AWS IAM / QuickSight-用户无权执行:quicksight:资源上的GetDashboardEmbedUrl
[英]AWS IAM / QuickSight - user is not authorized to perform: quicksight:GetDashboardEmbedUrl on resource
问题描述
I am trying to use the embed QuickSight dashboard URL function in my ASP.NET MVC project. 
我正在尝试在ASP.NET MVC项目中使用嵌入的QuickSight仪表板URL函数。 For testing, I'm simply trying to output the embed URL to a string. 为了进行测试,我只是尝试将嵌入的URL输出到字符串。 Here is the main part of my code: 这是我的代码的主要部分:
var awsCredentials = new BasicAWSCredentials("redacted", "redacted");
AmazonSecurityTokenServiceClient stsClient = new AmazonSecurityTokenServiceClient(awsCredentials);
var tokenServiceRequest = stsClient.GetSessionToken();
var client = new AmazonQuickSightClient(
tokenServiceRequest.Credentials.AccessKeyId,
tokenServiceRequest.Credentials.SecretAccessKey,
tokenServiceRequest.Credentials.SessionToken,
Amazon.RegionEndpoint.APSoutheast2);
try
{
string machineTypeEmbedUrl =
client.GetDashboardEmbedUrlAsync(new GetDashboardEmbedUrlRequest
{
AwsAccountId = "redacted",
DashboardId = "redacted",
IdentityType = IdentityType.IAM,
ResetDisabled = true,
SessionLifetimeInMinutes = 100,
UndoRedoDisabled = false
}).Result.EmbedUrl;
}
catch (Exception ex)
{
return new HttpStatusCodeResult(HttpStatusCode.BadRequest,ex.Message);
}
In order to support the permissions required, I have set up an IAM user with the STS Assume Role allowed as follows: 为了支持所需的权限,我已经设置了具有STS假定角色的IAM用户,如下所示:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1551593192075",
"Action": [
"sts:AssumeRole"
],
"Effect": "Allow",
"Resource": "arn:aws:iam::redacted:role/assume-quicksight-role"
}
]
}
I have set up the role specified above with the following permissions, and set its trust policy so that the IAM user above can assume it. 我已经使用以下权限设置了上面指定的角色,并设置了其信任策略,以便上述IAM用户可以承担该角色。
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "quicksight:RegisterUser",
"Resource": "*",
"Effect": "Allow"
},
{
"Action": "quicksight:GetDashboardEmbedUrl",
"Resource": "arn:aws:quicksight:ap-southeast-2:redacted:dashboard/redacted",
"Effect": "Allow"
}
]
}
So as far as I can tell this should work. 据我所知这应该工作。 Debug reveals I do get a session token which is passed to the embedUrl request, however I get the following error: 调试显示我确实获得了会话令牌,该令牌已传递到embedUrl请求,但是出现以下错误:
InnerException = {"User: arn:aws:iam:::user/api-dev-quicksight-user is not authorized to perform: quicksight:GetDashboardEmbedUrl on resource: arn:aws:quicksight:ap-southeast-2::dashboard/"}
I'm not sure why this happens? 我不确定为什么会这样? I have a user that can assume the right role, and the role has the right permissions to the dashboard in question. 我有一个可以担当正确角色的用户,并且该角色对所涉及的仪表板具有正确的权限。 What am I missing here? 我在这里想念什么?
1 个解决方案
解决方案1
0 2019-03-03 08:07:41
Try to change your role like this (notice the :: double colon before dashboard ): 尝试像这样更改您的角色(注意:: dashboard前的::双冒号):
...
"Action": "quicksight:GetDashboardEmbedUrl",
"Resource": "arn:aws:quicksight:ap-southeast-2::dashboard/*",
"Effect": "Allow"
...
This should allow the user to access all the sub-resources under the dashboard. 这应该允许用户访问仪表板下的所有子资源。
To follow the Least Privilege principle recommend by AWS, you should list all your resources: 要遵循AWS建议的最低特权原则 ,您应该列出所有资源:
...
"Resource": [
"arn:aws:quicksight:ap-southeast-2::dashboard/",
"arn:aws:quicksight:ap-southeast-2::dashboard/redacted"]
...
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.