Embedding dashboard in website fails with "We can't display this page (Not authorized)."

I’m following the QS embedding guide to embed a dashboard in my web app. When I view the page I get this error: "We can't display this page (Not authorized)."

My web app is assuming a role with these permissions:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "quicksight:GenerateEmbedUrlForAnonymousUser",
            "Resource": [
                "arn:aws:quicksight:us-east-1:<aws-account-id>:dashboard/<dashboard-id>",
                "arn:aws:quicksight:us-east-1:<aws-account-id>:namespace/default"
            ]
        }
    ]
}

My application’s call to GenerateEmbedUrlForAnonymousUser is returning a URL so that doesn’t seem to be the issue (I’d expect it to fail with AccessDenied if the IAM role didn’t have permission).

I’ve enabled “Share with everyone in this account” in the dashboard sharing settings.

I’ve added my site’s domain to the embedded domains allow-list.

Anything else I’m missing here?

Hi,

GenerateEmbedUrlForAnonymousUser performs authorization on the Namespace and AuthorizedResourceArns request parameters. If your caller identity does not have permission to perform the IAM action quicksight:GenerateEmbedUrlForAnonymousUser on these resources, you will get a 403 response code.

Also, if you specify appropriate ARNs in AuthorizedResourceArns parameters, you don’t really need to share the dashboard with everyone (“Share with everyone in this account” option).

"We can’t display this page (Not authorized)." will be shown if you use a different dashboard ID in the URL than the authorized one, or if you don’t have a valid session anymore (i.e. sessionLifeTimeInMinutes have elapsed since you redeemed the URL).

> GenerateEmbedUrlForAnonymousUser performs Authorization on Namespace and AuthorizedResourceArns request parameters. If your caller identity does not have permission to perform IAM action quicksight:GenerateEmbedUrlForAnonymousUser on these resources, you will get 403 response code.

So since my GenerateEmbedUrlForAnonymousUser request is returning an EmbedUrl instead of a 403, can I assume that my caller identity’s permissions are correctly configured?

> Also, if you specify appropriate ARNs in AuthorizedResourceArns parameters, you don’t really need to share the dashboard with everyone (“Share with everyone in this account” option).

Noted, this was just a guess since nothing else has worked.

> We can’t display this page (Not authorized). will be shown if you use different dashboard ID in URL, than the authorized one, or if you don’t have a valid session anymore (i.e. sessionLifeTimeInMinutes have elapsed since you redeemed the URL).

My SessionLifetimeInMinutes is set to 600 when I call GenerateEmbedUrlForAnonymousUser, so I don’t think it’s that. To test the dashboardId issue I changed my caller’s permissions to:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "quicksight:*",
            "Resource": [
                "arn:aws:quicksight:us-east-1:<aws-account-id>:dashboard/*",
                "arn:aws:quicksight:us-east-1:<aws-account-id>:namespace/default"
            ]
        }
    ]
}

But this still returns "We can't display this page (Not authorized)."

> To test the dashboardId issue I changed my caller’s permissions to …

If the endpoint you are accessing is indeed us-east-1, then you don’t really need any change in the policy. The quicksight:GenerateEmbedUrlForAnonymousUser action in the policy was enough.

It’s not feasible to troubleshoot in the forum. Could you please open a case with AWS Support? Please share the Embedding API RequestID, region, and corresponding dashboard ID you are trying to access in the browser. If you are able to attach a .har file, that would help too.

Update: The URL was getting encoded on the client side, due to which the server might have received a dashboard ID (encoded string) that does not exist or that the user doesn’t have access to. Hence the error message “We can’t display this page (Not Authorized)”.
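
The cause found in the update above can be caught before the URL is loaded. The following is an added example, not code from this thread or from AWS: a hypothetical helper, checkEmbedUrl, compares the EmbedUrl returned by GenerateEmbedUrlForAnonymousUser with the string the page is about to load. The sample URL and dashboard ID are constructed, and the HTML-escaping check goes beyond the case reported in the thread.

```javascript
// Constructed sample values; the URL shape is an assumption for illustration.
const AUTHORIZED_DASHBOARD_ID = "11111111-2222-3333-4444-555555555555";
const SAMPLE_EMBED_URL =
  "https://us-east-1.quicksight.aws.amazon.com/embed/abc123/dashboards/" +
  AUTHORIZED_DASHBOARD_ID + "?code=AYABeExample%2Fcode&isauthcode=true";

// Hypothetical helper: raw path segment after "dashboards", or null if the
// string no longer parses as an absolute URL.
function dashboardIdOf(url) {
  try {
    const parts = new URL(url).pathname.split("/");
    const i = parts.indexOf("dashboards");
    return i >= 0 && parts[i + 1] ? parts[i + 1] : null;
  } catch {
    return null;
  }
}

// Hypothetical helper: reports how the URL was altered between the API
// response (fromApi) and the value handed to the iframe (aboutToLoad).
function checkEmbedUrl(fromApi, aboutToLoad, authorizedDashboardId) {
  const findings = [];
  if (aboutToLoad === encodeURIComponent(fromApi)) {
    findings.push("whole URL was passed through encodeURIComponent");
  } else if (aboutToLoad !== fromApi && aboutToLoad === encodeURI(fromApi)) {
    findings.push("URL was passed through encodeURI ('%' became '%25')");
  }
  if (aboutToLoad.includes("&amp;")) {
    findings.push("'&' in the query string was HTML-escaped");
  }
  const id = dashboardIdOf(aboutToLoad);
  if (id !== authorizedDashboardId) {
    findings.push(`dashboard ID in URL is ${JSON.stringify(id)}, not the authorized one`);
  }
  if (findings.length === 0 && aboutToLoad !== fromApi) {
    findings.push("URL differs from the API response");
  }
  return { ok: findings.length === 0, dashboardId: id, findings };
}

// Each altered form of the constructed sample is reported; the untouched URL passes.
for (const candidate of [
  SAMPLE_EMBED_URL,
  encodeURIComponent(SAMPLE_EMBED_URL),
  encodeURI(SAMPLE_EMBED_URL),
  SAMPLE_EMBED_URL.replace(/&/g, "&amp;"),
]) {
  console.log(checkEmbedUrl(SAMPLE_EMBED_URL, candidate, AUTHORIZED_DASHBOARD_ID));
}
```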