Using OpenSearch permissions


After you configure QuickSight to connect to OpenSearch Service, you might need to enable permissions in OpenSearch. For this part of the setup process, you can use the OpenSearch Dashboards link for each OpenSearch domain. Use the following list to help determine what permissions you need:

  1. For domains that use fine-grained access control, configure permissions in the form of a role. This process is similar to using scoped-down policies in QuickSight.

  2. For each domain that you create a role for, add a role mapping.

For more information, see the following.

If your OpenSearch domain has fine-grained access control enabled, there are some permissions to configure so the domain is accessible from QuickSight. Perform these steps for each domain that you want to use.

The following procedure uses OpenSearch Dashboards, which is an open-source tool that works with OpenSearch. You can find the link to Dashboards on the domain dashboard on the OpenSearch Service console.

To add permissions to a domain to allow access from QuickSight
  1. Open OpenSearch Dashboards for the OpenSearch domain that you want to work with. The URL is opensearch-domain-endpoint/dashboards/.

  2. Choose Security from the navigation pane.

    If you don't see the navigation pane, open it by using the menu icon at upper left. To keep the menu open, choose Dock navigation at lower left.

  3. Choose Roles, Create role.

  4. Name the role quicksight_role.

    You can choose a different name, but we recommend this one because we use it in our documentation and it's thus easier to support.

  5. Under Cluster permissions, add the following permissions:

    • cluster:monitor/main

    • cluster:monitor/health

    • cluster:monitor/state

    • indices:data/read/scroll

    • indices:data/read/scroll/clear

  6. Under Index permissions, specify * as the index pattern.

  7. For Index permissions, add the following permissions:

    • indices:admin/get

    • indices:admin/mappings/get

    • indices:admin/mappings/fields/get*

    • indices:data/read/search*

    • indices:monitor/settings/get

  8. Choose Create.

  9. Repeat this procedure for each OpenSearch domain that you're planning to use.

Use the following procedure to add a role mapping for the permissions that you added in the previous procedure. You might find it more efficient to add the permissions and the role mapping as part of a single process. These instructions are separate for clarity.

To create a role mapping for the IAM role you added
  1. Open OpenSearch Dashboards for the OpenSearch domain that you want to work with. The URL is opensearch-domain-endpoint/dashboards/.

  2. Choose Security from the navigation pane.

  3. Search for and open quicksight_role from the list.

  4. On the Mapped users tab, choose Manage mapping.

  5. In the Backend roles section, enter the ARN of the AWS-managed IAM role for QuickSight. Following is an example.

    arn:aws:iam::AWS-ACCOUNT-ID:role/service-role/aws-quicksight-service-role-v0

  6. Choose Map.

  7. Repeat this procedure for each OpenSearch domain that you want to use.
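The role and role mapping from the two procedures above can also be expressed as request bodies for the OpenSearch Security plugin REST API, which makes it possible to audit a domain's role for drift from the documented permission set. The following is an added example, not part of the original documentation; the function names, the `index_pattern` parameter, the account ID, and the drifted sample role are constructed for illustration.

```python
import json

# Permissions exactly as listed in the two procedures above.
CLUSTER_PERMISSIONS = [
    "cluster:monitor/main",
    "cluster:monitor/health",
    "cluster:monitor/state",
    "indices:data/read/scroll",
    "indices:data/read/scroll/clear",
]
INDEX_PERMISSIONS = [
    "indices:admin/get",
    "indices:admin/mappings/get",
    "indices:admin/mappings/fields/get*",
    "indices:data/read/search*",
    "indices:monitor/settings/get",
]

def role_body(index_pattern="*"):
    """Body for PUT _plugins/_security/api/roles/quicksight_role."""
    return {
        "cluster_permissions": list(CLUSTER_PERMISSIONS),
        "index_permissions": [
            {"index_patterns": [index_pattern], "allowed_actions": list(INDEX_PERMISSIONS)}
        ],
    }

def mapping_body(account_id):
    """Body for PUT _plugins/_security/api/rolesmapping/quicksight_role."""
    arn = f"arn:aws:iam::{account_id}:role/service-role/aws-quicksight-service-role-v0"
    return {"backend_roles": [arn]}

def audit_role(role):
    """Compare a role (as returned by GET on the roles endpoint) with the documented set."""
    cluster = set(role.get("cluster_permissions", []))
    index = set()
    for entry in role.get("index_permissions", []):
        index.update(entry.get("allowed_actions", []))
    return {
        "extra": sorted((cluster - set(CLUSTER_PERMISSIONS)) | (index - set(INDEX_PERMISSIONS))),
        "missing": sorted((set(CLUSTER_PERMISSIONS) - cluster) | (set(INDEX_PERMISSIONS) - index)),
    }

if __name__ == "__main__":
    # Constructed sample: a role that gained a write action and lost a read action.
    drifted = role_body()
    drifted["index_permissions"][0]["allowed_actions"].append("indices:data/write/index")
    drifted["cluster_permissions"].remove("cluster:monitor/state")
    print(json.dumps(audit_role(drifted), indent=2))
```

Any entry under `extra` is a permission the QuickSight role holds beyond what the procedure lists and is worth reviewing before the role mapping is kept in place.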

© 2025, Amazon Web Services, Inc. or its affiliates. All rights reserved.