We are searching for a proper, secure way to generate a pre-signed URL that takes users to the QuickSight home page.
We tried using GetFederationTokenRequest; here is the piece of code we used:
import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.net.URL;
import java.net.URLConnection;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import software.amazon.awssdk.auth.credentials.AwsBasicCredentials;
import software.amazon.awssdk.auth.credentials.StaticCredentialsProvider;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.sts.StsClient;
import software.amazon.awssdk.services.sts.model.Credentials;
import software.amazon.awssdk.services.sts.model.GetFederationTokenRequest;
import software.amazon.awssdk.services.sts.model.GetFederationTokenResponse;
import software.amazon.awssdk.services.sts.model.Tag;

Logger log = LoggerFactory.getLogger("QuickSightFederation");
ObjectMapper objectMapper = new ObjectMapper();

// "ACCESS_KEY" / "SECRET_KEY" are placeholders; the real IAM user keys belong in a secrets store or the environment, not in source
StsClient stsClient = StsClient.builder()
        .region(Region.AP_SOUTH_1)
        .credentialsProvider(StaticCredentialsProvider.create(AwsBasicCredentials.create("ACCESS_KEY", "SECRET_KEY")))
        .build();
// Temporary credentials limited by the inline policy and carrying the user's email as a session tag
GetFederationTokenRequest federationTokenRequest = GetFederationTokenRequest.builder()
        .durationSeconds(1800)
        .name("JAVA-SDK-TEST-USER")
        .policy("{\"Version\":\"2012-10-17\",\"Statement\":[{\"Action\":\"quicksight:ListDashboards\",\"Effect\":\"Allow\",\"Resource\":\"*\"}]}")
        .tags(Tag.builder().key("PrincipalTag:Email").value("user@example.com").build())
        .build();
GetFederationTokenResponse federationTokenResponse = stsClient.getFederationToken(federationTokenRequest);
Credentials federatedCredentials = federationTokenResponse.credentials();
// Session document expected by the federation endpoint's getSigninToken action
String sessionJson = String.format(
        "{\"%1$s\":\"%2$s\",\"%3$s\":\"%4$s\",\"%5$s\":\"%6$s\"}",
        "sessionId", federatedCredentials.accessKeyId(),
        "sessionKey", federatedCredentials.secretAccessKey(),
        "sessionToken", federatedCredentials.sessionToken());
String signInUrl = "https://signin.aws.amazon.com/federation";
String getSigninTokenUrl = signInUrl + "?Action=getSigninToken&DurationSeconds=43200&Session="
        + URLEncoder.encode(sessionJson, StandardCharsets.UTF_8);
// The endpoint answers with a single JSON line containing the SigninToken
URL url = new URL(getSigninTokenUrl);
URLConnection conn = url.openConnection();
BufferedReader bufferReader = new BufferedReader(new InputStreamReader(conn.getInputStream()));
String returnContent = bufferReader.readLine();
bufferReader.close();
log.info("Response received: {}", returnContent); // note: this writes the sign-in token into the application log
String signinToken = objectMapper.readTree(returnContent).get("SigninToken").asText();
// Login URL that opens the console session directly on the QuickSight start page
String issuerURL = "https://app.domain.com/"; // Your issuer URL
String destinationURL = "https://ap-south-1.quicksight.aws.amazon.com/sn/start"; // QuickSight Home URL
String loginURL = signInUrl + "?Action=login"
        + "&SigninToken=" + URLEncoder.encode(signinToken, StandardCharsets.UTF_8)
        + "&Issuer=" + URLEncoder.encode(issuerURL, StandardCharsets.UTF_8)
        + "&Destination=" + URLEncoder.encode(destinationURL, StandardCharsets.UTF_8);
log.info("Federated login URL for QuickSight: {}", loginURL); // note: the login URL is a bearer credential for the session
stsClient.close();
When we use the generated login URL, we get the following error:
The AWS principal tag corresponding to "PrincipalTag:Email" in your SAML assertion or OIDC token is either an invalid email or not present. Please reach out to your QuickSight account's admin to ensure that the email address for this AWS principal tag is correct.
Has anyone faced a similar issue, or are we missing any steps?
Thanks
Sai
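The same federation flow, written as an added example rather than the poster's code or AWS sample code, with the parts a reviewer would tighten: the IAM user keys come from the environment instead of source, the email is sanity-checked before it is placed in the session tag (a bad value otherwise only surfaces as the QuickSight error quoted above), the HTTP status and JSON shape of the getSigninToken reply are checked, and the login URL is treated as the bearer credential it is. Two assumptions are built in: the session-tag key is `Email`, on the assumption that QuickSight matches the principal tag `aws:PrincipalTag/Email` produced by an STS session tag of that key (the post uses `PrincipalTag:Email`, and whether that is the cause of the error is not settled by the post); and the class, method and helper names (`QuickSightFederatedLogin`, `buildLoginUrl`, `federationName`) are invented for this example. The session policy is passed in by the caller; the post's `quicksight:ListDashboards`-only policy is reused in `main` as a placeholder.

```java
import java.io.IOException;
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.util.regex.Pattern;

import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import software.amazon.awssdk.auth.credentials.EnvironmentVariableCredentialsProvider;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.sts.StsClient;
import software.amazon.awssdk.services.sts.model.Credentials;
import software.amazon.awssdk.services.sts.model.GetFederationTokenRequest;
import software.amazon.awssdk.services.sts.model.Tag;

/** Constructed example (not AWS or QuickSight sample code): federated console login URL for one user. */
public final class QuickSightFederatedLogin {

    private static final String FEDERATION_ENDPOINT = "https://signin.aws.amazon.com/federation";
    // Assumption: QuickSight matches aws:PrincipalTag/Email, which an STS session tag keyed "Email" produces.
    private static final String EMAIL_TAG_KEY = "Email";
    // Plausibility check only; QuickSight applies its own validation on the tag value.
    private static final Pattern PLAUSIBLE_EMAIL = Pattern.compile("^[^@\\s]+@[^@\\s]+\\.[^@\\s]+$");
    private static final ObjectMapper JSON = new ObjectMapper();
    private static final HttpClient HTTP = HttpClient.newHttpClient();

    private final StsClient sts;

    public QuickSightFederatedLogin(StsClient sts) {
        this.sts = sts;
    }

    /**
     * @param userEmail      email QuickSight should see as aws:PrincipalTag/Email
     * @param sessionPolicy  JSON policy further restricting the federated session (least privilege)
     * @param issuerUrl      your application's URL, shown when the console session ends
     * @param destinationUrl QuickSight start page in your region
     * @param sessionSeconds 900..43200, applied to both the credentials and the console session
     */
    public String buildLoginUrl(String userEmail, String sessionPolicy, String issuerUrl,
                                String destinationUrl, int sessionSeconds)
            throws IOException, InterruptedException {
        if (!PLAUSIBLE_EMAIL.matcher(userEmail).matches()) {
            throw new IllegalArgumentException("not a plausible email address, refusing to federate");
        }
        if (sessionSeconds < 900 || sessionSeconds > 43200) {
            throw new IllegalArgumentException("sessionSeconds must be between 900 and 43200");
        }

        // 1. Temporary credentials carrying the email as a session tag. GetFederationToken has to be
        //    called with an IAM user's long-term keys, supplied to the StsClient, never hard-coded here.
        Credentials creds = sts.getFederationToken(GetFederationTokenRequest.builder()
                .name(federationName(userEmail))
                .durationSeconds(sessionSeconds)
                .policy(sessionPolicy)
                .tags(Tag.builder().key(EMAIL_TAG_KEY).value(userEmail).build())
                .build()).credentials();

        // 2. Exchange the credentials for a sign-in token; same duration keeps both lifetimes aligned.
        String session = JSON.writeValueAsString(JSON.createObjectNode()
                .put("sessionId", creds.accessKeyId())
                .put("sessionKey", creds.secretAccessKey())
                .put("sessionToken", creds.sessionToken()));
        HttpRequest tokenRequest = HttpRequest.newBuilder(URI.create(FEDERATION_ENDPOINT
                + "?Action=getSigninToken&DurationSeconds=" + sessionSeconds
                + "&Session=" + encode(session))).GET().build();
        HttpResponse<String> response = HTTP.send(tokenRequest, HttpResponse.BodyHandlers.ofString());
        if (response.statusCode() != 200) {
            // Status only: the body is not logged, since it may echo request material.
            throw new IOException("getSigninToken failed with HTTP " + response.statusCode());
        }
        JsonNode body = JSON.readTree(response.body());
        if (!body.hasNonNull("SigninToken")) {
            throw new IOException("getSigninToken response carries no SigninToken");
        }

        // 3. The login URL is a bearer credential for the user's console session: deliver it to the
        //    user over TLS and keep it out of application logs.
        return FEDERATION_ENDPOINT + "?Action=login"
                + "&SigninToken=" + encode(body.get("SigninToken").asText())
                + "&Issuer=" + encode(issuerUrl)
                + "&Destination=" + encode(destinationUrl);
    }

    /** GetFederationToken names allow only [\w+=,.@-] and at most 32 characters. */
    static String federationName(String email) {
        String cleaned = email.replaceAll("[^\\w+=,.@-]", "_");
        return cleaned.length() <= 32 ? cleaned : cleaned.substring(0, 32);
    }

    private static String encode(String value) {
        return URLEncoder.encode(value, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        // Long-term IAM user keys are read from AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY.
        try (StsClient sts = StsClient.builder()
                .region(Region.AP_SOUTH_1)
                .credentialsProvider(EnvironmentVariableCredentialsProvider.create())
                .build()) {
            String policy = "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\","
                    + "\"Action\":\"quicksight:ListDashboards\",\"Resource\":\"*\"}]}";
            String url = new QuickSightFederatedLogin(sts).buildLoginUrl(
                    "user@example.com", policy, "https://app.domain.com/",
                    "https://ap-south-1.quicksight.aws.amazon.com/sn/start", 1800);
            System.out.println(url); // demo only; in an application the URL goes to the user, not to a log
        }
    }
}
```

Requires Java 11+ (java.net.http), the AWS SDK for Java v2 `sts` module and Jackson Databind. If the QuickSight error persists with the `Email` tag key, the remaining things to confirm are on the account side: that email syncing for federated users is enabled for the QuickSight account and that the session tag value exactly matches the email QuickSight expects; those settings are not visible from the code.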