问题描述
我正在尝试在lambda函数中获得Quicksight嵌入URL,
I'm trying to get a Quicksight embed URL in a lambda function,
lambda函数从使用aws amplify在react应用程序上创建的前端接收jwtToken,所有的cognito设置都可以正常工作(用户池和身份池),用户收到的角色为"arn:aws:iam :: xx:role/Cognito_qa1_Admin"
The lambda function receives a jwtToken from the frontend created on a react app using aws amplify, all the cognito setup works well (userpool and identity pool), the user receives the role "arn:aws:iam::xx:role/Cognito_qa1_Admin" when logging in,
该角色有权访问quicksight:registerUser和quicksight:getDashboardEmbedUrl
The role has permissions to quicksight:registerUser and quicksight:getDashboardEmbedUrl
var cognitoIdentity = new AWS.CognitoIdentity();
var params = {
IdentityPoolId: "eu-west-2:xxx-291d-xx-b9a7-8b27c73c796c", // your identity pool id here
Logins: {
// your logins here
"cognito-idp.eu-west-2.amazonaws.com/eu-west-2_xxx": event.jwtToken,
},
};
// Get cognito identity from jwtToken
cognitoIdentity.getId(params, function (err, data) {
if (err) {
return callback(err);
}
var roleArn = "arn:aws:iam::xx:role/Cognito_qa1_Admin"; // your cognito authenticated role arn here
data.Logins = params.Logins;
// Get credentials for the identity (it also does the AssumeRoleWithWebIdentity)
cognitoIdentity.getCredentialsForIdentity(data, function (err, data) {
console.log(data);
if (err) {
return callback(err);
}
// update credentials with web identity ones
AWS.config.update({
region: "eu-west-2",
accessKeyId: data.Credentials.AccessKeyId,
secretAccessKey: data.Credentials.SecretKey,
sessionToken: data.Credentials.SessionToken,
expiration: data.Credentials.Expiration,
});
const quicksight = new AWS.QuickSight();
var getDashboardParams = {
AwsAccountId: "xx",
DashboardId: "a048efb6-3d3c-xx-8920-xxx",
IdentityType: "IAM",
ResetDisabled: false,
SessionLifetimeInMinutes: 100,
UndoRedoDisabled: false,
};
var registerUserParams = {
AwsAccountId: "xxx",
Email: event.userEmail,
IdentityType: "IAM",
Namespace: "default",
UserRole: "READER",
IamArn: roleArn,
SessionName: event.payloadSub,
};
// register user, this one works well
quicksight.registerUser(registerUserParams, function (err, data) {
if (err) {
if (err.code !== "ResourceExistsException") {
console.log("error registering user");
return callback(err);
}
console.log("user already exists");
}
console.log("User registration data", data);
// Get dashboard url, this is the one failing with QuickSightUserNotFoundException
quicksight.getDashboardEmbedUrl(getDashboardParams, function (
err,
data
) {
if (err) {
console.log("getDashboardEmbedUrl error", err);
return callback(err);
}
callback(null, data);
});
});
});
});
一切顺利,检索Web身份的凭据并将其设置为config,registerUser调用注册用户(或返回用户已经存在的错误)
Everything goes smooth, the credentials for the web identity are retrieved and set to the config, the registerUser call registers the user (or returns user already exists error)
但是 getDashboardEmbedUrl 失败,并出现QuickSightUserNotFoundException:在QuickSight中找不到用户信息
But the getDashboardEmbedUrl fails with QuickSightUserNotFoundException: Could not find user information in QuickSight
如果我在设置凭据后调用 sts.getCallerIdentity ,我会得到
If I call sts.getCallerIdentity after setting the credentials I get this
{
ResponseMetadata: { RequestId: 'd5cb26f1-f2f5-4148-87e5-74d6c998fb91' },
UserId: 'AROAU63RLM5WIRTFDRETQ:CognitoIdentityCredentials',
Account: 'xxx',
Arn: 'arn:aws:sts::xxx:assumed-role/Cognito_qa1_Admin/CognitoIdentityCredentials'
}
有什么主意吗?提前谢谢
Any idea? Thanks a lot in advance
推荐答案
注册用户时, IdentityType 必须为 IAM ,但对于getDashboardEmbedUrl,必须输入 QUICKSIGHT ,您需要传递 UserArn ,您可以在 registerUser
When registering the user the IdentityType has to be IAM but for getDashboardEmbedUrl it has to be type QUICKSIGHT and you need to pass UserArn which you can find in the response from registerUser
这篇关于QuickSightUserNotFoundException当使用cognito用户获取AWS Quicksight嵌入URL时的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!