The aws:quicksight/dataSet:DataSet resource, part of the Pulumi AWS provider, defines a QuickSight dataset: its data source connection, schema, import mode, and access controls. This guide focuses on three capabilities: SPICE import from S3, column-level and row-level security, and dataset permissions.
Datasets require pre-existing QuickSight data sources and reference users or groups for permission assignment. The examples are intentionally small. Combine them with your own data sources, transformation logic, and organizational structure.
Load data from S3 into SPICE
QuickSight datasets connect to data sources and define schemas. SPICE import mode loads data into QuickSight’s in-memory engine for fast queries.
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const example = new aws.quicksight.DataSet("example", {
dataSetId: "example-id",
name: "example-name",
importMode: "SPICE",
physicalTableMaps: [{
physicalTableMapId: "example-id",
s3Source: {
dataSourceArn: exampleAwsQuicksightDataSource.arn,
inputColumns: [{
name: "Column1",
type: "STRING",
}],
uploadSettings: {
format: "JSON",
},
},
}],
});
import pulumi
import pulumi_aws as aws
example = aws.quicksight.DataSet("example",
data_set_id="example-id",
name="example-name",
import_mode="SPICE",
physical_table_maps=[{
"physical_table_map_id": "example-id",
"s3_source": {
"data_source_arn": example_aws_quicksight_data_source["arn"],
"input_columns": [{
"name": "Column1",
"type": "STRING",
}],
"upload_settings": {
"format": "JSON",
},
},
}])
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/quicksight"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := quicksight.NewDataSet(ctx, "example", &quicksight.DataSetArgs{
DataSetId: pulumi.String("example-id"),
Name: pulumi.String("example-name"),
ImportMode: pulumi.String("SPICE"),
PhysicalTableMaps: quicksight.DataSetPhysicalTableMapArray{
&quicksight.DataSetPhysicalTableMapArgs{
PhysicalTableMapId: pulumi.String("example-id"),
S3Source: &quicksight.DataSetPhysicalTableMapS3SourceArgs{
DataSourceArn: pulumi.Any(exampleAwsQuicksightDataSource.Arn),
InputColumns: quicksight.DataSetPhysicalTableMapS3SourceInputColumnArray{
&quicksight.DataSetPhysicalTableMapS3SourceInputColumnArgs{
Name: pulumi.String("Column1"),
Type: pulumi.String("STRING"),
},
},
UploadSettings: &quicksight.DataSetPhysicalTableMapS3SourceUploadSettingsArgs{
Format: pulumi.String("JSON"),
},
},
},
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var example = new Aws.Quicksight.DataSet("example", new()
{
DataSetId = "example-id",
Name = "example-name",
ImportMode = "SPICE",
PhysicalTableMaps = new[]
{
new Aws.Quicksight.Inputs.DataSetPhysicalTableMapArgs
{
PhysicalTableMapId = "example-id",
S3Source = new Aws.Quicksight.Inputs.DataSetPhysicalTableMapS3SourceArgs
{
DataSourceArn = exampleAwsQuicksightDataSource.Arn,
InputColumns = new[]
{
new Aws.Quicksight.Inputs.DataSetPhysicalTableMapS3SourceInputColumnArgs
{
Name = "Column1",
Type = "STRING",
},
},
UploadSettings = new Aws.Quicksight.Inputs.DataSetPhysicalTableMapS3SourceUploadSettingsArgs
{
Format = "JSON",
},
},
},
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.quicksight.DataSet;
import com.pulumi.aws.quicksight.DataSetArgs;
import com.pulumi.aws.quicksight.inputs.DataSetPhysicalTableMapArgs;
import com.pulumi.aws.quicksight.inputs.DataSetPhysicalTableMapS3SourceArgs;
import com.pulumi.aws.quicksight.inputs.DataSetPhysicalTableMapS3SourceUploadSettingsArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var example = new DataSet("example", DataSetArgs.builder()
.dataSetId("example-id")
.name("example-name")
.importMode("SPICE")
.physicalTableMaps(DataSetPhysicalTableMapArgs.builder()
.physicalTableMapId("example-id")
.s3Source(DataSetPhysicalTableMapS3SourceArgs.builder()
.dataSourceArn(exampleAwsQuicksightDataSource.arn())
.inputColumns(DataSetPhysicalTableMapS3SourceInputColumnArgs.builder()
.name("Column1")
.type("STRING")
.build())
.uploadSettings(DataSetPhysicalTableMapS3SourceUploadSettingsArgs.builder()
.format("JSON")
.build())
.build())
.build())
.build());
}
}
resources:
example:
type: aws:quicksight:DataSet
properties:
dataSetId: example-id
name: example-name
importMode: SPICE
physicalTableMaps:
- physicalTableMapId: example-id
s3Source:
dataSourceArn: ${exampleAwsQuicksightDataSource.arn}
inputColumns:
- name: Column1
type: STRING
uploadSettings:
format: JSON
The physicalTableMaps property defines the data source connection. The s3Source block specifies the data source ARN, column schema via inputColumns, and file format through uploadSettings. Setting importMode to “SPICE” loads data into QuickSight’s in-memory engine rather than querying the source directly.
