How to create IAM SSO user from API

Hi

I’m new to QuickSight and have been trying to register a new user via the API.

Using the console our users can register themselves as admins using our IAM SSO logins fine. However when I try to replicate this using the API to create a reader I get an error:

aws quicksight register-user --aws-account-id 999999999999 --namespace default --identity-type IAM --email user.name@test.email --user-role READER --iam-arn arn:aws:sts::999999999999:assumed-role/AWSReservedSSO_ROLENAME_xxxxxxxxxxxxxxxx/User.Name

An error occurred (InvalidParameterValueException) when calling the RegisterUser operation: Invalid resource identifiers provided. Please check the documentation.

I’m assuming it’s an issue with the --iam-arn and I’ve not quite used the right format.

For the admin users that have been created, listing users gives their ARNs with this format: arn:aws:quicksight:eu-west-2:999999999999:user/default/AWSReservedSSO_ROLENAME_xxxxxxxxxxxxxxxx/User.Name

So I tried that, and also arn:aws:sts::999999999999:user/default/AWSReservedSSO_ROLENAME_xxxxxxxxxxxxxxxx/User.Name but still get the same message.

Any advice would be much appreciated, thanks.

Hello @mikepargeter , welcome to the QuickSight community!

I have a hunch that you may need to add the session-name:
https://awscli.amazonaws.com/v2/documentation/api/latest/reference/quicksight/register-user.html#:~:text=with%20Amazon%20QuickSight.-,--session-name,-(string)

Can you try applying this and let me know if you still run into that error?

Many thanks Duncan. I tried that just now, using all three variants with “--session-name xxxx” but the error message was the same as before for all of them.

Hello @mikepargeter !

I’m sorry about the late reply!

After digging a bit more, I believe you may be able to follow the steps laid out here:

Many thanks @duncan that was very helpful! After a little more experimentation the thing I needed to do was use the ARN of the role, not the user, and the user name as the session name. So for my original example, where I’ve already created the user “User.Name” and given it access to role “ROLENAME”, this command creates the QuickSight user:

aws quicksight register-user --aws-account-id 999999999999 --namespace default --identity-type IAM --email user.name@test.email --user-role READER --iam-arn arn:aws:iam::999999999999:role/aws-reserved/sso.amazonaws.com/eu-west-2/AWSReservedSSO_ROLENAME_xxxxxxxxxxxxxxxx --session-name User.Name

When I then login to the console as that SSO user and navigate to QuickSight it doesn’t create another user, but gives me an empty dashboard for the SSO user, exactly as I’d hoped :slight_smile:

Thanks again for pointing me in the right direction!

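Added example (not code from anyone in this thread): a small Python helper that turns the STS assumed-role ARN from the original attempt into the parameters the working command uses, i.e. the IAM Identity Center role ARN plus the session name, and also predicts the QuickSight user ARN that list-users will report once registration succeeds. Pre-registering users this way pins the QuickSight role you intend (READER here) instead of relying on first-login self-registration. Assumptions: the region segment in the role path (`aws-reserved/sso.amazonaws.com/eu-west-2/...`) is taken from the example above and may differ for your Identity Center deployment; the sample ARN and email are the thread's redacted placeholders; the dictionary keys match the boto3 `register_user` parameter names, but nothing here calls AWS.

```python
import re

# Constructed sample input: the redacted STS ARN from the original (failing) attempt.
SAMPLE_ASSUMED_ROLE_ARN = (
    "arn:aws:sts::999999999999:assumed-role/"
    "AWSReservedSSO_ROLENAME_xxxxxxxxxxxxxxxx/User.Name"
)

# arn:aws:sts::ACCOUNT:assumed-role/ROLE_NAME/SESSION_NAME
_STS_ASSUMED_ROLE = re.compile(
    r"^arn:aws:sts::(?P<account>\d{12}):assumed-role/(?P<role>[^/]+)/(?P<session>[^/]+)$"
)

# QuickSight roles this helper is willing to assign; least privilege by default.
_ALLOWED_USER_ROLES = {"READER", "AUTHOR", "ADMIN", "RESTRICTED_READER", "RESTRICTED_AUTHOR"}


def register_user_params(assumed_role_arn, region, email,
                         namespace="default", user_role="READER"):
    """Build the RegisterUser parameters for an IAM Identity Center user.

    The key point from the thread: IamArn must be the *role* ARN (not the
    assumed-role STS ARN and not the QuickSight user ARN), and the user's
    name goes in SessionName.
    """
    m = _STS_ASSUMED_ROLE.match(assumed_role_arn)
    if m is None:
        raise ValueError(f"not an STS assumed-role ARN: {assumed_role_arn}")
    if user_role not in _ALLOWED_USER_ROLES:
        raise ValueError(f"unsupported QuickSight user role: {user_role}")

    account, role, session = m.group("account", "role", "session")
    if not role.startswith("AWSReservedSSO_"):
        raise ValueError(f"{role} is not an Identity Center permission-set role")

    # Assumed path layout, copied from the thread's working example; the region
    # segment may be absent or different in other deployments.
    role_arn = f"arn:aws:iam::{account}:role/aws-reserved/sso.amazonaws.com/{region}/{role}"

    return {
        "AwsAccountId": account,
        "Namespace": namespace,
        "IdentityType": "IAM",
        "Email": email,
        "UserRole": user_role,
        "IamArn": role_arn,
        "SessionName": session,
    }


def expected_quicksight_user_arn(params, region):
    """Predict the user ARN that list-users returns after registration.

    Format taken from the thread: arn:aws:quicksight:REGION:ACCOUNT:user/NAMESPACE/ROLE_NAME/SESSION.
    Comparing this against list-users output is a cheap way to confirm the
    registration matched the SSO identity and did not create a second user.
    """
    role_name = params["IamArn"].rsplit("/", 1)[1]
    return (f"arn:aws:quicksight:{region}:{params['AwsAccountId']}:user/"
            f"{params['Namespace']}/{role_name}/{params['SessionName']}")


def to_cli_command(params):
    """Render the equivalent `aws quicksight register-user` invocation."""
    return (
        "aws quicksight register-user"
        f" --aws-account-id {params['AwsAccountId']}"
        f" --namespace {params['Namespace']}"
        f" --identity-type {params['IdentityType']}"
        f" --email {params['Email']}"
        f" --user-role {params['UserRole']}"
        f" --iam-arn {params['IamArn']}"
        f" --session-name {params['SessionName']}"
    )


if __name__ == "__main__":
    p = register_user_params(SAMPLE_ASSUMED_ROLE_ARN, "eu-west-2", "user.name@test.email")
    print(to_cli_command(p))
    print("expect list-users to show:", expected_quicksight_user_arn(p, "eu-west-2"))
```

Run it as-is and the printed command matches the working one above; swap in your own STS ARN (for example from `aws sts get-caller-identity`) and region to produce the command for another Identity Center user.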

Hey @mikepargeter,

Well done on figuring that one out, and thank you for sharing this in the community! I’m sure that will help someone else out in the future.