QuickSight + Athena Federated Query authorisation issue

Hi all, I’m trying to integrate QuickSight with Athena Federated Query, but I’m facing the challenge of identifying the user context inside the connector Lambda.

The QuickSight user assumes a service role to interact with AWS resources, in this case Athena and then Lambda. What I need is the QuickSight user context inside the connector Lambda in order to identify the caller to pass on to the underlying service, which seems to be missing in the assumed role. Is there any way to achieve that?

e.g. QuickSight User => Athena Federated Query => Lambda (QuickSight user context is lost here) => custom API (need QuickSight user context here)

Hi Weiwarren,

I assume you want to pass the user name to the underlying source for the purpose of filtering data and returning only data that is relevant to the user. QuickSight’s way of doing this is via row-level security.
The rules you apply will be passed down as part of the where clause if you are using direct query. See if this helps with your use case. If you really want the user name itself, one potential hack I can think of is given below.

  1. Create a dataset that has UserName (as registered in QuickSight) and PassThroughUserName (either same value or equivalent that you want to pass through).
  2. Define a PassThroughUserName dummy column in your AQF table structure.
  3. Create a dataset using the AQF table.
  4. Configure row-level security for the above dataset and apply the dataset created in step 1 as the rules dataset.
  5. Decide in your AQF logic how you want to use the username coming through in the where clause.

Arun Santhosh
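
The following is an added example, not code from either poster or from AWS: one way the connector-side logic of step 5 could resolve the caller from the `PassThroughUserName` predicate and fail closed when the predicate is missing or ambiguous. The dict-of-values constraint form, the function names, the `X-On-Behalf-Of` header and the sample user names are all assumptions made for illustration.

```python
class CallerResolutionError(Exception):
    """The pushed-down predicate does not identify exactly one known caller."""


# Column name taken from the post; matched case-insensitively below.
PASS_THROUGH_COLUMN = "PassThroughUserName"


def resolve_caller(constraints, known_users):
    """Return the single pass-through user name carried by the query predicate.

    constraints: dict mapping column name -> iterable of values permitted by
        the WHERE clause (assumed, simplified form of what the connector
        extracts from the incoming request).
    known_users: set of PassThroughUserName values from the rules dataset.
    """
    values = set()
    for column, allowed in constraints.items():
        if column.lower() == PASS_THROUGH_COLUMN.lower():
            # Ignore empty or non-string values rather than guessing.
            values |= {v for v in allowed if isinstance(v, str) and v.strip()}

    if not values:
        # No RLS predicate arrived: refuse instead of returning unfiltered data.
        raise CallerResolutionError("no pass-through user in predicate")
    if len(values) != 1:
        # Several users in one predicate cannot be mapped to one caller.
        raise CallerResolutionError("predicate names more than one user")

    (caller,) = values
    if caller not in known_users:
        raise CallerResolutionError("user is not in the rules dataset")
    return caller


def build_upstream_headers(constraints, known_users):
    """Build headers for the custom API call (header name is hypothetical)."""
    return {"X-On-Behalf-Of": resolve_caller(constraints, known_users)}


if __name__ == "__main__":
    # Constructed sample input, not captured from a real query.
    rules = {"alice-ext", "bob-ext"}
    print(build_upstream_headers({"passthroughusername": ["alice-ext"]}, rules))
```

The value resolved this way is a query filter rather than an authenticated identity: a principal that can query the federated table in Athena directly writes its own WHERE clause. Restricting who can invoke the connector and the catalog is what keeps the value meaningful.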