AWS IAM / QuickSight - user is not authorized to perform: quicksight:GetDashboardEmbedUrl on resource
I am trying to use the embedded QuickSight dashboard URL feature in an ASP.NET MVC project. For testing I am just trying to write the embed URL out to a string. This is the main part of my code:
using System;
using System.Net;
using System.Web.Mvc;
using Amazon;
using Amazon.QuickSight;
using Amazon.QuickSight.Model;
using Amazon.Runtime;
using Amazon.SecurityToken;

public ActionResult EmbedUrl()
{
    // Long-term access key of the IAM user (values redacted in the post).
    var awsCredentials = new BasicAWSCredentials("redacted", "redacted");

    // GetSessionToken returns temporary credentials for the calling IAM user itself.
    AmazonSecurityTokenServiceClient stsClient = new AmazonSecurityTokenServiceClient(awsCredentials);
    var tokenServiceRequest = stsClient.GetSessionToken();

    // QuickSight client built from the session-token credentials.
    var client = new AmazonQuickSightClient(
        tokenServiceRequest.Credentials.AccessKeyId,
        tokenServiceRequest.Credentials.SecretAccessKey,
        tokenServiceRequest.Credentials.SessionToken,
        RegionEndpoint.APSoutheast2);

    try
    {
        string machineTypeEmbedUrl =
            client.GetDashboardEmbedUrlAsync(new GetDashboardEmbedUrlRequest
            {
                AwsAccountId = "redacted",
                DashboardId = "redacted",
                IdentityType = IdentityType.IAM,
                ResetDisabled = true,
                SessionLifetimeInMinutes = 100,
                UndoRedoDisabled = false
            }).Result.EmbedUrl;

        // For the test the URL is simply returned as plain text.
        return Content(machineTypeEmbedUrl);
    }
    catch (Exception ex)
    {
        return new HttpStatusCodeResult(HttpStatusCode.BadRequest, ex.Message);
    }
}
To provide the required permissions, I have set up an IAM user that assumes a role via STS, as follows:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1551593192075",
            "Action": [
                "sts:AssumeRole"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:iam::redacted:role/assume-quicksight-role"
        }
    ]
}
I have set up the role named above with the following permissions, and set its trust policy so that the IAM user above can assume the role.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "quicksight:RegisterUser",
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "quicksight:GetDashboardEmbedUrl",
            "Resource": "arn:aws:quicksight:ap-southeast-2:redacted:dashboard/redacted",
            "Effect": "Allow"
        }
    ]
}
As far as I can tell this should work. Debugging shows that I do get a session token, and that it is passed into the embed URL request, but I get the following error:
InnerException = {"User: arn:aws:iam::::user/api-dev-quicksight-user is not authorized to perform: quicksight:GetDashboardEmbedUrl on resource: arn:aws:quicksight:ap-southeast-2::dashboard/"}
I am not sure why this happens. I have a user that can assume the correct role, and the role has the correct permissions on the dashboard in question. What am I missing here?
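The setup described in the question puts only sts:AssumeRole on the user and the QuickSight permissions on the role. A role's policy is evaluated only for calls signed with the temporary credentials that STS returns from AssumeRole; GetSessionToken returns temporary credentials for the calling user itself, and the denied principal in the error above is the user ARN. The following is an added example, not the asker's code, showing the assume-role flow end to end with the AWS SDK for .NET. The role ARN, session name, account ID and dashboard ID are placeholders; the region is the one from the question.

```csharp
using System;
using System.Threading.Tasks;
using Amazon;
using Amazon.QuickSight;
using Amazon.QuickSight.Model;
using Amazon.Runtime;
using Amazon.SecurityToken;
using Amazon.SecurityToken.Model;

// Added example (not from the post): fetch the embed URL with the ROLE's
// credentials, which is the identity the policy pair in the question grants to.
public static class QuickSightEmbed
{
    // Placeholders: replace with the real role ARN, account ID and dashboard ID.
    private const string RoleArn = "arn:aws:iam::123456789012:role/assume-quicksight-role";
    private const string AwsAccountId = "123456789012";
    private const string DashboardId = "00000000-0000-0000-0000-000000000000";

    public static async Task<string> GetEmbedUrlAsRoleAsync(AWSCredentials userCredentials)
    {
        // Step 1: the IAM user (allowed only sts:AssumeRole) assumes the role.
        // The role's trust policy must list this user as a trusted principal.
        using (var sts = new AmazonSecurityTokenServiceClient(userCredentials, RegionEndpoint.APSoutheast2))
        {
            var assumed = await sts.AssumeRoleAsync(new AssumeRoleRequest
            {
                RoleArn = RoleArn,
                RoleSessionName = "quicksight-embed", // recorded in CloudTrail as assumed-role/<role>/<session>
                DurationSeconds = 900                 // shortest allowed lifetime; enough for one embed call
            });

            // Step 2: build the QuickSight client from the ROLE's temporary credentials.
            // Calls signed with these are authorized against the role's policy, and the
            // caller appears as arn:aws:sts::<account>:assumed-role/<role>/<session>.
            var roleCredentials = new SessionAWSCredentials(
                assumed.Credentials.AccessKeyId,
                assumed.Credentials.SecretAccessKey,
                assumed.Credentials.SessionToken);

            using (var quickSight = new AmazonQuickSightClient(roleCredentials, RegionEndpoint.APSoutheast2))
            {
                var response = await quickSight.GetDashboardEmbedUrlAsync(new GetDashboardEmbedUrlRequest
                {
                    AwsAccountId = AwsAccountId,
                    DashboardId = DashboardId,
                    IdentityType = IdentityType.IAM,
                    ResetDisabled = true,
                    SessionLifetimeInMinutes = 100,
                    UndoRedoDisabled = false
                });
                return response.EmbedUrl;
            }
        }
    }
}
```

When a call is still denied, the principal named in the AccessDenied message tells you which identity was evaluated: a user/... ARN means the user's own credentials signed the request, an assumed-role/... ARN means the role's did, so the role policy is the one to inspect.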
Try changing your role like this (note the double colon "::" before "dashboard"):
...
    "Action": "quicksight:GetDashboardEmbedUrl",
    "Resource": "arn:aws:quicksight:ap-southeast-2::dashboard/*",
    "Effect": "Allow"
...
This should allow the user to access all sub-resources under the dashboard.
To follow the principle of least privilege that AWS recommends, you should list all the resources explicitly:
...
    "Resource": [
        "arn:aws:quicksight:ap-southeast-2::dashboard/",
        "arn:aws:quicksight:ap-southeast-2::dashboard/redacted"
    ]
...
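Before settling on either spelling of the Resource element, a practitioner would ask IAM directly which resource strings the role's policy matches. The IAM policy simulator answers that without making a QuickSight call at all. This is an added example, not part of the answer; it assumes the placeholder role and dashboard ARNs below and that the caller holds iam:SimulatePrincipalPolicy permission.

```csharp
using System;
using System.Collections.Generic;
using System.Threading.Tasks;
using Amazon;
using Amazon.IdentityManagement;
using Amazon.IdentityManagement.Model;

// Added example (not from the post): use the IAM policy simulator to check
// whether a principal is allowed quicksight:GetDashboardEmbedUrl on each
// candidate dashboard ARN spelling, so the policy can be verified before deploy.
public static class QuickSightPolicyCheck
{
    // Placeholder principal; replace with the real role ARN.
    public const string RoleArn = "arn:aws:iam::123456789012:role/assume-quicksight-role";

    // Constructed candidates: the dashboard ARN with and without the account ID segment.
    public static readonly IList<string> CandidateDashboardArns = new List<string>
    {
        "arn:aws:quicksight:ap-southeast-2:123456789012:dashboard/00000000-0000-0000-0000-000000000000",
        "arn:aws:quicksight:ap-southeast-2::dashboard/00000000-0000-0000-0000-000000000000"
    };

    // Returns, per resource ARN, whether the simulator reports "allowed".
    public static async Task<IDictionary<string, bool>> SimulateEmbedAccessAsync(
        string principalArn, IList<string> resourceArns)
    {
        // IAM is a global service; the region only selects the endpoint.
        using (var iam = new AmazonIdentityManagementServiceClient(RegionEndpoint.USEast1))
        {
            var response = await iam.SimulatePrincipalPolicyAsync(new SimulatePrincipalPolicyRequest
            {
                PolicySourceArn = principalArn,
                ActionNames = new List<string> { "quicksight:GetDashboardEmbedUrl" },
                ResourceArns = new List<string>(resourceArns)
            });

            var verdicts = new Dictionary<string, bool>();
            foreach (var result in response.EvaluationResults)
            {
                // EvalDecision is one of allowed, explicitDeny or implicitDeny.
                bool allowed = result.EvalDecision == PolicyEvaluationDecisionType.Allowed;
                verdicts[result.EvalResourceName] = allowed;
                Console.WriteLine($"{result.EvalActionName} on {result.EvalResourceName}: {result.EvalDecision}");
            }
            return verdicts;
        }
    }

    public static async Task Main()
    {
        var verdicts = await SimulateEmbedAccessAsync(RoleArn, CandidateDashboardArns);
        foreach (var kv in verdicts)
        {
            Console.WriteLine($"{(kv.Value ? "ALLOW" : "DENY ")} {kv.Key}");
        }
    }
}
```

Feed the simulator the dashboard ARN exactly as QuickSight reports it in its AccessDenied message, so the evaluation runs against the same string the service uses; the candidate that comes back "allowed" is the spelling the policy actually matches, and the least-privilege list in the answer should then name only those ARNs.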
Notice: the technical posts on this site are published under the CC BY-SA 4.0 license; if you repost them, please cite this site's URL or the original article URL. For any questions contact: yoyou2525@163.com.