I’m working on embedding Amazon QuickSight Q into our web application using the registered users embedding option.
I understand that with registered embedding, the user must be authenticated and the access is limited to specific users. My question is:
Do I need to generate a new embed URL each time a registered user accesses the application, or can I generate a single embed URL and reuse it across all authenticated users within the app?
Does generating an anonymous user URL produce a single static URL?
I’m trying to figure out the best approach for performance and scalability, so any clarification or best practices would be really helpful.
Also, if it is a static URL, how will I be able to share a single user’s created Q topic with other registered users or especially users with readerPro role
@Francis_Joel ,
Embed URL (for both registered and anonymous users) is valid only for 5 mins after creation. You can use it only once for embedding into your website. Once embedded, it can be used for duration mentioned in Session Life time parameter.
Please check the links:
For Q Topic sharing:
Q topic can be shared from QuickSight console.
However, can you please elaborate on this Q topic requirement?
I want to embed the Generative Q&A experience into my application. The embedded component is accessed by multiple users through the application.
Specifically, I want to give them the ability to generate visuals by typing natural language queries.
I need clarification on how the URL accessed by users works:
Is it user-specific, meaning do I need to generate a new URL each time a user wants to access it?
Or can I use a static URL embedded in the application, allowing any user who accesses it to use it?
Additionally, if a topic is created by a single user and shared as a Q&A experience via an embedded URL, will newly provisioned users from application (or users accessing it through the application) be able to interact with it?
I have about 2,000 customers. I’ve created a topic that contains their data. When a user accesses the Generative Q&A experience and submits a query, they should only see visuals constrained to their customer ID.
Which approach would be most feasible for this scenario?
In addition to what Madhavi has mentioned - For embedding the Amazon Q in QuickSight Generative Q&A experience in your application, you need to generate a unique URL for each user session. The URL is user-specific and must be generated each time a user wants to access the experience. Link
These URLs are valid for only 5 minutes, and the resulting session is valid for up to 10 hours.
There are two approaches for embedding the Generative Q&A experience based on your user authentication needs:
For registered users (users who have QuickSight accounts):
Use the GenerateEmbedUrlForRegisteredUser API operation
When a user accesses your app, your application assumes an IAM role on their behalf
The app adds the user to QuickSight if they don’t already exist and passes an identifier as the unique role session ID
This ensures each viewer is uniquely provisioned in QuickSight and enforces per-user settings like row-level security
For anonymous (unregistered) users:
Use the GenerateEmbedUrlForAnonymousUser API operation
Tag-based row-level security can be used for anonymous user embedding
For your scenario with 2,000 customers needing data constrained to their customer ID, row-level security would be the appropriate approach.
This ensures that when users access the Generative Q&A experience and submit queries, they only see visuals constrained to their specific customer ID.
To implement this, you would need to:
Create an IAM role with appropriate permissions
Generate unique embedding URLs for each user session
Ensure proper user provisioning in QuickSight
Configure row-level security based on customer IDs
The Row Level security applied in the dataset will respected in the Q&A experience as well.