Embedded Analytics Tutorial

with Amazon QuickSight

Module Six: QuickSight User and Domain Setup

In this module we will register a demo user, create an embedded reader group and add the demo user to this group.

Introduction

In this module, we will create and register a demo user, create an embedded reader group and add the demo user to this group so that they can access the embedded dashboards or sessions.

What Will You Learn

  • Create and Execute Initial Setup Lambda for Dashboard Embedding - To create QuickSight user, groups and permissions.
  • Create and Execute Initial Setup Lambda for Session Embedding - To create QuickSight user, groups and permissions.
  • Whitelist domain - To allow embedding of QuickSight pages.

 Time to Complete

15 minutes

 Services Used

Implementation

  • Create and execute Initial Setup Lambda (For dashboard embedding)

    Skip to the next section if you are trying out session embedding.
    We will create a Lambda function to run some initial setup API calls against QuickSight. These API calls will register DemoUser in QuickSight, create an EmbeddedReader group, add DemoUser to this group and grant the group viewer access to a dashboard.

    Ensure that QSInitialSetupTempPolicy is attached to QSLambdaBasicExecutionRole.

    1. Launch Lambda and click Create function button.

    2. Make the following selections.
    Choose Author from scratch
    Function Name: QSEmbedSetup
    Runtime: Python 3.8
    Execution role: Use an existing role. Select QSLambdaBasicExecutionRole from the drop-down.
    Click Create function.

    3. Copy the following Python code into the Lambda function and click Save.

     

    import os
    import boto3

    def lambda_handler(event, context):
        # Deployment-specific values come from the Lambda environment variables.
        AAI = os.environ["AwsAccountId"]
        email = os.environ["Email"]
        dashboardId = os.environ["DashboardId"]
        roleArn = os.environ["RoleArn"]
        identityRegion = os.environ["QuickSightIdentityRegion"]
        dashboardRegion = os.environ["DashboardRegion"]
        group = 'EmbeddedReaderGrp'
        groupArn = 'arn:aws:quicksight:'+identityRegion+':'+AAI+':group/default/'+group

        # Users and groups are managed in the identity region; the dashboard may live in another region.
        qs = boto3.client('quicksight', region_name=identityRegion)
        qsd = boto3.client('quicksight', region_name=dashboardRegion)

        # Create the reader group; an already existing group is fine on a re-run.
        try:
            qs.create_group(GroupName=group, AwsAccountId=AAI, Namespace='default')
        except qs.exceptions.ResourceExistsException:
            print('GroupExists')

        # Register DemoUser as a READER backed by the IAM role and session name.
        try:
            qs.register_user(IdentityType='IAM', Email=email, UserRole='READER', IamArn=roleArn, SessionName='DemoUser', Namespace='default', AwsAccountId=AAI)
        except qs.exceptions.ResourceExistsException:
            print('UserExists')

        # Add the user to the group, then grant the group view-only actions on the dashboard.
        qs.create_group_membership(MemberName='QSER/DemoUser', GroupName=group, AwsAccountId=AAI, Namespace='default')
        qsd.update_dashboard_permissions(AwsAccountId=AAI, DashboardId=dashboardId, GrantPermissions=[{'Principal': groupArn, 'Actions': ['quicksight:DescribeDashboard', 'quicksight:ListDashboardVersions', 'quicksight:QueryDashboard']}])

    4. Scroll down to Environment variables section and click Manage environment variables.

    5. Add the following environment variables.
    AwsAccountId
    Email
    DashboardId - DashboardId saved in your notepad. (or from dashboard url)
    RoleArn - QSER Role Arn saved in your notepad.
    QuickSightIdentityRegion - Region where your QuickSight identities are setup.
    DashboardRegion - DashboardRegion saved in your notepad. (or from dashboard url)
    Click Save button.

    6. Scroll down to Basic Settings and click Edit button.

    7. Increase Timeout value to 2 mins and click Save button.

    8. From Select a test event drop down, select Configure test events.

    9. Enter event name as Test and click Create button.

    10. Click Test button.

    11. Launch IAM, click Roles in the left panel, search for QSLambdaBasicExecutionRole and remove the temp policy (QSInitialSetupTempPolicy).

    (If you are trying dashboard embedding now and want to try session embedding after this, either skip this and the next step for now, or remember to add this policy back to the role before running the setup Lambda function.)

    12. Click Detach button.

  • Initial Setup Lambda (For session embedding)

    Skip to the next section if you are trying out dashboard embedding.
    We will create a Lambda function to run some initial setup API calls against QuickSight. These API calls will register DemoUser in QuickSight as an Author. Ensure that QSInitialSetupTempPolicy is attached to QSLambdaBasicExecutionRole.

    1. Launch Lambda and click Create function button.

    2. Make the following selections.
    Choose Author from scratch
    Function Name: QSEmbedSetup
    Runtime: Python 3.8
    Execution role: Use an existing role. Select QSLambdaBasicExecutionRole from the drop-down.
    Click Create function.

    3. Copy the following Python code into the Lambda function and click Save.
     

    import os
    import boto3

    def lambda_handler(event, context):
        # Deployment-specific values come from the Lambda environment variables.
        AAI = os.environ["AwsAccountId"]
        email = os.environ["Email"]
        roleArn = os.environ["RoleArn"]
        identityRegion = os.environ["QuickSightIdentityRegion"]

        qs = boto3.client('quicksight', region_name=identityRegion)

        # Register DemoUser as an AUTHOR backed by the IAM role and session name.
        try:
            qs.register_user(IdentityType='IAM', Email=email, UserRole='AUTHOR', IamArn=roleArn, SessionName='DemoUser', Namespace='default', AwsAccountId=AAI)
        except qs.exceptions.ResourceExistsException:
            print('UserExists')
            # The user may have been registered as a READER by the dashboard embedding setup.
            res = qs.describe_user(Namespace='default', AwsAccountId=AAI, UserName='QSER/DemoUser')
            if res['User']['Role'] == 'READER':
                print('Upgrading user')
                qs.update_user(Namespace='default', AwsAccountId=AAI, UserName='QSER/DemoUser', Email=email, Role='AUTHOR')

    4. Scroll down to Environment variables section and click Manage environment variables.

    5. Add the following environment variables.
    AwsAccountId
    Email
    RoleArn - QSER Role Arn saved in your notepad.
    QuickSightIdentityRegion - Region where your QuickSight identities are setup.
    Click Save button.

    6. Scroll down to Basic Settings and click Edit button.

    7. Increase Timeout value to 2 mins and click Save button.

    8. From Select a test event drop down, select Configure test events.

    9. Enter event name as Test and click Create button.

    10. Scroll up and click Test button.

    11. Launch IAM, click Roles in the left panel, search for QSLambdaBasicExecutionRole and remove the temp policy (QSInitialSetupTempPolicy).

    (If you are trying one embedding type now and want to try the other after this, either skip this and the next step for now, or remember to add this policy back to the role before running the setup Lambda function.)

    12. Click Detach button.

  • Whitelist Domain

    In the final step, we will whitelist the CloudFront domain in QuickSight so that pages served from it are allowed to embed QuickSight content.

    1. Launch QuickSight and change the region to where you have your dashboard.

    2. Click the person icon at the top right and select Manage QuickSight from the drop-down.

    3. Click Domains and Embedding from left panel.

    4. Enter https://<CloudFront Domain Name> in Domain and click Add button.
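
The end state of the setup steps above can be checked programmatically: QSInitialSetupTempPolicy detached from QSLambdaBasicExecutionRole (steps 11 and 12), and EmbeddedReaderGrp holding only the three viewer actions on the dashboard. The following is an added example, not part of the original tutorial; the function names, stub clients, account ID and dashboard ID are constructed for illustration, and against a real account you would pass boto3 `iam` and `quicksight` clients instead of the stubs.

```python
# Added example: audit the end state of this module. Clients are injected so the
# checks run offline on stubs; in AWS pass boto3 "iam" and "quicksight" clients.
from types import SimpleNamespace

ROLE = "QSLambdaBasicExecutionRole"
TEMP_POLICY = "QSInitialSetupTempPolicy"
READER_ACTIONS = {"quicksight:DescribeDashboard",
                  "quicksight:ListDashboardVersions",
                  "quicksight:QueryDashboard"}

def temp_policy_attached(iam, role=ROLE, policy=TEMP_POLICY):
    """True while the managed policy is still attached (follows pagination)."""
    kwargs = {"RoleName": role}
    while True:
        page = iam.list_attached_role_policies(**kwargs)
        if any(p["PolicyName"] == policy for p in page["AttachedPolicies"]):
            return True
        if not page.get("IsTruncated"):
            return False
        kwargs["Marker"] = page["Marker"]

def excess_actions(qs, account_id, dashboard_id, group_arn):
    """Dashboard actions the group holds beyond the three viewer actions."""
    resp = qs.describe_dashboard_permissions(AwsAccountId=account_id,
                                             DashboardId=dashboard_id)
    granted = set()
    for perm in resp["Permissions"]:
        if perm["Principal"] == group_arn:
            granted.update(perm["Actions"])
    return sorted(granted - READER_ACTIONS)

def audit(iam, qs, account_id, dashboard_id, group_arn):
    findings = []  # empty list means the end state is clean
    if temp_policy_attached(iam):
        findings.append(f"{TEMP_POLICY} is still attached to {ROLE}")
    for action in excess_actions(qs, account_id, dashboard_id, group_arn):
        findings.append(f"group holds extra action {action}")
    return findings

if __name__ == "__main__":
    # Constructed stub responses: policy left attached, one extra permission.
    arn = "arn:aws:quicksight:us-east-1:111122223333:group/default/EmbeddedReaderGrp"
    iam = SimpleNamespace(list_attached_role_policies=lambda **kw: {
        "AttachedPolicies": [{"PolicyName": TEMP_POLICY, "PolicyArn": "arn:placeholder"}]})
    qs = SimpleNamespace(describe_dashboard_permissions=lambda **kw: {
        "Permissions": [{"Principal": arn, "Actions": sorted(READER_ACTIONS)
                         + ["quicksight:UpdateDashboardPermissions"]}]})
    for finding in audit(iam, qs, "111122223333", "dashboard-id-placeholder", arn):
        print("FINDING:", finding)
```

An empty findings list means the temp policy is gone and the group has nothing beyond view access; if you deliberately skipped steps 11 and 12 to run the other setup Lambda next, expect the first finding until you detach the policy.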

Conclusion

You successfully completed module six! Next, let's launch the application in module seven.
