Hello, I am trying to achieve user self provisioning in QuickSight Enterprise.
QuickSight is set with federated users as the identity source. Auth0 is used as the IdP with the SAML add-on.
I was following this guide initially:
Tutorial: Amazon QuickSight and IAM identity federation - Amazon QuickSight, and set up a role with policies that allow the
user to perform quicksight:CreateReader based on the user id arn:aws:quicksight::111111111111:user/${aws:userid}. This worked fine and new users would be created (for example
Auth0FederatedRole/661567b2fe773bfc442e3). Email sync is also turned on, so the email is the same as in the IdP.
The next step was to isolate users based on some attribute. I mapped a custom organization field to aws:PrincipalTag/Organization.
I first wanted to try with hardcoded organization. Here is an example policy:
{
    "Sid": "VisualEditor0",
    "Effect": "Allow",
    "Action": [
        "quicksight:CreateReader"
    ],
    "Resource": [
        "arn:aws:quicksight:eu-central-1:111111111111:user/test1/${aws:userid}"
    ]
}
Users might exist in different namespaces as per quicksight namespaces.
So it would make sense to restrict users based on their aws:PrincipalTag/Organization.
However, this approach does not work and users cannot self-provision themselves in a namespace.
I found that quicksight:RegisterUser is required to provision a user in a namespace (Multiple SSO idp providers with custom namespaces).
The next policy I tried was the following:
{
    "Sid": "VisualEditor0",
    "Effect": "Allow",
    "Action": [
        "quicksight:RegisterUser"
    ],
    "Resource": [
        "arn:aws:quicksight:eu-central-1:111111111111:user/test1/${aws:userid}"
    ]
}
To no avail, unfortunately. The error I am getting:
User: arn:aws:sts::111111111111:assumed-role/Auth0FederatedRole/66143c3efe773bfc442d49b5 is not authorized to perform: quicksight:RegisterUser on resource: arn:aws:quicksight:eu-central-1:111111111111:user/test1/Auth0FederatedRole/66143c3efe773bfc442d49b5 because no identity-based policy allows the quicksight:RegisterUser action
The CLI command I am running (the session name is taken from the SAML response):
aws quicksight register-user --identity-type "IAM" \
    --email "redacted@mail.com" \
    --user-role "READER" \
    --iam-arn "arn:aws:iam::111111111111:role/Auth0FederatedRole" \
    --session-name "66143c3efe773bfc442d49b5" \
    --aws-account-id "111111111111" \
    --region "eu-central-1" \
    --namespace "test1"
This command returns success when issued by IAM admin user.
Does anyone know what is wrong with the mentioned way of provisioning users? Or would it be better to provision using admin rights?
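A small diagnostic, added here as an example and not part of the post above: it resolves the policy variables in a Resource ARN from a request context and matches the result against the resource ARN that the AccessDenied error reports, the way IAM does (variables first, then `*`/`?` wildcards). It assumes that `aws:userid` for an assumed-role session resolves to `<role-id>:<session-name>`; the role id and the tag value in the context are constructed.

```python
import fnmatch
import re
from typing import Dict

# Constructed request context for the federated session in the post.
# For an assumed-role session aws:userid is "<role-id>:<session-name>";
# AROAEXAMPLEROLEID is a placeholder, not a real role id.
SESSION_CONTEXT: Dict[str, str] = {
    "aws:userid": "AROAEXAMPLEROLEID:66143c3efe773bfc442d49b5",
    "aws:PrincipalTag/Organization": "test1",
}

# Resource ARN quoted in the AccessDenied error from the post.
DENIED_RESOURCE = (
    "arn:aws:quicksight:eu-central-1:111111111111:user/test1/"
    "Auth0FederatedRole/66143c3efe773bfc442d49b5"
)

# Resource pattern from the second policy in the post.
POLICY_RESOURCE = (
    "arn:aws:quicksight:eu-central-1:111111111111:user/test1/${aws:userid}"
)

_VAR = re.compile(r"\$\{([^}]+)\}")


def resolve_resource(pattern: str, context: Dict[str, str]) -> str:
    """Substitute every ${key} policy variable from the request context."""
    def sub(match):
        key = match.group(1)
        if key not in context:
            raise KeyError(f"policy variable {key} is absent from the request context")
        return context[key]
    return _VAR.sub(sub, pattern)


def arn_matches(pattern: str, resource: str, context: Dict[str, str]) -> bool:
    """IAM-style resource match: resolve variables, then apply * and ? wildcards."""
    resolved = resolve_resource(pattern, context)
    # fnmatchcase is case-sensitive and lets '*' span '/', as IAM does for ARNs.
    return fnmatch.fnmatchcase(resource, resolved)


if __name__ == "__main__":
    print("policy resolves to:", resolve_resource(POLICY_RESOURCE, SESSION_CONTEXT))
    print("error resource is:  ", DENIED_RESOURCE)
    print("match:", arn_matches(POLICY_RESOURCE, DENIED_RESOURCE, SESSION_CONTEXT))
```

Running it shows the resolved pattern and the denied ARN side by side; a pattern ending in `/*` on the session segment will match the error's ARN but also any other session name, so such a statement needs a Condition on the principal tag or role that bounds who can register.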