Many AWS customers use a multi-account strategy to host applications for different departments within the same company. However, you might deploy services like Amazon QuickSight using a single-account approach, which raises challenges when you need to use QuickSight in combination with Amazon Athena to build reports and dashboards. With the recently announced built-in support for cross-account Data Catalogs in Athena, you can now use AWS Glue Data Catalogs in different accounts to create datasets, and build reports and dashboards from a single AWS account using QuickSight and Athena. The result is a serverless data visualization solution that lets you share insights from all your data with all your users.

In this post, I show you how to use this new feature to set up cross-account access to Athena for QuickSight.

Solution overview

To set up cross-account access, you complete the following steps:

  1. Grant QuickSight cross-account access to an AWS Glue Data Catalog.
  2. Register the Data Catalog in Athena.
  3. Grant QuickSight cross-account access to an Amazon Simple Storage Service (Amazon S3) bucket.
  4. Add the shared bucket to QuickSight.
  5. Connect QuickSight to Athena.

The following architecture shows the deployment steps.

[Figure: athena-quicksight-cross-account-architecture]

Grant cross-account access for the Data Catalog

QuickSight uses a service role to interact with other AWS services. QuickSight creates this role for you under the name aws-quicksight-s3-consumers-role-v0. You need this role to allow access to the Data Catalog cross-account share. To allow the QuickSight service role (Account A, the borrower account) to access the Data Catalog (Account B, the owner account), you need to grant cross-account access by updating the AWS Glue resource policy.

In the AWS account of the Data Catalog, complete the following steps:

  1. On the AWS Glue console, choose Settings in the navigation pane.
  2. Under Permissions, enter the following resource policy:
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": { "AWS": "arn:aws:iam::<Account A>:role/service-role/aws-quicksight-s3-consumers-role-v0" },
          "Action": [ "glue:SearchTables", "glue:GetDatabase", "glue:GetPartition", "glue:GetTables", "glue:GetDatabases", "glue:GetTable" ],
          "Resource": [ "arn:aws:glue:<region>:<Account B>:catalog", "arn:aws:glue:<region>:<Account B>:database/*", "arn:aws:glue:<region>:<Account B>:table/*" ]
        }
      ]
    }


  3. Choose Save.

The resource policy gives QuickSight read access to all the databases and tables in the Data Catalog. You can scope it down further by listing the ARNs of specific databases and tables in the Resource element instead of the database/* and table/* wildcards.
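The following Python, added here as an example and not part of the original post or any AWS tooling, builds the catalog resource policy above scoped to named databases and tables, and audits a policy document for grants wider than this setup needs (a principal other than the QuickSight service role, actions outside the read-only set, or wildcard resources). The account IDs, region, database and table names used with it are constructed placeholders.

```python
import re

# Read-only Glue actions the post grants to the QuickSight service role.
GLUE_READ_ACTIONS = ["glue:SearchTables", "glue:GetDatabase", "glue:GetPartition",
                     "glue:GetTables", "glue:GetDatabases", "glue:GetTable"]
ACCOUNT_ID = re.compile(r"^\d{12}$")


def _as_list(value):
    # IAM accepts a string or a list in Principal/Action/Resource; normalize.
    return [value] if isinstance(value, str) else list(value)


def quicksight_role_arn(account_a):
    """ARN of the QuickSight service role in the borrower account (Account A)."""
    if not ACCOUNT_ID.match(account_a):
        raise ValueError(f"invalid AWS account id: {account_a!r}")
    return f"arn:aws:iam::{account_a}:role/service-role/aws-quicksight-s3-consumers-role-v0"


def glue_catalog_policy(account_a, account_b, region, tables):
    """Catalog resource policy for Account B scoped to a {database: [table, ...]}
    mapping instead of the post's database/* and table/* wildcards."""
    base = f"arn:aws:glue:{region}:{account_b}"
    resources = [f"{base}:catalog"]
    for db, names in tables.items():
        resources.append(f"{base}:database/{db}")
        resources += [f"{base}:table/{db}/{t}" for t in names]
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"AWS": quicksight_role_arn(account_a)},
        "Action": list(GLUE_READ_ACTIONS), "Resource": resources}]}


def audit_policy(policy, expected_principal, allowed_actions=GLUE_READ_ACTIONS):
    """Flag Allow statements that grant more than this setup needs: a principal
    other than the QuickSight role, actions outside the read-only set, or a
    wildcard resource (the post's database/* and table/* are reported too)."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        aws = principal if isinstance(principal, str) else principal.get("AWS", [])
        findings += [f"statement {i}: unexpected principal {p}"
                     for p in _as_list(aws) if p != expected_principal]
        findings += [f"statement {i}: action outside read-only set {a}"
                     for a in _as_list(stmt.get("Action", [])) if a not in allowed_actions]
        findings += [f"statement {i}: wildcard resource {r}"
                     for r in _as_list(stmt.get("Resource", [])) if r.endswith("*")]
    return findings
```

Run audit_policy against the policy currently attached to the catalog (for example the output of `aws glue get-resource-policy`) before and after scoping it down; an empty list means every Allow statement is limited to the QuickSight role, the read-only actions, and explicitly named resources.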

The following screenshot shows the Settings page on the AWS Glue console and the catalog UI for updating the resource permission.

[Screenshot: glue-catalog-screenshot-ui]

Register the Data Catalog in Athena

Now you need to register the shared Data Catalog with Athena in the AWS account (borrower) that hosts QuickSight.

  1. On the Athena console, choose Data sources in the navigation pane.
  2. Choose Connect data source.
  3. For Choose where your data is located, select Query data in Amazon S3.
  4. For Choose a metadata catalog, select AWS Glue Data Catalog.
    [Screenshot: athena-add-catalog-ui]
  5. Choose AWS Glue Data Catalog in another account.
  6. For Connection details, enter a Data Catalog name, optional description, and the Data Catalog owner’s AWS account ID.
  7. Choose Register.

When you complete these steps, you can see the borrowed catalog on the Data sources page on the Athena console.

[Screenshot: borrowed-catalog-athena-ui]

Grant QuickSight cross-account access to an S3 bucket

Creating a resource policy on the Data Catalog to allow cross-account access for QuickSight is not sufficient. You also need to grant QuickSight access to the S3 bucket where the data is stored. You grant this to the same QuickSight service role used for the Data Catalog by updating the S3 bucket policy.

In the account of the Data Catalog, complete the following steps:

  1. On the Amazon S3 console, choose Buckets.
  2. Choose the bucket that you want to create a policy for, or whose policy you want to edit.
  3. Choose Permissions.
  4. Enter the following policy:
    {
      "Version": "2012-10-17",
      "Id": "Policy1621366959711",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": { "AWS": "arn:aws:iam::<Account A>:role/service-role/aws-quicksight-s3-consumers-role-v0" },
          "Action": [ "s3:ListBucket", "s3:GetObject", "s3:GetObjectVersion" ],
          "Resource": [ "arn:aws:s3:::<name-of-bucket>", "arn:aws:s3:::<name-of-bucket>/*" ]
        }
      ]
    }

  5. Choose Save changes.

Add the shared S3 bucket to QuickSight

The last step before you can connect QuickSight to Athena is to add the S3 bucket (Account B) as a resource that the QuickSight service role (Account A) can access. To allow your QuickSight service role to access the S3 bucket in another account, perform the following steps:

  1. On the QuickSight console, on the account drop-down menu, choose Manage QuickSight.
  2. Choose Security & permissions.
  3. Choose Add or remove.
  4. Choose Details.
  5. Choose Select S3 buckets.
  6. Under Use a different bucket, add your bucket.
  7. Choose Finish.

Connect QuickSight to Athena

After you set up the necessary permissions, you can follow the instructions in this section to add a dataset in Athena by using the remote (borrowed) Data Catalog.

  1. On the Athena console, choose Datasets in the navigation pane.
  2. Choose New dataset.
  3. Create a new connection profile by providing a data source name and Athena workgroup.
  4. Choose Validate connection.
  5. Choose Create data source.
  6. In the Choose your table section, for Catalog, choose the catalog you created in Athena.
    [Screenshot: quicksight-shared-catalog-ui]
  7. Choose a database and table, then choose Select.
  8. Choose Edit/Preview data.
  9. To create a dataset and analyze the data using the table, choose Visualize.

Conclusion

This post showed how to use the built-in support for a cross-account Data Catalog in Athena with QuickSight when the Data Catalog and the S3 bucket containing the data are in a different account from the one hosting QuickSight. This feature greatly reduces operational overhead by having a single account manage the Data Catalog and its data.

After you set up your data sources, you can join your data across these various sources. You can also use these new data sources to gain further insights from your data by setting up ML Insights in QuickSight and by creating graphical representations of your data using QuickSight visuals.


Lotfi is a Senior Solutions Architect working for the Public Sector team with Amazon Web Services. He helps public sector customers across EMEA realize their ideas, build new services, and innovate for citizens. In his spare time, Lotfi enjoys cycling and running.
