我正在尝试在ASP.NET MVC项目中使用嵌入的QuickSight仪表板URL函数。为了进行测试,我只是尝试将嵌入的URL输出到字符串。这是我的代码的主要部分:
var awsCredentials = new BasicAWSCredentials("redacted", "redacted");
AmazonSecurityTokenServiceClient stsClient = new AmazonSecurityTokenServiceClient(awsCredentials);
var tokenServiceRequest = stsClient.GetSessionToken();
var client = new AmazonQuickSightClient(
tokenServiceRequest.Credentials.AccessKeyId,
tokenServiceRequest.Credentials.SecretAccessKey,
tokenServiceRequest.Credentials.SessionToken,
Amazon.RegionEndpoint.APSoutheast2);
try
{
string machineTypeEmbedUrl =
client.GetDashboardEmbedUrlAsync(new GetDashboardEmbedUrlRequest
{
AwsAccountId = "redacted",
DashboardId = "redacted",
IdentityType = IdentityType.IAM,
ResetDisabled = true,
SessionLifetimeInMinutes = 100,
UndoRedoDisabled = false
}).Result.EmbedUrl;
}
catch (Exception ex)
{
return new HttpStatusCodeResult(HttpStatusCode.BadRequest,ex.Message);
}
为了支持所需的权限,我设置了一个IAM用户,其STS假定角色如下所示:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1551593192075",
"Action": [
"sts:AssumeRole"
],
"Effect": "Allow",
"Resource": "arn:aws:iam::redacted:role/assume-quicksight-role"
}
]
}
我已经使用以下权限设置了上面指定的角色,并设置了其信任策略,以便上方的IAM用户可以承担该角色。
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "quicksight:RegisterUser",
"Resource": "*",
"Effect": "Allow"
},
{
"Action": "quicksight:GetDashboardEmbedUrl",
"Resource": "arn:aws:quicksight:ap-southeast-2:redacted:dashboard/redacted",
"Effect": "Allow"
}
]
}
据我所知这应该可行。调试显示,我确实获得了传递到embedUrl请求的会话令牌,但是出现以下错误:
InnerException = {“用户: arn:aws:iam ::: user / api-dev-quicksight-用户未获得授权 执行:对资源的quicksight:GetDashboardEmbedUrl: arn:aws:quicksight:ap-southeast-2 :: dashboard /“}
我不确定为什么会这样吗?我有一个可以担当正确角色的用户,并且该角色对所涉及的仪表板具有正确的权限。我在这里想念什么?
答案 0 :(得分:0)
尝试这样更改您的角色(请注意::
前的dashboard
双冒号):
...
"Action": "quicksight:GetDashboardEmbedUrl",
"Resource": "arn:aws:quicksight:ap-southeast-2::dashboard/*",
"Effect": "Allow"
...
这应该允许用户访问仪表板下的所有子资源。
要遵循AWS的Least Privilege principle建议,您应该列出所有资源:
...
"Resource": [
"arn:aws:quicksight:ap-southeast-2::dashboard/",
"arn:aws:quicksight:ap-southeast-2::dashboard/redacted"]
...