amazon-archives / amazon-quicksight-embedding-sample Goto Github PK

Hi

I am using Angular for embedding the dashboard. I have used the index js code from this sample . When I am trying to register the assume role user as a quickisght user.

I am getting the below error

zone.js:3243 OPTIONS https://quicksight.us-east-1.amazonaws.com/accounts/000000000/namespaces/default/users 403
bbef8678.ngrok.io/:1 Access to XMLHttpRequest at 'https://quicksight.us-east-1.amazonaws.com/accounts/00000000/namespaces/default/users' from origin 'https://bbef8643.ngrok.io' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.

Could you please help me with this error?

I successfully retrieve my embed URL from my lambda function. What is weird is that I can embed some of my dashboards but I get a 403 error on other dashboards.

Is there a piece I'm missing? How should I configure the "share" permissions on the QuickSight dashboard?

Hello,

I am running this command listed in the readme

aws cognito-idp admin-respond-to-auth-challenge --user-pool-id <> --client-id <> --challenge-name NEW_PASSWORD_REQUIRED --challenge-responses NEW_PASSWORD=<>,USERNAME=<>,userAttributes.name=<> --session “output_of_previous_command"

It prompts me in bash (on MAC) after I run this command and I am not sure what to put in the prompts. Any help you can give about this would really help me.

Thanks!

Dan

I am using Quicksight Authentication (Identity Type: QUICKSIGHT) and used the CF stacks to build the components. I also updaloded the lambda code as suggested. However, while I try to test the same from API gateway it gives me error saying -

arn:aws:sts::xxxxxxxxxxxx:assumed-role/QuicksightEmbedStack-LambdaExecutionRole-5Z4UVE5XMDBG/GetDashboardEmbedURL is not authorized to perform: quicksight:GetAuthCode on resource: arn:aws:quicksight:region:xxxxxxxxxxxxxxx:user/default/username
at Object.extractError (/var/task/node_modules/aws-sdk/lib/protocol/json.js:51:27)
at Request.extractError (/var/task/node_modules/aws-sdk/lib/protocol/rest_json.js:55:8)
at Request.callListeners (/var/task/node_modules/aws-sdk/lib/sequential_executor.js:106:20)
at Request.emit (/var/task/node_modules/aws-sdk/lib/sequential_executor.js:78:10)
at Request.emit (/var/task/node_modules/aws-sdk/lib/request.js:683:14)
at Request.transition (/var/task/node_modules/aws-sdk/lib/request.js:22:10)
at AcceptorStateMachine.runTo (/var/task/node_modules/aws-sdk/lib/state_machine.js:14:12)
at /var/task/node_modules/aws-sdk/lib/state_machine.js:26:10
at Request. (/var/task/node_modules/aws-sdk/lib/request.js:38:9)
at Request. (/var/task/node_modules/aws-sdk/lib/request.js:685:12) {
code: 'AccessDeniedException',
time: 2020-06-04T16:07:14.479Z,
requestId: '689b160c-d5b4-49ec-a1e7-5385d705bdd0',
statusCode: 403,
retryable: false,
retryDelay: 85.70687671139328

Looking into the error it seems that the Lambda function does not have a the permission to perform quicksight:GetAuthcode on the quicksight user. But, I see from the policy attached to the lambda role clearly mentions about the quicksight:GetAuthCode (created through CF stack). I am not sure what exactly am I missing here. I am stuck at this point and any help is much appreciated.

Thanks

Hi,

Please help me.I am new to quicksight.I want to integrate my code to Quicksight URL(Once I publish the dashboard result).

When I am checking two options are mean while available one is send mail and share to quick sight users.
Please suggest is it possible to like s3 we can able to enable hosting that way dashboard publish.

Please help me ASAP.

Hi, I have followed the steps. The quicksight embedded dashboard doesn't show up and getting the badrequest error after the user login via cognito.
Can someone please help to address this issue and to make the dashboaard appear on the page.

https://cognito-idp.us-east-1.amazonaws.com/
{"code":"BadRequest","message":"The server did not understand the operation that was requested.","type":"client"}
error

screenshot attached

The embedding requires a re-authentication every 10 hours. This means that from our UI the user has to put in their password to access a dashboard, frequently. Is there a way to pass the JWT from a web app that the user might already be logged into? This way the experience for end customers using our dashboard is better. They don't have to re-input their password to view different dashboards. They should just be able to log into our web app, see a list of available dashboards, then click on the one they want to view. Also, I think the embed URL will return faster this way.

