Hello community,
I am developing a Node.js application where I want to use the PredictQAResults method from QuickSight Q. To authenticate users, I am using Amazon Cognito (User Pool + Identity Pool), and then I initialize the QuickSight client with fromCognitoIdentityPool from the AWS SDK.
My current flow:
- The user authenticates via Cognito User Pool.
- I get the idToken from a successful login.
- I create the credentials using fromCognitoIdentityPool like this:
import { CognitoIdentityClient } from "@aws-sdk/client-cognito-identity";
import { fromCognitoIdentityPool } from "@aws-sdk/credential-providers";

// idToken is the ID token returned by the User Pool login (not the access token)
const credentials = fromCognitoIdentityPool({
  client: new CognitoIdentityClient({ region: "us-east-1" }),
  identityPoolId: "us-east-1:xxxx-xxxx-xxxx-xxxx", // My Identity Pool ID
  logins: {
    // key = User Pool issuer (the token's "iss") without the "https://" prefix
    "cognito-idp.us-east-1.amazonaws.com/us-east-1_xxxx": idToken, // idToken obtained from Cognito
  },
});
- I initialize the QuickSight client with the Cognito credentials:
import { QuickSightClient, PredictQAResultsCommand } from "@aws-sdk/client-quicksight";

// Requests are signed with the temporary credentials of the Identity Pool role
const qsClient = new QuickSightClient({
  region: "us-east-1",
  credentials,
});
- Then, I call the PredictQAResultsCommand:
qsClient.send(
  new PredictQAResultsCommand({
    AwsAccountId: "xxxxxxxxxxx", // My AWS account ID
    QueryText: "sales per month", // Sample query
    IncludeQuickSightQIndex: "INCLUDE",
    IncludeGeneratedAnswer: "INCLUDE",
    MaxTopicsToConsider: 1,
  })
).then((data) => {
  console.log("Success - PredictQAResultsCommand", data);
}).catch((error) => {
  console.log("Error", error);
});
The error I receive is the following:
AccessDeniedException: Failed to fetch IDC user from token
What I have already verified:
- The role assigned in the Identity Pool has the necessary permissions:
- quicksight:PredictQAResults
- quicksight:DescribeUser
- Other necessary permissions for interacting with QuickSight
Example of the policy attached to the role:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cognito-identity:GetCredentialsForIdentity",
        "quicksight:PredictQAResults",
        "quicksight:DescribeUser",
        "quicksight:GenerateEmbedUrlForRegisteredUser",
        "quicksight:ListUsers",
        "quicksight:SearchUsers",
        "quicksight:ListDashboards",
        "quicksight:ListDataSources",
        "quicksight:SearchGroups",
        "quicksight:UpdateQuickSightQSearchConfiguration",
        "quicksight:DescribeQuickSightQSearchConfiguration"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Resource": "*"
    }
  ]
}
The trust relationship of the role includes the following:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "cognito-identity.amazonaws.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "cognito-identity.amazonaws.com:aud": "us-east-1:xxxx-xxxx-xxxx-xxxx"
        },
        "ForAnyValue:StringLike": {
          "cognito-identity.amazonaws.com:amr": "authenticated"
        }
      }
    },
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "quicksight.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
The user is correctly registered in QuickSight:
- The federated user appears in the list of QuickSight users (ListUsers).
- The user has the ADMIN PRO role in QuickSight.
- QuickSight Q is enabled.
So my question is: Is there any limitation or additional configuration I need to consider when using this method?
I appreciate any help or suggestions to resolve this issue.
Thanks in advance!
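Added example, not part of the original post and not a diagnosis of the AccessDeniedException above: a local sanity check of the Cognito ID token against the `logins` key used with fromCognitoIdentityPool. Identity pools accept the User Pool ID token (claim `token_use` equal to `"id"`), and the `logins` map key must equal the token's `iss` claim with the `https://` scheme removed. The check only decodes the payload; it does not verify the signature, which Cognito Identity does server-side. The issuer, app client id and the sample tokens are constructed placeholders.

```javascript
// Added example: check a Cognito User Pool token before passing it to fromCognitoIdentityPool.
// The signature is NOT verified here; Cognito Identity verifies it when credentials are requested.

function base64UrlDecode(segment) {
  // JWT segments are unpadded base64url; Node's Buffer understands the "base64url" encoding.
  return Buffer.from(segment, "base64url").toString("utf8");
}

function decodeJwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) {
    throw new Error("not a compact JWS: expected header.payload.signature");
  }
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Compares the token's claims with what an identity pool expects for a User Pool login.
// Returns { ok, problems, loginsKey, claims }; loginsKey is the key derived from "iss".
function checkIdTokenForIdentityPool(token, { expectedLoginsKey, expectedClientId, now = Date.now() }) {
  const problems = [];
  let claims;
  try {
    claims = decodeJwtPayload(token);
  } catch (e) {
    return { ok: false, problems: [e.message] };
  }

  // Identity pools need the ID token; the access token carries token_use "access".
  if (claims.token_use !== "id") {
    problems.push(`token_use is "${claims.token_use}"; identity pools need the ID token, not the access token`);
  }

  // logins key must be the issuer without the scheme, e.g.
  //   iss = "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_xxxx"
  //   key = "cognito-idp.us-east-1.amazonaws.com/us-east-1_xxxx"
  const derivedKey = typeof claims.iss === "string" ? claims.iss.replace(/^https:\/\//, "") : undefined;
  if (derivedKey !== expectedLoginsKey) {
    problems.push(`logins key "${expectedLoginsKey}" does not match token issuer "${claims.iss}"`);
  }

  // For an ID token, "aud" is the User Pool app client id.
  if (expectedClientId && claims.aud !== expectedClientId) {
    problems.push(`aud "${claims.aud}" is not the expected app client "${expectedClientId}"`);
  }

  // exp is in seconds since the epoch; Date.now() is in milliseconds.
  if (typeof claims.exp !== "number" || claims.exp * 1000 <= now) {
    problems.push("token is expired (exp is in the past)");
  }

  return { ok: problems.length === 0, problems, loginsKey: derivedKey, claims };
}

// --- constructed sample tokens (placeholders; the signature segment is a dummy) ---
function makeUnsignedJwt(payload) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64url");
  return `${enc({ alg: "RS256", kid: "example" })}.${enc(payload)}.sig`;
}

const ISSUER = "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_xxxx"; // assumed placeholder pool
const LOGINS_KEY = "cognito-idp.us-east-1.amazonaws.com/us-east-1_xxxx";
const APP_CLIENT_ID = "exampleclientid"; // assumed placeholder
const FAR_FUTURE = 4102444800; // 2100-01-01T00:00:00Z, keeps the sample valid

const sampleIdToken = makeUnsignedJwt({
  iss: ISSUER, aud: APP_CLIENT_ID, token_use: "id", sub: "example-sub", exp: FAR_FUTURE,
});
// An access token: same issuer, but token_use "access" and client_id instead of aud.
const sampleAccessToken = makeUnsignedJwt({
  iss: ISSUER, client_id: APP_CLIENT_ID, token_use: "access", exp: FAR_FUTURE,
});

console.log(checkIdTokenForIdentityPool(sampleIdToken, { expectedLoginsKey: LOGINS_KEY, expectedClientId: APP_CLIENT_ID }));
console.log(checkIdTokenForIdentityPool(sampleAccessToken, { expectedLoginsKey: LOGINS_KEY }));
```

Run it before the fromCognitoIdentityPool call with the real idToken and the key you use in `logins`; a non-empty `problems` list means the identity pool will not be able to match the token to the configured User Pool provider, regardless of what the role's IAM policy allows.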