Restrict column access by user or group
Datasets with sensitive columns need column-level security to control field visibility in analyses and dashboards.
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const example = new aws.quicksight.DataSet("example", {
dataSetId: "example-id",
name: "example-name",
importMode: "SPICE",
physicalTableMaps: [{
physicalTableMapId: "example-id",
s3Source: {
dataSourceArn: exampleAwsQuicksightDataSource.arn,
inputColumns: [{
name: "Column1",
type: "STRING",
}],
uploadSettings: {
format: "JSON",
},
},
}],
columnLevelPermissionRules: [{
columnNames: ["Column1"],
principals: [exampleAwsQuicksightUser.arn],
}],
});
import pulumi
import pulumi_aws as aws
example = aws.quicksight.DataSet("example",
data_set_id="example-id",
name="example-name",
import_mode="SPICE",
physical_table_maps=[{
"physical_table_map_id": "example-id",
"s3_source": {
"data_source_arn": example_aws_quicksight_data_source["arn"],
"input_columns": [{
"name": "Column1",
"type": "STRING",
}],
"upload_settings": {
"format": "JSON",
},
},
}],
column_level_permission_rules=[{
"column_names": ["Column1"],
"principals": [example_aws_quicksight_user["arn"]],
}])
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/quicksight"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := quicksight.NewDataSet(ctx, "example", &quicksight.DataSetArgs{
DataSetId: pulumi.String("example-id"),
Name: pulumi.String("example-name"),
ImportMode: pulumi.String("SPICE"),
PhysicalTableMaps: quicksight.DataSetPhysicalTableMapArray{
&quicksight.DataSetPhysicalTableMapArgs{
PhysicalTableMapId: pulumi.String("example-id"),
S3Source: &quicksight.DataSetPhysicalTableMapS3SourceArgs{
DataSourceArn: pulumi.Any(exampleAwsQuicksightDataSource.Arn),
InputColumns: quicksight.DataSetPhysicalTableMapS3SourceInputColumnArray{
&quicksight.DataSetPhysicalTableMapS3SourceInputColumnArgs{
Name: pulumi.String("Column1"),
Type: pulumi.String("STRING"),
},
},
UploadSettings: &quicksight.DataSetPhysicalTableMapS3SourceUploadSettingsArgs{
Format: pulumi.String("JSON"),
},
},
},
},
ColumnLevelPermissionRules: quicksight.DataSetColumnLevelPermissionRuleArray{
&quicksight.DataSetColumnLevelPermissionRuleArgs{
ColumnNames: pulumi.StringArray{
pulumi.String("Column1"),
},
Principals: pulumi.StringArray{
exampleAwsQuicksightUser.Arn,
},
},
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var example = new Aws.Quicksight.DataSet("example", new()
{
DataSetId = "example-id",
Name = "example-name",
ImportMode = "SPICE",
PhysicalTableMaps = new[]
{
new Aws.Quicksight.Inputs.DataSetPhysicalTableMapArgs
{