I am using S3 hosting with CloudFront distribution and listed the CloudFront URL in QuickSight domain. When using sample code i am seeing error:
Access to 'https://.cloudfront.net/embed-dashboard.bundle.df397614c8bc1dae4be8.14.js' from origin 'https://us-east-1.quicksight.aws.amazon.com' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource

Below is my CloudFront setting:
Origin Custom header:
Access-Control-Allow-Origin: https://.cloudfront.net
Allowed HTTP methods:
GET, HEAD, OPTIONS
Whitelisted headers:
Access-Control-Request-Headers
Access-Control-Request-Method
Origin

kindly guide.

apiGatewayGetDashboardEmbedUrl is taking the parameters as GET request. Though its not an issue for the time being in this case, posting tokens as part of URL is a bad design. Again I know, the token in this case cannot do much, but still.

Please add GetDashboardEmbedURLPostRequest to API cloudformation script.

Embedding URL's don't work on local host for development. This is annoying because I can't test locally. I have to push to our development URL and wait for cloudformation to get around to refreshing the cache. Any recommendations?

I think I've set this all up according to the instructions, and my user account can retreive session info from the aws cognito-idp admin-initiate-auth command, but whenever I test the API in Gateway, I get a 502 error.

I've tried testing the lambda function directly and get:
2019-02-21T16:57:20.679Z 430b1cf7-15a2-4f58-a6e3-c1ec25f00e92 (node:1) UnhandledPromiseRejectionWarning: ReferenceError: alert is not defined
at Object.onFailure (/var/task/index.js:185:13)
at /var/task/node_modules/amazon-cognito-identity-js/lib/CognitoUser.js:331:27
at /var/task/node_modules/amazon-cognito-identity-js/lib/Client.js:96:18
at
at process._tickDomainCallback (internal/process/next_tick.js:228:7)

Has anyone ever come across this:

Refused to display 'https://us-east-...' in a frame because an ancestor violates the following Content Security Policy directive: "frame-ancestors https://www.[url].com".

The embed URL returns fine, and works in its own browser. I have added headers to my nginx.conf file like: add_header Content-Security-Policy "frame-ancestors https:";

When launching the CF it will fail with the error message that nodejs8.10 is no longer supported.
Use nodejs12.x instead.

Hi, I'm working to embed a dashboard in an application that utilizes a Cognito User Pool as its federated identity provider, and to further control access to AWS resources, those users are assigned to Cognito groups that are associated with a Role. This setup requires that the identity pool's Authenticated Role Selection is set to "Choose Role From Token". However, when I attempt to get the Open ID token in my web application using the CognitoIdentity.getOpenIdToken API from the AWS SDK, the following error occurs: "Basic (classic) flow is not supported with RoleMappings, please use enhanced flow."

I did attempt modifying the embedding sample's OpenID Lambda script to leverage the ID token that's provided by Cognito (rather than the Open ID token) and calling CognitoIdentity.getCredentialsForIdentity rather than STS.assumeRoleWithWebIdentity to obtain the access keys to use with QuickSight, but upon executing the Lambda I get the error "QuickSightUserNotFoundException: Could not find user information in QuickSight". I don't have insight into what username it's actually looking for though to know how to correct my approach. Perhaps since the script is no longer using assumeRoleWithWebIdentity the role name is not prefixed to the username?

The "Allow Basic (Classic) Flow" option is enabled for the identity pool, but that does not resolve it. It does seem that this option needs to be enabled for the Lambda example to work as it is, but I use the enhanced flow everywhere else in my application, so being able to embed the dashboard without requiring the basic flow to be enabled would be ideal.

Any insight is appreciated as I'd really prefer to continue using the enhanced flow and token-based role mapping with this application.

Thanks!

I have whitelisted my domain, and I do get the embeded url from a lambda function. But the Https web page returns a web page with the following error We can't display this page (Insufficient permissions).

When trying to follow the template to create the Cognito Resources there is no way to specify an existing UserPool.

According to the AWS documentation about available Cloudformation template values related to Cognito UserPools there is no way to specify the Pool ID as is not is the documentation.

This is problematic as Quicksight is usually an addition to an existing project that probably has many users in a pool already.