The aws:quicksight/user:User resource, part of the Pulumi AWS provider, registers QuickSight users and links them to authentication providers: IAM roles, IAM users, or QuickSight-managed identities. This guide focuses on three capabilities: IAM role and user authentication, QuickSight-managed identities, and namespace organization.
QuickSight users require an active QuickSight subscription. Users with IAM identity types reference existing IAM roles or users. The examples are intentionally small. Combine them with your own IAM infrastructure and QuickSight account configuration.
Register users with IAM role authentication
Organizations using IAM for identity management often link QuickSight users to IAM roles, enabling centralized access control through AWS IAM policies.
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const example = new aws.quicksight.User("example", {
email: "author1@example.com",
identityType: "IAM",
userRole: "AUTHOR",
iamArn: "arn:aws:iam::123456789012:role/AuthorRole",
sessionName: "author1",
});
import pulumi
import pulumi_aws as aws
example = aws.quicksight.User("example",
email="author1@example.com",
identity_type="IAM",
user_role="AUTHOR",
iam_arn="arn:aws:iam::123456789012:role/AuthorRole",
session_name="author1")
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/quicksight"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := quicksight.NewUser(ctx, "example", &quicksight.UserArgs{
Email: pulumi.String("author1@example.com"),
IdentityType: pulumi.String("IAM"),
UserRole: pulumi.String("AUTHOR"),
IamArn: pulumi.String("arn:aws:iam::123456789012:role/AuthorRole"),
SessionName: pulumi.String("author1"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var example = new Aws.Quicksight.User("example", new()
{
Email = "author1@example.com",
IdentityType = "IAM",
UserRole = "AUTHOR",
IamArn = "arn:aws:iam::123456789012:role/AuthorRole",
SessionName = "author1",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.quicksight.User;
import com.pulumi.aws.quicksight.UserArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var example = new User("example", UserArgs.builder()
.email("author1@example.com")
.identityType("IAM")
.userRole("AUTHOR")
.iamArn("arn:aws:iam::123456789012:role/AuthorRole")
.sessionName("author1")
.build());
}
}
resources:
example:
type: aws:quicksight:User
properties:
email: author1@example.com
identityType: IAM
userRole: AUTHOR
iamArn: arn:aws:iam::123456789012:role/AuthorRole
sessionName: author1
When identityType is set to “IAM”, the iamArn property points to an IAM role that authenticates the user. The sessionName property uniquely identifies this user when multiple users share the same IAM role. The userRole property determines QuickSight permissions: AUTHOR can create dashboards, READER can only view them.
Register users with IAM user authentication
Teams can link QuickSight users directly to IAM users rather than roles for individual user-level access control.
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const example = new aws.quicksight.User("example", {
email: "authorpro1@example.com",
identityType: "IAM",
userRole: "AUTHOR_PRO",
iamArn: "arn:aws:iam::123456789012:user/authorpro1",
});
import pulumi
import pulumi_aws as aws
example = aws.quicksight.User("example",
email="authorpro1@example.com",
identity_type="IAM",
user_role="AUTHOR_PRO",
iam_arn="arn:aws:iam::123456789012:user/authorpro1")
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/quicksight"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := quicksight.NewUser(ctx, "example", &quicksight.UserArgs{
Email: pulumi.String("authorpro1@example.com"),
IdentityType: pulumi.String("IAM"),
UserRole: pulumi.String("AUTHOR_PRO"),
IamArn: pulumi.String("arn:aws:iam::123456789012:user/authorpro1"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var example = new Aws.Quicksight.User("example", new()
{
Email = "authorpro1@example.com",
IdentityType = "IAM",
UserRole = "AUTHOR_PRO",
IamArn = "arn:aws:iam::123456789012:user/authorpro1",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.quicksight.User;
import com.pulumi.aws.quicksight.UserArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var example = new User("example", UserArgs.builder()
.email("authorpro1@example.com")
.identityType("IAM")
.userRole("AUTHOR_PRO")
.iamArn("arn:aws:iam::123456789012:user/authorpro1")
.build());
}
}
resources:
example:
type: aws:quicksight:User
properties:
email: authorpro1@example.com
identityType: IAM
userRole: AUTHOR_PRO
iamArn: arn:aws:iam::123456789012:user/authorpro1
This configuration uses an IAM user ARN instead of a role ARN. The sessionName property is omitted because IAM users don’t require session disambiguation. The AUTHOR_PRO role grants additional capabilities beyond the basic AUTHOR role.