PhysicalTableMapId = "example-id",
S3Source = new Aws.Quicksight.Inputs.DataSetPhysicalTableMapS3SourceArgs
{
DataSourceArn = exampleAwsQuicksightDataSource.Arn,
InputColumns = new[]
{
new Aws.Quicksight.Inputs.DataSetPhysicalTableMapS3SourceInputColumnArgs
{
Name = "Column1",
Type = "STRING",
},
},
UploadSettings = new Aws.Quicksight.Inputs.DataSetPhysicalTableMapS3SourceUploadSettingsArgs
{
Format = "JSON",
},
},
},
},
ColumnLevelPermissionRules = new[]
{
new Aws.Quicksight.Inputs.DataSetColumnLevelPermissionRuleArgs
{
ColumnNames = new[]
{
"Column1",
},
Principals = new[]
{
exampleAwsQuicksightUser.Arn,
},
},
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.quicksight.DataSet;
import com.pulumi.aws.quicksight.DataSetArgs;
import com.pulumi.aws.quicksight.inputs.DataSetPhysicalTableMapArgs;
import com.pulumi.aws.quicksight.inputs.DataSetPhysicalTableMapS3SourceArgs;
import com.pulumi.aws.quicksight.inputs.DataSetPhysicalTableMapS3SourceUploadSettingsArgs;
import com.pulumi.aws.quicksight.inputs.DataSetColumnLevelPermissionRuleArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var example = new DataSet("example", DataSetArgs.builder()
.dataSetId("example-id")
.name("example-name")
.importMode("SPICE")
.physicalTableMaps(DataSetPhysicalTableMapArgs.builder()
.physicalTableMapId("example-id")
.s3Source(DataSetPhysicalTableMapS3SourceArgs.builder()
.dataSourceArn(exampleAwsQuicksightDataSource.arn())
.inputColumns(DataSetPhysicalTableMapS3SourceInputColumnArgs.builder()
.name("Column1")
.type("STRING")
.build())
.uploadSettings(DataSetPhysicalTableMapS3SourceUploadSettingsArgs.builder()
.format("JSON")
.build())
.build())
.build())
.columnLevelPermissionRules(DataSetColumnLevelPermissionRuleArgs.builder()
.columnNames("Column1")
.principals(exampleAwsQuicksightUser.arn())
.build())
.build());
}
}
resources:
example:
type: aws:quicksight:DataSet
properties:
dataSetId: example-id
name: example-name
importMode: SPICE
physicalTableMaps:
- physicalTableMapId: example-id
s3Source:
dataSourceArn: ${exampleAwsQuicksightDataSource.arn}
inputColumns:
- name: Column1
type: STRING
uploadSettings:
format: JSON
columnLevelPermissionRules:
- columnNames:
- Column1
principals:
- ${exampleAwsQuicksightUser.arn}
The columnLevelPermissionRules property restricts which columns specific users can see. Each rule lists columnNames to protect and principals (user or group ARNs) who cannot access those columns. This operates independently of dataset-level permissions.
Grant dataset access to users and groups
Datasets require explicit permissions to control who can view, update, or share them.
