AWS Big Data Blog
Scale Amazon QuickSight embedded analytics with new API-based domain allow listing
Amazon QuickSight is a fully-managed, cloud-native business intelligence (BI) service that makes it easy to connect to your data, create interactive dashboards, and share these with tens of thousands of users, either within QuickSight itself or embedded in apps and portals.
QuickSight Enterprise Edition recently introduced the ability to dynamically allow list the domains where QuickSight content can be embedded. This allows developers to quickly embed dashboards across multiple apps, portals, or websites, without needing to make this change on the QuickSight administrative console every time. Together with QuickSight’s existing dashboard theming and templating capabilities, this new feature allows developers to rapidly develop and deploy QuickSight dashboards and visualizations for a variety of use cases across various applications with ease. Let’s take a look at how this works.
To embed a QuickSight dashboard using APIs, you can use one of the following embedding APIs:
In these APIs, you can now pass the domain where you want to embed your dashboard using the new parameter AllowedDomains.
You can add up to three domains in a single API call as an array list. All the domains need to be SSL enabled (using HTTPS protocol). If you want to test out the embedded dashboard on your local machine, you can allow list http://localhost via the AllowedDomains parameter. For example, if you want to embed a dashboard in your SaaS application called https://myorders.simplelogistics.com, you set AllowedDomains to be https://myorders.simplelogistics.com in the API call. You can also enable sub domains by passing *, for example,
AllowedDomains is an optional parameter. If you don’t specify any domains via this parameter, you can still use the domains allow listed via the QuickSight console. But if you specify domains via this parameter, then the embedding URL returned as part of the API call is only embeddable in these domains (even if you have a list of static domains entered on the QuickSight console).
Prior to this capability, the Content-Security-Policy in the request header listed all the domains allow listed in the QuickSight console. Now, when you allow list domains using the API, the Content-Security-Policy only shows the domains that are allow listed in the API call.
With this new capability, ISVs that have different applications for different customers can allow list specific domains at runtime, enabling them to scale easily for different customers and to hundreds of thousands of end-users.
As an added security measure, the AWS Identity and Access Management (IAM) admin of your QuickSight account can restrict the domains that can be allow listed. This can be done when your IAM admin sets up permissions for your application or server. As part of this step, you can specify the list of domains that can be allow listed via the embedding APIs. For example, let’s assume you want your developers to only allow list the following domains:
You can set these domains in the quicksight:AllowedEmbeddingDomains of the permissions setup. The following code is a sample for the
Intelerad improves User Experience
Intelerad, a leading medical system imaging management company, uses this API-based domain allow listing feature to embed QuickSight dashboards directly into its web application, reducing operational time and improving user experience.
“Our software exists as a multi-tenant AWS architecture with more than 400 separate private and public cloud instances. This software includes a web application for administration and management of the system. A new feature we are building for this administration application is an embedded QuickSight dashboard showing operational data specific to the installation and its usage. Prior to this new API-based domain allow listing, embedding the dashboard would have required us to manually add all of our tenants’ web server domains to the allowed domains in the QuickSight console. Not only would it have been difficult for us to obtain a list of allowed domains, this list of allowed domains is only modifiable via the console, so it would also have been difficult to maintain over time. With this new API change, we can now send the domain that the clients use to access their web server to the dashboard embedding API and we can show the dashboard directly into their web application. No more list of domains to manage and less security concerns about those domains being visible to all clients. This not only reduces an operational obstacle for us but also allows for a far better user experience for our millions of users.”
-Mark Groves – Sr. Development Manager at Intelerad.
Sample use case
In this example use case, Travel Analytics is a software as a service (SaaS) provider with travel-related solutions for various travel agencies. They have a SaaS application for these agencies to track different metrics on how their business is performing. Because Travel Analytics is scaling their business, they have different sites for different travel agencies. With the newly launched domain allow listing with APIs, they’re able to scale with ease. They allow list the specific domains, depending on the customer, via the API when generating the embedding URL.
The following code shows their sample GenerateEmbedUrlForAnonymousUser API call with the domain added to the request:
The returned URL can only be embedded in the domain that was allow listed as part of the preceding request. The following is a screenshot of the embedded dashboard in this domain.
When the dashboard is embedded, the CSP header contains only the domain that was allow listed via the API.
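The per-tenant call from this use case and the IAM restriction described earlier can be sketched together. This is an added example, not code from the original post or from AWS. The account ID, region, dashboard ID, `.example` domains and the `TENANT_DOMAINS` registry are constructed placeholders, and refusing wildcards for tenant origins is a choice made in this example, not an API rule.

```python
import json
from urllib.parse import urlsplit

# Constructed placeholders, not values from the post.
ACCOUNT_ID, REGION, DASHBOARD_ID = "111122223333", "us-east-1", "travel-metrics"
ARN = f"arn:aws:quicksight:{REGION}:{ACCOUNT_ID}:"
TENANT_DOMAINS = {  # hypothetical server-side registry; never derived from request headers
    "agency-a": ["https://agency-a.travelanalytics.example"],
    "agency-b": ["https://agency-b.travelanalytics.example"],
}

def check_domain(domain, allow_localhost=False):
    """HTTPS origins only; http://localhost is accepted for local testing."""
    u = urlsplit(domain)
    if allow_localhost and (u.scheme, u.hostname) == ("http", "localhost"):
        return domain
    # Choice made in this example: tenants are pinned to exact origins, so '*' is refused.
    if u.scheme != "https" or not u.hostname or "*" in u.hostname or u.path or u.query:
        raise ValueError(f"not an exact HTTPS origin: {domain!r}")
    return domain

def embedding_policy(domains):
    """IAM policy capping what the application may pass in AllowedDomains."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "quicksight:GenerateEmbedUrlForAnonymousUser",
        "Resource": [ARN + "namespace/default", ARN + f"dashboard/{DASHBOARD_ID}"],
        "Condition": {"ForAllValues:StringEquals": {
            "quicksight:AllowedEmbeddingDomains": [check_domain(d) for d in domains]}},
    }]}

def embed_request(tenant_id, local_test=False):
    """Arguments for GenerateEmbedUrlForAnonymousUser, scoped to one tenant."""
    # Unknown tenant -> KeyError, so no URL is ever issued for an unregistered domain.
    domains = list(TENANT_DOMAINS[tenant_id]) + (["http://localhost"] if local_test else [])
    if len(domains) > 3:
        raise ValueError("AllowedDomains takes at most three domains per call")
    return {
        "AwsAccountId": ACCOUNT_ID, "Namespace": "default", "SessionLifetimeInMinutes": 60,
        "AuthorizedResourceArns": [ARN + f"dashboard/{DASHBOARD_ID}"],
        "ExperienceConfiguration": {"Dashboard": {"InitialDashboardId": DASHBOARD_ID}},
        "AllowedDomains": [check_domain(d, local_test) for d in domains],
    }

def embed_url(tenant_id):
    import boto3  # imported lazily so the helpers above run without AWS access
    qs = boto3.client("quicksight", region_name=REGION)
    return qs.generate_embed_url_for_anonymous_user(**embed_request(tenant_id))["EmbedUrl"]

if __name__ == "__main__":
    policy = embedding_policy(TENANT_DOMAINS["agency-a"])
    print(json.dumps([policy, embed_request("agency-a")], indent=2))
```

Attaching the generated policy to the role that calls the API keeps the domain list enforced by IAM even if the application-side check is changed or bypassed.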
Runtime domain allow listing using embedding APIs enables developers to scale their embedded offerings with QuickSight dashboards, visuals, QuickSight Q (natural language querying), or authoring experience across different domains for their different customers easily. All of this is done without any infrastructure setup or management, while scaling to millions of users. For more information, refer to Amazon QuickSight Embedded Analytics and What’s New in the Amazon QuickSight User Guide.
About the authors
Vetri Natarajan is a Specialist Solutions Architect for Amazon QuickSight. Vetri has 15 years of experience implementing enterprise Business Intelligence (BI) solutions and greenfield data products. Vetri specializes in integrating BI solutions with business applications and enabling data-driven decisions.
Kareem Syed-Mohammed is a Product Manager at Amazon QuickSight. He focuses on embedded analytics, APIs, and developer experience. Prior to QuickSight, he was with AWS Marketplace and Amazon retail as a PM. Kareem started his career as a developer and then PM for call center technologies, Local Expert and Ads for Expedia. He worked as a consultant with McKinsey and Company for a short while.