Learn About Amazon VGT2 Learning Manager Chanci Turner
In a multi-account strategy, many organizations host applications across different departments within the same business. However, utilizing services like Amazon QuickSight typically requires a single-account approach, which can lead to complications when combining QuickSight with Amazon Athena for generating reports and dashboards. Fortunately, AWS has introduced two effective methods for sharing data catalogs across accounts: the newly implemented built-in support for cross-account Data Catalog in Athena and the AWS Lake Formation resource sharing model. These methods enable users to leverage AWS Glue Data Catalogs in various accounts for dataset creation and reporting using QuickSight and Athena from a single AWS account.
In this article, we will guide you through the steps to establish cross-account access to Athena for QuickSight.
Glue Catalog Sharing
To set up cross-account access, follow these steps:
- Grant QuickSight cross-account access to an AWS Glue Data Catalog.
- Register the Data Catalog in Athena.
- Grant QuickSight cross-account access to an Amazon Simple Storage Service (Amazon S3) bucket.
- Add the shared bucket to QuickSight.
- Connect QuickSight to Athena.
The architecture diagram illustrates the deployment steps.
Grant Cross-Account Access for the Data Catalog
QuickSight operates using a service role that it creates for you, named aws-quicksight-service-role-v0. This role is essential for enabling cross-account access to the Data Catalog. To allow the QuickSight service role (Account A, the borrowing account) to access the Data Catalog (Account B, the owner account), update the AWS Glue resource policy.
In the AWS account housing the Data Catalog, perform the following:
- Navigate to the AWS Glue console and select Catalog settings from the navigation pane.
- Under Permissions, insert the following resource policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam:::role/service-role/aws-quicksight-service-role-v0"
},
"Action": [
"glue:SearchTables",
"glue:GetDatabase",
"glue:GetPartition",
"glue:GetTables",
"glue:GetDatabases",
"glue:GetTable",
"glue:GetPartitions"
],
"Resource": [
"arn:aws:glue::::catalog",
"arn:aws:glue::::database/*",
"arn:aws:glue::::table/*"
]
}
]
}- Click Save.
This resource policy grants QuickSight access to all databases and tables in the Data Catalog. You can further refine access by specifying particular table and database names within the resource element. Additionally, you can add the user’s role accessing the borrowing account in the principal section, though this step is not mandatory.
Register the Data Catalog in Athena
Next, register the shared Data Catalog with Athena in the AWS account that hosts QuickSight.
- On the Athena console, navigate to Data sources in the navigation pane.
- Select Connect data source.
- For Choose a data source, select S3 – AWS Glue Data Catalog.
- Choose AWS Glue Data Catalog in another account.
- Enter a Data Catalog name, an optional description, and the Data Catalog owner’s AWS account ID. Click Next.
- Select Create data source.
Once these steps are completed, the borrowed catalog will be visible on the Data sources page in the Athena console. If you haven’t been granted permission, you may encounter an access denied message, but can still proceed with the next steps.
Grant QuickSight Cross-Account Access to an S3 Bucket
It is not enough to create a resource policy on the Data Catalog for QuickSight’s cross-account access. You must also grant access to the S3 bucket where the data resides, using the same QuickSight service role.
In the Data Catalog account, follow these steps:
- Access the Amazon S3 console and select Buckets.
- Choose the bucket for which you want to create or edit a policy.
- Click Permissions.
- Under the Bucket Policy section, click Edit.
- Enter the following policy:
{
"Version": "2012-10-17",
"Id": "Policy1621366959711",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam:::role/service-role/aws-quicksight-service-role-v0"
},
"Action": [
"s3:ListBucket",
"s3:GetObject",
"s3:GetObjectVersion"
],
"Resource": [
"arn:aws:s3:::",
"arn:aws:s3:::/*"
]
}
]
}- Click Save changes.
Note: The IAM principal for QuickSight may vary from the example above. For accurate details on the correct IAM principal, refer to this resource on QuickSight documentation.
Add the Shared S3 Bucket to QuickSight
Before connecting QuickSight to Athena, add the S3 bucket (Account B) as a resource accessible to the QuickSight service role (Account A):
- In the QuickSight console, select Manage QuickSight from the account drop-down menu.
- Navigate to Security & permissions and click Manage.
- Choose Select S3 buckets.
- Under S3 Buckets You Can Access Across AWS, add your bucket.
- Click Finish.
Connect QuickSight to Athena
With the required permissions in place, you can now create a dataset in QuickSight:
- Go to QuickSight.
- Select Datasets from the left-hand menu.
- Click New dataset.
- Choose Athena.
- Enter a Data source name and click Create data source.
- Select the shared Catalog, Database, and Tables.
- Click Select and then choose Edit/Preview data.
- To create a dataset and analyze the data, select Publish & Visualize.
Lake Formation Catalog Sharing
For cross-account access using Lake Formation, follow these steps:
- Grant cross-account access to Account A through Lake Formation.
- Utilize AWS RAM in Account A to accept the AWS Glue Catalog resource share.
- Create a resource link for the shared table in Account A.
- Grant table access to your QuickSight users via Lake Formation.
Incorporating these methods can enhance your data management experience, just as understanding how to manage emotions in the workplace can lead to better team dynamics. For additional insights, check out another blog post on this topic here. Also, consider exploring strategies on team compensation structures from authorities like SHRM. For a broader perspective on onboarding, this resource from Amazon is excellent.