I have been using a hybrid login with the default namespace.
General users are accessing QuickSight visuals via embedded analytics as IAM users (all readers). A handful of authors use direct QuickSight user/pass login. All good so far.
Recently, I created a custom namespace (xx) and created a user in that namespace with a group and custom permissions. I see a shared dataset/analysis/dashboard from the default namespace. So, all good.
When I create a user in a custom namespace from the CLI, I get an invitation URL, but it doesn’t work.
aws quicksight register-user --namespace xx --identity-type QUICKSIGHT --user-role AUTHOR --region $sourceRegion --custom-permissions-name xxPermission --email email@example.com --user-name firstname.lastname@example.org --aws-account-id $sourceAccountId
Then, I found this sentence from the online doc saying ‘direct QuickSight user/pass login’ won’t work with a custom namespace.
Then, why does the above CLI output a non-working URL?
Let me assume that’s what it is. Then, how can I achieve what I want?
For user A in namespace XX, how can he/she create/update the analysis and publish it?
Does he have to use embedded authoring and do it from the App side, not from QuickSight directly?
Currently, I am not using SSO with QuickSight. Users won’t come to QuickSight directly from Okta. They will access it only from embedded dashboards. Do I need to enable SSO for this?
Can you try the following?
(Workshop Studio)
Federated users, IAM users and QuickSight managed users can all be created in secondary namespaces. However, only Federated and IAM users in a secondary namespace will be able to access the QuickSight console directly. You can use QuickSight managed users with secondary namespaces if your use case requires only embedded access. Both dashboard and session/author embedding is possible with QuickSight managed users in secondary namespaces.
The QuickSight managed user which you created in the secondary namespace is still valid.
Go ahead and test generating a console-based experience (generate-embed-url-for-registered-user — AWS CLI 2.15.18 Command Reference; search for “QuickSightConsole”).
If the above works, then you handle secondary namespaces as part of your application code. Based on the user who is accessing the application, the embedding URL will also require the userarn and this can be the user in a custom namespace.
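What that last paragraph describes could look like this in application code. It is an added example, not part of the original reply or AWS sample code: the `TENANT_USERS` mapping, the function names, the account ID and the user names are constructed assumptions, and it assumes the account's identity region is the region the call is made in.

```python
import re

# Constructed mapping (assumption): application login -> (namespace, QuickSight user name).
# It lives server-side; the namespace is never taken from the browser request.
TENANT_USERS = {
    "alice@tenant-xx.example": ("xx", "alice"),
}


def quicksight_user_arn(region, account_id, namespace, user_name):
    """Build the ARN of a registered QuickSight user in a (custom) namespace."""
    if not re.fullmatch(r"\d{12}", account_id):
        raise ValueError("account id must be 12 digits")
    if not re.fullmatch(r"[A-Za-z0-9._-]{1,64}", namespace) or not user_name:
        raise ValueError("invalid namespace or user name")
    return f"arn:aws:quicksight:{region}:{account_id}:user/{namespace}/{user_name}"


def console_embed_url(app_user, account_id, region, client=None, lifetime_minutes=60):
    """Return a QuickSightConsole embed URL for the caller's own namespace user."""
    if app_user not in TENANT_USERS:
        # Fail closed: an unmapped login must not fall back to another namespace.
        raise PermissionError(f"no QuickSight user mapped for {app_user!r}")
    namespace, user_name = TENANT_USERS[app_user]
    if client is None:
        import boto3  # only needed when actually calling AWS
        client = boto3.client("quicksight", region_name=region)
    resp = client.generate_embed_url_for_registered_user(
        AwsAccountId=account_id,
        UserArn=quicksight_user_arn(region, account_id, namespace, user_name),
        SessionLifetimeInMinutes=lifetime_minutes,
        # Console (authoring) experience rather than a single dashboard.
        ExperienceConfiguration={"QuickSightConsole": {"InitialPath": "/start"}},
    )
    return resp["EmbedUrl"]
```

The role that calls this needs permission for the embed URL action on the user ARNs of the namespaces it serves; scoping that resource to specific namespaces keeps one tenant's backend from minting sessions for another.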
The workshop was very helpful.
In summary, with a custom namespace, users can author visuals using:
1. embedded authoring experience
2. in the QuickSight console directly
For the #2 option, I need to create a user from IAM first.
Then, from QS CLI, I register this user with the ‘IAM’ identity-type.
aws quicksight register-user --aws-account-id $sourceAccountId --namespace $namespace --identity-type IAM --iam-arn arn:aws:iam::$sourceAccountId:user/$userName --user-role AUTHOR --email email@example.com --region $sourceRegion --custom-permissions-name snoPermission
For a user to access QS for authoring, the user still opens the QuickSight login page (https://quicksight.aws.amazon.com/) and then enters the correct account name.
The screen will be redirected to the IAM login page. Type in the IAM user’s username and password.
The screen will redirect to the QuickSight console.