Granting QuickSight access to Secrets Manager and selected secrets

If you're an administrator and you have secrets in Secrets Manager, you can grant Amazon QuickSight read-only access to selected secrets.

To grant QuickSight access to Secrets Manager and selected secrets

In QuickSight, choose your user icon on the upper right, and then choose Manage QuickSight.
Choose Security & permissions on the left.
Choose Manage in QuickSight access to AWS resources.
In Allow access and autodiscovery for these resources, choose AWS Secrets Manager, Select secrets.

The AWS Secrets Manager secrets page opens.
Select the secrets that you want to grant QuickSight read-only access to.

Secrets in your QuickSight sign-up Region are shown automatically. To select secrets outside your home Region, choose Secrets in Other AWS Regions, and then enter the Amazon Resource Names (ARNs) for those secrets.
When you're done, choose Finish.

QuickSight creates an IAM role called aws-quicksight-secretsmanager-role-v0 in your account. It grants users in the account read-only access to the specified secrets and looks similar to the following:
```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetSecretValue"
      ],
      "Resource": [
        "arn:aws:secretsmanager:region:accountId:secret:secret_name"
      ]
    }
  ]
}
```
When QuickSight users create analyses from or view dashboards that use a data source with secrets, QuickSight assumes this Secrets Manager IAM role. For more information about secret permissions policies, see Authentication and access control for AWS Secrets Manager in the AWS Secrets Manager User Guide.

The specified secret in the QuickSight IAM role may have an additional resource policy that denies access. For more information, see Attach a permissions policy to a secret in the AWS Secrets Manager User Guide.

If you're using an AWS managed AWS KMS key to encrypt your secret, QuickSight doesn't require any additional permissions setup in Secrets Manager.

If you're using a customer managed key to encrypt your secret, ensure that the QuickSight IAM role, aws-quicksight-secretsmanager-role-v0 has kms:Decrypt permissions. For more information, see Permissions for the KMS key in the AWS Secrets Manager User Guide.

For more information about the types of keys used in AWS Key Management Service, see Customer keys and AWS keys in the AWS Key Management Service guide.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Using Secrets Manager secrets instead of database credentials

Creating or updating a data source with secret credentials using the QuickSight API