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const example = new aws.quicksight.DataSet("example", {
dataSetId: "example-id",
name: "example-name",
importMode: "SPICE",
physicalTableMaps: [{
physicalTableMapId: "example-id",
s3Source: {
dataSourceArn: exampleAwsQuicksightDataSource.arn,
inputColumns: [{
name: "Column1",
type: "STRING",
}],
uploadSettings: {
format: "JSON",
},
},
}],
permissions: [{
actions: [
"quicksight:DescribeDataSet",
"quicksight:DescribeDataSetPermissions",
"quicksight:PassDataSet",
"quicksight:DescribeIngestion",
"quicksight:ListIngestions",
],
principal: exampleAwsQuicksightUser.arn,
}],
});
import pulumi
import pulumi_aws as aws
example = aws.quicksight.DataSet("example",
data_set_id="example-id",
name="example-name",
import_mode="SPICE",
physical_table_maps=[{
"physical_table_map_id": "example-id",
"s3_source": {
"data_source_arn": example_aws_quicksight_data_source["arn"],
"input_columns": [{
"name": "Column1",
"type": "STRING",
}],
"upload_settings": {
"format": "JSON",
},
},
}],
permissions=[{
"actions": [
"quicksight:DescribeDataSet",
"quicksight:DescribeDataSetPermissions",
"quicksight:PassDataSet",
"quicksight:DescribeIngestion",
"quicksight:ListIngestions",
],
"principal": example_aws_quicksight_user["arn"],
}])
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/quicksight"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := quicksight.NewDataSet(ctx, "example", &quicksight.DataSetArgs{
DataSetId: pulumi.String("example-id"),
Name: pulumi.String("example-name"),
ImportMode: pulumi.String("SPICE"),
PhysicalTableMaps: quicksight.DataSetPhysicalTableMapArray{
&quicksight.DataSetPhysicalTableMapArgs{
PhysicalTableMapId: pulumi.String("example-id"),
S3Source: &quicksight.DataSetPhysicalTableMapS3SourceArgs{
DataSourceArn: pulumi.Any(exampleAwsQuicksightDataSource.Arn),
InputColumns: quicksight.DataSetPhysicalTableMapS3SourceInputColumnArray{
&quicksight.DataSetPhysicalTableMapS3SourceInputColumnArgs{
Name: pulumi.String("Column1"),
Type: pulumi.String("STRING"),
},
},
UploadSettings: &quicksight.DataSetPhysicalTableMapS3SourceUploadSettingsArgs{
Format: pulumi.String("JSON"),
},
},
},
},
Permissions: quicksight.DataSetPermissionArray{
&quicksight.DataSetPermissionArgs{
Actions: pulumi.StringArray{
pulumi.String("quicksight:DescribeDataSet"),
pulumi.String("quicksight:DescribeDataSetPermissions"),
pulumi.String("quicksight:PassDataSet"),
pulumi.String("quicksight:DescribeIngestion"),
pulumi.String("quicksight:ListIngestions"),
},
Principal: pulumi.Any(exampleAwsQuicksightUser.Arn),
},
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var example = new Aws.Quicksight.DataSet("example", new()
{
DataSetId = "example-id",
Name = "example-name",
ImportMode = "SPICE",
PhysicalTableMaps = new[]
{
new Aws.Quicksight.Inputs.DataSetPhysicalTableMapArgs
{
PhysicalTableMapId = "example-id",
S3Source = new Aws.Quicksight.Inputs.DataSetPhysicalTableMapS3SourceArgs
{
DataSourceArn = exampleAwsQuicksightDataSource.Arn,
InputColumns = new[]
{
new Aws.Quicksight.Inputs.DataSetPhysicalTableMapS3SourceInputColumnArgs
{
Name = "Column1",
Type = "STRING",
},
},
UploadSettings = new Aws.Quicksight.Inputs.DataSetPhysicalTableMapS3SourceUploadSettingsArgs
{
Format = "JSON",
},
},
},
},
Permissions = new[]
{
new Aws.Quicksight.Inputs.DataSetPermissionArgs
{
Actions = new[]
{
"quicksight:DescribeDataSet",
"quicksight:DescribeDataSetPermissions",
"quicksight:PassDataSet",
"quicksight:DescribeIngestion",
"quicksight:ListIngestions",
},
Principal = exampleAwsQuicksightUser.Arn,
},
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.quicksight.DataSet;
import com.pulumi.aws.quicksight.DataSetArgs;
import com.pulumi.aws.quicksight.inputs.DataSetPhysicalTableMapArgs;
import com.pulumi.aws.quicksight.inputs.DataSetPhysicalTableMapS3SourceArgs;
