
I am trying to get a QuickSight embed URL from inside a Lambda function.

The Lambda function receives a jwtToken from a React front end built with AWS Amplify. All of the Cognito setup works (user pool and identity pool): on login the user is given the role "arn:aws:iam::xx:role/Cognito_qa1_Admin",

and that role has permissions for quicksight:registerUser and quicksight:getDashboardEmbedUrl.

var AWS = require("aws-sdk");

exports.handler = function (event, context, callback) {
  var cognitoIdentity = new AWS.CognitoIdentity();
  var params = {
    IdentityPoolId: "eu-west-2:xxx-291d-xx-b9a7-8b27c73c796c", // your identity pool id here
    Logins: {
      // your logins here: user pool provider name -> the user's ID token
      "cognito-idp.eu-west-2.amazonaws.com/eu-west-2_xxx": event.jwtToken,
    },
  };
  // Get the Cognito identity id for this jwtToken
  cognitoIdentity.getId(params, function (err, data) {
    if (err) {
      return callback(err);
    }
    var roleArn = "arn:aws:iam::xx:role/Cognito_qa1_Admin"; // your cognito authenticated role arn here

    data.Logins = params.Logins;
    // Get credentials for the identity (this also does the AssumeRoleWithWebIdentity)
    cognitoIdentity.getCredentialsForIdentity(data, function (err, data) {
      console.log(data);
      if (err) {
        return callback(err);
      }
      // Replace the Lambda execution role credentials with the web identity ones
      AWS.config.update({
        region: "eu-west-2",
        accessKeyId: data.Credentials.AccessKeyId,
        secretAccessKey: data.Credentials.SecretKey,
        sessionToken: data.Credentials.SessionToken,
        expiration: data.Credentials.Expiration,
      });

      const quicksight = new AWS.QuickSight();

      var getDashboardParams = {
        AwsAccountId: "xx",
        DashboardId: "a048efb6-3d3c-xx-8920-xxx",
        IdentityType: "IAM",
        ResetDisabled: false,
        SessionLifetimeInMinutes: 100,
        UndoRedoDisabled: false,
      };

      var registerUserParams = {
        AwsAccountId: "xxx",
        Email: event.userEmail,
        IdentityType: "IAM",
        Namespace: "default",
        UserRole: "READER",
        IamArn: roleArn,
        SessionName: event.payloadSub, // the Cognito sub, so one QuickSight user per identity
      };

      // Register the user; this one works well
      quicksight.registerUser(registerUserParams, function (err, data) {
        if (err) {
          if (err.code !== "ResourceExistsException") {
            console.log("error registering user");
            return callback(err);
          }
          console.log("user already exists");
        }
        console.log("User registration data", data);
        // Get the dashboard URL; this is the call failing with QuickSightUserNotFoundException
        quicksight.getDashboardEmbedUrl(getDashboardParams, function (err, data) {
          if (err) {
            console.log("getDashboardEmbedUrl error", err);
            return callback(err);
          }
          callback(null, data);
        });
      });
    });
  });
};

Everything goes well: the web identity credentials are retrieved and set in the config, and the registerUser call registers the user (or returns the user-already-exists error).

But getDashboardEmbedUrl fails with QuickSightUserNotFoundException: Could not find user information in QuickSight.

If I call sts.getCallerIdentity after setting the credentials, I get this

{
  ResponseMetadata: { RequestId: 'd5cb26f1-f2f5-4148-87e5-74d6c998fb91' },
  UserId: 'AROAU63RLM5WIRTFDRETQ:CognitoIdentityCredentials',
  Account: 'xxx',
  Arn: 'arn:aws:sts::xxx:assumed-role/Cognito_qa1_Admin/CognitoIdentityCredentials'
}

Any ideas? Many thanks in advance.


1 Answer


When registering the user, IdentityType must be IAM, but for getDashboardEmbedUrl it must be of type QUICKSIGHT, and you need to pass UserArn, which you can find in the response of registerUser.

Answered 2020-04-13T14:46:41.433
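The two-call flow the answer describes, written out as an added example (this is not code from the question or the answer). The QuickSight client is injected so the flow can be exercised offline against the constructed fake at the bottom; in the Lambda you would pass `new AWS.QuickSight()` after setting the web identity credentials as the question does. The account id, role ARN and dashboard id are placeholders, and `quicksightUserName` encodes the documented `<role-name>/<session-name>` naming that QuickSight uses for users registered from an assumed IAM role. It also covers the branch the question's code glosses over: on `ResourceExistsException` the registerUser response carries no `User`, so the existing user's ARN has to be fetched with `describeUser` rather than left undefined.

```javascript
// Added example, not from the original post. Identifiers below are placeholders.
const REGION = "eu-west-2";
const ACCOUNT_ID = "123456789012";
const ROLE_ARN = `arn:aws:iam::${ACCOUNT_ID}:role/Cognito_qa1_Admin`;
const DASHBOARD_ID = "a048efb6-3d3c-0000-8920-000000000000";
const NAMESPACE = "default";

// QuickSight names a user registered from an assumed role "<role-name>/<session-name>";
// its ARN is arn:aws:quicksight:<region>:<account>:user/<namespace>/<user-name>.
function quicksightUserName(roleArn, sessionName) {
  return `${roleArn.split("/").pop()}/${sessionName}`;
}

function quicksightUserArn(region, accountId, roleArn, sessionName) {
  return `arn:aws:quicksight:${region}:${accountId}:user/${NAMESPACE}/` +
    quicksightUserName(roleArn, sessionName);
}

// registerUser: IdentityType IAM, because the caller is an assumed Cognito role.
function registerUserParams(email, sessionName) {
  return {
    AwsAccountId: ACCOUNT_ID,
    Email: email,
    IdentityType: "IAM",
    Namespace: NAMESPACE,
    UserRole: "READER",
    IamArn: ROLE_ARN,
    SessionName: sessionName,
  };
}

// getDashboardEmbedUrl: IdentityType QUICKSIGHT plus the registered user's ARN.
// The question's code sent IdentityType "IAM" with no UserArn, hence the
// QuickSightUserNotFoundException.
function embedUrlParams(userArn) {
  return {
    AwsAccountId: ACCOUNT_ID,
    DashboardId: DASHBOARD_ID,
    IdentityType: "QUICKSIGHT",
    UserArn: userArn,
    SessionLifetimeInMinutes: 100,
    ResetDisabled: false,
    UndoRedoDisabled: false,
  };
}

// Register the user and return User.Arn from the response. On ResourceExistsException
// there is no response body, so look the existing user up by name instead.
async function resolveUserArn(quicksight, email, sessionName) {
  try {
    const res = await quicksight.registerUser(registerUserParams(email, sessionName)).promise();
    return res.User.Arn;
  } catch (err) {
    if (err.code !== "ResourceExistsException") throw err;
    const res = await quicksight.describeUser({
      AwsAccountId: ACCOUNT_ID,
      Namespace: NAMESPACE,
      UserName: quicksightUserName(ROLE_ARN, sessionName),
    }).promise();
    return res.User.Arn;
  }
}

async function getEmbedUrl(quicksight, email, sessionName) {
  const userArn = await resolveUserArn(quicksight, email, sessionName);
  const res = await quicksight.getDashboardEmbedUrl(embedUrlParams(userArn)).promise();
  return res.EmbedUrl;
}

// Constructed fake with the SDK v2 `.promise()` shape. It remembers registered users so
// a repeat registration raises ResourceExistsException, and it rejects an embed request
// without IdentityType QUICKSIGHT and a UserArn the way the question reports.
function fakeQuickSight() {
  const users = new Map();
  const fail = (code) => Object.assign(new Error(code), { code });
  const op = (fn) => (params) => ({ promise: async () => fn(params) });
  return {
    registerUser: op((p) => {
      const name = quicksightUserName(p.IamArn, p.SessionName);
      if (users.has(name)) throw fail("ResourceExistsException");
      users.set(name, quicksightUserArn(REGION, p.AwsAccountId, p.IamArn, p.SessionName));
      return { User: { Arn: users.get(name), UserName: name } };
    }),
    describeUser: op((p) => {
      if (!users.has(p.UserName)) throw fail("ResourceNotFoundException");
      return { User: { Arn: users.get(p.UserName), UserName: p.UserName } };
    }),
    getDashboardEmbedUrl: op((p) => {
      if (p.IdentityType !== "QUICKSIGHT" || !p.UserArn) throw fail("QuickSightUserNotFoundException");
      return { EmbedUrl: `https://${REGION}.quicksight.aws.amazon.com/embed/${p.DashboardId}?code=fake` };
    }),
  };
}
```

Two points worth keeping from the question's own setup: use the Cognito `sub` (not the email) as `SessionName`, so each Cognito identity maps to exactly one QuickSight user and a caller cannot pick another user's dashboard session by supplying a different email; and the assumed role needs `quicksight:GetAuthCode` in addition to `quicksight:GetDashboardEmbedUrl` once `IdentityType` is QUICKSIGHT.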