The aws:quicksight/user:User resource, part of the Pulumi AWS provider, registers QuickSight users and maps them to IAM identities or QuickSight-native accounts. This guide focuses on three capabilities: IAM role authentication, IAM user authentication, and QuickSight-native identity management with namespace isolation.
Users with IAM identity types require existing IAM roles or users with appropriate QuickSight permissions. The examples are intentionally small. Combine them with your own IAM configuration and permission policies.
Register users with IAM role authentication
Organizations using IAM for identity management can grant QuickSight access through IAM roles, enabling centralized permission management and role-based access control.
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const example = new aws.quicksight.User("example", {
email: "author1@example.com",
identityType: "IAM",
userRole: "AUTHOR",
iamArn: "arn:aws:iam::123456789012:role/AuthorRole",
sessionName: "author1",
});
import pulumi
import pulumi_aws as aws
example = aws.quicksight.User("example",
email="author1@example.com",
identity_type="IAM",
user_role="AUTHOR",
iam_arn="arn:aws:iam::123456789012:role/AuthorRole",
session_name="author1")
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/quicksight"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := quicksight.NewUser(ctx, "example", &quicksight.UserArgs{
Email: pulumi.String("author1@example.com"),
IdentityType: pulumi.String("IAM"),
UserRole: pulumi.String("AUTHOR"),
IamArn: pulumi.String("arn:aws:iam::123456789012:role/AuthorRole"),
SessionName: pulumi.String("author1"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var example = new Aws.Quicksight.User("example", new()
{
Email = "author1@example.com",
IdentityType = "IAM",
UserRole = "AUTHOR",
IamArn = "arn:aws:iam::123456789012:role/AuthorRole",
SessionName = "author1",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.quicksight.User;
import com.pulumi.aws.quicksight.UserArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var example = new User("example", UserArgs.builder()
.email("author1@example.com")
.identityType("IAM")
.userRole("AUTHOR")
.iamArn("arn:aws:iam::123456789012:role/AuthorRole")
.sessionName("author1")
.build());
}
}
resources:
example:
type: aws:quicksight:User
properties:
email: author1@example.com
identityType: IAM
userRole: AUTHOR
iamArn: arn:aws:iam::123456789012:role/AuthorRole
sessionName: author1
When identityType is “IAM”, the iamArn property points to an IAM role that the user assumes to access QuickSight. The sessionName property uniquely identifies each user’s session when multiple users share the same role. The userRole property sets the QuickSight permission level (READER, AUTHOR, ADMIN, or their PRO variants).
Register users with IAM user authentication
Teams can map IAM users directly to QuickSight roles without requiring role assumption.
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const example = new aws.quicksight.User("example", {
email: "authorpro1@example.com",
identityType: "IAM",
userRole: "AUTHOR_PRO",
iamArn: "arn:aws:iam::123456789012:user/authorpro1",
});
import pulumi
import pulumi_aws as aws
example = aws.quicksight.User("example",
email="authorpro1@example.com",
identity_type="IAM",
user_role="AUTHOR_PRO",
iam_arn="arn:aws:iam::123456789012:user/authorpro1")
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/quicksight"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := quicksight.NewUser(ctx, "example", &quicksight.UserArgs{
Email: pulumi.String("authorpro1@example.com"),
IdentityType: pulumi.String("IAM"),
UserRole: pulumi.String("AUTHOR_PRO"),
IamArn: pulumi.String("arn:aws:iam::123456789012:user/authorpro1"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var example = new Aws.Quicksight.User("example", new()
{
Email = "authorpro1@example.com",
IdentityType = "IAM",
UserRole = "AUTHOR_PRO",
IamArn = "arn:aws:iam::123456789012:user/authorpro1",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.quicksight.User;
import com.pulumi.aws.quicksight.UserArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var example = new User("example", UserArgs.builder()
.email("authorpro1@example.com")
.identityType("IAM")
.userRole("AUTHOR_PRO")
.iamArn("arn:aws:iam::123456789012:user/authorpro1")
.build());
}
}
resources:
example:
type: aws:quicksight:User
properties:
email: authorpro1@example.com
identityType: IAM
userRole: AUTHOR_PRO
iamArn: arn:aws:iam::123456789012:user/authorpro1
This configuration is simpler than role-based authentication because it doesn’t require a sessionName. The iamArn points directly to an IAM user rather than a role. Each IAM user maps to exactly one QuickSight user.
