CreateAccountSubscription API not creating account

japeter89 · November 15, 2023, 7:46pm

I have this Node code to create a QuickSight account. It contains all of the required fields for the api. The response.status is 200. But the response.data says “your web browser must have javascript enabled in order for this application to display correctly”.I do indeed have it enabled. I navigate to the aws console and then to QuickSight and it is wanting me to create the account so it clearly didn’t work. Anybody have any clue as to why it didn’t work? Thank you. (I did not disclose any personal information such as the accountId, email, or account name. But I assure you they are correct.) My guess is the endpoint is incorrect, or its because I am using node server side? if so, could someone provide help? Thanks

const response = await axios.post(
          `https://quicksight.aws.amazon.com/account/123456789`,
          {
            AccountName: "myprojectthatIwontdisclose-quicksight-account",
            AuthenticationMethod: "IAM_AND_QUICKSIGHT",
            Edition: "ENTERPRISE",
            EmailAddress: "myemailherethatIdontwanttodisclose@gmail.com",
          }
        );

duncan · November 17, 2023, 9:43pm

Hello @japeter89 !

Can you share an anonymized view of the command that you ran that created this status error?

japeter89 · November 20, 2023, 9:21pm

everything I have for creating quicksight account:

const quicksightLambdaRole = new Role(this, "quicksightLambdaRole", {
      assumedBy: new ServicePrincipal("lambda.amazonaws.com"),
    });

    quicksightLambdaRole.addToPolicy(
      new PolicyStatement({
        resources: ["*"],
        effect: Effect.ALLOW,
        actions: [
          "quicksight:*",
          "logs:*",
          "iam:*",
          "s3:*",
          "athena:*",
          "sso:*",
          "lambda:*",
        ],
      })
    );
    quicksightLambdaRole.addToPolicy(
      new PolicyStatement({
        resources: [`arn:aws:quicksight:us-east-1:${config.AWSAccountID}:*`],
        effect: Effect.ALLOW,
        actions: ["quicksight:CreateAccountSubscription"],
      })
    );
    // create lambda that will create the quicksight account. It must have role attached
    const qsApiName = "createQuickSightAccount";
    const quicksightAccountLambda = new NodejsFunction(this, qsApiName, {
      logRetention: 7,
      entry: join(
        __dirname,
        "../lambdas/src/endpoints",
        "createQuickSightAccount.ts"
      ),
      ...nodeJsFunctionProps,
      environment: {
        SF_HOST: config.sfHost,
      },
      runtime: Runtime.NODEJS_20_X,
      role: quicksightLambdaRole,
      timeout: Duration.minutes(5),
    });
    // add 'createQuickSightAccount' api to api gateway
    const quicksightIntegration = new LambdaIntegration(
      quicksightAccountLambda
    );
    const quicksightEntry = apiRoute.addResource(qsApiName);
    quicksightEntry.addMethod("POST", quicksightIntegration);
    addCorsOptions(quicksightEntry);

and my lambda function:

import { APIGatewayProxyHandler, APIGatewayProxyResult } from "aws-lambda";
import {
  QuickSightClient,
  CreateAccountSubscriptionCommand,
  CreateAccountSubscriptionResponse,
  CreateAccountSubscriptionRequest,
} from "@aws-sdk/client-quicksight"; // Update with actual types

export const handler: APIGatewayProxyHandler = async (
  event
): Promise<APIGatewayProxyResult> => {
  try {
    console.log(event);
    const client = new QuickSightClient({ region: "us-east-1" });
    const command = new CreateAccountSubscriptionCommand({
      Edition: "ENTERPRISE",
      AuthenticationMethod: "IAM_AND_QUICKSIGHT",
      AwsAccountId: "my account id",
      AccountName: "my account name",
      NotificationEmail: "my email",
      EmailAddress: "my email",
    });

    // Use try-catch to handle errors
    const response: CreateAccountSubscriptionResponse = await client.send(
      command
    );
    console.log(response);
    // Return a successful response
    return {
      statusCode: 200,
      body: JSON.stringify(response), // or any other response format you prefer
    };
  } catch (error) {
    // Return an error response
    console.log(error);
    return {
      statusCode: 500,
      body: JSON.stringify({ error: error.message }),
    };
  }
};

I am currently getting this specific error: The provided account name is not available. I entered a unique one So i dont think that is the actual issue

duncan · November 21, 2023, 10:25pm

Hey @japeter89 !

Can you use the command in the following documentation:

https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/QuickSight.html#createAccountSubscription-property

japeter89 · November 27, 2023, 4:00pm

I figured it out. I needed this roles with these actions:

const quicksightLambdaRole = new Role(this, "quicksightLambdaRole", {
      managedPolicies: [
        ManagedPolicy.fromManagedPolicyArn(
          this,
          "quicksight-AWSLambdaBasicExecutionRole",
          "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
        ),
      ],
      assumedBy: new ServicePrincipal("lambda.amazonaws.com"),
    });
    quicksightLambdaRole.addToPolicy(
      new PolicyStatement({
        resources: ["*"],
        effect: Effect.ALLOW,
        actions: [
          "quicksight:*",
          "iam:AttachRolePolicy",
          "iam:DetachRolePolicy",
          "iam:ListAttachedRolePolicies",
          "iam:GetPolicy",
          "iam:CreatePolicyVersion",
          "iam:DeletePolicyVersion",
          "iam:GetPolicyVersion",
          "iam:ListPolicyVersions",
          "iam:DeleteRole",
          "iam:CreateRole",
          "iam:GetRole",
          "iam:ListRoles",
          "iam:CreatePolicy",
          "iam:ListEntitiesForPolicy",
          "iam:listPolicies",
          "s3:ListAllMyBuckets",
          "athena:ListDataCatalogs",
          "athena:GetDataCatalog",
          "sso:GetManagedApplicationInstance",
          "sso:CreateManagedApplicationInstance",
          "sso:GetManagedApplicationInstance",
          "sso:DeleteManagedApplicationInstance",
          "sso:GetManagedApplicationInstance",
          "sso:SearchGroups",
          "sso:GetProfile",
          "sso:AssociateProfile",
          "sso:DisassociateProfile",
          "sso:ListProfiles",
          "sso:ListDirectoryAssociations",
          "sso:DescribeRegisteredRegions",
          "ds:AuthorizeApplication",
          "ds:UnauthorizeApplication",
          "ds:CheckAlias",
          "ds:CreateAlias",
          "ds:DescribeDirectories",
          "ds:DescribeTrusts",
          "ds:DeleteDirectory",
          "ds:CreateIdentityPoolDirectory",
          "iam:ListAccountAliases",
        ],
      })
    );