Embedded Analytics Tutorial with Amazon QuickSight

Module Three: IAM Policies

In this module we will learn about setting up the right permissions for dashboard users.

Introduction

We will set up these permissions by creating an IAM identity provider and an IAM role with its policy.

What You Will Learn

  • Create IAM Identity Provider - Mapping Cognito as an identity provider
  • Create IAM Web Identity Role - With permissions on QuickSight and a trust relationship with the identity provider above

Time to Complete

20 minutes

Implementation

  • Create IAM Identity Provider

    Steps to map Cognito UserPool as an Identity Provider are given below.

    1. Launch IAM and choose Identity providers from the left panel.

    2. Click Create Provider

    3. Set the following options.
    Provider Type: OpenID Connect
    Provider URL: https://cognito-idp.us-east-1.amazonaws.com/<Cognito UserPool Id>
    Audience: <Cognito App Client Id>
    Click Next Step.

    4. Click Create button.

  • Create Web Identity Role

    Steps to create a role that works with the Identity Provider are given below.

    1. Launch IAM and choose Roles from the left panel.

    2. Click Create role and then choose Web Identity.

    3. Choose the Identity Provider (created in the last step) from the drop-down and the App Client Id from the Audience drop-down.
    Click Next: Permissions.

    4. Click Create policy. This opens a new tab with the policy creation page.

    5. Click the JSON tab, paste the following policy and click the Review policy button.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": [
                    "quicksight:GetDashboardEmbedUrl",
                    "quicksight:GetAuthCode",
                    "quicksight:GetSessionEmbedUrl"
                ],
                "Resource": "*"
            }
        ]
    }

    6. Name the policy QSEmbedPolicy and click Create policy.

    7. Switch back to the create role tab.
    Refresh the policy list, search for QSEmbedPolicy, check the select box and click Next: Tags.

    8. Click Next: Review

    9. Name the role QSER and click Create role.

    10. Search for QSER and click on the role name.

    11. Copy the Role ARN and save it to a notepad as QSER Role ARN.
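
The QSER role ends up with two documents: a trust policy tied to the Cognito identity provider and the QSEmbedPolicy permission policy. The following is an added example, not part of the original tutorial, that audits both offline: it checks that the trust policy names only the expected provider and pins the aud condition to the App Client Id, and lists Allow statements that apply to every resource. The pool id, client id, account number, function names and the sample trust policies are constructed assumptions.

```python
# Added example (not the tutorial's code); PROVIDER, CLIENT_ID and the account number are constructed.
PROVIDER = "cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE"
CLIENT_ID = "exampleappclientid"

def as_list(value):
    """IAM accepts a single string or a list in most fields; normalize to a list."""
    return [] if value is None else value if isinstance(value, list) else [value]

def audit_trust(trust, provider, client_id):
    """Return findings for the web-identity statements of a role trust policy."""
    findings = []
    for st in as_list(trust.get("Statement")):
        if st.get("Effect") != "Allow" or \
                "sts:AssumeRoleWithWebIdentity" not in as_list(st.get("Action")):
            continue
        principal = st.get("Principal")
        federated = as_list(principal.get("Federated") if isinstance(principal, dict) else principal)
        if not federated or not all(str(p).endswith(":oidc-provider/" + provider) for p in federated):
            findings.append("principal is not limited to the expected identity provider")
        auds = as_list(st.get("Condition", {}).get("StringEquals", {}).get(provider + ":aud"))
        if auds != [client_id]:
            findings.append("aud condition missing or not pinned to the App Client Id")
    return findings

def audit_permissions(policy):
    """List Allow statements that apply to every resource."""
    return [", ".join(as_list(st.get("Action"))) + " allowed on Resource '*'"
            for st in as_list(policy.get("Statement"))
            if st.get("Effect") == "Allow" and "*" in as_list(st.get("Resource"))]

# Trust policy of the shape a web-identity role uses (constructed sample).
GOOD_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": "arn:aws:iam::111122223333:oidc-provider/" + PROVIDER},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {"StringEquals": {PROVIDER + ":aud": CLIENT_ID}}}]}
# Same statement without the Condition block: the role no longer checks the audience.
LOOSE_TRUST = {"Version": "2012-10-17", "Statement": [
    {k: v for k, v in GOOD_TRUST["Statement"][0].items() if k != "Condition"}]}
# QSEmbedPolicy exactly as given in step 5.
QS_EMBED_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "VisualEditor0", "Effect": "Allow", "Resource": "*",
    "Action": ["quicksight:GetDashboardEmbedUrl", "quicksight:GetAuthCode",
               "quicksight:GetSessionEmbedUrl"]}]}

if __name__ == "__main__":
    for name, doc in (("good", GOOD_TRUST), ("loose", LOOSE_TRUST)):
        print(name, audit_trust(doc, PROVIDER, CLIENT_ID))
    print(audit_permissions(QS_EMBED_POLICY))
```

To audit the real role, pass the JSON shown on the role's Trust relationships tab and the policy document of QSEmbedPolicy to the two functions in place of the samples.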

Conclusion

You successfully completed module three! Next, let's create Lambda functions in module four.