Create QuickSight-native users in custom namespaces
Organizations managing multiple QuickSight environments can isolate users into separate namespaces, each with its own user directory independent of IAM.
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const example = new aws.quicksight.User("example", {
email: "reader1@example.com",
identityType: "QUICKSIGHT",
userRole: "READER",
namespace: "example",
userName: "reader1",
});
import pulumi
import pulumi_aws as aws
example = aws.quicksight.User("example",
email="reader1@example.com",
identity_type="QUICKSIGHT",
user_role="READER",
namespace="example",
user_name="reader1")
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/quicksight"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := quicksight.NewUser(ctx, "example", &quicksight.UserArgs{
Email: pulumi.String("reader1@example.com"),
IdentityType: pulumi.String("QUICKSIGHT"),
UserRole: pulumi.String("READER"),
Namespace: pulumi.String("example"),
UserName: pulumi.String("reader1"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var example = new Aws.Quicksight.User("example", new()
{
Email = "reader1@example.com",
IdentityType = "QUICKSIGHT",
UserRole = "READER",
Namespace = "example",
UserName = "reader1",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.quicksight.User;
import com.pulumi.aws.quicksight.UserArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var example = new User("example", UserArgs.builder()
.email("reader1@example.com")
.identityType("QUICKSIGHT")
.userRole("READER")
.namespace("example")
.userName("reader1")
.build());
}
}
resources:
example:
type: aws:quicksight:User
properties:
email: reader1@example.com
identityType: QUICKSIGHT
userRole: READER
namespace: example
userName: reader1
When identityType is “QUICKSIGHT”, you manage users within QuickSight rather than through IAM. The userName property sets the QuickSight username, and the namespace property isolates users into separate directories. QuickSight returns a userInvitationUrl that users visit to complete registration and set their password.
Beyond these examples
These snippets focus on specific user registration features: IAM and QuickSight identity types, role-based and user-based IAM authentication, and namespace isolation. They’re intentionally minimal rather than complete identity management solutions.
The examples reference pre-existing infrastructure such as IAM roles or users with QuickSight permissions. They focus on user registration rather than provisioning the underlying IAM resources.
To keep things focused, common user management patterns are omitted, including:
- IAM Identity Center integration (IAM_IDENTITY_CENTER identity type)
- Role permission configuration and trust policies
- User invitation workflow and password setup
- Multi-user registration with shared IAM roles
These omissions are intentional: the goal is to illustrate how each identity type is wired, not provide drop-in user management modules. See the QuickSight User resource reference for all available configuration options.
Let's manage AWS QuickSight Users
Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.
Try Pulumi Cloud for FREEFrequently Asked Questions
Identity & Authentication
iamArn. QUICKSIGHT identity type creates QuickSight-managed users, requires userName, and provides a userInvitationUrl for password setup.userName only for QUICKSIGHT identity type. Use iamArn only for IAM identity type to specify the IAM user or role ARN.sessionName only when registering users with an assumed IAM role. Each user sharing the same IAM role must have a unique sessionName.userInvitationUrl output that they visit to complete registration and set their password.User Roles & Permissions
READER, AUTHOR, ADMIN, READER_PRO, AUTHOR_PRO, ADMIN_PRO, RESTRICTED_AUTHOR, and RESTRICTED_READER.Configuration & Limitations
awsAccountId, identityType, userRole, iamArn, namespace, and sessionName.default namespace unless you specify a different value for the namespace property.sessionName when sharing the same IAM role.IAM (AWS IAM users/roles), QUICKSIGHT (QuickSight-managed users), and IAM_IDENTITY_CENTER (AWS IAM Identity Center).Using a different cloud?
Explore analytics guides for other cloud providers: