Hi there,
I have recently transitioned our AWS accounts from using assumed IAM roles (with a source IAM user in a source account) to AWS sessions initiated by logging in with an external identity provider (IdP) - Okta.
Previously, users who accessed QuickSight in the AWS Console would be prompted to enter their email for first-time access, and would have their accounts created as ADMIN accounts by default. This was undesirable in most cases, as most of the time they would only need to be a READER.
To solve this, I would delete their accounts and re-create them using the AWS CLI and assigning the READER role - then when they accessed the QS console, they would not need to re-enter their email as their identity already existed. (Of course I also managed migrating existing resources etc before deleting)
Now, with Okta-initiated logins, there is no IAM role assigned to users. Users log in via Okta and AWS Identity Center (successor to IAM) in a main account, and are given federated access into sub-accounts.
When they access QuickSight they are given an auto-generated username such as:
AWSReservedSSO_some_permission_set_name_12f1840c2136a23b/username@example.com
Now when I try to use the CLI to register users (after deleting their auto-generated ADMIN accounts first), I get an invalid error:
An error occurred (InvalidParameterValueException) when calling the RegisterUser operation: Invalid resource identifiers provided. Please check the documentation.
The command I would previously use to register users who used Assumed IAM roles is:
aws quicksight register-user --session-name "user@example.com" --iam-arn arn:aws:iam::123456789012:role/Developer --email "user@example.com" --identity-type IAM --user-role READER --aws-account-id 123456789012 --namespace default
However now I don’t have a --iam-arn value for Okta federated AWS users, and it seems like register-user requires this parameter.
Can someone assist here? I would prefer not to have to set up another direct IdP integration of Okta straight to QuickSight (and instead use the fact that QuickSight can be accessed from the AWS Console, which is where Okta users already have access).
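Added example (not from the original post): a small shell helper that takes the auto-generated QuickSight username shown above, splits it into the permission-set role name and the session name, and prints the register-user call with --identity-type IAM. It assumes that QuickSight accepts the Identity Center permission-set role ARN without its aws-reserved/sso.amazonaws.com path, i.e. arn:aws:iam::ACCOUNT:role/AWSReservedSSO_PERMISSION_SET_HASH; that is an assumption to verify in your own account, not something the post confirms. The account ID and user are the placeholder values from the post.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post.
# Builds an "aws quicksight register-user" call for an Identity Center
# (Okta-federated) session from the auto-generated QuickSight username
# "AWSReservedSSO_<permission-set>_<hash>/<user@example.com>".
#
# ASSUMPTION (verify in your account): QuickSight accepts the permission-set
# role ARN without the "aws-reserved/sso.amazonaws.com/<region>/" path, i.e.
# arn:aws:iam::<account>:role/AWSReservedSSO_<permission-set>_<hash>
set -eu

# Reject anything that is not "AWSReservedSSO_<...>/<something@domain>" with
# exactly one slash, so a malformed name cannot become a bogus ARN.
qs_validate_user() {
  case "$1" in
    AWSReservedSSO_*/*@*) [ "${1#*/}" = "${1##*/}" ] ;;   # one slash only
    *) return 1 ;;
  esac
}

# "<role-name>/<session-name>" -> role name (before the slash)
qs_role_name()    { printf '%s\n' "${1%%/*}"; }
# "<role-name>/<session-name>" -> session name (after the slash)
qs_session_name() { printf '%s\n' "${1#*/}"; }

# $1 = AWS account ID, $2 = auto-generated QuickSight username
# Prints the path-stripped role ARN (see ASSUMPTION above).
qs_iam_arn() {
  printf 'arn:aws:iam::%s:role/%s\n' "$1" "$(qs_role_name "$2")"
}

# $1 = AWS account ID, $2 = QuickSight username, $3 = QuickSight role (default READER)
# Prints the register-user command; it does not call AWS itself.
qs_register_cmd() {
  local account="$1" qs_user="$2" role="${3:-READER}"
  qs_validate_user "$qs_user" || {
    printf 'unexpected QuickSight username shape: %s\n' "$qs_user" >&2
    return 1
  }
  local session
  session="$(qs_session_name "$qs_user")"
  # The session name is the Identity Center user name (the email), so it also
  # serves as the --email value, as in the assumed-role command in the post.
  printf 'aws quicksight register-user --aws-account-id %s --namespace default --identity-type IAM --iam-arn %s --session-name %s --email %s --user-role %s\n' \
    "$account" "$(qs_iam_arn "$account" "$qs_user")" "$session" "$session" "$role"
}

# Constructed sample input (placeholder values from the post, not a real user).
SAMPLE_USER='AWSReservedSSO_some_permission_set_name_12f1840c2136a23b/username@example.com'
qs_register_cmd 123456789012 "$SAMPLE_USER"
```

Before deleting an auto-created ADMIN user, `aws quicksight describe-user --user-name "AWSReservedSSO_.../username@example.com" --aws-account-id 123456789012 --namespace default` shows the Arn and IdentityType QuickSight stored for that session, which is the quickest way to confirm which role ARN form to pass. As in the post, the auto-created user must be deleted before register-user is run for the same role and session name.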