RLS using Cognito

We are using Cognito instead of IAM and I am trying to implement RLS. I have tried several versions of UserName and GroupName but cannot get it working. I have tried:

  • IAM Role Name/Email
  • Cognito Identity Pool Name/Email
  • QuickSight Group Name
  • QuickSight User Name

What could be the issue?

@pyi,

RLS rules are applied to QuickSight users/groups regardless of how they authenticate (Cognito, Okta, IAM etc). I believe you are using an IAM role that Cognito users assume to access QuickSight, so your QuickSight usernames should be in the format ‘<Cognito_IAM_Role>/<Cognito_email_or_username>’. Please correct me if I am wrong.

Do you see any error when using QuickSight username in RLS? Or the rules don’t apply?

Can you try UserARN or GroupARN instead?

UserArn
arn:aws:quicksight:us-east-1:123456789012:user/default/QSCognitoRole/TestUser

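The naming convention in the reply above is easy to get subtly wrong, and QuickSight gives no error when an RLS row names a principal that does not exist; the rule simply never matches. The following is an added example (not code from the thread or from AWS) that builds the RLS rules file with either the `UserName` (`<role>/<identity>`) or the `UserARN` form and then checks every principal in the file against the user list QuickSight actually knows about. The account ID, region, namespace, role name and email addresses are illustrative placeholders, and `KNOWN_QUICKSIGHT_USERS` is a constructed stand-in shaped like the `UserList` entries returned by the QuickSight `list_users` API; in practice you would fetch that list with boto3.

```python
import csv
import io

# Assumed placeholders (not from the original thread).
REGION = "us-east-1"
ACCOUNT_ID = "123456789012"
NAMESPACE = "default"
COGNITO_ROLE = "QSCognitoRole"   # IAM role that Cognito identities assume


def quicksight_user_name(role_name, cognito_identity):
    """QuickSight user name for a federated (role-based) user: '<role>/<session name>'.
    With Cognito the session name is normally the user's email or username."""
    return f"{role_name}/{cognito_identity}"


def quicksight_user_arn(user_name, region=REGION, account_id=ACCOUNT_ID, namespace=NAMESPACE):
    """ARN form of the same principal, usable in the UserARN column of an RLS file."""
    return f"arn:aws:quicksight:{region}:{account_id}:user/{namespace}/{user_name}"


def build_rls_rows(identity_to_regions, principal_column="UserName", role_name=COGNITO_ROLE):
    """One RLS rule per Cognito identity listing the Region values it may see.
    principal_column selects the UserName or UserARN form; only that column is emitted,
    so the file never names the same principal two different ways."""
    if principal_column not in ("UserName", "UserARN"):
        raise ValueError("principal_column must be 'UserName' or 'UserARN'")
    rows = []
    for identity, regions in identity_to_regions.items():
        user_name = quicksight_user_name(role_name, identity)
        principal = user_name if principal_column == "UserName" else quicksight_user_arn(user_name)
        # QuickSight RLS files separate multiple allowed values with commas inside one cell.
        rows.append({principal_column: principal, "Region": ",".join(regions)})
    return rows


def write_rls_csv(rows):
    """Serialise the rules as CSV text; csv.writer quotes cells that contain commas."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(rows[0].keys()), lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


# Constructed sample shaped like QuickSight list_users output (not real data).
KNOWN_QUICKSIGHT_USERS = [
    {
        "UserName": "QSCognitoRole/alice@example.com",
        "Arn": quicksight_user_arn("QSCognitoRole/alice@example.com"),
        "Email": "alice@example.com",
        "IdentityType": "IAM",
        "Active": True,
    },
]


def unmatched_principals(rls_rows, quicksight_users, principal_column="UserName"):
    """Return RLS principals that match no QuickSight user. A non-empty result means the
    rule will silently never apply, which is what a wrong naming convention looks like."""
    key = "UserName" if principal_column == "UserName" else "Arn"
    known = {u[key] for u in quicksight_users}
    return [r[principal_column] for r in rls_rows if r[principal_column] not in known]


if __name__ == "__main__":
    rules = build_rls_rows({
        "alice@example.com": ["us-east", "eu-west"],
        "bob@example.com": ["apac"],
    })
    print(write_rls_csv(rules))
    print("unmatched:", unmatched_principals(rules, KNOWN_QUICKSIGHT_USERS))
```

Run the check after every edit of the rules file, and after re-uploading it re-attach it to the main dataset, since a replaced rules dataset is not picked up automatically.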

I actually figured out what my problem was! I was just testing out the functionality using a spreadsheet. When I couldn’t get the naming convention right, I simply deleted the temp RLS file I created and uploaded a new one (since I couldn’t refresh in place). I assumed because it was using the same name, that it would pick up the same file automatically. When you delete the file, it breaks the link to the RLS file from the main dataset. You have to manually go back and re-apply the RLS dataset every time you update the RLS file.

But yes it is the IAMRole/email.