Issue Embedding Q Topics for Dynamically Created QuickSight Users

We’ve recently started using QuickSight and embedding it into our system.

We successfully embedded dashboards, but we’re now trying to embed Q Topics and have hit a problem.

Specifically:
✅ When I generate an embedded URL using my own user (UserName), everything works fine.
❌ But when we register a user on the fly (programmatically), we assign these permissions:

['quicksight:DescribeTopic', 'quicksight:DescribeTopicRefresh', 'quicksight:ListTopicRefreshSchedules', 'quicksight:DescribeTopicRefreshSchedule', 'quicksight:DeleteTopic', 'quicksight:UpdateTopic', 'quicksight:CreateTopicRefreshSchedule', 'quicksight:DeleteTopicRefreshSchedule', 'quicksight:UpdateTopicRefreshSchedule', 'quicksight:DescribeTopicPermissions', 'quicksight:UpdateTopicPermissions']

for the specific topicId we want them to access.

However, when we generate an embedded URL for this on-the-fly user, we only see a blank page.
I can confirm that the user does have access to the topic via the dashboard, but for some reason, the embedded Q Topic view doesn’t work.

Could anyone advise what additional setup or configuration we need to make this work?

Thanks!

Hello @kolodnydan, is this issue only occurring during the first load? Like if the user returns to the embedded platform after reauthenticating, are they able to see the Topic or is it still not showing?

Also, how are you displaying the topic in the embedded environment? Can you share screenshots of the embedded view when the topic is working?

My initial thought is that there is a lag between the user being registered, adding the permissions, and the topic being called. When the API call is run to retrieve the embedded URL, you may want to run an asynchronous function to await the updated user permissions.
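Added example, not part of the original thread: one way to wait for the permission grant to become visible before requesting the embed URL, as suggested above. `fetchPermissions` is a hypothetical callback that returns the `Permissions` array of a `DescribeTopicPermissions` response; the ARN, the fake permission source and the choice of the four Describe/List actions as the required set are assumptions made for the demonstration.

```javascript
// Added example: wait until the new user's topic grant is visible.
// fetchPermissions is a hypothetical async callback returning the Permissions
// array ([{ Principal, Actions }]) of a DescribeTopicPermissions response.
const sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms));

async function waitForTopicGrant(fetchPermissions, userArn, requiredActions,
                                 { attempts = 5, delayMs = 500 } = {}) {
  let missing = [...requiredActions];
  for (let attempt = 1; attempt <= attempts; attempt++) {
    const permissions = (await fetchPermissions()) || [];
    // A principal can appear in several entries, so merge its actions.
    const granted = new Set(permissions
      .filter((p) => p.Principal === userArn)
      .flatMap((p) => p.Actions || []));
    missing = requiredActions.filter((a) => !granted.has(a));
    if (missing.length === 0) {
      // Actions granted beyond the required set, for least-privilege review.
      const extra = [...granted].filter((a) => !requiredActions.includes(a)).sort();
      return { ready: true, attempt, missing, extra };
    }
    if (attempt < attempts) await sleep(delayMs * 2 ** (attempt - 1)); // backoff
  }
  return { ready: false, attempt: attempts, missing, extra: [] };
}

// Constructed sample data (not from the thread): placeholder account ID and a
// fake permission source that shows the grant only from the Nth call onward.
const SAMPLE_USER_ARN =
  'arn:aws:quicksight:us-east-1:111122223333:user/default/example-user-name';
// Assumption: the Describe/List actions are what an embedded viewer needs.
const READ_ACTIONS = [
  'quicksight:DescribeTopic', 'quicksight:DescribeTopicRefresh',
  'quicksight:ListTopicRefreshSchedules', 'quicksight:DescribeTopicRefreshSchedule',
];
function makeDelayedSource(visibleFromCall, actions) {
  let calls = 0;
  return async () => (++calls >= visibleFromCall
    ? [{ Principal: SAMPLE_USER_ARN, Actions: actions }] : []);
}

async function demo() {
  const source = makeDelayedSource(3, [...READ_ACTIONS,
    'quicksight:DeleteTopic', 'quicksight:UpdateTopicPermissions']);
  return waitForTopicGrant(source, SAMPLE_USER_ARN, READ_ACTIONS, { delayMs: 1 });
}

demo().then((result) => console.log(result));
```

The `extra` field lists every action the principal holds beyond the required set, which makes write-level grants such as `quicksight:DeleteTopic` on an embedded viewer easy to spot during review.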

Hello @kolodnydan, I wanted to check in since we have not heard back from you. If you could please follow up on the questions in my last response, I can help guide you further. If we do not receive a reply in 3 days, I will close out this topic. Thank you!

Hi Dylan,

After further investigation, I have a couple of questions regarding the QuickSight user creation and access:

Regarding Programmatic User Creation:
I notice that when creating a user programmatically (using the code shared above), the user needs to receive an email, approve it, and set up a password. Is this mandatory, or is there a way to automate this process?

Regarding User Access to Topics:
I've identified some access discrepancies that might be related to the underlying IAM structure:

- My AWS IAM user can access the topic in the embedded website (possibly because it's leveraging my actual IAM user credentials).
- A QuickSight-only user, which only has an ARN but no associated IAM user, cannot access the topic in the embedded website, even after:
    - Completing email verification
    - Setting up password
    - Being manually added to the topic
- Interestingly, this same QuickSight-only user can access the topic through the QuickSight console when activated manually.

This suggests the issue might be related to authentication/authorization differences between IAM users vs QuickSight-only users when accessing embedded content.

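    import {
      QuickSightClient,
      GenerateEmbedUrlForRegisteredUserCommand,
    } from '@aws-sdk/client-quicksight'

    // The AWS_* constants, SESSION_LIFETIME_IN_MINUTES, QUICKSIGHT_ALLOWED_DOMAIN,
    // logger and ensureUser come from the poster's project and are not shown here.
    const quickSightClient = new QuickSightClient({
      region: AWS_DEFAULT_REGION,
    })

    // Poster's own helper (not shown in the thread)
    await ensureUser({
      orgId: 'test',
      quickSightClient,
    })

    // ARN of the QuickSight user the embed URL is generated for
    const userArn = `arn:aws:quicksight:${AWS_DEFAULT_REGION}:${AWS_ACCOUNT_ID}:user/${AWS_NAMESPACE}/example-user-name`

    // Request a Q search bar experience that opens on the given topic
    const embedCmd = new GenerateEmbedUrlForRegisteredUserCommand({
      AwsAccountId: AWS_ACCOUNT_ID,
      SessionLifetimeInMinutes: SESSION_LIFETIME_IN_MINUTES,
      UserArn: userArn,
      AllowedDomains: [QUICKSIGHT_ALLOWED_DOMAIN],
      ExperienceConfiguration: {
        QSearchBar: {
          InitialTopicId: 'XXXXXXXXXXXXXXXXXXXXXX',
        },
      },
    })

    logger.info('Generation embed URL')

    const embedResponse = await quickSightClient.send(embedCmd)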

Hello @kolodnydan

To my knowledge, even if you programmatically create a QuickSight user they need to create a password.

Based on what you’ve described above, users need to be IAM users to access the Q topics in the embedded application. My assumption is also based on the documentation that discusses registering these users via IAM:

@kolodnydan
In an embedded scenario, you are registering the user programmatically. No invitation email is sent to the user and this is not required. Why? Because the user will only access the QuickSight dashboard or Q topic through your embedded application. So for that, the user would first log in to your application with their username and password or SSO, however it is set up. Then your application handles the embed URL generation, where you will pass the QuickSight user ARN as part of the GenerateEmbedUrlForRegisteredUserCommand API call. Your application is embedding the URL in the iframe, which loads the QuickSight experience for the user.

Review the sample code in our workshop (Workshop Studio).

Kind regards,
Koushik
