With custom namespace, how can a user log in QuickSight and author visuals?

tbdori · February 8, 2024, 3:25pm

I have been using a hybrid login with the default namespace.
General users are accessing QuickSight visuals via embedded analytics as IAM users (all readers). Some handsful authors use direct QuickSight login user/pass. - All good so far.

Recently, I just created a custom namespace(xx). And created a user on that namespace with group and custom permission. I see a shared dataset/analysis/ dashboard from the default namespace. So, all good.

When I create a user with a custom namespace in CLI, I get an invitation url but it doesn’t work.

aws quicksight register-user --namespace xx --identity-type QUICKSIGHT --user-role AUTHOR --region $sourceRegion --custom-permissions-name xxPermission --email=xx@gmail.com --user-name xx@gmail.com --aws-account-id $sourceAccountId

Then, I found this sentence from the online doc saying ‘direct QuickSight user/pass login’ won’t work with a custom namespace.

Custom namespaces—those that are not the default namespace—are only accessible to IAM Federated Single-Sign-On users. (Supporting multitenancy with isolated namespaces - Amazon QuickSight)

Then, why does the above CLI output a non-working URL?

Let me assume that’s what it is. Then, how can I achieve what I want?

For user A in namespace XX, how can he/she create/update the analysis and publish it?
Does he have to use embedded authoring and do it from the App side, not from QuickSight directly?

Currently, I am not using SSO with QuickSight. User won’t come to QuickSight directly from Okta. They will access it only from embedded dashboards. Do I need to make SSO enable for this?

Koushik_Muthanna · February 9, 2024, 8:48am

Can you try the following
( Workshop Studio )

Federated users, IAM users and QuickSight managed users can all be created in secondary namespaces. However, only Federated and IAM users in secondary namespace will be able to access QuickSight console directly. You can user QuickSight managed users with secondary namespaces if your use case requires only embedded access. Both dashboard and session/author embedding is possible with QuickSight managed users in secondary namespaces.

The QuickSight managed user which you created in the secondary namespace is still valid.
Go ahead and test generating a console based experience ( generate-embed-url-for-registered-user — AWS CLI 2.15.18 Command Reference ) ( Search for “QuickSightConsole” )

If the above works, then you handle secondary namespaces as part of your application code. Based on the user who is accessing the application, the embedding url will also require the userarn and this can be the user in a custom namespace.

Kind regards,
Koushik

tbdori · February 11, 2024, 9:19pm

The workshop was very helpful.
In summary, with a custom namespace, users can author visuals using

embedded authoring experience
in the QuickSight console directly

For the #2 option, I need to create a user from IAM first.
Then, from QS CLI, I register this user with the ‘IAM’ identity-type.

aws quicksight register-user --aws-account-id $sourceAccountId --namespace $namespace --identity-type IAM --iam-arn arn:aws:iam::$sourceAccountId:user/$userName --user-role AUTHOR --email xxx@xx.com --region $sourceRegion --custom-permissions-name snoPermission

For a user to access QS for authoring, the user still opens the QuickSight login page (https://quicksight.aws.amazon.com/). Then enter the correct account name.
The screen will be redirected to the IAM login page. Type in the IAM user’s username and password.
The screen will redirect to the QuickSight console.