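I want to generate an embedded Amazon QuickSight dashboard URL for unregistered QuickSight users so that I can embed the dashboard in a web application. However, I receive a permissions error.
Short description
The AWS Identity and Access Management (IAM) user or role that the backend or web server uses must have permission to generate embedded QuickSight dashboard URLs for unregistered users. If the IAM user or role doesn't have the correct permissions, then you receive the following error:
IAM user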
An error occurred (AccessDeniedException) when calling the GenerateEmbedUrlForAnonymousUser operation: User: arn:aws:iam::XXXXXXXXXXX:user/user1 is not authorized to perform: quicksight:GenerateEmbedUrlForAnonymousUser on resource: arn:aws:quicksight:region:XXXXXXXXXXX:namespace/default because no identity-based policy allows the quicksight:GenerateEmbedUrlForAnonymousUser action
IAM role
An error occurred (AccessDeniedException) when calling the GenerateEmbedUrlForAnonymousUser operation: User: arn:aws:sts::XXXXXXXXXXX:user:assumed-role/role-name/policy-name is not authorized to perform: quicksight:GenerateEmbedUrlForAnonymousUser on resource: arn:aws:quicksight:region:XXXXXXXXXXX:user:namespace/default because no identity-based policy allows the quicksight:GenerateEmbedUrlForAnonymousUser action
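To resolve these errors, you must attach an IAM policy that has the required permissions.
Resolution
Attach the following IAM policy for the quicksight:GenerateEmbedUrlForAnonymousUser action to the IAM user or role that's used to call GenerateEmbedUrlForAnonymousUser: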
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "quicksight:GenerateEmbedUrlForAnonymousUser",
      "Resource": [
        "arn:aws:quicksight:<region>:<AWS Account ID>:namespace/<namespace>",
        "arn:aws:quicksight:<region>:<AWS Account ID>:dashboard/<Dashboard ID>"
      ]
    }
  ]
}
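**Note:** To embed QuickSight dashboard URLs for unregistered users, session capacity pricing must be active on the QuickSight account. If it's inactive, then users receive an UnsupportedPricingPlanException error.
Related information
Embedding QuickSight data dashboards for everyone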
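An added example, not AWS code or part of the original article: a local check that an identity-based policy document allows quicksight:GenerateEmbedUrlForAnonymousUser on both the namespace and the dashboard ARN before you attach it, and that lists any wildcard resources. The account ID, Region, dashboard ID and function names are constructed for illustration, and the check assumes plain Action/Resource statements without Condition keys.

```python
import json
import re

ACTION = "quicksight:GenerateEmbedUrlForAnonymousUser"

def as_list(value):
    """IAM allows a single string or dict wherever a list is accepted."""
    return value if isinstance(value, list) else [value]

def iam_match(pattern, value, ignore_case=False):
    """IAM wildcards: '*' matches any run of characters, '?' exactly one."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, re.I if ignore_case else 0) is not None

def check_embed_policy(policy_json, required_arns):
    """Return (missing, denied, broad) for ACTION in one identity-based policy."""
    allow, deny = [], []
    for stmt in as_list(json.loads(policy_json)["Statement"]):
        # Statements without an Action element (e.g. NotAction) are skipped here.
        actions = as_list(stmt.get("Action", []))
        if any(iam_match(a, ACTION, ignore_case=True) for a in actions):
            bucket = allow if stmt.get("Effect") == "Allow" else deny
            bucket.extend(as_list(stmt.get("Resource", [])))
    # An explicit Deny always wins over an Allow.
    denied = [r for r in required_arns if any(iam_match(p, r) for p in deny)]
    missing = [r for r in required_arns if not any(iam_match(p, r) for p in allow)]
    broad = [p for p in allow if "*" in p]  # wider than explicit ARNs
    return missing, denied, broad

# Constructed sample values: placeholder account, Region and dashboard ID.
NAMESPACE_ARN = "arn:aws:quicksight:us-east-1:111122223333:namespace/default"
DASHBOARD_ARN = "arn:aws:quicksight:us-east-1:111122223333:dashboard/example-dashboard-id"

# Constructed policy that grants the dashboard but omits the namespace.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "quicksight:GenerateEmbedUrlForAnonymousUser",
        "Resource": [DASHBOARD_ARN],
    }],
})

if __name__ == "__main__":
    missing, denied, broad = check_embed_policy(SAMPLE_POLICY, [NAMESPACE_ARN, DASHBOARD_ARN])
    print("missing:", missing)
    print("denied:", denied)
    print("broad:", broad)
```

A non-empty `missing` list names the resources that would still produce the AccessDeniedException shown earlier; a non-empty `broad` list shows grants that reach beyond the specific namespace and dashboard.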