How do I resolve permission errors in QuickSight when I generate an embedded QuickSight dashboard URL for unregistered users?


I want to generate an embedded Amazon QuickSight dashboard URL for unregistered QuickSight users so that I can embed the dashboard into a web application. But, I receive permission errors.

Short description

The AWS Identity and Access Management (IAM) user or role that the backend or web server uses must have permission to generate an embedded QuickSight dashboard URL for unregistered users. If the IAM user or role doesn't have the correct permission, then you receive the following errors:

IAM user

An error occurred (AccessDeniedException) when calling the GenerateEmbedUrlForAnonymousUser operation: User: arn:aws:iam::XXXXXXXXXXX:user/user1 is not authorized to perform: quicksight:GenerateEmbedUrlForAnonymousUser on resource: arn:aws:quicksight:region:XXXXXXXXXXX:namespace/default because no identity-based policy allows the quicksight:GenerateEmbedUrlForAnonymousUser action

IAM role

An error occurred (AccessDeniedException) when calling the GenerateEmbedUrlForAnonymousUser operation: User: arn:aws:sts::XXXXXXXXXXX:user:assumed-role/role-name/policy-name is not authorized to perform: quicksight:GenerateEmbedUrlForAnonymousUser on resource: arn:aws:quicksight:region:XXXXXXXXXXX:user:namespace/default because no identity-based policy allows the quicksight:GenerateEmbedUrlForAnonymousUser action

To resolve these errors, you must attach an IAM policy with the required permission.

Resolution

Attach the following IAM policy for the quicksight:GenerateEmbedUrlForAnonymousUser action to the IAM user or role that's used to call the GenerateEmbedUrlForAnonymousUser API:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "quicksight:GenerateEmbedUrlForAnonymousUser",
      "Resource": [
        "arn:aws:quicksight:<region>:<AWS Account ID>:namespace/<namespace>",
        "arn:aws:quicksight:<region>:<AWS Account ID>:dashboard/<Dashboard ID>"
      ]
    }
  ]
}

Note: Session capacity pricing must be active on the QuickSight account to embed the QuickSight dashboard URL for unregistered users. If it's not active, then the user receives the error UnsupportedPricingPlanException.
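To confirm that a policy document covers both resources before you attach it, you can run a local check like the following. This is an added example, not AWS code. It is a simplified matcher that looks only at Allow statements (it ignores Deny, NotAction, NotResource, Condition, SCPs, and permissions boundaries), and the Region, account ID, and dashboard ID are constructed placeholders.

```python
import re

# Constructed sample values; substitute your own Region, account ID and dashboard ID.
REGION, ACCOUNT, DASHBOARD = "us-east-1", "111122223333", "example-dashboard-id"
ACTION = "quicksight:GenerateEmbedUrlForAnonymousUser"
NEEDED = [
    f"arn:aws:quicksight:{REGION}:{ACCOUNT}:namespace/default",
    f"arn:aws:quicksight:{REGION}:{ACCOUNT}:dashboard/{DASHBOARD}",
]

DENIED = re.compile(r"User: (?P<principal>\S+) is not authorized to perform: "
                    r"(?P<action>\S+) on resource: (?P<resource>\S+)")

def parse_denial(message):
    """Extract principal, action and resource from an AccessDeniedException message."""
    m = DENIED.search(message)
    if m is None:
        raise ValueError("not an IAM authorization failure message")
    return m.groupdict()

def _listify(value):
    return value if isinstance(value, list) else [value]

def _match(pattern, value, ignore_case=False):
    # IAM wildcards: * matches any run of characters, ? matches exactly one.
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value, re.I if ignore_case else 0) is not None

def allows(policy, action, resource):
    """True if some Allow statement covers the action (case-insensitive) and resource."""
    for stmt in _listify(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "Action" not in stmt or "Resource" not in stmt:
            continue  # Deny, NotAction and NotResource statements are out of scope here
        if any(_match(a, action, True) for a in _listify(stmt["Action"])) and \
           any(_match(r, resource) for r in _listify(stmt["Resource"])):
            return True
    return False

def uncovered(policy, action=ACTION, resources=NEEDED):
    """Resources from the page's policy that the candidate policy does not allow."""
    return [r for r in resources if not allows(policy, action, r)]

# Constructed candidate policy: grants the action on the namespace only.
NAMESPACE_ONLY = {"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Action": ACTION, "Resource": NEEDED[0]}}

if __name__ == "__main__":
    msg = (f"User: arn:aws:iam::{ACCOUNT}:user/user1 is not authorized to perform: "
           f"{ACTION} on resource: {NEEDED[0]} because no identity-based policy allows it")
    print(parse_denial(msg))
    print(uncovered(NAMESPACE_ONLY))
```

An empty list from `uncovered` means that the candidate policy has an Allow statement for the action on both the namespace and the dashboard ARN.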


Related information

Embedding QuickSight data dashboards for everyone

AWS OFFICIAL. Updated 2 years ago