Create QuickSight-managed users in custom namespaces
Organizations that manage identities within QuickSight rather than through IAM can create users in custom namespaces for organizational separation.
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const example = new aws.quicksight.User("example", {
email: "reader1@example.com",
identityType: "QUICKSIGHT",
userRole: "READER",
namespace: "example",
userName: "reader1",
});
import pulumi
import pulumi_aws as aws
example = aws.quicksight.User("example",
email="reader1@example.com",
identity_type="QUICKSIGHT",
user_role="READER",
namespace="example",
user_name="reader1")
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/quicksight"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := quicksight.NewUser(ctx, "example", &quicksight.UserArgs{
Email: pulumi.String("reader1@example.com"),
IdentityType: pulumi.String("QUICKSIGHT"),
UserRole: pulumi.String("READER"),
Namespace: pulumi.String("example"),
UserName: pulumi.String("reader1"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var example = new Aws.Quicksight.User("example", new()
{
Email = "reader1@example.com",
IdentityType = "QUICKSIGHT",
UserRole = "READER",
Namespace = "example",
UserName = "reader1",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.quicksight.User;
import com.pulumi.aws.quicksight.UserArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var example = new User("example", UserArgs.builder()
.email("reader1@example.com")
.identityType("QUICKSIGHT")
.userRole("READER")
.namespace("example")
.userName("reader1")
.build());
}
}
resources:
example:
type: aws:quicksight:User
properties:
email: reader1@example.com
identityType: QUICKSIGHT
userRole: READER
namespace: example
userName: reader1
When identityType is “QUICKSIGHT”, the userName property becomes required and iamArn is omitted. The namespace property isolates users into separate organizational units within your QuickSight account. QuickSight-managed users receive an invitation URL (via the userInvitationUrl output) to complete registration and set a password.
Beyond these examples
These snippets focus on specific user registration features: IAM-based authentication (roles and users), QuickSight-managed identities, and namespace organization. They’re intentionally minimal rather than complete user management solutions.
The examples reference pre-existing infrastructure such as IAM roles or users for IAM identity type, and an active QuickSight account subscription. They focus on user registration rather than provisioning the surrounding IAM or QuickSight infrastructure.
To keep things focused, common user management patterns are omitted, including:
- IAM Identity Center integration (IAM_IDENTITY_CENTER)
- User invitation workflow (userInvitationUrl output)
- Multi-user registration with shared IAM roles
- Cross-account or cross-region user management
These omissions are intentional: the goal is to illustrate how each user registration approach is wired, not provide drop-in user management modules. See the QuickSight User resource reference for all available configuration options.
Let's manage AWS QuickSight Users
Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.
Try Pulumi Cloud for FREEFrequently Asked Questions
Identity Types & Configuration
identityType, userRole, iamArn, namespace, sessionName, and awsAccountId. Changing any of these requires recreating the user.Requirements vary by identityType:
- IAM: Requires
iamArn(IAM user or role ARN) - QUICKSIGHT: Requires
userName - IAM_IDENTITY_CENTER: No additional required fields beyond the base requirements
iamArn, but IAM roles support sessionName for dashboard embedding scenarios. IAM users don’t use sessionName.IAM Integration
sessionName. This is required when using assumed IAM roles for multiple QuickSight users.identityType of QUICKSIGHT receive a userInvitationUrl to complete registration and set their password.Resource Limitations
Using a different cloud?
Explore analytics guides for other cloud providers: