Embedded Analytics Tutorial
with Amazon QuickSight
Module Six: QuickSight User and Domain Setup
In this module we will register a demo user, create an embedded reader group and add the demo user to this group.
Introduction
In this module, we will create and register a demo user, create an embedded reader group and add the demo user to this group so that they can access the embedded dashboards or sessions.
What Will You Learn
- Create and Execute Initial setup Lambda for Dashboard Embedding - To create QuickSight user, groups and permissions.
- Create and Execute Initial setup Lambda for Session Embedding - To create QuickSight user, groups and permissions.
- Whitelist domain - To allow embedding of QuickSight pages.
Time to Complete
15 minutes
Services Used
Implementation
-
Create and execute Initial Setup Lambda (For dashboard embedding)
Skip to next section if you are trying out session embedding
We will create a lambda function to run some initial setup API calls against QuickSight. These API calls will register DemoUser into QuickSight, Create an EmbeddedReader Group, Add DemoUser to this group and provide viewer access for a dashboard to the group.
Ensure that QSInitialSetupTempPolicy is attached to QSLambdaBasicExecutionRole.
1. Launch Lambda and click Create function button.
2. Make the following selections.
Choose Author from scratch
Function Name: QSEmbedSetup
Runtime: Python 3.8
Execution role: Use an existing role. Select QSLambdaBasicExecutionRole from drop down.
Click Create function.
3. Copy the following Python code into the Lambda function and click Save.
```python
import os

import boto3


def lambda_handler(event, context):
    # Deployment-specific values come from the Lambda environment variables.
    AAI = os.environ["AwsAccountId"]
    email = os.environ["Email"]
    dashboardId = os.environ["DashboardId"]
    roleArn = os.environ["RoleArn"]
    identityRegion = os.environ["QuickSightIdentityRegion"]
    dashboardRegion = os.environ["DashboardRegion"]

    group = 'EmbeddedReaderGrp'
    groupArn = 'arn:aws:quicksight:' + identityRegion + ':' + AAI + ':group/default/' + group

    # Users and groups are managed in the identity region; the dashboard may be in another.
    qs = boto3.client('quicksight', region_name=identityRegion)
    qsd = boto3.client('quicksight', region_name=dashboardRegion)

    # Create the reader group; re-running the function is safe if it already exists.
    try:
        qs.create_group(GroupName=group, AwsAccountId=AAI, Namespace='default')
    except qs.exceptions.ResourceExistsException:
        print('GroupExists')

    # Register DemoUser as a READER backed by the QSER IAM role.
    try:
        qs.register_user(IdentityType='IAM', Email=email, UserRole='READER',
                         IamArn=roleArn, SessionName='DemoUser',
                         Namespace='default', AwsAccountId=AAI)
    except qs.exceptions.ResourceExistsException:
        print('UserExists')

    # Add the user to the group, then grant the group view-only dashboard actions.
    qs.create_group_membership(MemberName='QSER/DemoUser', GroupName=group,
                               AwsAccountId=AAI, Namespace='default')
    qsd.update_dashboard_permissions(
        AwsAccountId=AAI,
        DashboardId=dashboardId,
        GrantPermissions=[{
            'Principal': groupArn,
            'Actions': ['quicksight:DescribeDashboard',
                        'quicksight:ListDashboardVersions',
                        'quicksight:QueryDashboard'],
        }])
```
4. Scroll down to Environment variables section and click Manage environment variables.
5. Add the following environment variables.
AwsAccountId
Email
DashboardId - DashboardId saved in your notepad. (or from dashboard url)
RoleArn - QSER Role Arn saved in your notepad.
QuickSightIdentityRegion - Region where your QuickSight identities are set up.
DashboardRegion - DashboardRegion saved in your notepad. (or from dashboard url)
Click Save button.
6. Scroll down to Basic Settings and click Edit button.
7. Increase Timeout value to 2 mins and click Save button
8. From Select a test event drop down, select Configure test events.
9. Enter event name as Test and click Create button.
10. Click Test button.
11. Launch IAM, Click roles in left panel, Search for QSLambdaBasicExecutionRole and delete temp policy.
(Skip this and next step for now / Remember to add this policy back to the role ahead of running the setup lambda function if you are trying dashboard embedding now and want to try session embedding after this.)
12. Click Detach button.
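A check for the end state of this section, as an added example that is not part of the original tutorial: it confirms that EmbeddedReaderGrp holds exactly the three viewer actions granted by the setup Lambda and that QSInitialSetupTempPolicy is no longer attached to QSLambdaBasicExecutionRole. It assumes the temp policy is a managed policy attached to the role; the function names, account id and ARNs in the sample data are constructed.

```python
READER_ACTIONS = {
    "quicksight:DescribeDashboard",
    "quicksight:ListDashboardVersions",
    "quicksight:QueryDashboard",
}
TEMP_POLICY = "QSInitialSetupTempPolicy"


def audit_setup(dashboard_permissions, attached_policies, group_arn):
    """Return a list of findings; an empty list means the setup matches the tutorial."""
    findings = []
    grant = next((p for p in dashboard_permissions if p["Principal"] == group_arn), None)
    if grant is None:
        findings.append("group has no grant on the dashboard")
    else:
        extra = set(grant["Actions"]) - READER_ACTIONS
        missing = READER_ACTIONS - set(grant["Actions"])
        if extra:
            findings.append("group holds non-viewer actions: " + ", ".join(sorted(extra)))
        if missing:
            findings.append("group lacks viewer actions: " + ", ".join(sorted(missing)))
    if any(p["PolicyName"] == TEMP_POLICY for p in attached_policies):
        findings.append(TEMP_POLICY + " is still attached to the Lambda role")
    return findings


def fetch_and_audit(account_id, dashboard_id, dashboard_region, group_arn,
                    role_name="QSLambdaBasicExecutionRole"):
    """Live variant: pull both lists with boto3, then run the same audit."""
    import boto3  # imported here so the offline sample below runs without AWS access
    qsd = boto3.client("quicksight", region_name=dashboard_region)
    perms = qsd.describe_dashboard_permissions(
        AwsAccountId=account_id, DashboardId=dashboard_id)["Permissions"]
    attached = boto3.client("iam").list_attached_role_policies(
        RoleName=role_name)["AttachedPolicies"]
    return audit_setup(perms, attached, group_arn)


# Constructed sample data: placeholder account id, one over-broad grant, policy left attached.
SAMPLE_GROUP = "arn:aws:quicksight:us-east-1:111122223333:group/default/EmbeddedReaderGrp"
SAMPLE_PERMS = [{"Principal": SAMPLE_GROUP,
                 "Actions": sorted(READER_ACTIONS) + ["quicksight:UpdateDashboardPermissions"]}]
SAMPLE_ATTACHED = [{"PolicyName": TEMP_POLICY,
                    "PolicyArn": "arn:aws:iam::111122223333:policy/QSInitialSetupTempPolicy"}]

if __name__ == "__main__":
    for finding in audit_setup(SAMPLE_PERMS, SAMPLE_ATTACHED, SAMPLE_GROUP):
        print("FINDING:", finding)
```

Run `fetch_and_audit` with credentials that can call `quicksight:DescribeDashboardPermissions` and `iam:ListAttachedRolePolicies`; those credentials are separate from the Lambda role being audited.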
-
Initial Setup Lambda (For session embedding)
Skip to next section if you are trying out dashboard embedding
We will create a lambda function to run some initial setup API calls against QuickSight. These API calls will register DemoUser into QuickSight as an Author. Ensure that QSInitialSetupTempPolicy is attached to QSLambdaBasicExecutionRole.
1. Launch Lambda and click Create function button.
2. Make the following selections.
Choose Author from scratch
Function Name: QSEmbedSetup
Runtime: Python 3.8
Execution role: Use an existing role. Select QSLambdaBasicExecutionRole from drop down.
Click Create function.
3. Copy the following Python code into the Lambda function and click Save.
```python
import os

import boto3


def lambda_handler(event, context):
    # Deployment-specific values come from the Lambda environment variables.
    AAI = os.environ["AwsAccountId"]
    email = os.environ["Email"]
    roleArn = os.environ["RoleArn"]
    identityRegion = os.environ["QuickSightIdentityRegion"]

    qs = boto3.client('quicksight', region_name=identityRegion)

    # Register DemoUser as an AUTHOR backed by the QSER IAM role.
    try:
        qs.register_user(IdentityType='IAM', Email=email, UserRole='AUTHOR',
                         IamArn=roleArn, SessionName='DemoUser',
                         Namespace='default', AwsAccountId=AAI)
    except qs.exceptions.ResourceExistsException:
        print('UserExists')
        # If the user already exists as a READER (for example from the
        # dashboard embedding setup), upgrade it to AUTHOR.
        res = qs.describe_user(Namespace='default', AwsAccountId=AAI,
                               UserName='QSER/DemoUser')
        if res['User']['Role'] == 'READER':
            print('Upgrading user')
            qs.update_user(Namespace='default', AwsAccountId=AAI,
                           UserName='QSER/DemoUser', Email=email, Role='AUTHOR')
```
4. Scroll down to Environment variables section and click Manage environment variables.
5. Add the following environment variables.
AwsAccountId
Email
RoleArn - QSER Role Arn saved in your notepad.
QuickSightIdentityRegion - Region where your QuickSight identities are set up.
Click Save button.
6. Scroll down to Basic Settings and click Edit button.
7. Increase Timeout value to 2 mins and click Save button
8. From Select a test event drop down, select Configure test events.
9. Enter event name as Test and click Create button.
10. Scroll up and click Test button.
11. Launch IAM, Click roles in left panel, Search for QSLambdaBasicExecutionRole and remove temp policy.
(Skip this and next step for now / Remember to add this policy back to the role ahead of running the setup lambda function if you are trying dashboard embedding now and want to try session embedding after this or vice versa)
12. Click Detach button.
-
Whitelist Domain
In the final step, we will whitelist the CloudFront domain in QuickSight.
1. Launch QuickSight and change the region to where you have your dashboard.
2. Click the person icon on top right and Manage QuickSight from the drop down.
3. Click Domains and Embedding from left panel.
4. Enter https://CloudFront Domain Name in Domain and click Add button.
Conclusion
You successfully completed module six! Next, let's launch the application in module seven.