import com.pulumi.aws.quicksight.inputs.DataSetPhysicalTableMapS3SourceUploadSettingsArgs;
import com.pulumi.aws.quicksight.inputs.DataSetPermissionArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var example = new DataSet("example", DataSetArgs.builder()
.dataSetId("example-id")
.name("example-name")
.importMode("SPICE")
.physicalTableMaps(DataSetPhysicalTableMapArgs.builder()
.physicalTableMapId("example-id")
.s3Source(DataSetPhysicalTableMapS3SourceArgs.builder()
.dataSourceArn(exampleAwsQuicksightDataSource.arn())
.inputColumns(DataSetPhysicalTableMapS3SourceInputColumnArgs.builder()
.name("Column1")
.type("STRING")
.build())
.uploadSettings(DataSetPhysicalTableMapS3SourceUploadSettingsArgs.builder()
.format("JSON")
.build())
.build())
.build())
.permissions(DataSetPermissionArgs.builder()
.actions(
"quicksight:DescribeDataSet",
"quicksight:DescribeDataSetPermissions",
"quicksight:PassDataSet",
"quicksight:DescribeIngestion",
"quicksight:ListIngestions")
.principal(exampleAwsQuicksightUser.arn())
.build())
.build());
}
}
resources:
example:
type: aws:quicksight:DataSet
properties:
dataSetId: example-id
name: example-name
importMode: SPICE
physicalTableMaps:
- physicalTableMapId: example-id
s3Source:
dataSourceArn: ${exampleAwsQuicksightDataSource.arn}
inputColumns:
- name: Column1
type: STRING
uploadSettings:
format: JSON
permissions:
- actions:
- quicksight:DescribeDataSet
- quicksight:DescribeDataSetPermissions
- quicksight:PassDataSet
- quicksight:DescribeIngestion
- quicksight:ListIngestions
principal: ${exampleAwsQuicksightUser.arn}
The permissions property defines what users can do with the dataset. The actions array lists QuickSight API operations (DescribeDataSet, PassDataSet, etc.), and principal specifies the user or group ARN. Without these permissions, users cannot access the dataset even if they have column or row-level access.
Filter rows based on user tags
Row-level security ensures users only see data they’re authorized to access by matching column values against session tags.
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const example = new aws.quicksight.DataSet("example", {
dataSetId: "example-id",
name: "example-name",
importMode: "SPICE",
physicalTableMaps: [{
physicalTableMapId: "example-id",
s3Source: {
dataSourceArn: exampleAwsQuicksightDataSource.arn,
inputColumns: [{
name: "Column1",
type: "STRING",
}],
uploadSettings: {
format: "JSON",
},
},
}],
rowLevelPermissionTagConfiguration: {
status: "ENABLED",
tagRules: [{
columnName: "Column1",
tagKey: "tagkey",
matchAllValue: "*",
tagMultiValueDelimiter: ",",
}],
},
});
import pulumi
import pulumi_aws as aws
example = aws.quicksight.DataSet("example",
data_set_id="example-id",
name="example-name",
import_mode="SPICE",
physical_table_maps=[{
"physical_table_map_id": "example-id",
"s3_source": {
"data_source_arn": example_aws_quicksight_data_source["arn"],
"input_columns": [{
"name": "Column1",
"type": "STRING",
}],
"upload_settings": {
"format": "JSON",
},
},
}],
row_level_permission_tag_configuration={
"status": "ENABLED",
"tag_rules": [{
"column_name": "Column1",
"tag_key": "tagkey",
"match_all_value": "*",
"tag_multi_value_delimiter": ",",
}],
})
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/quicksight"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := quicksight.NewDataSet(ctx, "example", &quicksight.DataSetArgs{
DataSetId: pulumi.String("example-id"),
Name: pulumi.String("example-name"),
ImportMode: pulumi.String("SPICE"),
PhysicalTableMaps: quicksight.DataSetPhysicalTableMapArray{
&quicksight.DataSetPhysicalTableMapArgs{
PhysicalTableMapId: pulumi.String("example-id"),
S3Source: &quicksight.DataSetPhysicalTableMapS3SourceArgs{
DataSourceArn: pulumi.Any(exampleAwsQuicksightDataSource.Arn),
InputColumns: quicksight.DataSetPhysicalTableMapS3SourceInputColumnArray{
