AWS Security ChangesHomeSearch

AWS cli documentation change

Service: cli · 2026-04-19 · Documentation low

File: cli/latest/reference/quicksight/create-data-source.md

Summary

Added documentation for new S3_TABLES data source type and ConsumerAccountRoleArn parameter for cross-account Athena access with role-chaining

Security assessment

The change adds documentation for a new feature (ConsumerAccountRoleArn) that enables cross-account Athena access through role-chaining, which is a security-related feature for managing access control across AWS accounts. This is not fixing a security issue but rather documenting a new security capability.

Diff

diff --git a/cli/latest/reference/quicksight/create-data-source.md b/cli/latest/reference/quicksight/create-data-source.md
index 5e14b31fe..f2e2160d0 100644
--- a//cli/latest/reference/quicksight/create-data-source.md
+++ b//cli/latest/reference/quicksight/create-data-source.md
@@ -15 +15 @@
-  * [AWS CLI 2.34.29 Command Reference](../../index.html) »
+  * [AWS CLI 2.34.32 Command Reference](../../index.html) »
@@ -152,0 +153 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/quicks
+>   * `S3_TABLES`
@@ -221,0 +223,11 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/quicks
+>> 
+>> ConsumerAccountRoleArn -> (string)
+>>
+>>> Use `ConsumerAccountRoleArn` to perform cross-account Athena access. This is an IAM role ARN in the same AWS account as the Athena resources you want to access. Provide this along with `RoleArn` to enable role-chaining, where Amazon Quick Sight first assumes the `RoleArn` and then assumes the `ConsumerAccountRoleArn` to access Athena resources.
+>>> 
+>>> Constraints:
+>>> 
+>>>   * min: `20`
+>>>   * max: `2048`
+>>> 
+
@@ -698,0 +711,14 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/quicks
+> 
+> S3TablesParameters -> (structure)
+>
+>> The parameters for S3 Tables.
+>> 
+>> TableBucketArn -> (string)
+>>
+>>> The Amazon Resource Name (ARN) of the S3 Tables bucket.
+>>> 
+>>> Constraints:
+>>> 
+>>>   * pattern: `^(arn:aws[-a-z0-9]*:[a-z0-9]+:[-a-z0-9]*:[0-9]{12}:bucket/[a-zA-Z0-9-_]{3,63})$`
+>>> 
+
@@ -1433,0 +1460 @@ JSON Syntax:
+        "ConsumerAccountRoleArn": "string",
@@ -1505,0 +1533,3 @@ JSON Syntax:
+      "S3TablesParameters": {
+        "TableBucketArn": "string"
+      },
@@ -1696,0 +1727,11 @@ JSON Syntax:
+>>>>> 
+>>>>> ConsumerAccountRoleArn -> (string)
+>>>>>
+>>>>>> Use `ConsumerAccountRoleArn` to perform cross-account Athena access. This is an IAM role ARN in the same AWS account as the Athena resources you want to access. Provide this along with `RoleArn` to enable role-chaining, where Amazon Quick Sight first assumes the `RoleArn` and then assumes the `ConsumerAccountRoleArn` to access Athena resources.
+>>>>>> 
+>>>>>> Constraints:
+>>>>>> 
+>>>>>>   * min: `20`
+>>>>>>   * max: `2048`
+>>>>>> 
+
@@ -2173,0 +2215,14 @@ JSON Syntax:
+>>>> 
+>>>> S3TablesParameters -> (structure)
+>>>>
+>>>>> The parameters for S3 Tables.
+>>>>> 
+>>>>> TableBucketArn -> (string)
+>>>>>
+>>>>>> The Amazon Resource Name (ARN) of the S3 Tables bucket.
+>>>>>> 
+>>>>>> Constraints:
+>>>>>> 
+>>>>>>   * pattern: `^(arn:aws[-a-z0-9]*:[a-z0-9]+:[-a-z0-9]*:[0-9]{12}:bucket/[a-zA-Z0-9-_]{3,63})$`
+>>>>>> 
+
@@ -3035,0 +3091 @@ JSON Syntax:
+              "ConsumerAccountRoleArn": "string",
@@ -3107,0 +3164,3 @@ JSON Syntax:
+            "S3TablesParameters": {
+              "TableBucketArn": "string"
+            },
@@ -3569 +3628 @@ Status -> (integer)
-  * [AWS CLI 2.34.29 Command Reference](../../index.html) »
+  * [AWS CLI 2.34.32 Command Reference](../../index.html) »