Greetings!
I am developing an Amplify Gen 2 application which embeds a QuickSight dashboard.
Since it uses Microsoft Entra as IdP, we want to manage permissions on the Azure side and map them to session tags for GenerateEmbedUrlForAnonymousUser.
The dashboard has two custom themes, to reflect both the light and dark modes of the app, but calling setTheme on the frontend returns a 404 error on the related API call even though the ARN is correct - and the response is just {errorCode: null, message: ""}.
I tried to solve it by adding a policy to the Amplify user role, but it didn’t help either:
backend.auth.resources.authenticatedUserIamRole.addToPrincipalPolicy(
  new PolicyStatement({
    actions: ['quicksight:DescribeTheme'],
    resources: ['*'],
  }),
);
What could possibly be the cause for this?
            
Hello @ElSaico, okay, so I am curious when this error is occurring and how this functions from the application. Does the dashboard load with a default theme option (either light or dark) and then throw an error when a user switches between the 2, or does it never work on load and throw the error immediately?
Also, are you able to provide more theme and dashboard related permissions that you have applied? It is not well documented which permissions would be required for this, so with a little more information I can think of some possible solutions.
Thank you!
            
Hello @DylanM, thank you for answering!
About your first question, it’s the former; it loads with the default theme (the light one) but throws an error upon switching.
And this is the IAM policy for the API call that generates the embed URL:
apiLambda.addToRolePolicy(new PolicyStatement({
  sid: 'AllowQuicksight',
  actions: [
    'quicksight:DescribeDashboard',
    'quicksight:DescribeTheme',
    'quicksight:GenerateEmbedUrlForAnonymousUser'
  ],
  resources: [
    apiStack.formatArn({ service: 'quicksight', resource: '*' }),
  ],
}));
Inspect mode shows the embedding SDK making a series of API calls that go seamlessly, such as:
https://us-east-1.quicksight.aws.amazon.com/embed/<snip>/api/expressions/evaluate?Operation=EvaluateExpressions&mbtc=<snip>
https://us-east-1.quicksight.aws.amazon.com/embed/<snip>/api/dashboards/<dashboard guid>/customActions?Operation=ListCustomActionsInDashboard&mbtc=<snip>
https://us-east-1.quicksight.aws.amazon.com/embed/<snip>/api/dashboards/<dashboard guid>/alerts?Operation=GetAlertsForDashboard&mbtc=<snip>
However, the equivalent call to fetch the theme displays only the error mentioned above:
https://us-east-1.quicksight.aws.amazon.com/embed/<snip>/api/themes/<theme guid>?Operation=DescribeTheme&requestData=%7B%22themeType%22%3A%22CUSTOM%22%7D&mbtc=<snip>
I begin to wonder if it’s not an issue with the embed API itself…
            
UPDATE: after rereading the documentation for a separate embedding… I found out that, for the anonymous variant, the themes have to be declared on AuthorizedResourceArns as well. Problem solved!
              1 Like
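The resolution in the thread above, as an added example that is not code from any of the posters: it builds the input object for GenerateEmbedUrlForAnonymousUser with the theme ARNs listed in AuthorizedResourceArns next to the dashboard, and checks which themes a session would not be authorized for. The helper names, account ID, resource IDs, session tag and the "default" namespace are assumptions made for illustration.

```typescript
// Added example: account ID, resource IDs and helper names are constructed placeholders.
type Tag = { Key: string; Value: string };

const arn = (region: string, account: string, kind: "dashboard" | "theme", id: string): string =>
  `arn:aws:quicksight:${region}:${account}:${kind}/${id}`;

// Builds the input for GenerateEmbedUrlForAnonymousUser. Per the thread, for the
// anonymous variant the themes have to be declared in AuthorizedResourceArns
// as well, not only the dashboard.
function buildAnonymousEmbedInput(opts: {
  region: string; accountId: string; dashboardId: string;
  themeIds: string[]; sessionTags: Tag[];
}) {
  const { region, accountId, dashboardId, themeIds, sessionTags } = opts;
  return {
    AwsAccountId: accountId,
    Namespace: "default", // assumption: the default QuickSight namespace
    SessionLifetimeInMinutes: 60,
    AuthorizedResourceArns: [
      arn(region, accountId, "dashboard", dashboardId),
      ...themeIds.map((id) => arn(region, accountId, "theme", id)),
    ],
    ExperienceConfiguration: { Dashboard: { InitialDashboardId: dashboardId } },
    SessionTags: sessionTags, // e.g. values mapped from IdP claims
  };
}

// Pre-flight check: returns the theme ARNs the session is not authorized for.
function unauthorizedThemes(input: { AuthorizedResourceArns: string[] }, themeArns: string[]): string[] {
  return themeArns.filter((t) => input.AuthorizedResourceArns.indexOf(t) === -1);
}

// Constructed sample values.
const sample = {
  region: "us-east-1", accountId: "111122223333", dashboardId: "dash-0001",
  sessionTags: [{ Key: "department", Value: "sales" }],
};
const lightArn = arn("us-east-1", "111122223333", "theme", "theme-light");
const darkArn = arn("us-east-1", "111122223333", "theme", "theme-dark");

// Dashboard-only authorization (the failing setup) versus dashboard plus themes.
const dashboardOnly = buildAnonymousEmbedInput({ ...sample, themeIds: [] });
const withThemes = buildAnonymousEmbedInput({ ...sample, themeIds: ["theme-light", "theme-dark"] });

console.log(unauthorizedThemes(dashboardOnly, [lightArn, darkArn])); // both theme ARNs
console.log(unauthorizedThemes(withThemes, [lightArn, darkArn]));    // []
```

The returned object has the shape accepted by `GenerateEmbedUrlForAnonymousUserCommand` in `@aws-sdk/client-quicksight`; the IAM policy on the calling Lambda is a separate matter from this per-session list.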