amazon-quicksight quicksight-embedding

How to use generateEmbedUrlForRegisteredUser


Good day.

I tried getDashboardEmbedUrl() and it works fine with the UserArn set to the ADMIN user in my Quicksight account. Now I am trying to use the generateEmbedUrlForRegisteredUser(). But it gives the following error:

Error executing "GenerateEmbedUrlForRegisteredUser" on "https://quicksight.eu-west-1.amazonaws.com/accounts/971170084134/embed-url/registered-user"; AWS HTTP error: Client error: `POST https://quicksight.eu-west-1.amazonaws.com/accounts/xxxxxxxxxxxx/embed-url/registered-user` resulted in a `404 Not Found` response:
{"Message":"User arn:aws:quicksight:eu-west-1:xxxxxxxxxxxx:user/default/jjordaan does not exist.","RequestId":"5c310250- (truncated...)
 ResourceNotFoundException (client): User arn:aws:quicksight:eu-west-1:xxxxxxxxxxxx:user/default/jjordaan does not exist. - {"Message":"User arn:aws:quicksight:eu-west-1:xxxxxxxxxxxx:user/default/jjordaan does not exist.","RequestId":"5c310250-a1bb-413f-b2d7-f07fdb91e027","ResourceType":null}

GenerateEmbedUrlForRegisteredUser Policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "quicksight:GenerateEmbedUrlForRegisteredUser",
                "quicksight:RegisterUser"
            ],
            "Resource": "*"
        }
    ]
}

EmbeddingQuicksightAssumeRole policy:

{
    "Version": "2012-10-17",
    "Statement": 
        {
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "arn:aws:iam::971170084134:role/GenerateEmbedUrlForRegisteredUser"
        }
}

Also attempted to create a new Quicksight user, but no luck. The URL generation error is the same. What could I be doing wrong? Thanks.

Regards. Jarrett


Solution

  • The error message says the user does not exist: User arn:aws:quicksight:eu-west-1:xxxxxxxxxxxx:user/default/jjordaan does not exist

    You need to register the user with Quicksight before that user can do anything with Quicksight. Requesting a dashboard and registering users are separate methods with separate permissions.

    For example:

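    import boto3

    # QuickSight client used to register the user
    client = boto3.client("quicksight", region_name=QUICKSIGHT_REGION)
    client.register_user(
        AwsAccountId=AWS_ACCOUNT_ID,
        Namespace="default",
        IdentityType="IAM",
        IamArn=f"arn:aws:iam::{AWS_ACCOUNT_ID}:role/{QUICKSIGHT_DASHBOARD_ROLE_NAME}",
        UserRole="READER",
        SessionName=user.email,
        Email=user.email
    )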

    QUICKSIGHT_DASHBOARD_ROLE_NAME is a role that is allowed to embed a dashboard (such as GenerateEmbedUrlForRegisteredUser).

    To get a dashboard URL:

    import boto3

    # assume_role is an STS call, so it needs an STS client
    sts = boto3.client("sts")
    response = sts.assume_role(
        RoleArn=f"arn:aws:iam::{AWS_ACCOUNT_ID}:role/{QUICKSIGHT_DASHBOARD_ROLE_NAME}",
        RoleSessionName=user.email
    )
    creds = response["Credentials"]
    # build a QuickSight client from the temporary access key, secret key, and session token
    client = boto3.client(
        "quicksight",
        region_name=QUICKSIGHT_REGION,
        aws_access_key_id=creds["AccessKeyId"],
        aws_secret_access_key=creds["SecretAccessKey"],
        aws_session_token=creds["SessionToken"],
    )
    response = client.get_dashboard_embed_url(
        AwsAccountId=AWS_ACCOUNT_ID,
        DashboardId=dashboard_id,
        IdentityType="IAM",
        SessionLifetimeInMinutes=60,
    )
    url = response.get("EmbedUrl")
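
As an added example (not code from the question or the answer above), this sketch registers the role-based user if needed and then passes the ARN that QuickSight returns to `generate_embed_url_for_registered_user`; a user registered through an IAM role is named `<role>/<session>`, not just the session name. `StubQuickSight` and the `example.invalid` URL are constructed stand-ins so the code runs offline; in practice `qs` would be a real `boto3.client("quicksight")`.

```python
def registered_user_embed_url(qs, account_id, role_arn, session_name, email,
                              dashboard_id, namespace="default", minutes=60):
    """Register the role-based user if needed, then embed as that exact user."""
    role_name = role_arn.rsplit("/", 1)[-1]
    try:
        user = qs.register_user(
            AwsAccountId=account_id, Namespace=namespace, IdentityType="IAM",
            IamArn=role_arn, SessionName=session_name, Email=email, UserRole="READER",
        )["User"]
    except qs.exceptions.ResourceExistsException:
        # Already registered: role-based users are named "<role>/<session>".
        user = qs.describe_user(
            AwsAccountId=account_id, Namespace=namespace,
            UserName=f"{role_name}/{session_name}",
        )["User"]
    # Pass the ARN QuickSight returned rather than one assembled by hand.
    resp = qs.generate_embed_url_for_registered_user(
        AwsAccountId=account_id, UserArn=user["Arn"],
        SessionLifetimeInMinutes=minutes,
        ExperienceConfiguration={"Dashboard": {"InitialDashboardId": dashboard_id}},
    )
    return user["Arn"], resp["EmbedUrl"]


class StubQuickSight:
    """Constructed offline stand-in for boto3.client("quicksight")."""
    class exceptions:
        class ResourceExistsException(Exception):
            pass

    def __init__(self, region="eu-west-1"):
        self.region, self.users = region, {}

    def register_user(self, *, AwsAccountId, Namespace, IamArn, SessionName, **_):
        name = f"{IamArn.rsplit('/', 1)[-1]}/{SessionName}"
        if name in self.users:
            raise self.exceptions.ResourceExistsException(name)
        arn = f"arn:aws:quicksight:{self.region}:{AwsAccountId}:user/{Namespace}/{name}"
        self.users[name] = {"Arn": arn, "UserName": name}
        return {"User": self.users[name]}

    def describe_user(self, *, UserName, **_):
        return {"User": self.users[UserName]}

    def generate_embed_url_for_registered_user(self, *, UserArn, ExperienceConfiguration, **_):
        if UserArn not in {u["Arn"] for u in self.users.values()}:
            raise LookupError(f"User {UserArn} does not exist.")  # mimics the 404
        dash = ExperienceConfiguration["Dashboard"]["InitialDashboardId"]
        return {"EmbedUrl": f"https://example.invalid/embed/{dash}"}
```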