Fix QuickSight import permissions for DataSources and DataSets

your-github-username · your-github-username · commit 4a21e32517f8 · 2025-11-24T15:05:50.000-05:00
- Add wildcard expansion call in import_dashboard()
- Separate permissions for each asset type (Dashboard/DataSource/DataSet)
- Use asset-specific actions instead of reusing Dashboard actions
- Fix account ID wildcard in manifest.yaml to use parameter substitution
- Resolves missing Principals/Actions errors during import
diff --git a/experimental/SMUS-CICD-pipeline-cli/examples/analytic-workflow/dashboard-glue-quick/manifest.yaml b/experimental/SMUS-CICD-pipeline-cli/examples/analytic-workflow/dashboard-glue-quick/manifest.yaml
@@ -75,9 +75,9 @@ stages:
         assets:
         - name: TotalDeathByCountry
           owners:
-          - arn:aws:quicksight:${TEST_DOMAIN_REGION:us-east-1}:*:user/default/Admin/*
+          - arn:aws:quicksight:${TEST_DOMAIN_REGION:us-east-1}:${AWS_ACCOUNT_ID}:user/default/Admin/*
           viewers:
-          - arn:aws:quicksight:${TEST_DOMAIN_REGION:us-east-1}:*:user/default/Admin/*
+          - arn:aws:quicksight:${TEST_DOMAIN_REGION:us-east-1}:${AWS_ACCOUNT_ID}:user/default/Admin/*
         overrideParameters:
           ResourceIdOverrideConfiguration:
             PrefixForAllResources: deployed-{stage.name}-covid-
diff --git a/experimental/SMUS-CICD-pipeline-cli/src/smus_cicd/helpers/quicksight.py b/experimental/SMUS-CICD-pipeline-cli/src/smus_cicd/helpers/quicksight.py
@@ -209,27 +209,69 @@ def import_dashboard(
             job_id = f"import-{timestamp}"
 
         # Build permissions for OverridePermissions (applies to all asset types)
-        asset_permissions = {}
+        dashboard_permissions = {}
+        datasource_permissions = {}
+        dataset_permissions = {}
+        
         if permissions:
             principals = []
-            actions = []
+            dashboard_actions = []
             for perm in permissions:
-                principals.append(perm["principal"])
-                actions.extend(perm["actions"])
-            # Remove duplicates from actions
-            actions = list(set(actions))
-            asset_permissions = {"Principals": principals, "Actions": actions}
+                # Expand wildcards in principal ARNs
+                expanded = expand_principal_wildcards(
+                    perm["principal"], aws_account_id, region
+                )
+                principals.extend(expanded)
+                dashboard_actions.extend(perm["actions"])
+            
+            # Remove duplicates
+            principals = list(set(principals))
+            dashboard_actions = list(set(dashboard_actions))
+            
+            # Build dashboard permissions
+            dashboard_permissions = {"Principals": principals, "Actions": dashboard_actions}
+            
+            # Use standard read/write permissions for DataSources and DataSets
+            datasource_permissions = {
+                "Principals": principals,
+                "Actions": [
+                    "quicksight:DescribeDataSource",
+                    "quicksight:DescribeDataSourcePermissions",
+                    "quicksight:PassDataSource",
+                    "quicksight:UpdateDataSource",
+                    "quicksight:DeleteDataSource",
+                    "quicksight:UpdateDataSourcePermissions"
+                ]
+            }
+            
+            dataset_permissions = {
+                "Principals": principals,
+                "Actions": [
+                    "quicksight:DescribeDataSet",
+                    "quicksight:DescribeDataSetPermissions",
+                    "quicksight:PassDataSet",
+                    "quicksight:DescribeIngestion",
+                    "quicksight:ListIngestions",
+                    "quicksight:UpdateDataSet",
+                    "quicksight:DeleteDataSet",
+                    "quicksight:CreateIngestion",
+                    "quicksight:CancelIngestion",
+                    "quicksight:UpdateDataSetPermissions"
+                ]
+            }
 
         import_params = {
             "AwsAccountId": aws_account_id,
             "AssetBundleImportJobId": job_id,
             "AssetBundleImportSource": {"Body": _download_bundle(bundle_url)},
             "FailureAction": "ROLLBACK",
             "OverridePermissions": {
-                "DataSources": [{"DataSourceIds": ["*"], "Permissions": asset_permissions}],
-                "DataSets": [{"DataSetIds": ["*"], "Permissions": asset_permissions}],
+                "DataSources": [
+                    {"DataSourceIds": ["*"], "Permissions": datasource_permissions}
+                ],
+                "DataSets": [{"DataSetIds": ["*"], "Permissions": dataset_permissions}],
                 "Dashboards": [
-                    {"DashboardIds": ["*"], "Permissions": asset_permissions}
+                    {"DashboardIds": ["*"], "Permissions": dashboard_permissions}
                 ],
             },
         }
