Embedding analysis with IdC enabled Direct Query datasets

I’m testing embedding analysis with Identity Center enabled Direct Query datasets.

I used the generateEmbedUrlForRegisteredUser operation. When opening the analysis from the embedded page, visuals that source data from IdC-enabled datasets fail to load data with this error message.

Trusted identity propagation datasources require an identity center token to run. Your query failed because no token was available.

Is it a known issue, or is there any solution to work around this?

I also tried the generateEmbedUrlForRegisteredUserWithIdentity API, but the response shows this error.

software.amazon.awssdk.services.quicksight.model.AccessDeniedException: User is not authorized for this service call

Hi. Thank you for your question! Many of our community Experts and folks from our team are on holiday right now. I asked “My Assistant” (universal chat) in Quick, and got this back. @Brett Could you review and validate the answer below on Monday after you return from holiday?

From “My Assistant”:

“Understanding the Problem

This issue occurs because Identity Center-enabled Direct Query datasets require trusted identity propagation (TIP) to pass user identity context through the query chain. The standard generateEmbedUrlForRegisteredUser API doesn’t support this identity propagation for IdC-enabled datasets.

Current Status and Limitations

Unfortunately, based on the available documentation, embedding analyses with Identity Center-enabled Direct Query datasets is not fully supported in the current Quick embedding implementation. The generateEmbedUrlForRegisteredUserWithIdentity API you mentioned appears to be either:

  1. Not yet generally available for your account

  2. Requires specific IAM permissions that haven’t been configured

  3. May have additional prerequisites for Identity Center integration

Potential Workarounds

  1. Use SPICE instead of Direct Query: Import your data into SPICE, which doesn’t require trusted identity propagation for embedded scenarios

  2. Use standard embedding with IAM/Quick Sight identities: If possible, configure your datasets to use IAM-based authentication instead of Identity Center for embedded use cases

  3. Verify IAM permissions: Ensure your IAM role has the necessary permissions for quicksight:GenerateEmbedUrlForRegisteredUser and any Identity Center-related permissions

  4. Check Identity Center configuration: Verify that your Quick account is properly integrated with IAM Identity Center and that users are provisioned correctly

Recommended Next Steps

Since this appears to be a limitation with embedding IdC-enabled Direct Query datasets, I recommend:

  • Contact AWS Support to confirm whether embedding with Identity Center Direct Query datasets is supported in your region/account

  • Consider filing a feature request if this capability is critical for your use case

  • Explore using SPICE datasets as an interim solution”
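One way to carry out the "Verify IAM permissions" step offline, before contacting support, is to evaluate the caller's identity policy against both embedding operations named in this thread. This is an added example, not code from the thread or from AWS; the sample policy is constructed, the IAM action name for the second operation is assumed to mirror the operation name, and Resource and Condition elements are not evaluated.

```python
import re
# Operations named in the thread, written as IAM actions. The second action
# name is an assumption: it mirrors the API operation name.
EMBED_ACTIONS = [
    "quicksight:GenerateEmbedUrlForRegisteredUser",
    "quicksight:GenerateEmbedUrlForRegisteredUserWithIdentity",
]

# Constructed sample policy (not from the thread): grants only the first call.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": "quicksight:GenerateEmbedUrlForRegisteredUser"},
        {"Effect": "Allow", "Resource": "*", "Action": ["quicksight:Describe*"]},
    ],
}

def _as_list(value):
    return value if isinstance(value, list) else [] if value is None else [value]

def _matches(patterns, action):
    # IAM action matching is case-insensitive; '*' and '?' are wildcards.
    for pattern in patterns:
        rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
        if re.fullmatch(rx, action, re.IGNORECASE):
            return True
    return False

def evaluate(policy, action):
    # Returns 'explicit-deny', 'allow' or 'implicit-deny' for one action.
    decision = "implicit-deny"
    for stmt in _as_list(policy.get("Statement")):
        if "NotAction" in stmt:
            applies = not _matches(_as_list(stmt["NotAction"]), action)
        else:
            applies = _matches(_as_list(stmt.get("Action")), action)
        if applies and stmt.get("Effect") == "Deny":
            return "explicit-deny"  # an explicit Deny always wins
        if applies and stmt.get("Effect") == "Allow":
            decision = "allow"
    return decision

def audit(policy):
    return {action: evaluate(policy, action) for action in EMBED_ACTIONS}

if __name__ == "__main__":
    for action, result in audit(SAMPLE_POLICY).items():
        print(f"{result:14} {action}")
```

An "implicit-deny" result for an operation means the policy never grants it, which is one possible cause of an AccessDeniedException; an "allow" here does not rule out denials from Resource scoping, conditions or other policy types.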

Hi @hoyeon Did this solution work for you? I am marking this reply as, “Solution,” but let us know if this is not resolved. Thanks for posting your questions on the Quick Community Q&A Forum!