&quicksight.DataSetPhysicalTableMapS3SourceInputColumnArgs{
Name: pulumi.String("Column1"),
Type: pulumi.String("STRING"),
},
},
UploadSettings: &quicksight.DataSetPhysicalTableMapS3SourceUploadSettingsArgs{
Format: pulumi.String("JSON"),
},
},
},
},
RowLevelPermissionTagConfiguration: &quicksight.DataSetRowLevelPermissionTagConfigurationArgs{
Status: pulumi.String("ENABLED"),
TagRules: quicksight.DataSetRowLevelPermissionTagConfigurationTagRuleArray{
&quicksight.DataSetRowLevelPermissionTagConfigurationTagRuleArgs{
ColumnName: pulumi.String("Column1"),
TagKey: pulumi.String("tagkey"),
MatchAllValue: pulumi.String("*"),
TagMultiValueDelimiter: pulumi.String(","),
},
},
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var example = new Aws.Quicksight.DataSet("example", new()
{
DataSetId = "example-id",
Name = "example-name",
ImportMode = "SPICE",
PhysicalTableMaps = new[]
{
new Aws.Quicksight.Inputs.DataSetPhysicalTableMapArgs
{
PhysicalTableMapId = "example-id",
S3Source = new Aws.Quicksight.Inputs.DataSetPhysicalTableMapS3SourceArgs
{
DataSourceArn = exampleAwsQuicksightDataSource.Arn,
InputColumns = new[]
{
new Aws.Quicksight.Inputs.DataSetPhysicalTableMapS3SourceInputColumnArgs
{
Name = "Column1",
Type = "STRING",
},
},
UploadSettings = new Aws.Quicksight.Inputs.DataSetPhysicalTableMapS3SourceUploadSettingsArgs
{
Format = "JSON",
},
},
},
},
RowLevelPermissionTagConfiguration = new Aws.Quicksight.Inputs.DataSetRowLevelPermissionTagConfigurationArgs
{
Status = "ENABLED",
TagRules = new[]
{
new Aws.Quicksight.Inputs.DataSetRowLevelPermissionTagConfigurationTagRuleArgs
{
ColumnName = "Column1",
TagKey = "tagkey",
MatchAllValue = "*",
TagMultiValueDelimiter = ",",
},
},
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.quicksight.DataSet;
import com.pulumi.aws.quicksight.DataSetArgs;
import com.pulumi.aws.quicksight.inputs.DataSetPhysicalTableMapArgs;
import com.pulumi.aws.quicksight.inputs.DataSetPhysicalTableMapS3SourceArgs;
import com.pulumi.aws.quicksight.inputs.DataSetPhysicalTableMapS3SourceUploadSettingsArgs;
import com.pulumi.aws.quicksight.inputs.DataSetRowLevelPermissionTagConfigurationArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var example = new DataSet("example", DataSetArgs.builder()
.dataSetId("example-id")
.name("example-name")
.importMode("SPICE")
.physicalTableMaps(DataSetPhysicalTableMapArgs.builder()
.physicalTableMapId("example-id")
.s3Source(DataSetPhysicalTableMapS3SourceArgs.builder()
.dataSourceArn(exampleAwsQuicksightDataSource.arn())
.inputColumns(DataSetPhysicalTableMapS3SourceInputColumnArgs.builder()
.name("Column1")
.type("STRING")
.build())
.uploadSettings(DataSetPhysicalTableMapS3SourceUploadSettingsArgs.builder()
.format("JSON")
.build())
.build())
.build())
.rowLevelPermissionTagConfiguration(DataSetRowLevelPermissionTagConfigurationArgs.builder()
.status("ENABLED")
.tagRules(DataSetRowLevelPermissionTagConfigurationTagRuleArgs.builder()
.columnName("Column1")
.tagKey("tagkey")
.matchAllValue("*")
.tagMultiValueDelimiter(",")
.build())
.build())
.build());
}
}
resources:
example:
type: aws:quicksight:DataSet
properties:
dataSetId: example-id
name: example-name
importMode: SPICE
physicalTableMaps:
- physicalTableMapId: example-id
s3Source:
dataSourceArn: ${exampleAwsQuicksightDataSource.arn}
inputColumns:
- name: Column1
type: STRING
uploadSettings:
format: JSON
rowLevelPermissionTagConfiguration:
status: ENABLED
tagRules:
- columnName: Column1
tagKey: tagkey
matchAllValue: '*'
tagMultiValueDelimiter: ','
The rowLevelPermissionTagConfiguration property enables tag-based row filtering. Each tagRule maps a columnName to a tagKey from the user’s session. When a user queries the dataset, QuickSight filters rows where the column value matches their tag value. The matchAllValue wildcard grants access to all rows for users with that tag.
