I’m exploring ways to streamline AWS QuickSight API interactions in my application, and I’m considering using a service account user to act as a proxy for multiple end-users. Here’s the context:
Context:
Application: A web application embeds QuickSight dashboards for users based on their roles and permissions.
Authentication: Users authenticate via SSO (Okta) for application access, but I don’t want each user to require individual QuickSight user provisioning.
Objective: I want to use a service account user to:
- Centralize API interactions for all users without provisioning individual QuickSight accounts.
- Act as a proxy for users while maintaining role-based access to dashboards (e.g., applying row-level security filters).
Hi @Sreepad - Welcome to the community. If you want to keep users out of QuickSight, then you can explore using anonymous embedding options. By using anonymous embedding, you can use the authentication mechanism your application uses today and use tag-based row-level security to manage access to QuickSight dashboards.
Also, please review the service term 40.4. Copy pasted below…
"40.4. QuickSight Readers. Readers (as defined in the QuickSight documentation) that are used for automatically or programmatically refreshing dashboards for near real-time use cases must choose capacity pricing. For readers under user pricing, each reader is limited to manual use by one individual only."
What if we create a service account user [reader user] in AWS QuickSight and then use this user to access the dashboards for any users in the web app? Can we use this approach and use the API call GenerateEmbedUrlForRegisteredUser to get the dashboard URL to embed into the web app? Here the service account user will act as a proxy.
@Sreepad – Technically, that will work. But, you should review this piece from the FAQ –
“QuickSight Reader user pricing applies to interactive consumption of data by individual end users in an organization. Reader sessions under capacity pricing are designed to be used in 30-minute intervals. A fair use policy applies, and any abuse of the system will result in the Reader being metered as an Author.”
Best practice, in your case, will be to use anonymous user embedding. If you want to use registered user embedding, then that user should be provisioned to QuickSight for the service to appropriately bill the usage.
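
The anonymous embedding with tag-based row-level security recommended in the replies above, sketched as an added example (not code from the thread or from AWS): a server-side builder for the `GenerateEmbedUrlForAnonymousUser` request that derives session tags only from already-verified SSO claims and fails closed. The account ID, dashboard ID, claim names, tag keys, and the dataset's tag rule settings (delimiter `,`, match-all `*`) are assumptions.

```python
# Assumed values (not from the thread): account ID, dashboard ID, claim names,
# tag keys, and the dataset's RLS tag rule settings.
ACCOUNT_ID = "111122223333"            # placeholder account ID
DASHBOARD_ID = "example-dashboard-id"  # placeholder dashboard ID
DASHBOARD_ARN = f"arn:aws:quicksight:us-east-1:{ACCOUNT_ID}:dashboard/{DASHBOARD_ID}"
CLAIM_TO_TAG = {"tenant_id": "tenant", "region": "region"}  # verified claim -> RLS tag key
FORBIDDEN = (",", "*")  # assumed multi-value delimiter and match-all value


class ClaimError(ValueError):
    """Raised when a claim cannot be mapped safely to a session tag."""


def session_tags(verified_claims):
    """Map claims from an already-validated SSO token to RLS session tags."""
    tags = []
    for claim, tag_key in CLAIM_TO_TAG.items():
        value = verified_claims.get(claim)
        # Fail closed: a missing tag must never become an unfiltered session.
        if not isinstance(value, str) or not value.strip():
            raise ClaimError(f"missing or empty claim: {claim}")
        # A claim value must not be able to widen its own filter.
        if any(ch in value for ch in FORBIDDEN):
            raise ClaimError(f"claim {claim} contains a reserved character")
        tags.append({"Key": tag_key, "Value": value})
    return tags


def embed_request(verified_claims, allowed_domain):
    """Build the parameters for GenerateEmbedUrlForAnonymousUser."""
    return {
        "AwsAccountId": ACCOUNT_ID,
        "Namespace": "default",
        "SessionLifetimeInMinutes": 15,
        "AuthorizedResourceArns": [DASHBOARD_ARN],
        "ExperienceConfiguration": {"Dashboard": {"InitialDashboardId": DASHBOARD_ID}},
        "SessionTags": session_tags(verified_claims),
        "AllowedDomains": [allowed_domain],
    }


def generate_url(verified_claims, allowed_domain):
    """Call QuickSight from the backend only; the browser receives just the URL."""
    import boto3  # imported lazily so the request builder runs without AWS access
    client = boto3.client("quicksight", region_name="us-east-1")
    params = embed_request(verified_claims, allowed_domain)
    return client.generate_embed_url_for_anonymous_user(**params)["EmbedUrl"]
```

The dataset behind the dashboard needs tag-based RLS rules defined for the same tag keys; without them the session tags filter nothing.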