  
IAM identity federation doesn't support syncing identity provider groups with Amazon Quick.

Quick Enterprise supports the following options:
+ AWS Directory Service 
+ AWS Directory Service with AD Connector
+ On-premises Active Directory with IAM federation or AD Connector
+ IAM federation using AWS IAM Identity Center or another third-party federation service

If you want to use IAM federation with an on-premises Active Directory, you implement AWS Directory Service as a separate Active Directory with a trust relationship to the on-premises Active Directory. 

If you want to avoid using a trust relationship, you can deploy a standalone domain for authentication within AWS. Then you can create users and groups in Active Directory. You'd then map them to users and groups in Quick. In this example, users authenticate using their Active Directory login credentials. To make access to Quick transparent to your users, use IAM federation in this scenario.

# Using multi-factor authentication (MFA) with Amazon Quick
<a name="using-multi-factor-authentication-mfa"></a>


|  | 
| --- |
|    Applies to: Enterprise Edition and Standard Edition  | 


|  | 
| --- |
|    Intended audience:  System administrators  | 

**Important**  
Amazon Quick recommends that you integrate new Quick subscriptions with IAM Identity Center for identity management. This IAM identity federation user guide is provided as a reference for existing account configurations. For more information on integrating your Quick account with IAM Identity Center, see [Configure your Quick account with IAM Identity Center](https://docs.aws.amazon.com/quicksight/latest/user/sec-identity-management-identity-center.html).

**Note**  
IAM identity federation doesn't support syncing identity provider groups with Amazon Quick.

There are several ways that you can use multi-factor authentication (MFA) with Quick. You can use it with AWS Identity and Access Management (IAM). You can use it with AD Connector or your [AWS Directory Service](https://aws.amazon.com/directoryservice/) for Microsoft Active Directory, also known as AWS Microsoft Active Directory or AWS Managed Microsoft Active Directory. And if you use an external identity provider (IdP), AWS doesn't need to have any information about MFA because that is part of the authentication handled by the IdP. 

For more information, see the following:
+ [Using multi-factor authentication (MFA) in AWS](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa.html) in the IAM User Guide
+ [Enable Multi-Factor Authentication for AWS Managed Microsoft AD](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/mfa_ad.html) in the AWS Directory Service Administration Guide
+ [Enable Multi-Factor Authentication for AD Connector](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/ad_connector_mfa.html) in the AWS Directory Service Administration Guide

If you're a developer, see the following:
+ [How do I use an MFA token to authenticate access to my AWS resources through the AWS CLI](https://aws.amazon.com/premiumsupport/knowledge-center/authenticate-mfa-cli/) in the [AWS Knowledge Center](https://aws.amazon.com/premiumsupport/knowledge-center/)
+ [Configuring MFA-protected API access](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_configure-api-require.html) in the IAM User Guide