AWS IAM / QuickSight-用户无权执行:quicksight:资源上的GetDashboardEmbedUrl

时间:2019-03-03 06:42:09

标签: amazon-web-services amazon-iam amazon-quicksight

我正在尝试在ASP.NET MVC项目中使用嵌入的QuickSight仪表板URL函数。为了进行测试,我只是尝试将嵌入的URL输出到字符串。这是我的代码的主要部分:

    var awsCredentials = new BasicAWSCredentials("redacted", "redacted");

    AmazonSecurityTokenServiceClient stsClient = new AmazonSecurityTokenServiceClient(awsCredentials);
    var tokenServiceRequest = stsClient.GetSessionToken();

    var client = new AmazonQuickSightClient(
        tokenServiceRequest.Credentials.AccessKeyId,
        tokenServiceRequest.Credentials.SecretAccessKey,
        tokenServiceRequest.Credentials.SessionToken,
        Amazon.RegionEndpoint.APSoutheast2);
    try
    {
        string machineTypeEmbedUrl =
            client.GetDashboardEmbedUrlAsync(new GetDashboardEmbedUrlRequest
            {
                AwsAccountId = "redacted",
                DashboardId = "redacted",
                IdentityType = IdentityType.IAM,
                ResetDisabled = true,
                SessionLifetimeInMinutes = 100,
                UndoRedoDisabled = false
            }).Result.EmbedUrl;
    }
    catch (Exception ex)
    {
        return new HttpStatusCodeResult(HttpStatusCode.BadRequest,ex.Message);
    }

为了支持所需的权限,我设置了一个IAM用户,其STS假定角色如下所示:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1551593192075",
            "Action": [
                "sts:AssumeRole"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:iam::redacted:role/assume-quicksight-role"
        }
    ]
}

我已经使用以下权限设置了上面指定的角色,并设置了其信任策略,以便上方的IAM用户可以承担该角色。

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "quicksight:RegisterUser",
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "quicksight:GetDashboardEmbedUrl",
            "Resource": "arn:aws:quicksight:ap-southeast-2:redacted:dashboard/redacted",
            "Effect": "Allow"
        }
    ]
}

据我所知这应该可行。调试显示,我确实获得了传递到embedUrl请求的会话令牌,但是出现以下错误:

  

InnerException = {“用户:   arn:aws:iam ::: user / api-dev-quicksight-用户未获得授权   执行:对资源的quicksight:GetDashboardEmbedUrl:   arn:aws:quicksight:ap-southeast-2 :: dashboard /“}

我不确定为什么会这样吗?我有一个可以担当正确角色的用户,并且该角色对所涉及的仪表板具有正确的权限。我在这里想念什么?

1 个答案:

答案 0 :(得分:0)

尝试这样更改您的角色(请注意::前的dashboard双冒号):

...
"Action": "quicksight:GetDashboardEmbedUrl", 
"Resource": "arn:aws:quicksight:ap-southeast-2::dashboard/*", 
"Effect": "Allow"
...

这应该允许用户访问仪表板下的所有子资源。

要遵循AWS的Least Privilege principle建议,您应该列出所有资源:

...
"Resource": [
    "arn:aws:quicksight:ap-southeast-2::dashboard/", 
    "arn:aws:quicksight:ap-southeast-2::dashboard/redacted"]
...