Users do not populate in Shared Folder dialog

Users are not populating in Shared Folder dialog

This happens in some namespaces but not others. We have confirmed there are users in the namespace and we have relaxed all permissions to ensure it is not a permissions issue. In addition, this user is an ADMIN.

Are there any other debugging steps I can take? What could be the issue here? Any help would be appreciated.

1 Like

Have you tried to paste in the ARN?

Also, to confirm, is this QuickSight embedded instance in the same namespace as the person you are trying to share with?

Hey Max, thanks again for the reply (as always) … we discovered some new things this afternoon.

Here’s an example of my users:

Username
realm1/therock  Dwayne Johnson  djohnson@gmail.com   
realm1/hklum    Heidi Klum      hklume@gmail.com

Results:
Searching for therock returns no results
Searching for realm1 returns no results
Searching for realm1/therock returns no results
Searching for djohnson returns realm1/therock (matching on email)
Searching for hklum returns realm1/hklum (probably matching on email)

So my speculation is the user search is broken when using the username. It may be specific to a multi-tenant environment where you prefix a role with [roleArn short name]/ (if I’m understanding this right).

Also I tried pasting the ARN but it does not work; but I wouldn’t expect it to since the UI hint says “username, group, or email address”

After looking at code and reading documentation it looks like we are not setting the username but rather the session name.

    response = quickSightIdentity.register_user(
        AwsAccountId=aws_account_id,
        Namespace=formatted_name,
        IdentityType='IAM',
        IamArn='arn:aws:iam::_____:role/' + company,  # company=realm1
        # Cognito UserName
        SessionName=userName,  # userName=realm1/therock
        # Cognito Email
        Email=email,  # email=djohnson@gmail.com
        UserRole=dashboardRole,
        ExternalLoginFederationProviderType='COGNITO',
        # Cognito sub
        ExternalLoginId=sub
    )

But the describeUser API call seems to still return the session-name as the user-name

{
 "arn": "arn:aws:quicksight:us-east-1:_____:user/realm1/realm1/therock",
 "userName": "realm1/therock",
 "email": "djohnson@gmail.com",
 "role": "ADMIN",
 "identityType": "IAM",
 "active": true,
 "principalId": "federated/iam/_____:_____",
 "customPermissionsName": null,
 "externalLoginFederationProviderType": "CUSTOM_OIDC",
 "externalLoginFederationProviderUrl": "https://cognito-idp.us-east-1.amazonaws.com/_____",
 "externalLoginId": "_____"
}

Note the response doesn’t include session-name … so this is a little confusing.

Documentation:

Hope this helps shed light on why the search may not be working in all cases.

As a side question; how do I know if I should even be using an assumed IAM role for my users?

1 Like
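Added example (not part of any post in this thread, and not AWS or project code): a small offline check for the namespace question raised above. It parses user ARNs of the shape shown in the describeUser output and lists which users sit in the same account and namespace as the sharer. The helper names, the account ID and the `realm2` record are constructed; it assumes the first path segment after `user/` is the namespace and everything after it is the user name.

```python
from typing import NamedTuple


class UserArn(NamedTuple):
    region: str
    account_id: str
    namespace: str
    user_name: str  # may itself contain "/", e.g. "realm1/therock"


def parse_user_arn(arn: str) -> UserArn:
    """Parse arn:<partition>:quicksight:<region>:<account>:user/<namespace>/<userName>."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn" or parts[2] != "quicksight":
        raise ValueError(f"not a QuickSight ARN: {arn!r}")
    # Assumption: only the first two "/" are structural; the rest is the user name.
    resource = parts[5].split("/", 2)
    if len(resource) != 3 or resource[0] != "user" or not all(resource[1:]):
        raise ValueError(f"not a QuickSight user ARN: {arn!r}")
    return UserArn(parts[3], parts[4], resource[1], resource[2])


def same_namespace_users(sharer_arn: str, records: list[dict]) -> dict[str, str]:
    """Map userName -> ARN for records in the sharer's account and namespace."""
    me = parse_user_arn(sharer_arn)
    result = {}
    for rec in records:
        other = parse_user_arn(rec["arn"])
        if other.user_name != rec["userName"]:
            raise ValueError(f"ARN and userName disagree: {rec!r}")
        if (other.account_id, other.namespace) == (me.account_id, me.namespace):
            result[other.user_name] = rec["arn"]
    return result


# Constructed records using the field names from the output above.
ACCOUNT = "111122223333"  # placeholder account ID
USERS = [
    {"arn": f"arn:aws:quicksight:us-east-1:{ACCOUNT}:user/realm1/realm1/therock",
     "userName": "realm1/therock", "email": "djohnson@gmail.com"},
    {"arn": f"arn:aws:quicksight:us-east-1:{ACCOUNT}:user/realm1/realm1/hklum",
     "userName": "realm1/hklum", "email": "hklume@gmail.com"},
    {"arn": f"arn:aws:quicksight:us-east-1:{ACCOUNT}:user/realm2/realm2/guest",
     "userName": "realm2/guest", "email": "guest@example.com"},
]

if __name__ == "__main__":
    for name, arn in same_namespace_users(USERS[0]["arn"], USERS).items():
        print(name, "->", arn)
```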

Are you talking about the identityType?

One area we found some issue with using a QuickSight identityType instead of an IAM identityType, is when we were using CloudFormation to attach a principal to a QuickSight resource.

For some reason I think that was causing issues.

But if you use them as an IAM identityType then it works fine.

Let me know if that helps at all.