AWS QuickSight access for resources in different accounts

Elman Badalov
Apr 18, 2022

Hello everyone, I’m back with another good article. Today, I will walk through why and how to use the AWS QuickSight service. First, we will look at the services that are used with QuickSight. Then we will see in detail what is needed to use these services across two different accounts. With the help of the IAM service, we will grant the Role defined for QuickSight access to the other services, and in this way connect the QuickSight and Athena services in account A to the S3, Lambda and Glue services in account B. We will see together how easily these services can be connected to each other, even across two different accounts. If you are ready, let’s start a new case together 🙂

Our Case

What is AWS QuickSight service ?🤔

Amazon QuickSight allows everyone in your organization to understand your data by asking questions in natural language, exploring through interactive dashboards, or automatically looking for patterns and outliers powered by machine learning. So QuickSight Service is managed by AWS. QuickSight powers millions of dashboard views weekly for customers, allowing their end-users to make better data-driven decisions.

AWS QuickSight Dashboards

Amazon QuickSight can use Athena to import data from S3, the Glue service or other database services. Sometimes we can use Lambda to get data from all of these services. QuickSight runs queries against the databases through Athena. There are lots of dashboards built on this data, and all of the dashboards are powered by AWS.

What is AWS Athena service ? 🤔

Amazon Athena is an interactive query service that makes it easy to analyze data in Amazon S3 using standard SQL. Athena is serverless, so there is no infrastructure to manage, and you pay only for the queries that you run.

Athena is easy to use. Simply point to your data in Amazon S3, define the schema, and start querying using standard SQL. Most results are delivered within seconds. With Athena, there’s no need for complex ETL jobs to prepare your data for analysis. This makes it easy for anyone with SQL skills to quickly analyze large-scale datasets.

AWS Athena Service

Athena is out-of-the-box integrated with AWS Glue Data Catalog, allowing you to create a unified metadata repository across various services, crawl data sources to discover schemas and populate your Catalog with new and modified table and partition definitions, and maintain schema versioning.

What is S3 ? 🤔

Amazon Simple Storage Service (Amazon S3) is an object storage service that offers industry-leading scalability, data availability, security, and performance.

What is AWS Glue ?🤔

AWS Glue is a serverless data integration service that makes it easy to discover, prepare, and combine data for analytics, machine learning, and application development. AWS Glue provides all the capabilities needed for data integration so that you can start analyzing your data.

AWS Glue and Data Catalog using

Data integration is the process of preparing and combining data for analytics, machine learning, and application development. It involves multiple tasks, such as discovering and extracting data from various sources; enriching, cleaning, normalizing, and combining data; and loading and organizing data in databases, data warehouses, and data lakes.

AWS Glue Service can be used by QuickSight and Athena Services.

What is Lambda ?🤔

Lambda is a compute service that lets you run code without provisioning or managing servers. Lambda runs your code on a high-availability compute infrastructure and performs all of the administration of the compute resources, including server and operating system maintenance, capacity provisioning and automatic scaling, code monitoring and logging.

Let’s start our case.

In our case, the first step is to attach the QuickSight service to Athena. Then, once QuickSight is set up, we will connect it to S3, Glue and Lambda in the other account by using the Role given to us. In this way, we will have access to all of these services through Athena on QuickSight. We will first see, through examples, how we connect to Athena. Let’s start 😃

Connecting to Athena on QuickSight

In the first step, we need to create a new dataset. We need to enter every service that we will use and access in the settings section of QuickSight. If we do not want to do this from the settings, we can do it on the default role given to us, by attaching policies to it for the services we will use. I will present both ways. The first way is to add the services to QuickSight from the settings: click on the User, choose Manage QuickSight, and then click Security & permissions in the left menu. There we can grant access to the service we want by using the Manage button.

Permissions in QuickSight

As you can see here, when we give access to services, the role is adjusted automatically. However, with the second way we can define the permissions through the IAM service, without using the QuickSight settings. For this, we define a usage policy for these services on the relevant Role in IAM. We can attach the policies to the default “aws-quicksight-service-role-v0” Role defined for us.

Policies for QuickSight Default Role

Now we can choose Athena among the Data Sources offered to us by going to New Analysis -> New Dataset. Having given access to the other services, we can now start using the QuickSight service via Athena. Here, it is enough to select the Athena workgroup.

QuickSight and Athena

Connecting to S3

To connect to S3, we first need a bucket. Then we need to enter a Bucket Policy in the Permissions tab of the bucket. In this way, we grant access to the QuickSight service located in a different account.

Bucket Policy in S3

We can define a policy like the one below to enable the QuickSight service to access S3. This is an example policy; you can update it to suit your own work. It is enough to add this policy by choosing Edit on Bucket Policy. Access will then be complete.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<account_id>:root"
            },
            "Action": [
                "s3:GetBucketLocation",
                "s3:GetObject",
                "s3:ListBucket",
                "s3:ListBucketMultipartUploads",
                "s3:ListMultipartUploadParts",
                "s3:AbortMultipartUpload",
                "s3:PutObject"
            ],
            "Resource": [
                "arn:aws:s3:::<bucket_name>",
                "arn:aws:s3:::<bucket_name>/*"
            ]
        }
    ]
}

The <account_id> and <bucket_name> used in the example should be set according to your case.

Connecting to Glue Service and Data Catalog

Now we will see what we need to do to connect to the Glue service from QuickSight. First, we log in to the Glue service. Then we click on the Settings tab in the left menu. Here we come to the Permissions section. By entering the policy here, we will be connected to the Glue service via QuickSight.

Permissions in AWS Glue

Preparing a policy like the sample policy below will be enough to complete the connection.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<account_id>:root"
            },
            "Action": [
                "glue:GetDatabase",
                "glue:GetDatabases",
                "glue:GetPartition",
                "glue:GetPartitions",
                "glue:GetTable",
                "glue:GetTables"
            ],
            "Resource": [
                "arn:aws:glue:<region>:<account_id>:catalog",
                "arn:aws:glue:<region>:<account_id>:database/*"
            ]
        }
    ]
}

Here we need to fill in parameters such as <account_id> and <region> in accordance with the case.
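
As an added example (not from the original article): both resource policies above name the other account's root as the Principal, which trusts every identity in that account whose own IAM policy allows the actions, while the Lambda step on this page names the QuickSight role itself. The Python sketch below flags that pattern and rewrites the principal to the role; the account ID, bucket name and the role's `service-role/` path are constructed assumptions.

```python
import copy

# Constructed sample values; the role path is an assumption, copy the real ARN from IAM.
ACCOUNT_A = "111111111111"  # account that runs QuickSight and Athena
ROLE_ARN = f"arn:aws:iam::{ACCOUNT_A}:role/service-role/aws-quicksight-service-role-v0"
BUCKET_POLICY = {  # the page's bucket policy with the placeholders filled in
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_A}:root"},
        "Action": ["s3:GetBucketLocation", "s3:GetObject", "s3:ListBucket",
                   "s3:ListBucketMultipartUploads", "s3:ListMultipartUploadParts",
                   "s3:AbortMultipartUpload", "s3:PutObject"],
        "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
    }]}
WRITE_VERBS = ("Put", "Delete", "Abort", "Create", "Update")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def audit(policy):
    """Return (statement index, finding) pairs for the Allow statements."""
    findings = []
    for i, stmt in enumerate(_as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        arns = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        for arn in arns:
            if arn == "*" or arn.endswith(":root") or arn.isdigit():
                findings.append((i, "principal is not a single identity: " + arn))
        writes = sorted(a for a in _as_list(stmt.get("Action", []))
                        if a.split(":")[-1].startswith(WRITE_VERBS))
        if writes:  # check whether the consumer needs these on every resource listed
            findings.append((i, "write actions: " + ", ".join(writes)))
    return findings

def scope_to_role(policy, role_arn):
    """Return a copy with each account-root principal replaced by role_arn."""
    scoped = copy.deepcopy(policy)
    for stmt in _as_list(scoped["Statement"]):
        principal = stmt.get("Principal")
        if isinstance(principal, dict) and "AWS" in principal:
            principal["AWS"] = [role_arn if a.endswith(":root") else a
                                for a in _as_list(principal["AWS"])]
    return scoped

if __name__ == "__main__":
    print(audit(BUCKET_POLICY), audit(scope_to_role(BUCKET_POLICY, ROLE_ARN)), sep="\n")
```

The same two functions work unchanged on the Glue policy, where only the principal finding applies because every action there is a read.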

Connecting to Lambda

To connect to Lambda, we need to add a policy under Resource-Based Policy on the Lambda function. After choosing Add Permissions on the Resource-Based Policy, as shown below, it is enough to enter the ARN of the default Role that QuickSight gave us as the Principal. Then, once we grant lambda:InvokeFunction in the Action section below, the QuickSight service will have access to Lambda in a different account.

Permissions in Lambda

After following the instructions, we can access the S3, Lambda and Glue Data Catalog services in the other account using Athena from the QuickSight service. We now have access to customer-based information using AI on QuickSight, an AWS managed service, and in this way QuickSight will present customer information and new dashboards for us. By displaying customer requests on the dashboard, we can bring new features to our application in line with those requests.

Today, I explained step by step how to use the QuickSight service and access services in other accounts. I hope it was an article you enjoyed reading. Happy reading, and see you in my next articles… 😊