Quicksight user self-provisioning using quicksight:RegisterUser

Hello, I am trying to achieve user self provisioning in QuickSight Enterprise.
QuickSight is set with federated users as the identity source. Auth0 is used as the IdP with the SAML addon.

I was following this guide initially:
Tutorial: Amazon QuickSight and IAM identity federation - Amazon QuickSight, and set up a role with policies to allow
the user to quicksight:CreateReader based on the user id arn:aws:quicksight::111111111111:user/${aws:userid}. This worked fine and new users would be created (for example
Auth0FederatedRole/661567b2fe773bfc442e3). Email sync is also turned on, so the email is the same as in the IdP.

The next step was to isolate users based on some attribute. I mapped a custom organization field to aws:PrincipalTag/Organization.
I first wanted to try with a hardcoded organization. Here is an example policy:

{
    "Sid": "VisualEditor0",
    "Effect": "Allow",
    "Action": [
        "quicksight:CreateReader"
    ],
    "Resource": [
        "arn:aws:quicksight:eu-central-1:111111111111:user/test1/${aws:userid}"
    ]
}

Users might exist in different namespaces as per quicksight namespaces.
So it would make sense to restrict users based on their aws:PrincipalTag/Organization.
However this approach does not work and users cannot self-provision themselves in a namespace.
I found that quicksight:RegisterUser is required to provision a user in a namespace (Multiple SSO idp providers with custom namespaces).
The next policy I tried was the following:

{
    "Sid": "VisualEditor0",
    "Effect": "Allow",
    "Action": [
        "quicksight:RegisterUser"
    ],
    "Resource": [
        "arn:aws:quicksight:eu-central-1:111111111111:user/test1/${aws:userid}"
    ]
}

To no avail unfortunately. The error I am getting:
User: arn:aws:sts::111111111111:assumed-role/Auth0FederatedRole/66143c3efe773bfc442d49b5 is not authorized to perform: quicksight:RegisterUser on resource: arn:aws:quicksight:eu-central-1:111111111111:user/test1/Auth0FederatedRole/66143c3efe773bfc442d49b5 because no identity-based policy allows the quicksight:RegisterUser action

CLI command I am running:

# Session name is taken from the SAML response
aws quicksight register-user --identity-type "IAM" \
               --email "redacted@mail.com" \
               --user-role "READER" \
               --iam-arn "arn:aws:iam::111111111111:role/Auth0FederatedRole" \
               --session-name "66143c3efe773bfc442d49b5" \
               --aws-account-id "111111111111" \
               --region "eu-central-1" \
               --namespace "test1"

This command returns success when issued by IAM admin user.

Does anyone know what is wrong with the mentioned way of provisioning users? Or would it be better to provision using admin rights?
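What `${aws:userid}` expands to for an assumed role (`<role-id>:<session-name>`) is worth comparing against the resource ARN quoted in that AccessDenied message. The block below is an added example, not code from the thread or from AWS: a simplified, local IAM-style evaluator that expands the policy variables and matches the poster's Resource pattern (plus a hypothetical tag-scoped one) against the ARN from the error. The role id and the tag-scoped pattern are constructed assumptions, and nothing here confirms what QuickSight itself authorizes; the real check is the IAM policy simulator or the actual call.

```python
import re

# Constructed sample context (not from the thread). For an assumed role, the
# aws:userid variable expands to "<role-id>:<session-name>"; the role id is a placeholder.
CONTEXT = {
    "aws:userid": "AROAEXAMPLEROLEID:66143c3efe773bfc442d49b5",
    "aws:PrincipalTag/Organization": "test1",
}

# Resource ARN exactly as it appears in the AccessDenied message in the thread.
REQUESTED = ("arn:aws:quicksight:eu-central-1:111111111111:"
             "user/test1/Auth0FederatedRole/66143c3efe773bfc442d49b5")

# The poster's pattern, and a hypothetical one that takes the namespace from the tag.
POSTED_PATTERN = "arn:aws:quicksight:eu-central-1:111111111111:user/test1/${aws:userid}"
TAG_SCOPED_PATTERN = ("arn:aws:quicksight:eu-central-1:111111111111:"
                      "user/${aws:PrincipalTag/Organization}/Auth0FederatedRole/*")

def substitute_vars(template: str, context: dict) -> str:
    """Expand ${var} policy variables; variables missing from the context stay literal."""
    return re.sub(r"\$\{([^}]+)\}",
                  lambda m: context.get(m.group(1), m.group(0)), template)

def arn_matches(pattern: str, arn: str) -> bool:
    """IAM-style wildcard match: '*' is any run of characters, '?' one character."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, arn) is not None

def statement_allows(statement: dict, action: str, resource: str, context: dict) -> bool:
    """Simplified evaluator: Allow, matching Action, matching expanded Resource. No Condition/Deny."""
    if statement.get("Effect") != "Allow":
        return False
    actions = statement["Action"] if isinstance(statement["Action"], list) else [statement["Action"]]
    if not any(arn_matches(a, action) for a in actions):
        return False
    resources = statement["Resource"] if isinstance(statement["Resource"], list) else [statement["Resource"]]
    return any(arn_matches(substitute_vars(r, context), resource) for r in resources)

def check_patterns(context: dict = CONTEXT) -> dict:
    """Expand each candidate pattern and report whether it would match the requested ARN."""
    out = {}
    for name, pattern in (("posted", POSTED_PATTERN), ("tag-scoped", TAG_SCOPED_PATTERN)):
        stmt = {"Effect": "Allow", "Action": "quicksight:RegisterUser", "Resource": pattern}
        out[name] = (substitute_vars(pattern, context),
                     statement_allows(stmt, "quicksight:RegisterUser", REQUESTED, context))
    return out
```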

Hey @gleb.cher , welcome to the QuickSight community!

If I understand your use case correctly I believe that it would be easier to assign your target users admin permissions.

To clarify, do you want IAM users of a specific namespace to be able to self-provision or do you want any IAM user to be able to self-provision access in QuickSight?

Hello @duncan . Thanks for your response.

“If I understand your use case correctly I believe that it would be easier to assign your target users admin permissions.” - It would be easier, yes, but those are external users (coming from an external auth provider) and we want them to have as minimal permissions as possible.

My use case is having multiple namespaces and each IAM federated user will have access only to a specific namespace restricted by aws:PrincipalTag/Organization. The first flow (when user is granted CreateReader permission) is quite convenient as it does not involve additional actions from backend. User just logs in and Quicksight identity is automatically created.

Unfortunately I wasn’t able to make it work with RegisterUser. So my guess is that provisioning has to be done from backend unless there is something I am missing.


Hey @gleb.cher, I believe you’re correct and will need to do this in the backend.