How to Add or Remove Users and User Groups in AWS Quicksight
- Access to the BFD AWS Account
- IAM permissions to decrypt sensitive SSM parameters
- An installation of the AWS CLI that is configured properly for access to the BFD/CMS AWS account
- An installation of the `terraform` CLI
  - Using a tool like `tfenv` allows for multiple installations of Terraform and automatic version management
- Your `EDITOR` environment variable set to a proper editor
  - You can set this variable in your `.bashrc` (if you're using `bash`) or `.zshrc` (if you're using `zsh`) like so: `export EDITOR=<your editor executable here>`. Other shells may have a different syntax for setting environment variables or a different configuration file
- This repository, `beneficiary-fhir-data`, pulled down locally
Adding or removing users and user groups from AWS Quicksight will require modifying the `mgmt` environment. You will need to follow the steps below prior to making any modifications.
1. In your terminal, navigate to the root of your local copy of the `beneficiary-fhir-data` repository using `cd`

2. In your terminal, relative to the root of this repository, `cd` to the directory associated with the `mgmt` Terraform module:

   ```sh
   cd ops/terraform/env/mgmt
   ```

3. Initialize the Terraform state locally:

   ```sh
   terraform init
   ```

4. Once initialized, view the Terraform plan and verify that Terraform is able to load state for all of the resources managed by the `mgmt` module and that no changes are necessary:

   ```sh
   terraform plan
   ```

5. Navigate into the `base_config` module's directory:

   ```sh
   cd base_config
   ```

6. Ensure you are authenticated with AWS and are able to run AWS CLI commands

7. Open the encrypted yaml `mgmt.eyaml` for editing using the `edit-eyaml.sh` script using the commands below. This will decrypt the encrypted `mgmt.eyaml` file and open it in your defined `EDITOR`. The script will wait until the file is closed by your editor, at which point it will re-encrypt `mgmt.eyaml` with your changes and save it

   ```sh
   chmod +x scripts/edit-eyaml.sh
   scripts/edit-eyaml.sh mgmt
   ```

8. You will see the following keys grouped together in the format shown below.

   ```
   /bfd/mgmt/quicksight/sensitive/principal_admin_arn: str
   /bfd/mgmt/quicksight/sensitive/users: encoded JSON Array
   /bfd/mgmt/quicksight/sensitive/groups: encoded JSON Array
   ```

   - `principal_admin_arn` is the fall-back arn of the user or group that will become the owner of assets that are solely owned by any user being deleted.
   - `users` is an encoded JSON array of Quicksight users expected to adhere to the following format:

     ```
     [{"email":"[email protected]", "user_role":"AUTHOR|ADMIN|READER", "identity_type":"QUICKSIGHT|IAM","groups":[""]}]
     ```

     If `IAM` is specified as the `identity_type`, then `iam_arn` must be provided as an attribute. If `QUICKSIGHT` is specified as the `identity_type`, then `user_name` must be provided as an attribute.
   - `groups` is an encoded JSON array of Quicksight groups expected to adhere to the following format:

     ```
     [{"group_name":"abbrv-readers"}]
     ```

     `group_name` should have a prefix describing the org or partner and a suffix describing the group's role (i.e. `-readers`, `-owners`)

9. Refer to the instructions below and follow its steps to add or remove users and user groups from AWS Quicksight.
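The format rules for `users` and `groups` described in the steps above can be checked before the file is closed and re-encrypted. The following validator is an added example, not part of the BFD repository; the function name, the sample entries, and the rule that a user's groups must exist in the `groups` array are assumptions made for illustration.

```python
import json

ROLES = {"AUTHOR", "ADMIN", "READER"}
# identity_type -> attribute the page says must accompany it
REQUIRED_ATTR = {"IAM": "iam_arn", "QUICKSIGHT": "user_name"}

# Constructed sample values, not real BFD users, groups or ARNs.
SAMPLE_GROUPS = '[{"group_name": "abbrv-readers"}]'
SAMPLE_USERS = json.dumps([
    {"email": "a@example.com", "user_role": "READER", "identity_type": "QUICKSIGHT",
     "user_name": "a@example.com", "groups": ["abbrv-readers"]},
    {"email": "b@example.com", "user_role": "ADMIN", "identity_type": "IAM",
     "groups": ["abbrv-owners"]},  # missing iam_arn, undefined group
    {"email": "c@example.com", "user_role": "OWNER", "identity_type": "SSO",
     "groups": [""]},  # bad role, bad identity_type
])


def validate_quicksight_config(users_json, groups_json):
    """Return a list of problems in the two arrays; an empty list means clean."""
    users, groups = json.loads(users_json), json.loads(groups_json)
    problems, group_names = [], set()
    for group in groups:
        name = group.get("group_name", "")
        # Page convention: org/partner prefix plus role suffix (-readers, -owners).
        if "-" not in name.strip("-"):
            problems.append(f"group {name!r}: expected <org>-<role> name")
        group_names.add(name)
    for user in users:
        who = user.get("email") or "<missing email>"
        if user.get("user_role") not in ROLES:
            problems.append(f"{who}: user_role must be one of {sorted(ROLES)}")
        identity = user.get("identity_type")
        if identity not in REQUIRED_ATTR:
            problems.append(f"{who}: identity_type must be QUICKSIGHT or IAM")
        elif not user.get(REQUIRED_ATTR[identity]):
            problems.append(f"{who}: {identity} requires {REQUIRED_ATTR[identity]}")
        # Assumption: every non-empty group a user lists must exist in the groups array.
        for name in user.get("groups", []):
            if name and name not in group_names:
                problems.append(f"{who}: group {name!r} not defined in groups")
    return problems


if __name__ == "__main__":
    for problem in validate_quicksight_config(SAMPLE_USERS, SAMPLE_GROUPS):
        print(problem)
```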
It is recommended that you read the following `README`s for more information on the SSM configuration scheme used by BFD before continuing:

Additionally:
- You will need to know the user's email and IAM (if the user has one). IAM is not a requirement.
- You will need to know the assets that the user will need access to via their assigned group(s). E.g., `bcda`, `bfd`, etc.
- You will need to know the user's role - `READER` or `AUTHOR` or `ADMIN`

- After following the instructions to modify the `mgmt` environment outlined in the prerequisites above, append the new user in its correct `json` format to the array defined in `/bfd/mgmt/quicksight/sensitive/users`
- Close the file. This should immediately update the encrypted `mgmt.eyaml` with your new changes
- Refer to How to Apply Your Changes to complete the addition.
- If the user you've added is NOT an `IAM` user, you will need to send an invitation to the user's email. The only way to do so is via the AWS Quicksight console.
  - Sign in to the AWS Quicksight Console
  - In the upper-right corner, click on the user icon
  - Select "Manage Quicksight"
  - Find the new user and click their corresponding `Reset password` link. The user should receive an email with the subject `Invitation to Join QuickSight`. They will have 7 days to accept the invitation.

It is recommended that you read the following `README`s for more information on the SSM configuration scheme used by BFD before continuing:

- After following the instructions to modify the `mgmt` environment outlined in the prerequisites above, find the user's corresponding `json` object in `/bfd/mgmt/quicksight/sensitive/users` by their email or IAM.
- Simply remove the user's `json` object from the `json` array.
- Close the file. This should immediately update the encrypted `mgmt.eyaml` with your new changes
- Refer to How to Apply Your Changes to complete the removal.

It is recommended that you read the following `README`s for more information on the SSM configuration scheme used by BFD before continuing:

- After following the instructions to modify the `mgmt` environment outlined in the prerequisites above, append the new group in its correct `json` format to the array defined in `/bfd/mgmt/quicksight/sensitive/groups`
- Close the file. This should immediately update the encrypted `mgmt.eyaml` with your new changes
- Refer to How to Apply Your Changes to complete the addition.

It is recommended that you read the following `README`s for more information on the SSM configuration scheme used by BFD before continuing:

- After following the instructions to modify the `mgmt` environment outlined in the prerequisites above, find the group's corresponding `json` object in `/bfd/mgmt/quicksight/sensitive/groups`
- Simply remove the group's `json` object from the `json` array.
- Close the file. This should immediately update the encrypted `mgmt.eyaml` with your new changes
- Refer to How to Apply Your Changes to complete the removal.

It is recommended that you read the following `README`s for more information on the SSM configuration scheme used by BFD before continuing:

Additionally:
- The arn of the user or group that will become the owner of assets that are solely owned by any user being deleted.

- After following the instructions to modify the `mgmt` environment outlined in the prerequisites above, simply update the arn for `principal_admin_arn`.
- Close the file. This should immediately update the encrypted `mgmt.eyaml` with your new changes
- Refer to How to Apply Your Changes to complete the update.

How to Apply Your Changes

1. Return to the `mgmt` module:

   ```sh
   cd ..
   ```

2. Plan the changes to the Terraform state and verify that there are only removals from the state and that these removals correspond to the changes made in step #9:

   ```sh
   terraform plan
   ```

3. Open a new Pull Request with the changes to all configuration in the associated branch

4. Once approved, the changes to `mgmt` can be applied:

   1. From the root of the repository, `cd` into the `mgmt` module:

      ```sh
      cd ops/terraform/env/mgmt
      ```

   2. Apply the changes to configuration ensuring that there are no unexpected changes:

      ```sh
      terraform apply
      ```
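
The plan review in the steps above can be made checkable by saving the plan with `terraform plan -out=<file>`, rendering it with `terraform show -json <file>`, and listing every planned change that falls outside what you expect. This is an added example, not BFD tooling; the function name, the address prefix and the sample plan are hypothetical.

```python
import json

# Constructed stand-in for `terraform show -json <planfile>` output; the
# resource addresses are hypothetical, not the mgmt module's real ones.
SAMPLE_PLAN = json.dumps({"resource_changes": [
    {"address": 'module.quicksight.example.user["a"]',
     "change": {"actions": ["no-op"]}},
    {"address": 'module.quicksight.example.user["b"]',
     "change": {"actions": ["delete"]}},
    {"address": 'module.quicksight.example.group["x"]',
     "change": {"actions": ["delete", "create"]}},
    {"address": "aws_iam_policy.example",
     "change": {"actions": ["update"]}},
]})


def unexpected_changes(plan_json, allowed_actions, address_prefix):
    """Return (address, actions) for each planned change outside the expected set.

    A change is expected only if its address starts with address_prefix and
    every action it plans is in allowed_actions.
    """
    findings = []
    for rc in json.loads(plan_json).get("resource_changes", []):
        actions = rc["change"]["actions"]
        # no-op and data-source reads do not modify anything.
        if actions in (["no-op"], ["read"]):
            continue
        in_scope = rc["address"].startswith(address_prefix)
        if not in_scope or not set(actions) <= set(allowed_actions):
            findings.append((rc["address"], actions))
    return findings


if __name__ == "__main__":
    # Expecting only removals under the (hypothetical) Quicksight module.
    for address, actions in unexpected_changes(
            SAMPLE_PLAN, {"delete"}, "module.quicksight."):
        print(f"UNEXPECTED {'/'.join(actions)}: {address}")
```

Saved plan files and their JSON rendering can contain sensitive values in cleartext, so keep them out of the repository and delete them after review.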