Enabling trusted identity propagation in QuickSight - Amazon QuickSight

To configure QuickSight to connect to Amazon Redshift data sources with trusted identity propagation, add Amazon Redshift OAuth scopes to your QuickSight account.

To add a scope that allows QuickSight to authorize identity propagation to Amazon Redshift, specify the AWS account ID of the QuickSight account and the service that you want to authorize identity propagation with, in this case 'REDSHIFT'.

Specify the IAM Identity Center application ARN of the Amazon Redshift cluster that you are authorizing Amazon QuickSight to propagate user identities to. This information can be found in the Amazon Redshift console. If you don't specify authorized targets for the Amazon Redshift scope, QuickSight authorizes users from any Amazon Redshift cluster that shares the same IAM Identity Center instance. The following example configures QuickSight to connect to Amazon Redshift data sources with trusted identity propagation.

aws quicksight update-identity-propagation-config --aws-account-id "AWSACCOUNTID" --service "REDSHIFT" --authorized-targets "arn:aws:sso::XXXXXXXXXXXX:application/ssoins-XXXXXXXXXXXX/apl-XXXXXXXXXXXX" "arn:aws:sso::XXXXXXXXXXXX:application/ssoins-XXXXXXXXXXXX/apl-XXXXXXXXXXXX"

The following example deletes OAuth scopes from a QuickSight account.

aws quicksight delete-identity-propagation-config --aws-account-id "AWSACCOUNTID" --service "REDSHIFT" --authorized-targets "arn:aws:sso::XXXXXXXXXXXX:application/ssoins-XXXXXXXXXXXX/apl-XXXXXXXXXXXX" "arn:aws:sso::XXXXXXXXXXXX:application/ssoins-XXXXXXXXXXXX/apl-XXXXXXXXXXXX"

The following example lists all OAuth scopes that are currently on a QuickSight account.

aws quicksight list-identity-propagation-configs --aws-account-id "AWSACCOUNTID"
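
The behavior described above, where a scope without authorized targets covers every cluster on the same IAM Identity Center instance, can be checked against the JSON printed by the list command. The following Python script is an added example, not part of the AWS documentation; it assumes the response carries a Services list whose entries have Service and AuthorizedTargets keys, and the function name audit_scopes, the approved-ARN list, and the sample ARNs are constructed for illustration.

```python
import json
import re
import sys

# IAM Identity Center application ARN, in the shape used by the commands on this page.
APP_ARN = re.compile(r"^arn:aws[a-z-]*:sso::\d{12}:application/ssoins-[0-9a-z]+/apl-[0-9a-z]+$")

# Constructed sample response; account ID and application IDs are placeholders.
GOOD = "arn:aws:sso::111122223333:application/ssoins-0123456789abcdef/apl-0123456789abcdef"
EXTRA = "arn:aws:sso::111122223333:application/ssoins-0123456789abcdef/apl-fedcba9876543210"
BROKEN = "arn:aws:sso::111122223333:application/ssoins-0123456789abcdefapl-0123456789abcdef"
SAMPLE_OUTPUT = json.dumps(
    {"Services": [{"Service": "REDSHIFT", "AuthorizedTargets": [GOOD, EXTRA, BROKEN]}]}
)


def audit_scopes(list_output, approved_targets):
    """Return (service, issue) tuples for one list-identity-propagation-configs response."""
    approved = set(approved_targets)
    findings = []
    for entry in json.loads(list_output).get("Services", []):
        service = entry.get("Service", "UNKNOWN")
        targets = entry.get("AuthorizedTargets") or []
        if not targets:
            # No targets: any cluster on the same IAM Identity Center instance is authorized.
            findings.append((service, "no authorized targets"))
            continue
        for arn in targets:
            if not APP_ARN.match(arn):
                findings.append((service, "malformed ARN: " + arn))
            elif arn not in approved:
                findings.append((service, "unapproved target: " + arn))
    return findings


if __name__ == "__main__":
    # Usage: script.py RESPONSE.json APPROVED_ARN...  (no arguments: run the sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            output, approved = fh.read(), sys.argv[2:]
    else:
        output, approved = SAMPLE_OUTPUT, [GOOD]
    results = audit_scopes(output, approved)
    for service, issue in results:
        print(service + ": " + issue)
    sys.exit(1 if results else 0)
```

Save the output of the list command to a file and pass it as the first argument, followed by the application ARNs you expect; a nonzero exit status means at least one scope is broader than, or different from, the approved list.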