Register-user as READER via AWS CLI for users who login to AWS via iDP (Okta)

Hi there,

I have recently transitioned our AWS accounts from using assumed IAM roles (with a source IAM user in a source account) to AWS sessions initiated by logging in with an external identity provider (IdP), Okta.

Previously, users who accessed QuickSight in the AWS Console would be prompted to enter their email for first time access, and would have their accounts created as ADMIN accounts by default. This was undesirable in most cases as most of the time they would only need to be a READER.

To solve this, I would delete their accounts and re-create them using the AWS CLI and assigning the READER role - then when they accessed the QS console, they would not need to re-enter their email as their identity already existed. (Of course I also managed migrating existing resources etc before deleting)

Now with Okta-initiated logins, there is no IAM role assigned to users. Users log in via Okta and AWS Identity Center (successor to IAM) in a main account, and are given federated access into sub-accounts.

When they access QuickSight they are given an auto-generated username such as:

AWSReservedSSO_some_permission_set_name_12f1840c2136a23b/username@example.com

Now when I try to use the CLI to register users (after deleting their auto-generated ADMIN accounts first), I get an invalid error:

An error occurred (InvalidParameterValueException) when calling the RegisterUser operation: Invalid resource identifiers provided. Please check the documentation.

The command I would previously use to register users who used assumed IAM roles is:

aws quicksight register-user --session-name "user@example.com" --iam-arn arn:aws:iam::123456789012:role/Developer --email "user@example.com" --identity-type IAM --user-role READER --aws-account-id 123456789012 --namespace default

However now I don’t have a --iam-arn value for Okta federated AWS users, and it seems like register-user requires this parameter.

Can someone assist here? I would prefer not to have to set up another direct IdP integration of Okta straight to QuickSight (and instead use the fact that QuickSight can be accessed from the AWS Console, which is where Okta users already have access).

hi @root

Welcome to the QuickSight Community. Thank you for posting your inquiry!

For federated users accessing QuickSight for the first time, the IAM policy associated with the user does the trick to create the user as READER/AUTHOR/ADMIN. Also, the email prompt can be disabled by syncing with the IdP email setting.
It seems you are using IAM Identity Center (IdC) to log into QuickSight. In order to make it work, you have to create a QuickSight application on the IdC portal, which requires configuring attributes (IAM Role, etc.). All the points I mentioned are described in the blog below (it is not Okta being used as the external identity store for IdC but Azure AD; however, the configuration between IdC and QuickSight is the same).

If you don't want to use self-provisioning, you can take the action off from the IAM policy and use the CLI command that you described. You should be able to use it once you register the QuickSight application on IdC.

Also, below is a new feature announcement made this week for IdC integration with QuickSight.

Hope this helps.

Kind regards,
Wakana

1 Like
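The CLI flow from the question, wrapped as an added example (not code from either post): it registers a federated identity with the READER role and then checks with describe-user that the stored role is the one requested, so a leftover self-provisioned ADMIN entry is caught. The role ARN is a placeholder assumption; the QuickSight user name is derived as RoleName/SessionName, the same shape as the AWSReservedSSO_.../username@example.com names shown above.

```shell
#!/bin/sh
# Added example, not from the original thread: register a federated QuickSight
# user with the least-privilege READER role and confirm the result.
# Assumption (placeholder, not from the page): ROLE_ARN is the IAM role that the
# Identity Center permission set provisions in the target account.

# Derive the QuickSight user name for an IAM identity: "<RoleName>/<SessionName>",
# matching the auto-generated names seen in the console
# (e.g. AWSReservedSSO_..._12f1840c2136a23b/username@example.com).
# Works for role ARNs with or without a path component.
quicksight_user_name() {
  role_arn="$1"; session_name="$2"
  printf '%s/%s\n' "${role_arn##*/}" "$session_name"
}

# Print the register-user arguments, one per line, so they can be reviewed
# before any call is made. READER is the default role.
register_args() {
  account_id="$1"; role_arn="$2"; email="$3"; user_role="${4:-READER}"
  printf '%s\n' quicksight register-user \
    --aws-account-id "$account_id" --namespace default \
    --identity-type IAM --iam-arn "$role_arn" \
    --session-name "$email" --email "$email" \
    --user-role "$user_role"
}

# Register the user, then verify via describe-user that the stored role is
# the one requested (catches a leftover self-provisioned ADMIN entry).
register_and_verify() {
  account_id="$1"; role_arn="$2"; email="$3"; want="${4:-READER}"
  register_args "$account_id" "$role_arn" "$email" "$want" | xargs aws || return 1
  got=$(aws quicksight describe-user \
          --aws-account-id "$account_id" --namespace default \
          --user-name "$(quicksight_user_name "$role_arn" "$email")" \
          --query 'User.Role' --output text) || return 1
  [ "$got" = "$want" ] || { echo "role mismatch: got $got, want $want" >&2; return 1; }
}

# Usage (placeholders; requires a configured AWS CLI with QuickSight permissions):
# register_and_verify 123456789012 \
#   arn:aws:iam::123456789012:role/AWSReservedSSO_PermissionSet_PLACEHOLDER user@example.com
```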