[英]AWS IAM / QuickSight - user is not authorized to perform: quicksight:GetDashboardEmbedUrl on resource
我正在嘗試在ASP.NET MVC項目中使用嵌入的QuickSight儀表板URL函數。 為了進行測試,我只是嘗試將嵌入的URL輸出到字符串。 這是我的代碼的主要部分:
var awsCredentials = new BasicAWSCredentials("redacted", "redacted");
AmazonSecurityTokenServiceClient stsClient = new AmazonSecurityTokenServiceClient(awsCredentials);
var tokenServiceRequest = stsClient.GetSessionToken();
var client = new AmazonQuickSightClient(
tokenServiceRequest.Credentials.AccessKeyId,
tokenServiceRequest.Credentials.SecretAccessKey,
tokenServiceRequest.Credentials.SessionToken,
Amazon.RegionEndpoint.APSoutheast2);
try
{
string machineTypeEmbedUrl =
client.GetDashboardEmbedUrlAsync(new GetDashboardEmbedUrlRequest
{
AwsAccountId = "redacted",
DashboardId = "redacted",
IdentityType = IdentityType.IAM,
ResetDisabled = true,
SessionLifetimeInMinutes = 100,
UndoRedoDisabled = false
}).Result.EmbedUrl;
}
catch (Exception ex)
{
return new HttpStatusCodeResult(HttpStatusCode.BadRequest,ex.Message);
}
為了支持所需的權限,我已經設置了具有STS假定角色的IAM用戶,如下所示:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1551593192075",
"Action": [
"sts:AssumeRole"
],
"Effect": "Allow",
"Resource": "arn:aws:iam::redacted:role/assume-quicksight-role"
}
]
}
我已經使用以下權限設置了上面指定的角色,並設置了其信任策略,以便上述IAM用戶可以承擔該角色。
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "quicksight:RegisterUser",
"Resource": "*",
"Effect": "Allow"
},
{
"Action": "quicksight:GetDashboardEmbedUrl",
"Resource": "arn:aws:quicksight:ap-southeast-2:redacted:dashboard/redacted",
"Effect": "Allow"
}
]
}
據我所知這應該工作。 調試顯示我確實獲得了會話令牌,該令牌已傳遞到embedUrl請求,但是出現以下錯誤:
InnerException = {“用戶:arn:aws:iam :::: user / api-dev-quicksight-用戶無權執行:資源上的quicksight:GetDashboardEmbedUrl:arn:aws:quicksight:ap-southeast-2 :: dashboard / “}
我不確定為什么會這樣? 我有一個可以擔當正確角色的用戶,並且該角色對所涉及的儀表板具有正確的權限。 我在這里想念什么?
嘗試像這樣更改您的角色(注意:: dashboard前的::雙冒號):
...
"Action": "quicksight:GetDashboardEmbedUrl",
"Resource": "arn:aws:quicksight:ap-southeast-2::dashboard/*",
"Effect": "Allow"
...
這應該允許用戶訪問儀表板下的所有子資源。
要遵循AWS建議的最低特權原則 ,您應該列出所有資源:
...
"Resource": [
"arn:aws:quicksight:ap-southeast-2::dashboard/",
"arn:aws:quicksight:ap-southeast-2::dashboard/redacted"]
...
AWS IAM / QuickSight - 用戶:arn:aws:sts::xxxxxxxx:assumed-role/yyyy/nnnnnn 無權執行:quicksight:RegisterUser on resource
[英]AWS IAM / QuickSight - User: arn:aws:sts::xxxxxxxx:assumed-role/yyyy/nnnnnn is not authorized to perform: quicksight:RegisterUser on resource
AWS:AccessDeniedException:用戶:{user} 無權執行:quicksight:ListDashboards on resource
[英]AWS: AccessDeniedException: User: {user} is not authorized to perform: quicksight:ListDashboards on resource
用戶無權執行:iam:PassRole on resource error in create AWS codepipeline
[英]User not authorized to perform: iam:PassRole on resource error in creating AWS codepipeline
AWS EKS:用戶無權執行:對資源執行 iam:CreateRole
[英]AWS EKS: user is not authorized to perform: iam:CreateRole on resource
AWS boto3 用戶:arn:aws:iam::xxxx:root 無權執行:lambda:AddLayerVersionPermission 對資源
[英]AWS boto3 User: arn:aws:iam::xxxx:root is not authorized to perform: lambda:AddLayerVersionPermission on resource
錯誤代碼:AccessDeniedException。 用戶:arn:aws:iam::xxx:user/xxx 無權執行:lambda:CreateEventSourceMapping on resource:*
[英]Error code: AccessDeniedException. User: arn:aws:iam::xxx:user/xxx is not authorized to perform: lambda:CreateEventSourceMapping on resource: *
用戶:arn:aws:iam::AN:user/root 無權執行:dynamodb:DescribeTable 資源:arn:aws:dynamodb:eu-west-1:AN:table/MyTable
[英]User: arn:aws:iam::AN:user/root is not authorized to perform: dynamodb:DescribeTable on resource: arn:aws:dynamodb:eu-west-1:AN:table/MyTable
IAM用戶無權執行:在資源xxxx上使用明確拒絕的firehose:CreateDeliveryStream
[英]Iam user not authorized to perform: firehose:CreateDeliveryStream on resource xxxx with an explicit deny
Amazon SES 異常:IAM 用戶無權對資源執行“ses:SendRawEmail”
[英]Amazon SES Exception: IAM User is not authorized to perform `ses:SendRawEmail' on resource
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.