Beyond these examples
These snippets focus on specific dataset features: SPICE import from S3 data sources, column-level and row-level security, and dataset permissions and field organization. They’re intentionally minimal rather than full analytics solutions.
The examples rely on pre-existing infrastructure such as QuickSight data sources (S3, RDS, Redshift, etc.), QuickSight users and groups for permission assignment, and S3 buckets with data files matching defined schemas. They focus on dataset configuration rather than provisioning the surrounding infrastructure.
To keep things focused, common dataset patterns are omitted, including:
- Logical table transformations (joins, calculated fields, filters)
- Direct query mode for live database connections
- Field folders for organizing columns in the UI
- Refresh schedules for SPICE datasets
- Column groups for geospatial hierarchies
These omissions are intentional: the goal is to illustrate how each dataset feature is wired, not provide drop-in analytics modules. See the QuickSight DataSet resource reference for all available configuration options.
Let's create AWS QuickSight Data Sets
Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.
Try Pulumi Cloud for FREEFrequently Asked Questions
Data Import & Refresh
What are the import modes for QuickSight datasets?
QuickSight datasets support two import modes:
SPICE (in-memory) for faster queries and DIRECT_QUERY for real-time data access.Why can't I configure refresh properties for my dataset?
Refresh properties are only valid when
importMode is set to SPICE. Direct query datasets don’t support refresh configuration.How do I configure an S3 data source for my dataset?
Use
physicalTableMaps with s3Source, specifying dataSourceArn, inputColumns (with name and type), and uploadSettings (with format like JSON or CSV).Security & Permissions
How do I set up column-level permissions?
Use
columnLevelPermissionRules with columnNames (array of column names) and principals (array of user or group ARNs).How do I configure row-level security with tags?
Use
rowLevelPermissionTagConfiguration with status set to ENABLED and tagRules specifying columnName, tagKey, matchAllValue, and optionally tagMultiValueDelimiter.Can I use row-level permission tags for all embedding scenarios?
No, row-level security tags are currently supported for anonymous embedding only. For other scenarios, use
rowLevelPermissionDataSet instead.What QuickSight actions can I grant in dataset permissions?
Common actions include
quicksight:DescribeDataSet, quicksight:DescribeDataSetPermissions, quicksight:PassDataSet, quicksight:DescribeIngestion, and quicksight:ListIngestions. You can configure up to 64 permission items.Data Organization
How do I organize columns into folders?
Use
fieldFolders with fieldFoldersId, a columns array, and an optional description to group related columns together.What are output columns in a dataset?
Output columns represent the final set of columns available for analyses and dashboards after all data preparation and transformation steps have been applied. This is a computed field showing your dataset’s final schema.
Configuration & Limits
What properties can't be changed after creating a dataset?
Both
awsAccountId and dataSetId are immutable. Changing either property will force replacement of the entire dataset.How many logical table maps can I configure?
You can configure a maximum of 1 logical table map entry. Logical table maps define how data from physical tables is combined and transformed.
Using a different cloud?
Explore analytics guides for other cloud providers: