小贝子编程

AWS IAM / Quicksight-用户无权执行:QuickSight:GetDashboardEmbedUrl资



我正在尝试在我的ASP.NET MVC项目中使用嵌入的快速仪表板URL函数。对于测试,我只是尝试将嵌入URL输出到字符串中。这是我代码的主要部分:

    var awsCredentials = new BasicAWSCredentials("redacted", "redacted");
    AmazonSecurityTokenServiceClient stsClient = new AmazonSecurityTokenServiceClient(awsCredentials);
    var tokenServiceRequest = stsClient.GetSessionToken();
    var client = new AmazonQuickSightClient(
        tokenServiceRequest.Credentials.AccessKeyId,
        tokenServiceRequest.Credentials.SecretAccessKey,
        tokenServiceRequest.Credentials.SessionToken,
        Amazon.RegionEndpoint.APSoutheast2);
    try
    {
        string machineTypeEmbedUrl =
            client.GetDashboardEmbedUrlAsync(new GetDashboardEmbedUrlRequest
            {
                AwsAccountId = "redacted",
                DashboardId = "redacted",
                IdentityType = IdentityType.IAM,
                ResetDisabled = true,
                SessionLifetimeInMinutes = 100,
                UndoRedoDisabled = false
            }).Result.EmbedUrl;
    }
    catch (Exception ex)
    {
        return new HttpStatusCodeResult(HttpStatusCode.BadRequest,ex.Message);
    }

为了支持所需的权限,我设置了一个具有STS的IAM用户,假定角色允许如下:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1551593192075",
            "Action": [
                "sts:AssumeRole"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:iam::redacted:role/assume-quicksight-role"
        }
    ]
}

我已经设置了上面指定的角色,并设置其信任策略,以便上面的IAM用户可以假设。

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "quicksight:RegisterUser",
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "quicksight:GetDashboardEmbedUrl",
            "Resource": "arn:aws:quicksight:ap-southeast-2:redacted:dashboard/redacted",
            "Effect": "Allow"
        }
    ]
}

据我所知,这应该有效。调试显示我确实得到了一个会话令牌,该令牌将传递给embedurl请求,但是我会收到以下错误:

innerexception = {"用户: ARN:AWS:IAM ::: USER/API-DEV-QUICKSIGHT-USER未经授权 要执行:Quicksight:getDashboardEmbedurl资源: ARN:AWS:QuickSight:ap-southeast-2 :: dashboard/"}

我不确定为什么会发生这种情况?我有一个可以扮演正确角色的用户,并且该角色对所讨论的仪表板具有正确的权限。我在这里想念什么?

尝试这样更改您的角色(请在dashboard之前注意::双结肠):

...
"Action": "quicksight:GetDashboardEmbedUrl", 
"Resource": "arn:aws:quicksight:ap-southeast-2::dashboard/*", 
"Effect": "Allow"
...

这应该允许用户访问仪表板下方的所有子资源。

要遵循AWS建议的最低特权原则,您应该列出所有资源:

...
"Resource": [
    "arn:aws:quicksight:ap-southeast-2::dashboard/", 
    "arn:aws:quicksight:ap-southeast-2::dashboard/redacted"]
...

相关内容

  • 没有找到相关文章

最新更新


热门标签:

javascript python java c# php android html jquery c++ css ios sql mysql arrays asp.net json python-3.x ruby-on-rails .net sql-server django objective-c excel regex ruby linux ajax iphone xml vba spring asp.net-mvc database wordpress string postgresql wpf windows xcode bash git oracle list vb.net multithreading eclipse algorithm macos powershell visual-studio image forms numpy scala function api selenium